Export meshStack logs/events to an external tool
in progress
Shamil Radzhabov
Centralized log management can greatly enhance end-to-end visibility and the security stance by enabling the extraction of audit logs/events from meshStack for import into an external tool such as a SIEM system.
Johannes Rudolph
Update: meshEventLogs API v1-preview now available for log export
Thanks again for all the input and votes on this request. We’ve shipped the first core building block to make exporting meshStack logs/events into external tools possible.
We have introduced a new meshStack API endpoint that lets you programmatically read event logs (audit trail) from meshStack:
- Endpoint: GET /api/meshobjects/mesheventlogs
- Docs: https://docs.meshcloud.io/api/mesh-event-log-list/
- What it provides: A paged list of meshEventLogs, including actions and configuration changes across workspaces.
- Access control: Admins can access logs across workspaces, regular users can access logs for their own workspace.
- Filtering: Time range, event type, workspace, author, and text search on title/description.
This allows you to:
- Pull audit/event logs regularly and forward them into your SIEM or log management system (e.g. Splunk, Azure Sentinel) using your own integration or scripts.
- Backfill historic logs by iterating over time ranges.
This API is the first step of the SIEM/export story we outlined earlier.
Ongoing work on event logs themselves
In parallel to the API, we’re running a broader initiative around event logs. This ongoing work includes:
- Adding more events: Expanding coverage to additional meshObjects and actions, especially security- and governance-relevant changes (e.g. role bindings, user lifecycle, configuration and policy changes).
- Improving event quality: Refining event payloads so that “who did what when” is clearer and more useful for downstream analysis in SIEM and compliance reports.
- Hardening for export: Reviewing event structures and metadata with SIEM/export use cases in mind so we expose a stable model.
All of this work automatically shows up via the meshEventLogs API as we roll it out, so integrations you build now will benefit from the richer and more consistent event data set over time.
Next steps and feedback
As this API is in preview we’d really appreciate your input on:
- The most critical events and fields you rely on.
- Any pain points you encounter while using the meshEventLogs API (missing filters or attributes, performance, pagination, etc.).
Please comment here or reach out to our customer success team or support@meshcloud.io so we can feed this directly into the ongoing work on the event logs API.
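The update above describes the two things an integration has to do with this endpoint: walk a paged list, and backfill history by iterating over time ranges. The script below is an added example (not meshcloud's code and not from the docs page) that does both and flattens each event into a JSON line a SIEM collector can ingest. Only the endpoint path comes from the announcement; the query parameter names (`from`, `to`, `page`, `size`), the response shape (`_embedded.items`, `page.totalPages`), the event field names and the sample events are assumptions constructed so the example runs offline against an in-memory transport. Check the docs page before using them against a real tenant.

```python
"""Pull meshEventLogs in time windows and flatten them into SIEM-ready lines.

Added example, not meshcloud's own code. Only the endpoint path is taken from
the announcement; the query parameter names (from, to, page, size), the
response shape (_embedded.items / page.totalPages) and the event field names
are ASSUMPTIONS that make the example self-contained.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone
from typing import Callable, Iterator

ENDPOINT = "/api/meshobjects/mesheventlogs"  # from the announcement

# A transport takes (path, query_params) and returns the decoded JSON body.
# In production this wraps an authenticated HTTP client; the fake further down
# lets the example run offline.
Transport = Callable[[str, dict], dict]


def hours(n: int) -> timedelta:
    """Small helper so windows and offsets read as whole hours."""
    return timedelta(hours=n)


def fetch_window(transport: Transport, start: datetime, end: datetime,
                 page_size: int = 100) -> Iterator[dict]:
    """Yield every event with start <= time < end by walking the paged list."""
    page = 0
    while True:
        body = transport(ENDPOINT, {
            "from": start.isoformat(),  # ASSUMED parameter names
            "to": end.isoformat(),
            "page": page,
            "size": page_size,
        })
        yield from body.get("_embedded", {}).get("items", [])  # ASSUMED shape
        page += 1
        if page >= body.get("page", {}).get("totalPages", 0):
            return


def backfill(transport: Transport, start: datetime, end: datetime,
             window: timedelta, seen: set[str] | None = None,
             page_size: int = 100) -> list[dict]:
    """Backfill [start, end) by iterating over time ranges, as the update suggests.

    `seen` holds ids already forwarded, so re-running an overlapping range
    (after a crash, or where the live poller and the backfill meet) never
    emits a duplicate into the SIEM.
    """
    seen = set() if seen is None else seen
    out: list[dict] = []
    cursor = start
    while cursor < end:
        window_end = min(cursor + window, end)
        for ev in fetch_window(transport, cursor, window_end, page_size):
            if ev["id"] in seen:
                continue
            seen.add(ev["id"])
            out.append(ev)
        cursor = window_end
    return out


def to_siem_line(ev: dict) -> str:
    """One JSON line per event: 'who did what when' fields up front, and the
    untouched event kept under 'raw' so later schema changes are not lost."""
    return json.dumps({
        "time": ev["createdOn"],          # ASSUMED field names
        "actor": ev.get("author"),
        "action": ev.get("eventType"),
        "workspace": ev.get("workspace"),
        "title": ev.get("title"),
        "raw": ev,
    }, sort_keys=True)


# --- Constructed sample data and an in-memory transport (offline stand-in) ---
T0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"id": f"evt-{i}", "createdOn": (T0 + hours(i)).isoformat(),
     "eventType": "ROLE_BINDING_CHANGED" if i % 2 else "USER_INVITED",
     "workspace": "ws-demo", "author": "alice@example.com",
     "title": f"constructed sample event {i}"}
    for i in range(7)
]


def fake_transport(path: str, params: dict) -> dict:
    """Filter SAMPLE_EVENTS by the assumed from/to parameters and page them."""
    assert path == ENDPOINT
    lo = datetime.fromisoformat(params["from"])
    hi = datetime.fromisoformat(params["to"])
    hits = [e for e in SAMPLE_EVENTS
            if lo <= datetime.fromisoformat(e["createdOn"]) < hi]
    size, start = params["size"], params["page"] * params["size"]
    return {"_embedded": {"items": hits[start:start + size]},
            "page": {"totalPages": (len(hits) + size - 1) // size}}


if __name__ == "__main__":
    for ev in backfill(fake_transport, T0, T0 + hours(7), hours(3), page_size=2):
        print(to_siem_line(ev))
```

Two design points carry over to a real deployment: persist the `seen` set (or at least the high-water mark of the last window) between runs, so a restarted exporter resumes without re-sending or skipping events, and keep the window small enough that a single window's pages can be re-fetched cheaply if a request fails midway. Because the filtering and paging are done server-side, the same loop serves both the one-off historic backfill and the scheduled incremental pull.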
Johannes Rudolph marked this post as in progress
Johannes Rudolph marked this post as planned
Hey everyone who has voted on this feature, we intend to tackle this in our next cycle. We're still looking forward to hearing any feedback you'd like us to consider specifically as we implement this.
Johannes Rudolph marked this post as under review
Thank you for voting on this feature. I want to give you an update on our current perspective on this topic and ask you to provide us with your feedback (public or private).
Audit log exporting to SIEM systems has been available to customers using meshStack on-premise with custom solutions at the deployment but we understand the need to enable this for meshStack SaaS customers in an easy-to-use and standard fashion.
We aim to support easy standard integration with standard enterprise SIEM solutions like Splunk or Azure Sentinel using standard ingestion mechanisms.
We have identified three different technical options:
- meshStack API to read logs
- batch export to storage bucket
- webhook delivery
Our current plan is to begin work in this area by providing an API first. This is the most versatile option and most importantly it allows backfilling historic audit logs. On top of the API our customer success team would then provide an open source reference solution that exports these logs into a storage bucket. This option can be adapted to custom needs (e.g. S3, Azure Storage etc.) or even direct delivery into Azure Event Hub.
In terms of events, we'd first focus on security-relevant events (role binding changes, user events).
We are still planning and collecting customer feedback in this area, but our current plan is to provide a first iteration on a solution by end of 2025.
Polina Sadykova
Thank you! That's a fantastic idea. The more votes we gather, the faster we can move forward with it.