Work with audit logs
ArcGIS Enterprise on Kubernetes records user activity and system changes to audit logs. Audit logs are an important tool for monitoring and troubleshooting critical changes. With audit logs, you can identify the organization members or processes that made the critical changes, their effects on the system, and the time those events occurred.
Audit logs can be processed by Security Information and Event Management (SIEM) tools to generate an audit trail, track trends in user activity, and monitor and address any security threats or vulnerabilities.
Audit log events
Audit logs capture information for the following events:
- Accessing the organization portal site
- Creating, deleting, updating, and disabling member accounts
- Creating and updating user roles
- Adding and configuring groups
- Adding and removing members from a group
- Sharing items
- Changing item ownership
- Adding, updating, moving, and deleting items
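The SIEM-side processing mentioned above can be illustrated with a small normalizer and triage pass over collected audit lines. This is an added example, not code from ArcGIS Enterprise or Esri: the JSON record layout (fields time, type, user, action, target, source), the action names, and the sample lines are all constructed assumptions for illustration, since this page does not show the real audit record format. The example drops non-audit and malformed lines (the same role the page's grep -i audit filter plays), flags the account, role, and ownership events the page lists as the ones worth alerting on, and detects a burst of such changes by one member inside a short window.

```python
"""Normalize and triage audit log lines for SIEM ingestion (added example).

ASSUMPTION: audit records are one JSON object per line with the keys
time, type, user, action, target, source. This schema and the action
names are hypothetical; they are not the ArcGIS Enterprise record format.
"""
import json
from datetime import datetime, timezone

# Constructed sample input, mixing audit records with collector noise.
SAMPLE_LINES = [
    '{"time":"2024-05-01T08:00:12Z","type":"audit","user":"admin",'
    '"action":"CREATE_USER","target":"svc_deploy","source":"203.0.113.10"}',
    'level=info msg="health check ok"',  # non-audit line, must be dropped
    '{"time":"2024-05-01T08:01:40Z","type":"audit","user":"admin",'
    '"action":"UPDATE_ROLE","target":"svc_deploy","source":"203.0.113.10"}',
    '{"time":"2024-05-01T08:02:05Z","type":"audit","user":"jdoe",'
    '"action":"SHARE_ITEM","target":"item:abc123","source":"198.51.100.7"}',
    '{"time":"2024-05-01T08:02:30Z","type":"audit","user":"admin",'
    '"action":"CHANGE_OWNER","target":"item:abc123","source":"203.0.113.10"}',
    '{"time":"2024-05-01T08:03:00Z","type":"audit","user":"admin",'
    '"action":"DELETE_USER","target":"jdoe","source":"203.0.113.10"}',
    'not json at all {{{',  # malformed line, must be dropped
]

# Hypothetical action names for the account, role, and ownership events
# the page lists; these are the ones an analyst usually wants alerted.
HIGH_RISK_ACTIONS = {
    "CREATE_USER", "DELETE_USER", "DISABLE_USER",
    "CREATE_ROLE", "UPDATE_ROLE", "CHANGE_OWNER",
}


def parse_audit_lines(lines):
    """Return normalized dicts for valid audit records; skip everything else."""
    events = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # collector noise or truncated line
        if not isinstance(rec, dict) or rec.get("type") != "audit":
            continue
        ts = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({
            "ts": ts.replace(tzinfo=timezone.utc),
            "user": rec["user"],
            "action": rec["action"],
            "target": rec["target"],
            "source": rec.get("source"),
        })
    return events


def triage(events, window_seconds=300, threshold=3):
    """Emit alerts for high-risk actions and for bursts of them by one user.

    A burst is `threshold` or more high-risk actions by the same user whose
    timestamps fall within `window_seconds` of each other.
    """
    alerts = []
    high = [e for e in events if e["action"] in HIGH_RISK_ACTIONS]
    for e in high:
        alerts.append(("high_risk_action", e["user"], e["action"], e["target"]))

    by_user = {}
    for e in high:
        by_user.setdefault(e["user"], []).append(e["ts"])
    for user, times in by_user.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= threshold:
                alerts.append(("high_risk_burst", user, j - i, times[i].isoformat()))
                break  # one burst alert per user is enough
    return alerts


if __name__ == "__main__":
    for alert in triage(parse_audit_lines(SAMPLE_LINES)):
        print(alert)
```

Feed the real collector output to parse_audit_lines after adapting the field names to the actual record schema; the burst window and threshold are tuning knobs, not fixed values.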
View and capture audit logs
Audit events generated by ArcGIS Enterprise on Kubernetes are written to the standard output (stdout) streams of containers. Kubernetes retains these streams on the cluster node only as container log files, which are subject to rotation and are discarded when the container goes away. For long-term retention and analysis, configure a log aggregation solution, such as a log collector or a SIEM system, to ingest and store audit events.
Caution:
Without log collection or SIEM integration, audit logs will only be available while containers are running and may be lost when pods are restarted, rescheduled, or removed.
Fluent Bit containers running in the arcgis namespace collect the audit logs generated by ArcGIS Enterprise on Kubernetes. To view audit events for troubleshooting or validation, you can manually retrieve them using the following command example:
# List every pod in the arcgis namespace and read the stdout of its
# fluent-bit container. Pods that have no such container produce an
# error, which is discarded, and only lines mentioning "audit" are kept.
kubectl get pods -n arcgis --no-headers \
  | awk '{print $1}' \
  | while read -r pod; do
      kubectl logs -n arcgis "$pod" -c fluent-bit --ignore-errors 2>/dev/null
    done \
  | grep -i audit
To bound the amount of output, add --since=1h or --tail=<n> to the kubectl logs command; redirect the result to a file if you need to keep it, since it is otherwise only shown on screen.