Processing Airlock IAM log output

The following picture gives a conceptual overview of the logging and reporting pipeline.


The logging mechanism in Airlock IAM supports multiple different use case scenarios:

  • Docker: customers that want to integrate log output into docker environments may use JSON formatted log output on standard output. This is the default setup when deploying a new IAM instance in a docker environment. For more details see: 
  • SIEM: customers that already have a SIEM infrastructure in place may use JSON formatted log output written to the file system and process these log files with a log agent of data collector of their choice. This is the default when deploying a new IAM instance as an SCA. More information may be found here: 
  • Standalone: customers that prefer to build a standalone logging solution may use the Elasticsearch log connector built into Airlock IAM. More information on this setup may be found here: 
  • Backward compatible: customers do not plan to migrate to the new logging option may continue to use the old style format of logging.

Note that Airlock IAM by design uses the logging to the file system for SIEM integration and standalone deployments. The file system is used as a caching mechanism. This ensures that in case of failures later in the pipeline, log messages are cached until the problem is resolved. 

To configure the logging component of Airlock IAM see: Logging configuration.