Processing Airlock IAM log output

The following picture gives a conceptual overview of the logging and reporting pipeline.

  • The logging mechanism in Airlock IAM supports multiple different use case scenarios:
  • Docker – customers that want to integrate log output into docker environments may use JSON formatted log output on standard output. This is the default setup when deploying a new IAM instance in a docker environment. See also IAM as Docker image.
  • SIEM (Security Information and Event Management) – customers with SIEM infrastructure in place may use JSON formatted log output written to the file system and process these log files with a log agent of data collector of their choice. This is the default when deploying a new IAM instance as an SCA. More information may be found here: Custom log agent/data collector.
  • Standalone – customers that prefer to build a standalone logging solution may use the Elasticsearch log connector built into Airlock IAM. More information on this setup may be found here: Reporting with Elasticsearch and Kibana.
  • Backward compatible – customers who do not plan to migrate to the new logging option may continue to use the old style logging format.

Note that Airlock IAM by design, uses the logging to the file system for SIEM integration and standalone deployments. The file system is used as a caching mechanism. This ensures that in case of failures later in the pipeline, log messages are cached until the problem is resolved. 

To configure the logging component of Airlock IAM see: Logging configuration.