mirror of
https://github.com/goauthentik/authentik.git
synced 2026-06-17 19:09:11 +03:00
7bdbfade30
* website/docs: add Splunk event forwarding docs

Add Splunk HEC event forwarding under system event docs and keep the Splunk integration guide focused on SAML.

Closes: #22223
Agent-thread: https://sdko.org/internal/thr/ak/019ea8d4-d4e4-7fc3-b3b6-aa8a16bd8d40
A7k-product: product
A7k-product-repo: 3
Co-authored-by: Agent <agent@svc.sdko.net>

* website/docs: move Splunk event forwarding guide

Move the Splunk event forwarding guide into integrations and add an Events log forwarding overview that links to it.

Agent-thread: https://sdko.org/internal/thr/ak/019eb29e-1b34-7681-b887-e03907dac184
A7k-product: product
A7k-product-repo: 3
Co-authored-by: Agent <agent@svc.sdko.net>

* website/integrations: remove Splunk HEC port

Use the generic splunk.company HEC endpoint in the Splunk event forwarding guide instead of hardcoding a deployment-specific port.

Agent-thread: https://sdko.org/internal/thr/ak/019eb29e-1b34-7681-b887-e03907dac184
A7k-product: product
A7k-product-repo: 3
Co-authored-by: Agent <agent@svc.sdko.net>

* Update website/docs/sys-mgmt/events/log-forwarding.mdx

Signed-off-by: Dewi Roberts <dewi@goauthentik.io>

---------

Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Agent <agent@svc.sdko.net>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
22 lines
1.7 KiB
Plaintext
---
title: Log forwarding
---

authentik records system, user, and admin activity as events. You can keep those events in authentik for investigation and audit workflows, or forward them to another system when you need longer retention, centralized search, alerting, or correlation with infrastructure and application logs.

## Forward all event logs

authentik writes every event it creates to the container logs at the `info` log level. To collect all events, forward the log output from all authentik containers to your logging platform. This is the recommended option when you want a complete copy of authentik events outside authentik.

When another system becomes the long-term event store, consider reducing authentik's internal event retention period in **System** > **Settings**. For example, set the retention period to `days=1` if authentik only needs to keep a short local buffer.

## Forward selected events

To send selected events to another system, create an event matcher policy, a notification transport, and a notification rule. This forwards only events that match the notification rule, which is useful for security alerts, high-value audit events, or integrations that should receive a narrower event stream.

Notification transports can send events locally, by email, or to a webhook. Webhook transports can be adapted to systems that accept HTTP event ingestion.
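
The following added example, which is not part of the authentik documentation or code base, sketches that adaptation as a small relay function: it wraps a webhook notification body in a Splunk HEC envelope and returns the request to send. The webhook field names, the `source` and `sourcetype` values, and the token are assumptions or placeholders; the `/services/collector/event` path and the `Authorization: Splunk <token>` header are Splunk's HEC interface.

```python
import json
import time

# Constructed sample. Field names are the assumed default webhook body.
SAMPLE_WEBHOOK_BODY = {
    "body": "login_failed: invalid password for jdoe",
    "severity": "alert",
    "user_email": "soc@example.org",
    "user_username": "soc-oncall",
    "event_user_email": "jdoe@example.org",
    "event_user_username": "jdoe",
}

REQUIRED_FIELDS = ("body", "severity")


def to_hec_request(payload, hec_base_url, token, now=None):
    """Wrap one webhook payload in a Splunk HEC envelope.

    Returns (url, headers, body_bytes) for any HTTP client to send.
    """
    if not hec_base_url.startswith("https://"):
        # The HEC token travels in a header, so refuse cleartext transport.
        raise ValueError("HEC endpoint must use https")
    missing = [k for k in REQUIRED_FIELDS if not payload.get(k)]
    if missing:
        raise ValueError(f"webhook payload is missing: {missing}")
    envelope = {
        "time": time.time() if now is None else now,
        "source": "authentik",  # hypothetical source value
        "sourcetype": "authentik:notification",  # hypothetical sourcetype
        "event": dict(payload),  # kept as JSON so fields stay searchable
    }
    headers = {
        "Authorization": f"Splunk {token}",
        "Content-Type": "application/json",
    }
    url = hec_base_url.rstrip("/") + "/services/collector/event"
    return url, headers, json.dumps(envelope, sort_keys=True).encode()


if __name__ == "__main__":
    url, headers, body = to_hec_request(
        SAMPLE_WEBHOOK_BODY, "https://splunk.company", "PLACEHOLDER-HEC-TOKEN")
    print(url)
    print(body.decode())
```
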

## Log forwarding integrations

For an example of integrating with a log forwarder, see [Forward events to Splunk Enterprise](/integrations/log-forwarding/splunk-enterprise/). That guide uses Splunk HTTP Event Collector (HEC), a generic webhook notification transport, and a notification rule to forward matching authentik events.