Light Dark Auto

Audit Logs

Event auditing

How does event auditing work?

Individual Service

At the level of the individual service, event auditing works as follows:

  1. One proxy collects all metrics that happen on the individual service.
  2. At the Edge, they extract the PKI/cert.
  3. The user that has accessed the service from outside Fabric is then decomposed based on one of the observable fields emitted by the Sidecar proxy.
  4. This information, coupled with IP address information from the originating request, is added to the stack of the xForwardedForIp information.


At the service-to-service level, the sidecar tracks service-to-service calls within Fabric. This enables architecture inference and service dependency observation.

Observable Indexer also has an observable indexer which can capture geolocation info and move it into Elasticsearch. Customizable event mappings are also available. These can be tailored per individual route so that a POST request may result in an EventAccess event in one route, while resulting in EventCreate on another.