Logging all activity for ingestion in SIEM

Hello,

The audit module that we are running records actions made by users, but currently fails to display critical actions such as creating, modifying or deleting users, groups, roles, etc.

I say “critical” because our cybersecurity unit wants to ingest in their SIEM logs of all actions taken, and design scenarios to detect suspicious activity.

Would anyone have heard of a solution to this obligation of tracing all activity on Icinga (including users and API, Director and icinga2)?

Thank you,

Jean

Icinga Director has audit settings, but they need to be enabled.

For the roles there is currently no audit, but it seems reasonable to have this.

This, however, needs to be implemented in IcingaWeb2, so that would be a feature request on GitHub.

Thanks a lot, Nicolas! I had overlooked the audit log of Director.

I will submit an enhancement request on GitHub.