Stream all AuditEvents within a group to SIEM

Problem to solve

As a Security Operations Engineer I want to be able to create rules and alerts for sensitive actions within my organisation and use other tools available in my Security Information and Event Management (SIEM) system to identify malicious behaviour.

Currently it is possible to scrape the AuditEvents for individual groups or projects, but it is not possible to get all AuditEvents for nested groups and projects from a single source. For large organisations, scraping each project becomes unworkable and causes significant network overhead.

Intended users

Proposal

Allow configuration of AuditEvent log exporters at group and project levels. All AuditEvents within a group should be included.

Support log shipping using Fluentd, CEF and Syslog.
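As an added illustration of what a consumer of such an export would do with the events (this is example code, not GitLab's implementation or anything proposed in this issue): render audit events in CEF, the format named above, and flag the sensitive actions a SIEM rule would alert on. The event field names, the device version string and the sensitive-action list are assumptions; the sample events are constructed.

```python
"""Render constructed GitLab-style audit events as CEF and flag sensitive actions.

Added example, not code from this issue or from GitLab. The event shape
(author, entity_type, entity_path, action, details) is assumed, and the
sensitive-action list is illustrative.
"""
import json

# Constructed sample audit events; the field names are an assumption.
SAMPLE_EVENTS = [
    '{"author": "alice", "entity_type": "Group", "entity_path": "org/sec", '
    '"action": "add_member", "details": {"target": "mallory", "access_level": "Owner"}}',
    '{"author": "bob", "entity_type": "Project", "entity_path": "org/sec/app", '
    '"action": "push", "details": {"branch": "main"}}',
]

# Actions a SIEM rule would treat as sensitive, mapped to a CEF severity (0-10).
SENSITIVE_ACTIONS = {"add_member": 7, "remove_member": 5, "change_visibility": 8}

def _escape_header(value):
    # CEF header fields escape backslash and the pipe delimiter.
    return value.replace("\\", "\\\\").replace("|", "\\|")

def _escape_extension(value):
    # CEF extension values escape backslash, equals sign and newlines.
    return str(value).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")

def to_cef(event):
    """Render one audit event dict as a CEF:0 line (header|extension)."""
    action = event["action"]
    severity = SENSITIVE_ACTIONS.get(action, 1)
    extension = {"suser": event["author"], "cs1": event["entity_path"],
                 "cs1Label": event["entity_type"]}
    # Non-standard detail keys go into CEF custom string fields with labels.
    for i, (key, value) in enumerate(event.get("details", {}).items(), start=2):
        extension[f"cs{i}"] = value
        extension[f"cs{i}Label"] = key
    ext = " ".join(f"{k}={_escape_extension(v)}" for k, v in extension.items())
    # Device version "unknown" is a placeholder assumption.
    header = "|".join(_escape_header(h) for h in
                      ["CEF:0", "GitLab", "AuditEvent", "unknown", action, action, str(severity)])
    return f"{header}|{ext}"

def sensitive_events(lines):
    """Return CEF lines for the JSON events whose action is on the sensitive list."""
    out = []
    for line in lines:
        event = json.loads(line)
        if event["action"] in SENSITIVE_ACTIONS:
            out.append(to_cef(event))
    return out

if __name__ == "__main__":
    for cef in sensitive_events(SAMPLE_EVENTS):
        print(cef)
```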

What does success look like, and how can we measure that?

Ability to configure GitLab projects to forward all AuditEvents to a log aggregator and start alerting on events in Azure Sentinel or alternative SIEM.