
Forwarding IAM Security and Audit Logs to External SIEM Systems

Related products: Intelligent Application Manager, Indicium Service Tier
  • February 4, 2026

Currently, the following types of logs can be forwarded:

  • Operational and error logs: Indicium error logs
  • Telemetry logs: Azure Application Insights

However, it is not currently possible to forward security and audit logs generated by IAM to an external log collector.

To enable automated auditing of user actions within the Thinkwise Platform, there should be an option to forward these audit logs to an external log collector for centralised and automated analysis, such as a SIEM.

At a minimum, the logs must include:

  • Timestamp (UTC)
  • Actor (who performed the action)
  • Action (what was done)
  • Source (where the action originated)
  • Outcome (success, failure, denial, etc.)

Without these fields, a SIEM cannot reliably correlate events. Additional contextual information may be included where relevant, but sensitive data or secrets must never be logged.

As a transport mechanism, syslog is commonly used for forwarding security and audit logs and could serve as a practical starting point for this capability, either in structured (e.g. JSON) or standardised formats.
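One way the request above could look on the wire, as an added example that is not part of the original post and not Thinkwise code: an audit event carrying the five minimum fields, rendered as an RFC 5424 syslog line with a JSON message body. The lowercase field names, the hostname, the app name, the action name and the deny-list of sensitive keys are assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

REQUIRED = ("timestamp", "actor", "action", "source", "outcome")
# Assumed deny-list: values under these keys must never reach the log.
SENSITIVE = {"password", "secret", "token", "api_key", "authorization"}
FACILITY_LOG_AUDIT = 13  # RFC 5424 facility "log audit"
SEVERITY = {"success": 6, "failure": 4, "denial": 4}  # informational / warning

def scrub(value):
    """Recursively replace the values of sensitive keys."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if k.lower() in SENSITIVE else scrub(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [scrub(v) for v in value]
    return value

def to_syslog(event, hostname="iam01.example.internal", app="iam-audit"):
    """Validate an audit event (timestamp is a datetime) and format it."""
    missing = [f for f in REQUIRED if not event.get(f)]
    if missing:
        raise ValueError(f"audit event missing required fields: {missing}")
    ts = event["timestamp"]
    if ts.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    stamp = ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    body = scrub({**event, "timestamp": stamp})
    pri = FACILITY_LOG_AUDIT * 8 + SEVERITY.get(event["outcome"], 5)
    # JSON encoding escapes CR/LF, so a crafted field cannot split the record.
    payload = json.dumps(body, separators=(",", ":"), sort_keys=True)
    # <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
    return f"<{pri}>1 {stamp} {hostname} {app} - AUDIT - {payload}"

# Constructed sample event (all values are illustrative).
SAMPLE = {
    "timestamp": datetime(2026, 2, 4, 10, 15, 30, 123000,
                          tzinfo=timezone(timedelta(hours=1))),
    "actor": "j.doe",
    "action": "role.assign",
    "source": "203.0.113.10",
    "outcome": "denial",
    "context": {"target_role": "admin", "token": "abc123"},
}

if __name__ == "__main__":
    print(to_syslog(SAMPLE))
```

Sorting the keys and normalising the timestamp to UTC keeps every record in one predictable shape, which is what lets a SIEM parser correlate on actor, source and outcome.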

1 reply

Arie V
Community Manager
  • February 19, 2026
New → Open