Merged
9 changes: 4 additions & 5 deletions docs/cloud/index.mdx
Expand Up @@ -154,8 +154,7 @@ To learn more about how the Sourcegraph team operates managed SMTP internally, r

### Audit Logs

Our Cloud instances provide [audit logs](/admin/audit_log#cloud) to help you monitor and investigate actions taken by users and the system. These logs are available to download by request and are also sent to a [centralized logging service](https://about.sourcegraph.com/security#logging) for 30 day retention. Should you wish to
extend this period, please be aware that additional charges will apply.
Our Cloud instances provide [audit logs](/admin/audit_log#cloud) to help you monitor and investigate actions taken by users and the system. These logs are available to download by request and are also sent to a [centralized logging service](https://about.sourcegraph.com/security#logging) for 30 day retention. Should you wish to extend this period, please be aware that additional charges will apply.
To request an extension, please contact your assigned Customer Engineer (CE) or send an email to Sourcegraph Support at [email protected].

#### Download audit logs
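Review bot: The re-joined Audit Logs paragraph still reads "for 30 day retention"; since the line is being rewritten anyway, hyphenate it as "30-day retention". The unchanged line that follows ("To request an extension, ...") has no blank line before it, so it renders as part of the same paragraph; add a blank line if it is meant to stand alone.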
Expand All @@ -164,12 +163,12 @@ For requesting audit logs, please contact your our support team.

#### Deliver audit logs to customer-managed destination (LogPush)

Sourcegraph LogPush is an optional add-on to deliver audit logs to a customer provided destination. To enable this feature, please contact your assigned Customer Engineer (CE) or support team.
Sourcegraph LogPush is an optional add-on to deliver audit logs to a customer provided destination. To enable this feature, please contact your assigned Customer Engineer (CE) or support team to obtain the setup instructions for your destination.

Supported destinations:

- Google Cloud Storage (GCS)
- Amazon S3 (AWS)
- [Google Cloud Storage (GCS)](./logpush_gcs)
- [Amazon Web Services S3 (AWS)](./logpush_s3)

## Requirements

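Review bot: The new link text "Amazon Web Services S3 (AWS)" in the supported-destinations list does not match the title of the page it links to, "LogPush for Amazon S3 (AWS)", and effectively names AWS twice; "[Amazon S3 (AWS)](./logpush_s3)" would keep the list and the page consistent. In the added LogPush sentence, "customer provided destination" should be hyphenated as "customer-provided". The hunk header context also shows "please contact your our support team" just above this section, which could be fixed in the same pass.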
20 changes: 20 additions & 0 deletions docs/cloud/logpush_gcs.mdx
@@ -0,0 +1,20 @@
# LogPush for Google Cloud Storage (GCS)

## Overview

Our services will periodically push audit logs to customer-managed GCS bucket. Authentication and authorization are securely handled by GCP IAM service.

## Steps

To enable this feature, please contact your assigned Customer Engineer (CE) or support team to obtain the specific instruction. Below is a high level overview of the steps.

- Sourcegraph provides below information to customer:
- email of a Sourcegraph-owned GCP Service Account (GSA)
- a unique file to prove bucket ownership
- Customer to perform the following:
- creates a GCS bucket
- grants the Sourcegraph-owned GSA sufficient IAM roles to access the bucket
- uploads the ownership file to prove bucket ownership
- Customer to inform Sourcegraph of the bucket name

Once completed, Sourcegraph will complete the LogPush configuration and start sending logs to the customer-managed GCS bucket.
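Review bot: In the Steps list, "grants the Sourcegraph-owned GSA sufficient IAM roles to access the bucket" leaves the scope of the grant open, and a reader could satisfy it with a broad or project-level role. Name the minimum permission LogPush needs and say that it should be granted on the bucket itself. The ownership-file step would also benefit from saying where in the bucket the file goes and whether it must remain there after verification. Minor: the Overview needs an article, "to a customer-managed GCS bucket".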
31 changes: 31 additions & 0 deletions docs/cloud/logpush_s3.mdx
@@ -0,0 +1,31 @@
# LogPush for Amazon S3 (AWS)

## Overview

Our services will periodically push audit logs to customer-managed AWS S3 bucket. Authentication and authorization are securely handled by AWS Security Token Service with an explicit trust relationship between Sourcegraph-owned GCP identity (GCP Service Account) and the customer-managed AWS S3 bucket.

## Steps

To enable this feature, please contact your assigned Customer Engineer (CE) or support team to obtain the specific instruction. Below is a high level overview of the steps.

- Sourcegraph provides below information to customer:
- GCP identity (GCP Service Account)
- a unique file to prove bucket ownership
- Customer to perform the following:
- creates a S3 bucket
- configures the trust relationship with AWS IAM
- uploads the ownership file to prove bucket ownership
- Customer to inform Sourcegraph of the S3 bucket ARN and the AWS IAM role ARN

Once completed, Sourcegraph will complete the LogPush configuration and start sending logs to the customer-managed S3 bucket.

## FAQ

### How does the authentication work?

Sourcegraph will provide instructions on how to configure the trust relationship between the Sourcegraph-owned GCP identity (GCP Service Account) and the customer-managed AWS S3 bucket. We will also provide the example configuration in Terraform. At a high level:

- Customer creates a AWS IAM role:
- with a policy to permit such role to access the S3 bucket
- with a policy to permit the Sourcegraph-owned GSA to assume such role
- Sourcegraph assumes the provisioned AWS IAM role to access the bucket
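Review bot: The Overview and the first FAQ paragraph describe the trust relationship as being between the Sourcegraph-owned GCP identity and "the customer-managed AWS S3 bucket", but the FAQ bullets show that the trust is placed on the AWS IAM role, which the GSA assumes and which in turn has access to the bucket. Reword both sentences to say the trust relationship is between the Sourcegraph-owned GSA and a customer-managed AWS IAM role that is permitted to access the bucket. The bullet "with a policy to permit such role to access the S3 bucket" should state which access is required so customers can scope the role to that bucket and those actions only, and the trust-policy bullet should say that it is limited to the specific GSA Sourcegraph provides. Minor: "a S3 bucket" and "a AWS IAM role" should read "an S3 bucket" and "an AWS IAM role".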