Glean collects a large set of logs. Some of these logs are used internally for Glean to function, and others can be exported by the customer to SIEMs for security monitoring. Glean uses a combination of AWS CloudWatch log groups and S3 buckets to store and process logs. All of these logs reside within the customer’s AWS account and can be inspected by the customer at any time.
AWS access to the Glean environment should be as limited as possible. S3 and CloudWatch can store sensitive data, so access to these resources should be restricted. Access to mutate IAM permissions within the Glean account should also be extremely limited.

Audit Log

All audit logs related to Glean itself are stored in the audit-log CloudWatch log group. Customers should integrate this log group with their SIEM to alert on and analyze user activity that takes place on the Glean platform. Because this is a CloudWatch log group, customers can use any AWS native tools or AWS native SIEM ingestion mechanisms to obtain the logs.

Sensitive Logs

Glean stores a number of logs that may be deemed sensitive. These are logs that should not leave the Glean environment. Glean provides a report in both JSON and Markdown formats outlining the CloudWatch Log Groups and S3 buckets that contain sensitive and non-sensitive data. To obtain this report, you will need AWS credentials from the Glean AWS account to pull contents from the glean-terraform-deploy-packages S3 bucket. The report is packaged in a zip file that contains the full Terraform deployable that Glean is packaged in. Here is how to retrieve it:
# ... Run this with AWS credentials for your Glean AWS account ...

# Get the latest stable release version:
RELEASE_VERSION=$(aws secretsmanager get-secret-value \
  --secret-id arn:aws:secretsmanager:us-east-1:518642952506:secret:glean-stable-external-release-version-e1R7Yq \
  --region us-east-1 \
  --query 'SecretString' \
  --output text)

# Fetch the zipped Terraform deploy package, which contains the report:
aws s3 cp "s3://glean-terraform-deploy-packages/full_terraform_deploy_${RELEASE_VERSION}.zip" .

After you unzip the file, the report will be available in:
  1. CloudWatch:
    • Markdown: terraform/glean.com/docs/aws/glean_cloudwatch_logging_resources.md
    • JSON: terraform/glean.com/docs/aws/glean_cloudwatch_logging_resources/cloudwatch_log_group_sensitivity.json
  2. S3:
    • Markdown: terraform/glean.com/docs/aws/glean_s3_resources.md
    • JSON: terraform/glean.com/docs/aws/glean_cloudwatch_logging_resources/s3_sensitivity.json
The JSON file is useful if you want to automate log collection for non-sensitive resources.
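One way to drive SIEM forwarding from the JSON report so that only resources explicitly marked non-sensitive are collected. This is an added example, not Glean's own code. The report schema is not shown on this page, so the record shape (`name`, `sensitive`) and every log group name other than audit-log are assumptions to adapt after opening the real file.

```python
import json

# Constructed sample. The real report's schema is not documented on this page;
# a list of {"name", "sensitive"} records is an ASSUMED shape.
SAMPLE_REPORT = json.loads("""
[
  {"name": "audit-log",             "sensitive": false},
  {"name": "example-query-traces",  "sensitive": true},
  {"name": "example-deploy-events", "sensitive": false},
  {"name": "example-unlabelled"}
]
""")


def classify(report):
    """Map resource name -> True only if every record marks it non-sensitive."""
    exportable = {}
    for entry in report:
        name = entry.get("name")
        if not isinstance(name, str) or not name:
            continue  # malformed record: nothing to allow
        # Fail closed: a missing, null or non-boolean flag counts as sensitive,
        # and a duplicate record can revoke but never grant exportability.
        ok = entry.get("sensitive") is False
        exportable[name] = exportable.get(name, True) and ok
    return exportable


def plan_export(report, deployed_groups):
    """Split deployed log groups into (forward_to_siem, keep_in_account)."""
    exportable = classify(report)
    forward, keep = [], []
    for group in sorted(set(deployed_groups)):
        # A group absent from the report is unclassified, so it stays put.
        (forward if exportable.get(group, False) else keep).append(group)
    return forward, keep


if __name__ == "__main__":
    # Constructed list standing in for the log groups found in the account.
    deployed = ["audit-log", "example-query-traces", "example-deploy-events",
                "example-unlabelled", "example-new-group"]
    forward, keep = plan_export(SAMPLE_REPORT, deployed)
    print("forward to SIEM:", forward)
    print("keep in account:", keep)
```

Re-run the plan against the report from each new release, since a log group that first appears after an upgrade stays in the keep list until the report classifies it.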