Beta Transparency. LogFleet is in active development. This page documents our current security posture and planned improvements. We believe in being honest about where we are.
Security Philosophy
LogFleet’s edge-first architecture is inherently more secure than cloud-first alternatives:
- Data stays local by default - Logs never leave your network unless you explicitly enable streaming
- Minimal attack surface - Only metrics (not raw logs) ship to cloud in normal operation
- Zero-trust networking - Tailscale mesh for remote access, no exposed ports
Current Security Features
Authentication
| Feature | Status | Notes |
|---|---|---|
| JWT-based authentication | [x] Implemented | RS256 signing, 24h expiry |
| API key authentication | [x] Implemented | For edge agents |
| Password requirements | [x] Implemented | 12+ chars, complexity rules |
| Rate limiting | [x] Implemented | Per-IP and per-user limits |
| Session management | [x] Implemented | Secure token handling |
Data Protection
| Feature | Status | Notes |
|---|---|---|
| TLS in transit | [x] Required | All API endpoints HTTPS-only |
| Encryption at rest | [!] Infrastructure-dependent | Use encrypted volumes |
| Log data isolation | [x] By design | Logs stay on edge devices |
| Multi-tenancy | [x] Implemented | Organization-level isolation |
Network Security
| Feature | Status | Notes |
|---|---|---|
| No inbound ports required | [x] By design | Agent initiates connections |
| Tailscale integration | [x] Supported | Zero-trust remote access |
| Firewall-friendly | [x] By design | Outbound HTTPS only |
Edge Agent Security
The edge agent runs in your infrastructure. Here’s how we secure it:
Container Security
```yaml
# Recommended security context for Kubernetes
securityContext:
  runAsNonRoot: true
  runAsUser: 65534 # nobody
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
```
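To check a running deployment against the security context recommended above, the following added example (not LogFleet's own code) audits the JSON form of a Pod. The container names and the sample Pod are constructed; in Kubernetes only `runAsNonRoot` and `runAsUser` can be inherited from the pod-level context, so the remaining fields must appear on every container.

```python
# Added example: audit a Pod (JSON form, as from `kubectl get pod -o json`)
# against the security context recommended on this page.

def effective_context(pod_spec, container):
    """runAsNonRoot/runAsUser may be set at pod level and overridden per
    container; the other recommended fields exist only at container level."""
    pod_sc = pod_spec.get("securityContext") or {}
    merged = {k: pod_sc[k] for k in ("runAsNonRoot", "runAsUser") if k in pod_sc}
    merged.update(container.get("securityContext") or {})
    return merged

def audit_container(pod_spec, container):
    sc = effective_context(pod_spec, container)
    caps = sc.get("capabilities") or {}
    findings = []
    if sc.get("runAsNonRoot") is not True:
        findings.append("runAsNonRoot is not true")
    if sc.get("runAsUser") == 0:
        findings.append("runAsUser is 0 (root)")
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append("readOnlyRootFilesystem is not true")
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append("allowPrivilegeEscalation is not false")
    if "ALL" not in {c.upper() for c in caps.get("drop") or []}:
        findings.append("capabilities.drop does not include ALL")
    if caps.get("add"):
        findings.append("capabilities.add re-grants: " + ", ".join(caps["add"]))
    return findings

def audit_pod(pod):
    """Return {container_name: [findings]} for non-compliant containers."""
    spec = pod["spec"]
    containers = (spec.get("initContainers") or []) + (spec.get("containers") or [])
    report = {c["name"]: audit_container(spec, c) for c in containers}
    return {name: f for name, f in report.items() if f}

# Constructed sample; container names are hypothetical.
SAMPLE_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 65534},
    "containers": [
        {"name": "edge-agent", "securityContext": {
            "readOnlyRootFilesystem": True, "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]}}},
        {"name": "debug-sidecar", "securityContext": {
            "runAsUser": 0, "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"], "add": ["NET_ADMIN"]}}},
    ]}}

if __name__ == "__main__":
    for name, findings in audit_pod(SAMPLE_POD).items():
        print(name, findings)
```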
Minimal Permissions
The edge agent needs:
- Read access to log files you configure
- Network access to LogFleet API (outbound HTTPS)
- Disk access for local buffering (configurable path)
It does not need:
- Root privileges
- Inbound network access
- Access to other containers or host resources
API Key Scoping
Edge agent API keys are scoped to specific permissions:
```jsonc
{
  "permissions": [
    "edge:register",  // Register this agent
    "edge:heartbeat", // Send heartbeats
    "edge:metrics",   // Push metrics
    "edge:stream"     // Stream logs (when enabled)
  ]
}
```
Create separate API keys for each edge location. Revoke compromised keys without affecting other locations.
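One way to verify the one-key-per-location pattern and see what a revocation would touch, as an added example that is not LogFleet's own code or API. The inventory format, key ids, location names and the `placeholder:admin` scope are constructed for illustration; only the four `edge:*` scopes come from this page.

```python
# Added example: audit an API key inventory for the per-location,
# least-privilege pattern described above. Inventory format is hypothetical.

# The four edge scopes listed on this page.
EDGE_SCOPES = {"edge:register", "edge:heartbeat", "edge:metrics", "edge:stream"}

def audit_keys(keys, streaming_locations):
    """Return {key_id: [findings]} for keys that break the pattern."""
    report = {}
    for key in keys:
        perms, locs = set(key["permissions"]), set(key["locations"])
        findings = []
        extra = sorted(perms - EDGE_SCOPES)
        if extra:
            findings.append("scopes outside edge set: " + ", ".join(extra))
        if len(locs) > 1:
            findings.append("shared by locations: " + ", ".join(sorted(locs)))
        no_stream = sorted(locs - set(streaming_locations))
        if "edge:stream" in perms and no_stream:
            findings.append("edge:stream granted where streaming is off: "
                            + ", ".join(no_stream))
        if findings:
            report[key["id"]] = findings
    return report

def revocation_impact(keys, key_id):
    """Locations that lose their agent credential if key_id is revoked."""
    return sorted({loc for k in keys if k["id"] == key_id for loc in k["locations"]})

# Constructed inventory; ids, locations and "placeholder:admin" are made up.
SAMPLE_KEYS = [
    {"id": "key-berlin", "locations": ["berlin"],
     "permissions": ["edge:register", "edge:heartbeat", "edge:metrics"]},
    {"id": "key-shared", "locations": ["austin", "denver"],
     "permissions": ["edge:register", "edge:heartbeat", "edge:metrics", "edge:stream"]},
    {"id": "key-legacy", "locations": ["oslo"],
     "permissions": ["edge:heartbeat", "edge:metrics", "placeholder:admin"]},
]
STREAMING_ENABLED = {"austin"}  # locations where log streaming is turned on

if __name__ == "__main__":
    print(audit_keys(SAMPLE_KEYS, STREAMING_ENABLED))
    print(revocation_impact(SAMPLE_KEYS, "key-shared"))
```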
Infrastructure
| Component | Provider | Security |
|---|---|---|
| API hosting | AWS | VPC, security groups, WAF |
| Database | PostgreSQL | Encrypted, private subnet |
| Secrets | AWS Secrets Manager | Automatic rotation |
| Monitoring | Internal | No third-party analytics |
Data Handling
- Metrics only: Cloud stores aggregated metrics, not raw logs
- Retention: Configurable per organization
- Deletion: Full data deletion available on request
- Backups: Encrypted, same-region storage
What We’re Working On
These features are planned but not yet implemented. We’re listing them for transparency, not as promises.
Planned Security Enhancements
| Feature | Priority | Target |
|---|---|---|
| SOC 2 Type II | High | 2025 |
| SSO/SAML integration | High | Q2 2025 |
| Audit logging | Medium | Q1 2025 |
| Role-based access control | Medium | Q2 2025 |
| IP allowlisting | Low | Q3 2025 |
| Hardware key support (WebAuthn) | Low | Q3 2025 |
Compliance Roadmap
| Standard | Status | Notes |
|---|---|---|
| GDPR | [x] Architecture supports | Data residency by design |
| SOC 2 | [o] In progress | Type I planned 2025 |
| HIPAA | [~] Planned | BAA available on Enterprise |
| ISO 27001 | [~] Future | Post-SOC 2 |
Security Best Practices
For Edge Deployments
- Use dedicated API keys - One per location, with minimum required permissions
- Enable disk encryption - Protect buffered logs at rest
- Restrict network egress - Only allow traffic to LogFleet API endpoints
- Monitor agent health - Set up alerts for missed heartbeats
- Update regularly - We release security patches as needed
For Cloud Usage
- Use strong passwords - We enforce requirements, but longer is better
- Rotate API keys - Especially for production environments
- Review access regularly - Remove unused accounts
- Monitor unusual activity - Check dashboard for unexpected patterns
Vulnerability Reporting
Found a security issue? We take this seriously.
Email: security@logfleet.io
What to include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Your contact information (optional)
Our commitment:
- Acknowledge within 48 hours
- Provide status update within 7 days
- Credit reporters in our changelog (if desired)
We don’t currently have a formal bug bounty program, but we appreciate and acknowledge responsible disclosure.
Questions?
Security is a journey, not a destination. If you have questions about our security posture or need specific compliance documentation: