Beta Transparency. LogFleet is in active development. This page documents our current security posture and planned improvements. We believe in being honest about where we are.
Security Philosophy
LogFleet’s edge-first architecture is inherently more secure than cloud-first alternatives:
- Data stays local by default - Logs never leave your network unless you explicitly enable streaming
- Minimal attack surface - Only metrics (not raw logs) ship to cloud in normal operation
- Zero-trust networking - Tailscale mesh for remote access, no exposed ports
Current Security Features
Authentication
| Feature | Status | Notes |
|---|---|---|
| JWT-based authentication | [x] Implemented | RS256 signing, 24h expiry |
| API key authentication | [x] Implemented | For edge agents |
| Password requirements | [x] Implemented | 12+ chars, complexity rules |
| Rate limiting | [x] Implemented | Per-IP and per-user limits |
| Session management | [x] Implemented | Secure token handling |
Data Protection
| Feature | Status | Notes |
|---|---|---|
| TLS in transit | [x] Required | All API endpoints HTTPS-only |
| Encryption at rest | [!] Infrastructure-dependent | Use encrypted volumes |
| Log data isolation | [x] By design | Logs stay on edge devices |
| Multi-tenancy | [x] Implemented | Organization-level isolation |
Network Security
| Feature | Status | Notes |
|---|---|---|
| No inbound ports required | [x] By design | Agent initiates connections |
| Tailscale integration | [x] Supported | Zero-trust remote access |
| Firewall-friendly | [x] By design | Outbound HTTPS only |
Edge Agent Security
The edge agent runs in your infrastructure. Here’s how we secure it:
Container Security
```yaml
# Recommended security context for Kubernetes
securityContext:
  runAsNonRoot: true
  runAsUser: 65534 # nobody
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
```
Minimal Permissions
The edge agent needs:
- Read access to log files you configure
- Network access to LogFleet API (outbound HTTPS)
- Disk access for local buffering (configurable path)
It does not need:
- Root privileges
- Inbound network access
- Access to other containers or host resources
API Key Scoping
Edge agent API keys are scoped to specific permissions:
```jsonc
{
  "permissions": [
    "edge:register",  // Register this agent
    "edge:heartbeat", // Send heartbeats
    "edge:metrics",   // Push metrics
    "edge:stream"     // Stream logs (when enabled)
  ]
}
```
Create separate API keys for each edge location. Revoke compromised keys without affecting other locations.
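The following is an added illustration, not LogFleet's own code, of how per-location scoped keys behave under the rules above: each key carries only the four edge scopes listed on this page, `edge:stream` is additionally gated by an assumed organization-level `streaming_enabled` flag (mirroring "logs never leave your network unless you explicitly enable streaming"), and revoking one location's key leaves the others untouched. The store, the key record layout and the location names are assumptions made for the example.

```python
"""Scoped edge-agent API key check (illustrative, not LogFleet's code)."""
from dataclasses import dataclass
import hashlib
import hmac
import secrets

# The four scopes documented for edge agents; any other scope is rejected at issue time.
EDGE_SCOPES = frozenset({"edge:register", "edge:heartbeat", "edge:metrics", "edge:stream"})


def _digest(secret: str) -> str:
    # Only a hash of the high-entropy secret is kept server-side.
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class ApiKey:
    location: str          # one key per edge location (assumed record layout)
    scopes: frozenset
    key_hash: str
    revoked: bool = False


class EdgeKeyStore:
    def __init__(self, streaming_enabled: bool = False):
        self.streaming_enabled = streaming_enabled  # assumed org-level opt-in flag
        self._keys: dict[str, ApiKey] = {}

    def issue(self, location: str, scopes) -> tuple[str, str]:
        """Mint a key for one location carrying only the scopes it needs."""
        unknown = set(scopes) - EDGE_SCOPES
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        key_id, secret = secrets.token_hex(8), secrets.token_urlsafe(32)
        self._keys[key_id] = ApiKey(location, frozenset(scopes), _digest(secret))
        return key_id, secret

    def revoke(self, key_id: str) -> None:
        """Revoke a single key; keys for other locations are unaffected."""
        self._keys[key_id].revoked = True

    def authorize(self, key_id: str, secret: str, scope: str) -> bool:
        """True only if the key exists, is live, matches, and carries the scope."""
        rec = self._keys.get(key_id)
        if rec is None or rec.revoked:
            return False
        if not hmac.compare_digest(rec.key_hash, _digest(secret)):
            return False
        if scope == "edge:stream" and not self.streaming_enabled:
            return False  # streaming stays off until explicitly enabled
        return scope in rec.scopes
```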
Infrastructure
| Component | Provider | Security |
|---|---|---|
| API hosting | AWS | VPC, security groups, WAF |
| Database | PostgreSQL | Encrypted, private subnet |
| Secrets | AWS Secrets Manager | Automatic rotation |
| Monitoring | Internal | No third-party analytics |
Data Handling
- Metrics only: Cloud stores aggregated metrics, not raw logs
- Retention: Configurable per organization
- Deletion: Full data deletion available on request
- Backups: Encrypted, same-region storage
What We’re Working On
These features are planned but not yet implemented. We’re listing them for transparency, not as promises.
Planned Security Enhancements
| Feature | Priority | Target |
|---|---|---|
| SOC 2 Type II | High | 2025 |
| SSO/SAML integration | High | Q2 2025 |
| Audit logging | Medium | Q1 2025 |
| Role-based access control | Medium | Q2 2025 |
| IP allowlisting | Low | Q3 2025 |
| Hardware key support (WebAuthn) | Low | Q3 2025 |
Compliance Roadmap
| Standard | Status | Notes |
|---|---|---|
| GDPR | [x] Architecture supports | Data residency by design |
| SOC 2 | [o] In progress | Type I planned 2025 |
| HIPAA | [~] Planned | BAA available on Enterprise |
| ISO 27001 | [~] Future | Post-SOC 2 |
Security Best Practices
For Edge Deployments
- Use dedicated API keys - One per location, with minimum required permissions
- Enable disk encryption - Protect buffered logs at rest
- Restrict network egress - Only allow traffic to LogFleet API endpoints
- Monitor agent health - Set up alerts for missed heartbeats
- Update regularly - We release security patches as needed
For Cloud Usage
- Use strong passwords - We enforce requirements, but longer is better
- Rotate API keys - Especially for production environments
- Review access regularly - Remove unused accounts
- Monitor unusual activity - Check dashboard for unexpected patterns
Vulnerability Reporting
Found a security issue? We take this seriously.
Email: [email protected]
What to include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Your contact information (optional)
Our commitment:
- Acknowledge within 48 hours
- Provide status update within 7 days
- Credit reporters in our changelog (if desired)
We don’t currently have a formal bug bounty program, but we appreciate and acknowledge responsible disclosure.
Questions?
Security is a journey, not a destination. If you have questions about our security posture or need specific compliance documentation: