We are reviewing Proxmox VE (PVE) and PBS from an audit and security monitoring perspective, specifically around logging and alerting for administrative changes (users, roles, ACLs, permissions).
Our requirement is to detect and alert when a user/role/permission/ACL is added, modified, or removed.
What we’ve tested:
Syslog / rsyslog forwarding
Linux auditd
Graylog ingestion with partial forwarding to Wazuh
Wazuh agents running on all PVE nodes
What we see consistently:
SSH authentication events
PAM authentication events
PVE GUI login success/failure
What we do not see:
User creation/deletion
Role or permission changes
ACL modifications
Policy-level changes
These events also do not appear in the PVE UI (Tasks, System Log, or Cluster Log) from what we can see.
Tested versions:
8.4.11
9.1
At this point we are trying to determine whether:
We are missing a supported/native audit mechanism for these events, or
Proxmox does not currently emit auditable events for administrative changes
Before resorting to filesystem-level auditing of /etc/pve, we’d like confirmation on current capabilities or roadmap plans in this area. Feedback or recommended approaches welcome.
Are we missing something?
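One way to approach the filesystem-level fallback mentioned in the post, as an added example (not part of the original post and not Proxmox code): compare a saved copy of the access-control file with the current one and report one event per added, removed or modified entry. It assumes that users, groups, roles and ACLs are stored as colon-separated lines in /etc/pve/user.cfg; the function names and both sample snapshots are constructed for illustration.

```python
# Assumption (not from the post): entries are colon-separated lines whose first
# field is the type (user, group, role, acl, ...), as in /etc/pve/user.cfg.
def parse_cfg(text):
    """Return {(kind, identifier): value} for every entry in a snapshot."""
    entries = {}
    for line in (raw.strip() for raw in text.splitlines()):
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) < 2:
            continue
        if fields[0] == "acl" and len(fields) >= 5:
            # acl:<propagate>:<path>:<subjects>:<roles>: -> one entry per grant
            _, propagate, path, subjects, roles = fields[:5]
            for subject in subjects.split(","):
                for role in roles.split(","):
                    entries[("acl", f"{path} {subject} {role}")] = propagate
        else:
            entries[(fields[0], fields[1])] = ":".join(fields[2:])
    return entries

def diff_cfg(old_text, new_text):
    """Return sorted (action, kind, identifier) tuples describing the changes."""
    old, new = parse_cfg(old_text), parse_cfg(new_text)
    events = []
    for key in sorted(old.keys() | new.keys()):
        if key not in old:
            events.append(("added", *key))
        elif key not in new:
            events.append(("removed", *key))
        elif old[key] != new[key]:
            events.append(("modified", *key))
    return events

# Constructed sample snapshots (not real data).
BEFORE = """\
user:alice@pve:1:0:Alice:Example:alice@example.com:::
group:ops:alice@pve::
role:VMOperator:VM.Audit,VM.Console:
acl:1:/vms:@ops:VMOperator:
"""
AFTER = """\
user:alice@pve:1:0:Alice:Example:alice@example.com:::
user:bob@pve:1:0:::bob@example.com:::
group:ops:alice@pve,bob@pve::
role:VMOperator:VM.Audit,VM.Console,VM.PowerMgmt:
acl:1:/vms:@ops:VMOperator:
acl:1:/:bob@pve:Administrator:
"""
if __name__ == "__main__":
    print(*diff_cfg(BEFORE, AFTER), sep="\n")
```

Splitting each ACL line into one entry per path, subject and role means a new grant appended to an existing line is reported as its own "added" event rather than as a generic change to the line.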