ModernOps

Audit logs streaming
Published On May 16, 2024 - 1:57 PM


Learn how you can stream audit logs to an external system.
Audit logs are written in a native format and stored internally. Capabilities include the following:
  • Audit logs are written in the Cloud Auditing Data Federation (CADF) format.
  • A configuration setting allows audit logs either to be stored internally or to be saved to disk (file system). If this setting is enabled, the audit logs are pushed to disk at the configured location.
If audit logs are stored to a file system, the user interface (UI) for displaying audit logs is not supported within the Kyndryl Platform. There is no change to the existing functionality.
The configuration settings may not be available via the UI for your release.
  1. Enable the streaming in DevOps.
    a. Deploy using the K-8 Templates.
      • In Devops-core config/secrets.json, set the value of the following keys to true:
        • IS_AUDIT_STREAM: true
        • IS_ICP: true
    b. Deploy using Helm.
      • In Devops-core charts/stable/ibm-cloud-mgmt-platform-prod/values.yaml, set the value of the following key to true:
        • isAuditStream: true
      • In ICP environments, a new key called isIcp is pushed into values.yaml with its value set to true.
      • In Helm deployments, audit streaming is enabled only if both of the above keys (isAuditStream and isIcp) are equal to true.
  2. Configure the audit log streaming location and file name.
    a. Use the following API to set the configuration:
       POST https://{Your gateway}/core/portalpreferences/v1/configvalues
       Payload:
       {
         "configurationkey": "mcmpCustomization",
         "configurationvalue": {
           "auditConfig": {
             "auditlogLocation": "test/ibm",
             "auditlogFileName": "audit_test"
           }
         },
         "responsetype": "application/json",
         "decode": false
       }
    b. If you do not set this configuration, the default location for the audit log stream is /var/log/audit and the default file name is audit.log.
    c. If you provide a location in the configuration, the path you provide is appended to /var/log/audit, and the file name you provide is used for the streamed audit logs. Example: if you provide the location /test/ibm, your effective path is /var/log/audit/test/ibm. You can find your audit log file in this path inside the container.