Configuring IBM Cloud Private to forward audit logs

You can enable audit logging for individual services to forward your audit logs to ELK or to SIEM.

For more information on generating audit logs, see Configuring IBM Cloud Private services to generate audit logs.

Enabling and disabling forwarding for audit logging

By default, forwarding is disabled. Each plug-in has a separate ConfigMap. See the following table for more information about audit logging ConfigMaps:

Table 1. Audit logging ConfigMaps
ConfigMap Description
audit-logging-fluentd-ds-config This ConfigMap is the primary ConfigMap for audit logging. Source plug-ins and output plug-ins are imported to this ConfigMap.
audit-logging-fluentd-ds-source-config Source plug-in ConfigMap
audit-logging-fluentd-ds-elk-config ELK output plug-in ConfigMap
audit-logging-fluentd-ds-remote-syslog-config IBM QRadar output plug-in ConfigMap
audit-logging-fluentd-ds-splunk-hec-config Splunk output ConfigMap

Enable and disable forwarding for audit logging from the management console with following steps:

  1. Log in to your IBM® Cloud Private cluster.

  2. From the navigation menu, click Configuration > ConfigMap.

  3. Select the audit-logging-fluentd-ds-config ConfigMap.

  4. Click the Open and close options icon and click Edit.

  5. Enable forwarding for audit logging by setting the ENABLE_AUDIT_LOGGING_FORWARDING parameter value to true.

  6. Disable forwarding for audit logging by setting the ENABLE_AUDIT_LOGGING_FORWARDING parameter value to false. If you disable forwarding, ignore step 7.

  7. Forward your audit logs to ELK or SIEM.

    Note: There is one input plug-in configuration file and multiple output plug-in configuration files in your ConfigMap. Be sure to use only one output plug-in at a time.

    • Edit the audit-logging-fluentd-ds-config file. Uncomment @include /fluentd/etc/elk.conf from the fluent.conf parameter to forward to ELK. You must keep other output plug-ins commented. Note: Ensure that the IBM Cloud Private logging service is deployed.

    • Edit the audit-logging-fluentd-ds-config file to forward audit logs to IBM QRadar with SIEM by uncommenting @include /fluentd/etc/remoteSyslog.conf. You must keep other output plug-ins commented.

    • Edit the audit-logging-fluentd-ds-config file to forward to Splunk by uncommenting @include /fluentd/etc/splunkHEC.conf. You must keep other output plug-ins commented.

      • Edit the audit-logging-fluentd-ds-splunk-hec-config and add the following information for Splunk: Splunk server host name, port number, and HEC token. For more information to update the audit-logging-fluentd-ds and audit-logging-fluentd-ds-splunk-hec-config files, see Integrating IBM Cloud Private with Splunk.

  8. Click Submit

  9. Remove all pods of the audit-logging-fluentd-ds Daemonset. Your pods are recreated automatically.

    • Remove the pods from the management console:

      1. Log in to your IBM Cloud Private cluster.
      2. From the navigation menu, click Workload > Daemonsets.
      3. Locate and click the audit-logging-fluentd-ds Daemonset.
      4. From the Pods section, delete each pod by clicking the Options icon.
      5. Click Remove.

    • Remove the pods with the Kubernetes CLI by running the following command:

       kubectl get pod -n kube-system -o wide | grep audit-logging-fluentd-ds- | awk '{print $1}' | xargs kubectl delete pod -n kube-system

Note:

Fluentd has an input plug-in that reads audit logs from journald. The plug-in is included in the audit-logging-fluentd-ds-source-config ConfigMap file.

The default path of journald is /run/log/journal. You can set a different path during cluster installation. For example, /var/log/journal. If you change the default journald path, you must update the path in following files: