Exporting IBM Software Hub audit records to a security information and event management solution

You can configure IBM® Software Hub to forward audit records to a security information and event management (SIEM) solution, such as Splunk, Mezmo, QRadar, or Apache Kafka.

Overview

The Audit Logging Service is automatically installed when you install an instance of IBM Software Hub. However, you must enable and configure the Audit Logging Service if you want IBM Software Hub to collect and forward Cloud Auditing Data Federation (CADF) compliant audit records from the services that are associated with your IBM Software Hub deployment.

Tip: For details on the type of information that is included in the audit records, see Sample Cloud Pak for Data CADF Audit Records.

The Audit Logging Service is scoped to the project where the IBM Software Hub control plane is installed. If you install multiple instances of IBM Software Hub on the same cluster, each instance of the Audit Logging Service functions independently.

The CADF audit records for each instance are isolated from the other instances, and the records for each instance can be forwarded to different SIEM systems.

You can connect each instance of IBM Software Hub to one or more SIEM systems.

The Audit Logging Service uses Fluentd output plugins to forward and export audit records. When you enable the Audit Logging Service, you specify the external SIEM system that you want to forward the audit records to. The Audit Logging Service explicitly supports the following SIEM solutions:
  • Splunk
  • Mezmo
  • QRadar
  • Apache Kafka

You might be able to use another SIEM solution if it supports the Fluentd output plugins. Two of the most commonly used plugins are the TCP/IP forward plugin (@type forward) and the rsyslog plugin (@type remote_syslog).
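As an added example (not IBM's configuration, and not the layout of the zen-audit-config ConfigMap or zen-audit-secret, which this page does not show), the following Fluentd output configuration illustrates the two plugins named above feeding two SIEM systems at once, with TLS so audit records are encrypted in transit and file buffering so records are retried rather than dropped while a SIEM is unreachable. The hostnames, ports, certificate paths, and shared key are placeholders.

```conf
# Added example: Fluentd output configuration for the two plugins named above.
# Hostnames, ports, certificate paths and the shared key are placeholders.
<match **>
  @type copy                                # one record, delivered to every <store>

  # SIEM 1: forward protocol (TCP/IP) to a Fluentd collector in front of the SIEM
  <store>
    @type forward
    transport tls
    tls_cert_path /fluentd/etc/siem-ca.crt  # CA that signed the collector's certificate
    tls_verify_hostname true                # reject a collector presenting the wrong name
    <security>
      self_hostname zen-audit
      shared_key PLACEHOLDER_SHARED_KEY     # collector must be configured with the same key
    </security>
    <server>
      host siem-collector.example.com
      port 24224
    </server>
    <buffer>
      @type file
      path /fluentd/buffer/forward          # on-disk queue survives a pod restart
      flush_interval 5s
      retry_max_times 20
      retry_max_interval 300s
      overflow_action block                 # apply backpressure instead of discarding records
    </buffer>
  </store>

  # SIEM 2: syslog over TLS (RFC 5425 port) to an rsyslog-compatible receiver
  <store>
    @type remote_syslog
    host siem-syslog.example.com
    port 6514
    protocol tcp
    tls true
    ca_file /fluentd/etc/siem-ca.crt
    verify_mode 1                           # OpenSSL VERIFY_PEER: fail on an untrusted certificate
    facility local0
    severity info
    program zen-audit                       # tag that lets the SIEM separate audit from other syslog
    <format>
      @type json                            # keep the CADF record intact as a JSON payload
    </format>
    <buffer>
      @type file
      path /fluentd/buffer/syslog
      flush_interval 5s
      retry_max_times 20
    </buffer>
  </store>
</match>
```

A dropped or plaintext audit feed is itself an audit finding, so the TLS, verification and buffer settings are the parts to check against whichever receiver you actually use.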

You can also optionally forward the records to the zen-audit pod stdout log. Forwarding to stdout helps you confirm that all of the records are being forwarded to your SIEM system, but the stdout log is not recommended for long-term audit record management.

Support for audit logging in services

Audit logging is not supported by all components and services. For more information, see Services that support audit logging.

For information about the audit events that components and services generate, see Audit events.

Connecting to supported SIEM solutions

The method for connecting to your SIEM solution depends on the version of IBM Software Hub that you are running:

IBM Software Hub Version 5.1.1 and later
If you are running IBM Software Hub Version 5.1.1 or later, the configuration information for your SIEM is stored in a secret named zen-audit-secret.

IBM Software Hub Version 5.1.0
If you are running IBM Software Hub Version 5.1.0, the configuration information for your SIEM is stored in a ConfigMap.

You have two options for connecting to your SIEM solutions from IBM Software Hub:

Option 1: Manually edit the zen-audit-config ConfigMap
  Benefits: This option offers a straightforward method to connect to your SIEM solutions.
  Drawbacks:
  • If you change the configuration, you overwrite the current configuration.
  • If you want to use the same configuration across multiple deployments, you must specify the same information multiple times.

Option 2: Create a custom ConfigMap and specify it in the ZenService custom resource
  Benefits: Depending on your needs, this option enables you to:
  • Easily reuse the same configuration across multiple IBM Software Hub deployments.
  • Create and maintain one or more configurations in different ConfigMaps so that you can change your configuration without losing your current configuration.
  Drawbacks:
  • If you create more than one ConfigMap, you must keep track of the ConfigMaps that you create.
  • This option is not supported on remote physical locations.

Follow the appropriate steps to connect to your SIEM system:

Remember: You can connect each instance of IBM Software Hub to one or more SIEM systems. If you connect to multiple SIEM systems, you must use the same method to connect to each SIEM system.