Exporting Cloud Pak for Data audit records to the cluster
Upgrade to IBM Software Hub Version 5.1 before IBM Cloud Pak for Data Version 4.7 reaches end of support. For more information, see Upgrading IBM Software Hub in the IBM Software Hub Version 5.1 documentation.
You can optionally publish the audit logs to the zen-audit pod stdout logs on the cluster where Cloud Pak for Data is installed.
Before you begin
Ensure that you source the environment variables before you run the commands in this task.
About this task
This method is not recommended for long-term record management. Instead, this method is useful to validate that all of the records that are generated by the Audit Logging Service are sent to your SIEM system.
Choose the appropriate option for your environment:
Edit the zen-audit-config configmap
You can edit the existing zen-audit-config configmap to export the audit logs to the zen-audit pod stdout logs on the cluster.
From the Cloud Pak for Data cluster:
- Change to the project where Cloud Pak for Data is installed:
    oc project ${PROJECT_CPD_INST_OPERANDS}
- Make a backup of the current zen-audit-config configmap.
- Edit the zen-audit-config configmap:
    oc edit configmap zen-audit-config
- Add the <store> configuration to the configmap.
  Tip: The zen-audit-config configmap includes a sample stdout configuration, which is commented out by default.
  The <store> configuration must be inside the <match export export.** records records.** syslog syslog.**> tag and after the @type copy tag:
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: zen-audit-config
    data:
      fluent.conf: |-
        <match export export.** records records.** syslog syslog.**>
          @type copy
          <store>
            @type stdout
          </store>
        </match>
- Save the changes to the zen-audit-config configmap. For example, if you are using vi, press Esc and enter :wq.
- Delete all zen-audit pods to force a restart that picks up the changes:
  - Get the list of zen-audit pods:
      oc get pods | grep zen-audit
  - Delete the zen-audit pods.
    Tip: If there are multiple zen-audit pods, delete each pod individually to avoid a forced restart.
      oc delete pods zen-audit-xxxxxx-xxx
    Replace zen-audit-xxxxxx-xxx with the ID returned by the oc get pods command.
Create a custom configmap
You can create a custom configmap to export your audit records to the zen-audit pod stdout logs on the cluster.
From the Cloud Pak for Data cluster:
- Change to the project where Cloud Pak for Data is installed:
    oc project ${PROJECT_CPD_INST_OPERANDS}
- Set the following environment variables:
  - Set CONFIGMAP_NAME to the name that you want to use for the custom configmap:
      export CONFIGMAP_NAME=<configmap-name>
- Create the configmap:
    cat <<EOF | oc apply -f -
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: ${CONFIGMAP_NAME}
      namespace: ${PROJECT_CPD_INST_OPERANDS}
    data:
      fluent.conf: |-
        <match export export.** records records.** syslog syslog.**>
          @type copy
          <store>
            @type stdout
          </store>
        </match>
    EOF
- Patch the zenService custom resource to specify the custom configmap. The configmap name is a JSON string, so it must be wrapped in double quotes inside the single-quoted patch:
    oc patch zenService lite-cr \
      -n ${PROJECT_CPD_INST_OPERANDS} \
      --type='json' \
      --patch '[{"op": "replace", "path": "/spec/zen_audit_config_custom", "value": "'"${CONFIGMAP_NAME}"'"}]'
- Delete all zen-audit pods to force a restart that picks up the changes:
  - Get the list of zen-audit pods:
      oc get pods | grep zen-audit
  - Delete the zen-audit pods.
    Tip: If there are multiple zen-audit pods, delete each pod individually to avoid a forced restart.
      oc delete pods zen-audit-xxxxxx-xxx
    Replace zen-audit-xxxxxx-xxx with the ID returned by the oc get pods command.
Results
After the changes are applied, new audit events from Cloud Pak for Data are sent to the zen-audit pod stdout logs.
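The page presents the stdout copy as a way to validate that every record the Audit Logging Service generates reaches your SIEM. The following added Python example, which is not part of the IBM documentation or the product, parses the output of oc logs for a zen-audit pod and reports records whose IDs the SIEM did not ingest. It assumes fluentd's default stdout line format (time, tag, JSON record) and the tag prefixes from the page's <match> block; the record fields id, action and user, and the sample log lines, are constructed.

```python
import json
import re
from collections import Counter

# fluentd's stdout output plugin prints one record per line as
# "<time> <tag>: <json record>"; the tag prefixes below are the ones routed by
# the page's <match export export.** records records.** syslog syslog.**> block.
LINE_RE = re.compile(r"^(?P<time>\S+ \S+ \S+) (?P<tag>[^:]+): (?P<rec>\{.*\})$")
AUDITED_TAGS = ("export", "records", "syslog")

def parse_stdout(lines):
    """Yield (tag, record) for each audit record copied to the zen-audit stdout."""
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue  # container noise, not a fluentd stdout record
        tag = m.group("tag")
        if tag.split(".")[0] not in AUDITED_TAGS:
            continue  # some other fluentd tag, not an audit record
        try:
            yield tag, json.loads(m.group("rec"))
        except json.JSONDecodeError:
            continue  # truncated or malformed line; ignore it

def reconcile(lines, siem_ids, id_field="id"):
    """Compare audit records seen on stdout with the record IDs the SIEM ingested.

    id_field is an assumed name for the record's unique identifier."""
    seen = {}
    per_tag = Counter()
    for tag, rec in parse_stdout(lines):
        per_tag[tag] += 1
        if id_field in rec:
            seen[str(rec[id_field])] = tag
    missing = sorted(set(seen) - set(siem_ids))
    return {"per_tag": dict(per_tag), "total": len(seen), "missing_from_siem": missing}

# Constructed sample of `oc logs zen-audit-...` output (not real audit records).
SAMPLE_LOGS = """\
2024-05-01 10:00:00.000000000 +0000 export.cpd: {"id":"a1","action":"login","user":"alice"}
2024-05-01 10:00:01.000000000 +0000 export.cpd: {"id":"a2","action":"read","user":"bob"}
[fluentd] worker started
2024-05-01 10:00:02.000000000 +0000 records.cpd: {"id":"a3","action":"update","user":"alice"}
2024-05-01 10:00:03.000000000 +0000 other.tag: {"id":"zz","ignored":true}
""".splitlines()

if __name__ == "__main__":
    # Constructed list of IDs the SIEM reports having ingested; a3 is missing.
    print(reconcile(SAMPLE_LOGS, {"a1", "a2"}))
```

In practice, pipe the output of oc logs for each zen-audit pod into parse_stdout and pass the ID list exported from your SIEM as siem_ids.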