Exporting Cloud Pak for Data audit records to Splunk

Important: IBM Cloud Pak® for Data Version 4.8 will reach end of support (EOS) on 31 July, 2025. For more information, see the Discontinuance of service announcement for IBM Cloud Pak for Data Version 4.X.

Upgrade to IBM Software Hub Version 5.1 before IBM Cloud Pak for Data Version 4.8 reaches end of support. For more information, see Upgrading from IBM Cloud Pak for Data Version 4.8 to IBM Software Hub Version 5.1.

You can export your Cloud Pak for Data audit records to Splunk.

Who needs to complete this task?
To complete this task, you must have one of the following roles:
  • Cluster administrator
  • Instance administrator
When do you need to complete this task?
Complete this task if you want to export Cloud Pak for Data audit records to Splunk.

Before you begin

Best practice: You can run many of the commands in this task exactly as written if you set up environment variables for your installation. For instructions, see Setting up installation environment variables.

Ensure that you source the environment variables before you run the commands in this task.

About this task

Cloud Pak for Data uses the Fluentd Splunk HTTP Event Collector (HEC) output plugin, fluent-plugin-splunk-hec, to integrate with Splunk. The zen-audit pods run Fluentd with the configuration that is stored in the zen-audit-config ConfigMap, and the plugin posts each audit record to the HEC endpoint on the Splunk server over HTTP or HTTPS.

To export your audit records to Splunk, complete the following tasks:

  1. Add an HTTP event collector for Cloud Pak for Data to Splunk.
  2. Configure Cloud Pak for Data to send events to Splunk. Choose one of the following options for your environment:
      • Edit the existing zen-audit-config ConfigMap.
      • Create a custom ConfigMap and point the zenService custom resource at it.

Add an HTTP event collector for Cloud Pak for Data to Splunk

From the Splunk dashboard:

  1. Click Settings > Data inputs.
  2. In the HTTP Event Collector section, click Add new.
  3. Give the Cloud Pak for Data instance a unique name.
  4. In the Source name override field, enter the source name to assign to events that this endpoint generates.
  5. In the Description field, enter a description for the input.
  6. If you want to enable indexer acknowledgment for this token, select Enable indexer acknowledgment.
  7. Configure the source type: create a source type that is specific to Cloud Pak for Data, use the automatic detection option, or select the generic JSON source type.
  8. Configure App Context and Indexes for your use case. The index that you select here is where the Cloud Pak for Data audit records are written, so restrict read access to it to the people who are allowed to see audit data.
  9. Click Review and then click Submit.
  10. Save the generated token value; you need it in a later step. Treat the token as a credential: anyone who holds it can write arbitrary events to the index that the input is assigned to.
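As an added check that is not part of the IBM procedure, the following shell script posts one test event to the HEC endpoint with the token from step 10 and tells you what to look at for each response, so that token, network and certificate problems surface before you change anything on the cluster. The host splunk.example.com, port 8088 and CA file path in the usage line are placeholder values; the endpoint path /services/collector/event and the Authorization: Splunk header are the standard HEC interface.

```shell
#!/bin/sh
# Added example, not IBM's or Splunk's code: smoke-test a Splunk HEC token with
# curl before pointing the zen-audit Fluentd at it.  Host, port, token and CA
# file are placeholders supplied on the command line.
set -eu

# Build the JSON body for one HEC event.  HEC expects the payload under "event";
# "sourcetype" overrides the input's default.  The message must not contain
# double quotes, because it is not escaped here.
hec_event_json() {
  # $1 = message text, $2 = sourcetype
  printf '{"event":{"message":"%s","origin":"cpd-audit-smoke-test"},"sourcetype":"%s"}' "$1" "$2"
}

# Post one event and print the HTTP status.  curl prints 000 when it cannot
# connect or the TLS handshake fails; "|| true" keeps set -e from aborting so
# the caller still gets that code.  Never add -k here: a handshake failure is
# exactly what you want to find before Fluentd runs into it.
hec_send() {
  # $1 = host, $2 = port, $3 = token, $4 = CA file (PEM), $5 = JSON body
  curl -sS -o /dev/null -w '%{http_code}' \
    --cacert "$4" \
    -H "Authorization: Splunk $3" \
    -H 'Content-Type: application/json' \
    --data "$5" \
    "https://$1:$2/services/collector/event" || true
}

# Translate the status into the next thing to check.
hec_status_hint() {
  case "$1" in
    200) echo "ok: HEC accepted the event; search the token's index in Splunk for origin=cpd-audit-smoke-test" ;;
    401|403) echo "token rejected: check the token value and that the HEC input is enabled" ;;
    400) echo "bad request: check the JSON body and the index assigned to the token" ;;
    000) echo "no HTTP response: check host/port, firewall, and that the CA file validates the HEC certificate" ;;
    *) echo "unexpected status $1: inspect the response body with curl -v" ;;
  esac
}

# Usage: sh hec_smoke.sh splunk.example.com 8088 <token> ./splunk-ca.pem
if [ "$#" -eq 4 ]; then
  body=$(hec_event_json "cpd audit smoke test" "_json")
  status=$(hec_send "$1" "$2" "$3" "$4" "$body")
  echo "HTTP $status -> $(hec_status_hint "$status")"
fi
```

Run it once with the token you just generated and the CA certificate you intend to put in the ConfigMap; a 200 with a matching event in the index proves token, index assignment and certificate chain together, which is the same combination Fluentd needs.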

Edit the zen-audit-config ConfigMap

You can edit the existing zen-audit-config ConfigMap to connect to your Splunk environment.

From the Cloud Pak for Data cluster:

  1. Change to the project where Cloud Pak for Data is installed:
    oc project ${PROJECT_CPD_INST_OPERANDS}
  2. Make a backup of the current zen-audit-config ConfigMap so that you can restore it if the edit breaks the audit pipeline (for example, save the output of oc get configmap zen-audit-config -o yaml to a file).
  3. Edit the zen-audit-config ConfigMap:
    oc edit configmap zen-audit-config
  4. Update the ConfigMap:
    1. Add the <store> configuration to the ConfigMap.
      Tip: The zen-audit-config ConfigMap includes a sample Splunk configuration, which is commented out by default.

      The <store> configuration must be inside the <match export export.** records records.** syslog syslog.**> tag and after the @type copy tag.

      Ensure that the entry is indented correctly.

    2. Replace the following variables with the appropriate values for your environment:
      <SPLUNK-HOST>
      Replace <SPLUNK-HOST> with the address of the Splunk host.
      <SPLUNK-PORT>
      Replace <SPLUNK-PORT> with the port on the Splunk server. The default port is 8088.
      <SPLUNK-TOKEN>
      Replace <SPLUNK-TOKEN> with the token that you generated on the Splunk server.
    3. If you want to use TLS to connect to Splunk, replace <XXXXXXXXX> in ca.pem with the PEM-encoded CA certificate that issued the Splunk HEC server certificate (for a self-signed HEC certificate, the certificate itself). The plugin uses this file to verify the Splunk server, so obtain it from the Splunk administrator out of band rather than from the connection you are about to trust.

    The contents of the ConfigMap depend on whether you want to use TLS:


    ConfigMap for connecting to Splunk using TLS (recommended)
    Important: If you want to use TLS to connect to Splunk, see SSL parameters in the fluent-plugin-splunk-hec Readme on GitHub to determine which parameters you need to specify in the <store> section of the ConfigMap.
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: zen-audit-config
    data:
      ca.pem: |
        -----BEGIN CERTIFICATE-----
        <XXXXXXXXX>
        -----END CERTIFICATE-----
      fluent.conf: |-
        <match export export.** records records.** syslog syslog.**>
          @type copy
          <store>
            @type splunk_hec
            hec_host <SPLUNK-HOST>    # Replace <SPLUNK-HOST> with the address of the Splunk host
            hec_port <SPLUNK-PORT>    # Replace <SPLUNK-PORT>. The default port is 8088
            hec_token <SPLUNK-TOKEN>  # Replace <SPLUNK-TOKEN> with the token that you generated
            flush_interval 10s        # Recommended value
            # Add SSL parameters here; https is the plugin default, so no protocol line is needed
            ca_file /fluentd/config/ca.pem
          </store>
        </match>

    ConfigMap for connecting to Splunk without TLS
    Important: Without TLS, the HEC token and the audit records themselves cross the network in clear text. Use this configuration only on a network that you trust end to end.
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: zen-audit-config
    data:
      fluent.conf: |-
        <match export export.** records records.** syslog syslog.**>
          @type copy
          <store>
            @type splunk_hec
            protocol http
            hec_host <SPLUNK-HOST>    # Replace <SPLUNK-HOST> with the address of the Splunk host
            hec_port <SPLUNK-PORT>    # Replace <SPLUNK-PORT>. The default port is 8088
            hec_token <SPLUNK-TOKEN>  # Replace <SPLUNK-TOKEN> with the token that you generated
            flush_interval 10s        # Recommended value
          </store>
        </match>

  5. Save the changes to the zen-audit-config ConfigMap. For example, if you are using vi, press Esc and enter :wq.
  6. Delete all zen-audit pods to force a restart to pick up changes:
    1. Get the list of zen-audit pods:
      oc get pods | grep zen-audit
    2. Delete the zen-audit pods.
      Tip: If there are multiple zen-audit pods, delete them one at a time and wait for the replacement pod to become Ready before you delete the next one, so that the audit service stays available during the restart.
      oc delete pods zen-audit-xxxxxx-xxx

      Replace zen-audit-xxxxxx-xxx with the ID returned by the oc get pods command.

Create a custom ConfigMap

You can create a custom ConfigMap to connect to your Splunk environment.

From the Cloud Pak for Data cluster:

  1. Change to the project where Cloud Pak for Data is installed:
    oc project ${PROJECT_CPD_INST_OPERANDS}
  2. Set the following environment variables. The names use underscores: a shell variable name cannot contain a hyphen, and ${SPLUNK-HOST} would be parsed as "the value of SPLUNK, or the literal text HOST if SPLUNK is unset", not as a variable named SPLUNK-HOST.
    1. Set CONFIGMAP_NAME to the name that you want to use for the custom ConfigMap:
      export CONFIGMAP_NAME=<configmap-name>
    2. If you want to use TLS, set TLS_CERT to the body of the PEM-encoded CA certificate that issued the Splunk HEC server certificate (the base64 lines between the BEGIN CERTIFICATE and END CERTIFICATE markers). The value is substituted inside a YAML block scalar, so if it spans several lines, every line must be indented to the same level as the BEGIN and END lines in the ConfigMap:
      export TLS_CERT=<certificate>
    3. Set SPLUNK_HOST to the address of the Splunk server:
      export SPLUNK_HOST=<hostname>
    4. Set SPLUNK_PORT to the port on the Splunk server. The default port is 8088.
      export SPLUNK_PORT=<port>
    5. Set SPLUNK_TOKEN to the token that you generated on the Splunk server:
      export SPLUNK_TOKEN=<token>
  3. Create the ConfigMap:
    ConfigMap for connecting to Splunk using TLS (recommended)
    Important: If you want to use TLS to connect to Splunk, see SSL parameters in the fluent-plugin-splunk-hec Readme on GitHub to determine which parameters you need to specify in the <store> section of the ConfigMap.
    cat <<EOF | oc apply -f -
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: ${CONFIGMAP_NAME}
      namespace: ${PROJECT_CPD_INST_OPERANDS}
    data:
      ca.pem: |
        -----BEGIN CERTIFICATE-----
        ${TLS_CERT}
        -----END CERTIFICATE-----
      fluent.conf: |-
        <match export export.** records records.** syslog syslog.**>
          @type copy
          <store>
            @type splunk_hec
            hec_host ${SPLUNK_HOST}
            hec_port ${SPLUNK_PORT}
            hec_token ${SPLUNK_TOKEN}
            flush_interval 10s        # Recommended value
            # Add SSL parameters here; https is the plugin default, so no protocol line is needed
            ca_file /fluentd/config/ca.pem
          </store>
        </match>
    EOF

    ConfigMap for connecting to Splunk without TLS
    Important: Without TLS, the HEC token and the audit records themselves cross the network in clear text. Use this configuration only on a network that you trust end to end.
    cat <<EOF | oc apply -f -
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: ${CONFIGMAP_NAME}
      namespace: ${PROJECT_CPD_INST_OPERANDS}
    data:
      fluent.conf: |-
        <match export export.** records records.** syslog syslog.**>
          @type copy
          <store>
            @type splunk_hec
            protocol http
            hec_host ${SPLUNK_HOST}
            hec_port ${SPLUNK_PORT}
            hec_token ${SPLUNK_TOKEN}
            flush_interval 10s        # Recommended value
          </store>
        </match>
    EOF

  4. Patch the zenService custom resource to specify the custom ConfigMap. The value must be a quoted JSON string, and a merge patch works whether or not spec.zen_audit_config_custom already exists in the resource:
    oc patch zenService lite-cr \
    -n ${PROJECT_CPD_INST_OPERANDS} \
    --type=merge \
    --patch '{"spec":{"zen_audit_config_custom":"'"${CONFIGMAP_NAME}"'"}}'
  5. Delete all zen-audit pods to force a restart to pick up changes:
    1. Get the list of zen-audit pods:
      oc get pods | grep zen-audit
    2. Delete the zen-audit pods.
      Tip: If there are multiple zen-audit pods, delete them one at a time and wait for the replacement pod to become Ready before you delete the next one, so that the audit service stays available during the restart.
      oc delete pods zen-audit-xxxxxx-xxx

      Replace zen-audit-xxxxxx-xxx with the ID returned by the oc get pods command.
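The following script is added here as an example; it is not IBM's code or part of the product. It carries out the custom-ConfigMap procedure above (and can regenerate the zen-audit-config ConfigMap from the edit procedure if you pass that name) while avoiding three pitfalls of the manual steps: shell variable names with hyphens, a multi-line CA certificate pasted into a YAML block scalar, and an unquoted value in the JSON patch. The host splunk.example.com, the project cpd-instance, the ConfigMap name cpd-splunk-audit, the CA file path and the function names are assumptions; the resource zenService/lite-cr, the field spec.zen_audit_config_custom, the Fluentd match and store sections and the mount path /fluentd/config/ca.pem are taken from the page. The insecure_ssl line spells out the plugin's default so that a later edit cannot silently leave verification off.

```shell
#!/bin/sh
# Added example, not IBM's code: render and apply a Splunk HEC ConfigMap for the
# zen-audit Fluentd, plus the zenService merge patch that selects it.
# All names on the command line are placeholders for your environment.
set -eu

# Shows why "export SPLUNK-HOST=..." from the manual steps cannot work: a hyphen is
# not legal in a variable name, and ${SPLUNK-HOST} means "$SPLUNK, or the literal
# text HOST if SPLUNK is unset", so the heredoc would contain "hec_host HOST".
hyphen_pitfall() {
  unset SPLUNK
  printf '%s' "${SPLUNK-HOST}"
}

# Render the ConfigMap YAML.  The CA file is indented line by line with sed so that
# an ordinary multi-line PEM file stays inside the YAML block scalar; the command
# substitution sits at column 0 so the first line is not indented twice.
# The HEC token is stored in clear text in the ConfigMap, so restrict who may read
# ConfigMaps in this project.
render_configmap() {
  # $1 = ConfigMap name, $2 = project, $3 = CA file (PEM), $4 = host, $5 = port, $6 = token
  cat <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: $1
  namespace: $2
data:
  ca.pem: |
$(sed 's/^/    /' "$3")
  fluent.conf: |-
    <match export export.** records records.** syslog syslog.**>
      @type copy
      <store>
        @type splunk_hec
        hec_host $4
        hec_port $5
        hec_token $6
        flush_interval 10s
        ca_file /fluentd/config/ca.pem
        insecure_ssl false
      </store>
    </match>
EOF
}

# Render the merge patch as valid JSON: the ConfigMap name is a quoted string.
render_patch() {
  printf '{"spec":{"zen_audit_config_custom":"%s"}}' "$1"
}

# Apply the ConfigMap, patch the zenService, then restart the audit pods one at a
# time so that at least one stays up.  Needs a logged-in oc; only runs when all six
# arguments are supplied.
apply_all() {
  render_configmap "$1" "$2" "$3" "$4" "$5" "$6" | oc apply -n "$2" -f -
  oc patch zenService lite-cr -n "$2" --type=merge --patch "$(render_patch "$1")"
  for pod in $(oc get pods -n "$2" -o name | grep zen-audit); do
    oc delete -n "$2" "$pod"
    sleep 5
    # wait until no zen-audit pod is outside the Running state before the next one
    until [ -z "$(oc get pods -n "$2" --no-headers | grep zen-audit | grep -v Running)" ]; do
      sleep 5
    done
  done
}

# Usage: sh cpd_splunk_audit.sh cpd-splunk-audit cpd-instance ./splunk-ca.pem splunk.example.com 8088 <token>
if [ "$#" -eq 6 ]; then
  apply_all "$@"
fi
```

Run render_configmap on its own first and read the YAML before applying it; with a real PEM file you should see every certificate line at the same four-space indentation as the BEGIN and END markers, which is the part the manual export TLS_CERT step gets wrong for multi-line values.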

Results

After the changes are applied, new audit events from Cloud Pak for Data are sent to Splunk. To confirm the connection, search the index that you assigned to the HEC token in Splunk for recent events, and check the logs of a zen-audit pod (oc logs <zen-audit-pod>) for connection, authentication or certificate errors reported by the splunk_hec output plugin.

What to do next

If you use the Identity Management Service, complete Enabling auditing for the Identity Management Service.