Configuring the audit settings
Use the Cloud Manager UI or the toolkit CLI to enable auditing and configure settings.
About this task
The audit feature tracks platform-level changes in API Connect through the use of platform APIs, CLI, and Web UI. For information on tracking run-time API execution, see API Analytics.
You can configure audit settings using either the Cloud Manager UI, or the Toolkit CLI.
Using the Cloud Manager UI to configure audit settings
Use the Cloud Manager user interface to enable auditing of customer API calls.
Before you begin
Configure one or more audit endpoints where logging data can be directed, and validate that every endpoint is available by testing the connection as explained in Configuring audit logging to monitor user operations.
About this task
By default, auditing is disabled. If you enable auditing, the API Connect management node emits audit events as messages and sends them to the endpoint for storage.
Procedure
Results
With the microservices nature of API Connect, any changes to the audit settings can take up to five minutes to be fully honored by all of the microservices supporting it.
What to do next
If you suspect that audit logging messages are not being received by the endpoint, see Verifying that the endpoint is receiving audit logging messages for information on validating the connection.
Using the CLI to configure audit settings
Use the IBM API Connect toolkit CLI to enable auditing of API calls.
Before you begin
Configure one or more audit endpoints where logging data can be directed, and validate that every endpoint is available by testing the connection as explained in Configuring audit logging to monitor user operations.
About this task
By default, auditing is disabled. If you enable auditing, the API Connect management node emits audit events as messages and sends them to the endpoint for storage.
audit_setting
options to enable auditing with the CLI toolkit: enable
- Boolean, defaults tofalse
(no audit). Set totrue
if you want to enable auditing.mode
- Enumerated, defaults tonon_block
. The audit mode determines how audit requests are timed when they are sent to the endpoint:non_block
- Default value, offers the best performance. Each request is passed immediately without waiting for a response to the previous request. This is susceptible to errors if a request is dependent on the results of an earlier request whose response is not received before the new request is sent.block
- If you select this mode, expect a degradation in performance. Each request is allowed to finish execution before the next request is sent. This mode results in fewer errors when requests are dependent on the responses of earlier operations, but the delayed requests slow the network.Note: Block mode is only applied to HTTP endpoints and is ignored for Syslog endpoints.
audit_reads
- Use this setting to enable auditing of read operations:enable
- Boolean, defaults tofalse
and no audit events are sent to the endpoint for read operations. Set totrue
if you want to enable audit logging for read operations.response_data_to_http_endpoints
- Configure additional settings for HTTP endpoints only (the settings do not apply to Syslog endpoints).enable
- Boolean, defaults tofalse
and audit events for GET operations are sent to the HTTP endpoint with no response data in the event. Set totrue
if you want to include the response data.Attention: If you choose to include the response data, be aware that the response might return large payloads, and might contain sensitive information.list_results_limit
- Integer, must be 0 or larger. Use this setting to specify the maximum number of results ofGET list
operations to include in the audit message (default is 0 results).If
audit_reads
is enabled, then the audit message for aGET
of a single object (for example,GET /orgs/admin
) always includes all of the properties of the response object.If the
list_results_limit
is set to 0, then the audit message for aGET
to list objects (for example,GET /orgs
) does not include any objects from the GET response. If you set thelist_results_limit
to a value greater than 0, then the audit message includes all properties from the firstlist_results_limit
number of objects from theGET /orgs
response.
endpoints
- Array of strings. You must specify at least one endpoint where the audit logging messages are sent. Endpoints can be of the following types: HTTP, Syslog UDP, Syslog TCP, or Syslog TLS.For HTTP and Syslog TLS endpoints, you can optionally include a TLS client profile URL. For HTTP endpoints, you can additionally include one or more optional headers. For example, if the endpoint requires an authorization header, you can include it in the endpoint setting.
endpoint_type
- String. Required. Allowed values are:http
,syslog_udp
,syslog_tcp
orsyslog_tls
.endpoint
- String. Required, must not be empty or blank. The URL of the server where audit logging messages will be sent. Include the protocol (http://
orsyslog://
) and the port, if applicable. For example,syslog://<hostname>:<port>
.tls_client_profile_url
- String. Optional; supported only for HTTP and Syslog TLS endpoints. The URL of the server where the endpoint's TLS client profile is stored.headers
- String. Optional; supported only for HTTP endpoints. Multiple headers are allowed. For each header, specify the header name and the header value using the format shown in the example.
The endpoint setting can be lengthy, so uploading the settings in a file helps to avoid errors. Format the settings as a .yaml file (you can choose the file name) and upload the file using the toolkit CLI. The following example enables auditing in non-blocking mode with multiple endpoints to demonstrate how the settings should be formatted.
audit_setting:
enabled: true
mode: non_block
audit_reads:
enabled: true
response_data_to_http_endpoints:
enabled: true
list_results_limit: 0
endpoints:
- endpoint_type: syslog_udp
endpoint:
endpoint: syslog://syslog-audit-endpoint.example_1.com:514
- endpoint_type: syslog_tls
endpoint:
endpoint: syslog://syslog-tls-audit-endpoint.example_1.com:1601
tls_client_profile_url: https://security.tls_example.com/api/orgs/d8eac736-b4e2-3aa6-c7ff-978a4cd19d0b/tls-client-profiles/19d0f087-b4e2-3aa6-926b-9f6d51d028c3
- endpoint_type: http
endpoint:
endpoint: https://mutt-audit-endpoint.example_1.com/auditing
- endpoint_type: http
endpoint:
endpoint: https://auditing-endpoint.example_1.com/inputs/64e38c02-acd9-6530-76f8-dd0f336d7b11
tls_client_profile_url: https://security.tls_example.com/api/orgs/d8eac736-b4e2-3aa6-c7ff-978a4cd19d0b/tls-client-profiles/19d0f087-b4e2-3aa6-926b-9f6d51d028c3
headers:
authorization: Basic c3Bvb246c2ltb25rYXRpZXVtYQ==
- endpoint_type: http
endpoint:
endpoint: https://auditing-endpoint.example_2.com/inputs/64e38c02-acd9-6530-76f8-dd0f336d7b11
headers:
authorization: Basic c3Bvb246c2ltb24=
x-header: ForYourEyeOnly
Procedure
Results
With the microservices nature of API Connect, any changes to the audit settings can take up to five minutes to be fully honored by all of the microservices supporting it.
What to do next
If you suspect that audit logging messages are not being received by the endpoint, see Verifying that the endpoint is receiving audit logging messages for information on validating the connection.