Auditing Secure Tunnel
You can audit Secure Tunnel configuration changes, such as changes to tunnel connections or application mapping configurations.
How to audit Secure Tunnel
Go to Administration > Secure Tunnel on the IBM Cloud Pak for Watson AIOps console. You see the Audit operations and Audit traffic tabs.
- In the Audit operations tab, you can see the operation logs, such as deleting a connection or creating a connection. You can filter the logs by changing the start time and end time in the Start time and End time fields.
  Note: You can click the Operation details column to see more about the tunnel operation.
- In the Audit traffic tab, the tunnel open/close connection events are listed, and a total send/receive data amount for the specific connection is listed in the close event. You can filter the logs by changing the start time and end time in the Start time and End time fields.
Configuring Secure Tunnel audit logs
Secure Tunnel can send audit logs to its container log, a MongoDB database, and a remote syslog server. By default, Secure Tunnel sends audit logs to its container log, and thus you can't see audit logs on the Secure Tunnel console. To check audit logs on the Secure Tunnel console, you need to send audit logs to MongoDB. To check audit logs on the query user interface of a specific syslog, you need to send audit logs to the remote syslog server.
Configuring with the operator UI when creating a Secure Tunnel installation
- When you create the Secure Tunnel instance from your OpenShift console, click Operators > Installed Operators.
- From the Project dropdown menu, select the project that you want to create the Secure Tunnel instance in. Use the project that you created earlier in Create a Secure Tunnel project (namespace).
- Select IBM Secure Tunnel operator.
- Click Create Installation on the Tunnel box. The default Form View is displayed. Edit the Audit logs to configure the audit log receivers of the Secure Tunnel:
  - Show audit logs in the container log: Whether the Secure Tunnel should send audit logs to its container log (the pod terminal).
  - Audit Receiver: Add a MongoDB audit log receiver or a Syslog audit log receiver.
    - To add a MongoDB audit log receiver, click MongoDB receiver > Add MongoDB receiver, and then click MongoDB Information. Enter the following values:
      - Receiver name: The unique name of the MongoDB audit log receiver, for example: mongodb-receiver-1.
      - TLS Secret: If you want the MongoDB to support TLS, you should create a TLS Kubernetes secret for the MongoDB TLS certificate, and enter the Kubernetes secret name here. The Kubernetes secret should be in the Secure Tunnel namespace and contain the "ca.crt", "tls.crt" and "tls.key" of the MongoDB TLS. TLS secret example:
          kind: Secret
          apiVersion: v1
          metadata:
            name: mongodb-tls-certificate
            namespace: tunnel-stand-alone
          data:
            ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURDVENDQWZHZ0F3SUJBZ0lRTjRtVDZOTFgxZjF1K0pSVFR4LzRoakFOQmdrcWhraUc5dzBCQVFzRkFEQWcKTVI0d0hBWURWUVFERXhWMGRXNXVaV3d0Y21WaFpHbHVaWE56TFdObGNuUXdIaGNOTWpJd01qRXlNVFV4TURReQpXaGNOTXpJd01qRXdNVFV4TURReVdqQWdNUjR3SEFZRFZRUURFeFYwZFc1dVpXd3RjbVZoWkdsdVpYTnpMV05sCmNuUXdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFEUFA0MHQ4WG5aWmZNTUdzVWoKZ0FlNkpJUE90OXlWVVV1Y2ppM3dHZVJwaUszVDdBY2EvQzdTUHprenE4YkRyZnVwMUZDc0hYTFo0RmFSeS9BVQpTV0RtQ3NPZXpNYzFjNkYyUkJ0Y1djOGF4VDRlVEI2VE9DeTQ3cFdaOVJNVjJnQUNJQktDc1JWZHIzZ1JQY1F6CmtCbWptSERFRTVtOUlrNVFSYktFMWl2SDV0NjhXMHFaNEZWUDNuQS9WSXhBaXlHNDczYVFFbHg5NFc1OFV4a24KRkNOSzdEZjkycE1GUS95QmdlMEkvb1VUWUpicHdQMDBMTE1XTTgyalJ1OFJ6Q0F6SUhaNXVTUXp0UGhYQWZQVQpwS3NtRVRNVms1a2MvQnN1VW9QWDhGeFl1di85RHNiOEw1K21sSFJZcFRNUVhhWWs0cG1nODdYSFF5RDdnb1V1CnJmejdBZ01CQUFHalB6QTlNQTRHQTFVZER3RUIvd1FFQXdJQ3BEQVBCZ05WSFJNQkFmOEVCVEFEQVFIL01Cb0cKQTFVZEVRUVRNQkdDQ1d4dlkyRnNhRzl6ZEljRWZ3QUFBVEFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBQlBxbwpuL01NODV6QnBBZ2poUTVIYkdOU0l2MVBOWkw0MmJ3blhkbVRFQVR3WHFQbzlUWmIvd0htS3hUUFJ4TjhDLzRvCmFxaEdkMmRPb21zTjJ1SStNTE5JMjZVak1VNWFxVS8zajdMYzV1QmJQVHRXVURnZXE2aTFUdXVDNncrd1hTRjYKRlV4YTFVYjF2dWZkZzl3OHREWlF2dWlnQlkwaCtYWnNjckFQVVdzNGZQMnpTQytYSElSSCtENXltR1NlWk4zeQpoam9LdGVCQTFVNlpZemtWVDVHV1QwK1p0MVBXUS8wQmQ4RUxzSHRjOHkrVGZVckZvaUkxNlRWYm8vUDlJNlhVCnBhaXU2SFJFUFh6MFdISnppSUZyRUE2dFZIdmJXMzdFMnJmR0ZSUWxCSnM1T0RyWTJHQndKM0RCd3MzbGN4cWUKZURyQTNzaWRZWE9TSThvMFRRPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
            tls.crt: <base64-encoded TLS certificate>
            tls.key: <base64-encoded TLS private key>
          type: kubernetes.io/tls
      - Database name: The database name of the MongoDB receiver, for example: mongodb-audit-log-receiver-1
      - Address: The MongoDB receiver address, for example: <IP or hostname>:27017
      - MongoDB log in Username, Password Secret: By default, MongoDB does not require a username and password for access, but this can be enabled by configuring authentication. If the MongoDB has a username and password, you should create a Kubernetes secret that contains user: <MongoDB username> and password: <MongoDB password> in the Secure Tunnel namespace, then enter the secret name here. Kubernetes secret example:

          kind: Secret
          apiVersion: v1
          metadata:
            name: mongodb-credential
            namespace: tunnel-stand-alone
          data:
            password: YmJiYg==
            user: YWFhYQ==
          type: Opaque

    - To add a Syslog audit log receiver, click Syslog receiver > Add Syslog receiver. Enter the following values:
      - Receiver name: The unique name of the Syslog audit log receiver, for example: syslog-receiver-1.
      - Address: The syslog server address, for example: <IP or hostname>:5514
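
As an added example (not part of the IBM documentation or tooling), the following shell functions render the two Secrets that a MongoDB receiver references from local inputs, so that no value is base64-encoded by hand. The function names are hypothetical; the key names and Secret types are the ones listed above.

```shell
#!/bin/sh
# Added example: render the two Secrets that a MongoDB audit receiver references.
# Helper names are hypothetical; key names and Secret types are the ones the page lists.
set -eu

# Single-line base64. Values under "data:" are encoded, not encrypted.
b64() { base64 | tr -d '\n'; }

# Login Secret: the keys must be "user" and "password".
render_credential_secret() {  # args: name namespace user password
  cat <<EOF
kind: Secret
apiVersion: v1
metadata:
  name: $1
  namespace: $2
data:
  password: $(printf '%s' "$4" | b64)
  user: $(printf '%s' "$3" | b64)
type: Opaque
EOF
}

# TLS Secret: refuses to render when an input is missing or is not PEM.
render_tls_secret() {  # args: name namespace ca.crt tls.crt tls.key (file paths)
  for f in "$3" "$4" "$5"; do
    grep -q -- '-----BEGIN ' "$f" 2>/dev/null ||
      { echo "not a PEM file: $f" >&2; return 1; }
  done
  cat <<EOF
kind: Secret
apiVersion: v1
metadata:
  name: $1
  namespace: $2
data:
  ca.crt: $(b64 < "$3")
  tls.crt: $(b64 < "$4")
  tls.key: $(b64 < "$5")
type: kubernetes.io/tls
EOF
}

# Decode one "data" value from a manifest on stdin, to confirm what was stored.
secret_value() {  # args: key
  awk -v k="$1:" '$1 == k { print $2 }' | base64 --decode
}
```

Pipe the rendered manifest to `oc apply -f -` rather than saving it to disk: anyone who can read the manifest or the Secret can decode the values, as `secret_value` shows.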
Configuring YAML to update the existing Tunnel instance
- From the OpenShift console, click Operators > Installed Operators.
  - From the Project dropdown menu, select the project that you created the Secure Tunnel instance in.
  - Click the IBM Secure Tunnel > Tunnel tab, click the existing sre-tunnel instance, and then change to the YAML tab.
- To make Secure Tunnel send audit logs to its container log, the YAML that you opened in step 1 should be as follows:

    spec:
      ...
      showInContainerLog: true
      ...

- To make Secure Tunnel send audit logs to MongoDB, configure the YAML as follows:

    spec:
      ...
      auditReceiver:
        mongoDB:
          - mongoAddress: '<IP or hostname that the MongoDB running in>:27017'
            mongoDatabaseName: secure-tunnel-001
            name: mongodb-audit-log
            passwordSecretName: <The name of the Kubernetes secret that saved the MongoDB username and password>
            tlsSecret: <The name of the Kubernetes secret that saved the SSL certificate of the MongoDB service>
      ...

- To make Secure Tunnel send audit logs to a remote syslog server, configure the YAML as follows:

    spec:
      ...
      auditReceiver:
        syslog:
          - name: syslog
            syslogAddress: '<IP or hostname that the Syslog service running in>:5514'
      ...

Tip: It's easier to configure the audit log with the method in Configuring with the operator UI when creating a Secure Tunnel installation. You can configure it there, switch to the YAML view to obtain the configuration YAML, and then update the YAML of the existing Secure Tunnel instance to configure the audit log.