Exporting Cloud Pak for Data audit records to LogDNA
Before you begin
Ensure that you source the environment variables before you run the commands in this task.
About this task
Cloud Pak for Data uses the LogDNA Fluentd plugin to integrate with LogDNA.
To export your audit records to LogDNA, complete the following tasks:
- Get the Fluentd configuration snippet to connect to your LogDNA organization.
- Configure Cloud Pak for Data to send events to LogDNA. Choose the appropriate option for your environment:
  - Edit the zen-audit-config configmap.
  - Create a custom configmap.
Get the Fluentd configuration snippet to connect to your LogDNA organization
In the LogDNA client:
- On the web client home page, select Fluentd in the Via Platform section.
- Copy or download the configuration snippet from the If you use Fluentd section.
  The snippet has the following format:

      <match your_match>
        @type logdna
        api_key YOUR-APIKEY
        hostname "#{Socket.gethostname}" # your hostname (required)
        app my_app # replace with your app name
        #mac C0:FF:EE:C0:FF:EE # optional mac address
        #ip 127.0.0.1 # optional ip address
      </match>
- Edit the snippet:
  - Replace the opening and closing <match> tags with <store> tags.
  - Add the following parameters after the ip entry:

        buffer_chunk_limit 1m # optional: Parameter to improve performance
        flush_at_shutdown true # optional: Parameter to improve performance

  - Remove the #mac and #ip entries from the snippet.
  The updated snippet should resemble the following example:

      <store>
        @type logdna
        api_key YOUR-APIKEY
        hostname "#{Socket.gethostname}" # your hostname (required)
        app my_app # replace with your app name
        buffer_chunk_limit 1m # optional: Parameter to improve performance
        flush_at_shutdown true # optional: Parameter to improve performance
      </store>

- Save the updated snippet.
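The three snippet edits above, applied with awk and then checked before the result is pasted into the configmap, as an added example that is not part of the IBM documentation; the LogDNA snippet it converts is constructed from the format shown above:

```shell
# Added example, not from the Cloud Pak for Data documentation: apply the
# three snippet edits above with awk, then check the result before pasting it
# into zen-audit-config. The LogDNA snippet below is constructed.

# Convert the LogDNA <match> snippet on stdin into a <store> block on stdout.
logdna_snippet_to_store() {
  awk '
    /^[[:space:]]*<match[^>]*>[[:space:]]*$/ { print "<store>"; next }
    /^[[:space:]]*<\/match>[[:space:]]*$/ {
      print "  buffer_chunk_limit 1m # optional: Parameter to improve performance"
      print "  flush_at_shutdown true # optional: Parameter to improve performance"
      print "</store>"
      next
    }
    /^[[:space:]]*#(mac|ip)[[:space:]]/ { next }   # drop the commented-out mac/ip lines
    { print }
  '
}

# Return 0 when a <store> block has the shape zen-audit-config expects:
# store tags instead of match tags, no mac/ip lines, both buffer parameters
# and the required api_key/hostname/app keys.
check_store_block() {
  block=$(cat)
  printf '%s\n' "$block" | grep -q '^<store>$' || return 1
  printf '%s\n' "$block" | grep -q '^</store>$' || return 1
  printf '%s\n' "$block" | grep -Eq '</?match' && return 1
  printf '%s\n' "$block" | grep -Eq '^[[:space:]]*#?(mac|ip)[[:space:]]' && return 1
  for key in api_key hostname app buffer_chunk_limit flush_at_shutdown; do
    printf '%s\n' "$block" | grep -Eq "^[[:space:]]*$key[[:space:]]" || return 1
  done
  return 0
}

# Constructed sample in the format the LogDNA client produces.
SAMPLE_SNIPPET='<match your_match>
  @type logdna
  api_key YOUR-APIKEY
  hostname "#{Socket.gethostname}" # your hostname (required)
  app my_app # replace with your app name
  #mac C0:FF:EE:C0:FF:EE # optional mac address
  #ip 127.0.0.1 # optional ip address
</match>'

convert_sample() { printf '%s\n' "$SAMPLE_SNIPPET" | logdna_snippet_to_store; }

convert_sample                                        # prints the <store> block
convert_sample | check_store_block && echo "store block OK"
```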
Edit the zen-audit-config configmap
You can edit the existing zen-audit-config configmap to connect to your LogDNA environment.
From the Cloud Pak for Data cluster:
- Change to the project where Cloud Pak for Data is installed:

      oc project ${PROJECT_CPD_INSTANCE}

- Make a backup of the current zen-audit-config configmap.
- Edit the zen-audit-config configmap:

      oc edit configmap zen-audit-config
- Update the configmap:
  - Add the <store> configuration to the configmap.
    Tip: The zen-audit-config configmap includes a sample LogDNA configuration, which is commented out by default.
    The <store> configuration must be inside the <match export export.** records records.** syslog syslog.**> tag and after the @type copy tag. Ensure that the entry is indented correctly.
  - Replace the following variables with the appropriate values for your environment:
    - <CPD-HOSTNAME>: Replace <CPD-HOSTNAME> with the hostname of the Cloud Pak for Data server. This value appears in the records that are sent to LogDNA. This information helps you determine which Cloud Pak for Data instance the audit records are coming from.
    - <ZEN-AUDIT>: Replace <ZEN-AUDIT> with the name that you use for Cloud Pak for Data. This value appears in the records that are sent to LogDNA. This information helps you understand which application the audit records are coming from.
    - If you want to use TLS to connect to LogDNA, replace <XXXXXXXXX> with the contents of the LogDNA TLS certificate.
  The contents of the configmap depend on whether you want to use TLS:
  Configmap for connecting to LogDNA using TLS (recommended)

      apiVersion: v1
      metadata:
        name: zen-audit-config
      data:
        ca.pem: |
          -----BEGIN CERTIFICATE-----
          <XXXXXXXXX>
          -----END CERTIFICATE-----
        fluent.conf: |-
          <match export export.** records records.** syslog syslog.**>
            @type copy
            <store>
              @type logdna
              api_key YOUR-APIKEY # API key from snippet
              ingester_domain HOST # LogDNA ingester domain address
              hostname <CPD-HOSTNAME>
              app <ZEN-AUDIT>
              buffer_chunk_limit 1m
              flush_at_shutdown true
              tls true # Required to use TLS
              ca_file /fluentd/config/ca.pem # Required to use TLS; specify the cert in the ca.pem section
            </store>
          </match>

  Configmap for connecting to LogDNA without TLS

      apiVersion: v1
      metadata:
        name: zen-audit-config
      data:
        fluent.conf: |-
          <match export export.** records records.** syslog syslog.**>
            @type copy
            <store>
              @type logdna
              api_key YOUR-APIKEY # API key from snippet
              ingester_domain HOST # LogDNA ingester domain address
              hostname <CPD-HOSTNAME>
              app <ZEN-AUDIT>
              buffer_chunk_limit 1m
              flush_at_shutdown true
            </store>
          </match>
- Save the changes to the zen-audit-config configmap. For example, if you are using vi, press Esc and enter :wq.
- Delete all zen-audit pods to force a restart to pick up changes:
  - Get the list of zen-audit pods:

        oc get pods | grep zen-audit

  - Delete the zen-audit pods.
    Tip: If there are multiple zen-audit pods, delete each pod individually to avoid a forced restart.

        oc delete pods zen-audit-xxxxxx-xxx

    Replace zen-audit-xxxxxx-xxx with the ID returned by the oc get pods command.
Create a custom configmap
You can create a custom configmap to connect to your LogDNA environment.
From the Cloud Pak for Data cluster:
- Change to the project where Cloud Pak for Data is installed:

      oc project ${PROJECT_CPD_INSTANCE}

- Set the following environment variables. Shell variable names cannot contain hyphens, so the hostname and application name variables use underscores:
  - Set CONFIGMAP_NAME to the name that you want to use for the custom configmap:

        export CONFIGMAP_NAME=<configmap-name>

  - If you want to use TLS, set TLS_CERT to the TLS certificate:

        export TLS_CERT=<certificate>

  - Set CPD_HOSTNAME to the hostname of the Cloud Pak for Data server:

        export CPD_HOSTNAME=<hostname>

    This value appears in the records that are sent to LogDNA. This information helps you determine which Cloud Pak for Data instance the audit records are coming from.
  - Set ZEN_AUDIT to the name that you use for Cloud Pak for Data:

        export ZEN_AUDIT=<app-name>

    This value appears in the records that are sent to LogDNA. This information helps you understand which application the audit records are coming from.
- Create the configmap:
  Configmap for connecting to LogDNA using TLS (recommended)

      cat <<EOF | oc apply -f -
      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: ${CONFIGMAP_NAME}
        namespace: ${PROJECT_CPD_INSTANCE}
      data:
        ca.pem: |
          -----BEGIN CERTIFICATE-----
          ${TLS_CERT}
          -----END CERTIFICATE-----
        fluent.conf: |-
          <match export export.** records records.** syslog syslog.**>
            @type copy
            <store>
              @type logdna
              api_key YOUR-APIKEY # API key from snippet
              hostname ${CPD_HOSTNAME}
              app ${ZEN_AUDIT}
              # mac C0:FF:EE:C0:FF:EE # optional mac address
              buffer_chunk_limit 1m
              flush_at_shutdown true
              tls true # Required to use TLS
              ca_file /fluentd/config/ca.pem # Required to use TLS; specify the cert in the ca.pem section
            </store>
          </match>
      EOF

  Configmap for connecting to LogDNA without TLS

      cat <<EOF | oc apply -f -
      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: ${CONFIGMAP_NAME}
        namespace: ${PROJECT_CPD_INSTANCE}
      data:
        fluent.conf: |-
          <match export export.** records records.** syslog syslog.**>
            @type copy
            <store>
              @type logdna
              api_key YOUR-APIKEY # API key from snippet
              hostname ${CPD_HOSTNAME}
              app ${ZEN_AUDIT}
              # mac C0:FF:EE:C0:FF:EE # optional mac address
              buffer_chunk_limit 1m
              flush_at_shutdown true
            </store>
          </match>
      EOF
- Patch the zenService custom resource to specify the custom configmap (the configmap name is a JSON string, so it must be quoted inside the patch):

      oc patch zenService lite-cr \
        -n ${PROJECT_CPD_INSTANCE} \
        --type='json' \
        --patch '[{"op": "replace", "path": "/spec/zen_audit_config_custom", "value": "'${CONFIGMAP_NAME}'"}]'

- Delete all zen-audit pods to force a restart to pick up changes:
  - Get the list of zen-audit pods:

        oc get pods | grep zen-audit

  - Delete the zen-audit pods.
    Tip: If there are multiple zen-audit pods, delete each pod individually to avoid a forced restart.

        oc delete pods zen-audit-xxxxxx-xxx

    Replace zen-audit-xxxxxx-xxx with the ID returned by the oc get pods command.
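Before the fluent.conf goes into either configmap (the edited zen-audit-config or a custom one), a placement check like the following catches the two mistakes the steps above warn about: a <store> outside the export/records/syslog <match> or ahead of @type copy, and tls true without a ca_file. It is an added example, not part of the IBM documentation, and the two sample configurations it tests are constructed.

```shell
# Added example, not from the Cloud Pak for Data documentation: lint a
# fluent.conf before it goes into either configmap above. It checks that the
# LogDNA <store> sits inside the export/records/syslog <match> after
# "@type copy" and that "tls true" comes with a ca_file. Samples are constructed.
check_fluent_conf() {   # reads fluent.conf on stdin; prints each problem, returns 1 on any
  awk '
    /^[[:space:]]*<match export export\.\*\* records records\.\*\* syslog syslog\.\*\*>/ { inside_match = 1; next }
    /^[[:space:]]*<\/match>/ { inside_match = 0; next }
    inside_match && /^[[:space:]]*@type copy/ { saw_copy = 1; next }
    /^[[:space:]]*<store>/ {
      if (!inside_match) { print "store is outside the export/records/syslog match"; bad = 1 }
      if (!saw_copy) { print "store appears before @type copy"; bad = 1 }
      inside_store = 1; next
    }
    inside_store && /^[[:space:]]*@type logdna/ { logdna = 1 }
    inside_store && /^[[:space:]]*tls true/ { tls = 1 }
    inside_store && /^[[:space:]]*ca_file / { ca = 1 }
    /^[[:space:]]*<\/store>/ { inside_store = 0 }
    END {
      if (!logdna) { print "no @type logdna store found"; bad = 1 }
      if (tls && !ca) { print "tls true is set without ca_file"; bad = 1 }
      exit bad
    }'
}
# Store placed as the steps above require (TLS variant).
GOOD_CONF='<match export export.** records records.** syslog syslog.**>
  @type copy
  <store>
    @type logdna
    api_key YOUR-APIKEY
    tls true
    ca_file /fluentd/config/ca.pem
  </store>
</match>'

# Store pasted above "@type copy", and tls true without ca_file.
BAD_CONF='<match export export.** records records.** syslog syslog.**>
  <store>
    @type logdna
    api_key YOUR-APIKEY
    tls true
  </store>
  @type copy
</match>'

check_good_conf() { printf '%s\n' "$GOOD_CONF" | check_fluent_conf; }
check_bad_conf()  { printf '%s\n' "$BAD_CONF"  | check_fluent_conf; }
check_good_conf && echo "fluent.conf OK"
check_bad_conf  || echo "fluent.conf rejected"
```

To lint the live configmap instead of the samples, feed it the output of oc get configmap zen-audit-config -o jsonpath='{.data.fluent\.conf}'.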
Results
After the changes are applied, new audit events from Cloud Pak for Data are sent to LogDNA.