Configuring your cluster to send audit logs over TLS to IBM QRadar

You can configure your cluster to send audit logs over TLS to IBM QRadar.

By default, forwarding for audit logs is disabled. Update the audit-logging-fluentd-ds-config configuration map to forward audit logs to IBM QRadar. The audit-logging-fluentd-ds-config configuration map defines the Fluentd configuration.

Adding IBM QRadar server certificate to audit-certs secret

Note: Any log source that holds the IBM QRadar server certificate can send logs to IBM QRadar, so restrict access to the certificate file and to the audit-certs secret that stores it.

  1. Convert the IBM QRadar server certificate to a single-line base64 string (the value format that the secret expects) by running the following command:

     base64 -w 0 public_key.pem
    
  2. From the Red Hat® OpenShift® Container Platform console, click Workloads > Secrets.

  3. Click the Options icon for audit-certs.
  4. Click Edit.
  5. Edit the audit-certs secret JSON. Under data, add a "qradar.crt" key and paste the base64 string from step 1 as its value.
  6. Click Submit.
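The same secret update done from the command line with kubectl, as an added example that is not part of the IBM documentation. It uses the namespace ibm-common-services (the namespace in the kubectl commands later on this page), the secret name audit-certs and the key qradar.crt from the steps above; the certificate path is a placeholder you pass in CERT_FILE, and the validation and patch helpers are this example's own. Before it uploads anything it checks that the file is a certificate and not a private key, because the page names the file public_key.pem and a mix-up would put a private key into a secret that every Fluentd pod can read.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): add the qradar.crt entry to
# the audit-certs secret with kubectl instead of the console.
# Assumptions: namespace ibm-common-services and secret audit-certs as named on
# the page; CERT_FILE is a placeholder path that you supply.
set -eu

NAMESPACE="${NAMESPACE:-ibm-common-services}"
SECRET="${SECRET:-audit-certs}"

# Accept only a PEM certificate. A file that also carries a private key (or is
# one) must never be uploaded into this secret.
validate_pem() {
  f="$1"
  grep -q -- '-----BEGIN CERTIFICATE-----' "$f" \
    || { echo "no certificate found in $f" >&2; return 1; }
  if grep -q -- 'PRIVATE KEY-----' "$f"; then
    echo "$f contains a private key; upload the server certificate only" >&2
    return 1
  fi
}

# Single-line base64, portable across GNU (-w 0) and BSD/busybox base64.
pem_to_b64() {
  base64 < "$1" | tr -d '\n'
}

# JSON merge patch that adds or replaces only the qradar.crt key and leaves
# every other entry of audit-certs untouched.
secret_patch() {
  printf '{"data":{"qradar.crt":"%s"}}' "$(pem_to_b64 "$1")"
}

# Validate, patch, then read the key back and compare it byte for byte with
# the file, so a truncated paste is caught before Fluentd is restarted.
apply_cert() {
  validate_pem "$1"
  kubectl -n "$NAMESPACE" patch secret "$SECRET" --type=merge -p "$(secret_patch "$1")"
  kubectl -n "$NAMESPACE" get secret "$SECRET" -o 'jsonpath={.data.qradar\.crt}' \
    | base64 -d | cmp -s - "$1" && echo "qradar.crt in $SECRET matches $1"
}

# Usage: CERT_FILE=public_key.pem sh add_qradar_cert.sh
if [ "${CERT_FILE:-}" ]; then
  apply_cert "$CERT_FILE"
fi
```

The merge patch touches only the qradar.crt key, which matters because audit-certs already holds other material; editing the whole secret by hand risks dropping an entry. The read-back comparison is the check to keep even if you prefer the console: a certificate that does not decode back to the original file will make every TLS connection from Fluentd fail.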

Updating audit-logging-fluentd-ds-config and audit-logging-fluentd-ds-remote-syslog ConfigMap files

Updating audit-logging-fluentd-ds-config ConfigMap files

  1. Log in to your cluster.
  2. From the Red Hat OpenShift Container Platform console, click Workloads > ConfigMaps.
  3. Click the Options icon for the audit-logging-fluentd-ds-config file.
  4. Click Edit.
  5. Enable forwarding for audit logging by setting the ENABLE_AUDIT_LOGGING_FORWARDING parameter value to true.
  6. Uncomment the line @include /fluentd/etc/remoteSyslog.conf so that Fluentd forwards to IBM QRadar as the SIEM. Leave the other output plug-ins commented out; only one output must be active.
  7. Click Submit.

Updating audit-logging-fluentd-ds-remote-syslog ConfigMap file

  1. Log in to your cluster.
  2. From the Red Hat OpenShift Container Platform console, click Workloads > ConfigMaps.
  3. Click the Options icon for the audit-logging-fluentd-ds-remote-syslog file.
  4. Click Edit.
  5. Add values for the following fields: QRadar server host name, port number, and log source identifier. Use the host name that the IBM QRadar server certificate was issued for, and the same host name that you map in hostAliases later in this procedure.
  6. Click Submit.

Removing fluentd audit-logging-fluentd-ds-* pods

Remove all the fluentd pods of the audit-logging-fluentd-ds daemonset after you update the ConfigMaps. The daemonset re-creates the pods, and the new pods start with the updated configuration.

Complete the following steps to remove the pods of the audit-logging-fluentd-ds daemonset from the console:

  1. Log in to your console.
  2. From the Red Hat OpenShift Container Platform console, click Workloads > DaemonSets.
  3. Click audit-logging-fluentd-ds.
  4. In the Pods section, click the Options icon for each pod.
  5. Click Remove.

To remove the pods of the audit-logging-fluentd-ds daemonset from the Kubernetes CLI, run the following command:

     kubectl get pod -n ibm-common-services -o wide | grep audit-logging-fluentd-ds- | awk '{print $1}' | xargs kubectl delete pod -n ibm-common-services

Adding hostAliases to audit-logging-fluentd-ds Daemonset deployment file

  1. Edit the audit-logging-fluentd-ds daemonset by running the following command:

     kubectl -n ibm-common-services edit daemonset audit-logging-fluentd-ds
    
  2. Add a hostAliases entry under spec.template.spec that maps the IBM QRadar server host name to its IP address, so that the Fluentd pods can resolve the host name even when cluster DNS cannot. Your audit-logging-fluentd-ds file might resemble the following content:

     spec:
       template:
         spec:
           hostAliases:
           - ip: a.b.c.d
             hostnames:
             - <server machine name>.ibm.com
    
  3. Save the edited file.

The hostAliases entry is now part of the audit-logging-fluentd-ds daemonset. Because the pod template changed, the daemonset (with the default RollingUpdate strategy) replaces its pods, and each new pod has the mapping in its /etc/hosts file.
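The hostAliases step and the pod restart that follows it, done with kubectl as an added example that is not part of the IBM documentation. Before the daemonset is patched, it verifies that the server certificate from the audit-certs step actually authenticates the QRadar endpoint at that IP address and host name with openssl, which is the same verification Fluentd's TLS output performs once the pods restart. QRADAR_HOST, QRADAR_IP, QRADAR_PORT and CERT_FILE are placeholders you set; the namespace and daemonset names are the ones on the page; the helper functions are this example's own.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): add the hostAliases entry with
# kubectl patch instead of editing the daemonset by hand, after checking that
# the QRadar server certificate verifies the endpoint you are about to map.
# Assumptions: QRADAR_HOST, QRADAR_IP, QRADAR_PORT and CERT_FILE are
# placeholders supplied by you; namespace and daemonset names are from the page.
set -eu

NAMESPACE="${NAMESPACE:-ibm-common-services}"
DAEMONSET="${DAEMONSET:-audit-logging-fluentd-ds}"

# Dotted-quad check so a typo in the IP is caught before it lands in the
# /etc/hosts file of every Fluentd pod.
valid_ipv4() {
  echo "$1" | awk -F. 'NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# JSON merge patch for spec.template.spec.hostAliases. A merge patch replaces
# the whole list, so list every alias the pods need in one patch.
hostalias_patch() {
  printf '{"spec":{"template":{"spec":{"hostAliases":[{"ip":"%s","hostnames":["%s"]}]}}}}' "$2" "$1"
}

# TLS handshake to the IP with SNI set to the host name, trusting only the
# QRadar server certificate. A name mismatch, an expired certificate or the
# wrong certificate in the secret fails here rather than in Fluentd later.
tls_check() {
  host="$1"; ip="$2"; port="$3"; cert="$4"
  openssl s_client -connect "$ip:$port" -servername "$host" \
    -CAfile "$cert" -verify_return_error </dev/null >/dev/null 2>&1
}

add_hostalias() {
  valid_ipv4 "$2" || { echo "bad IPv4 address: $2" >&2; return 1; }
  tls_check "$1" "$2" "$3" "$4" \
    || { echo "TLS verification of $1 at $2:$3 with $4 failed" >&2; return 1; }
  kubectl -n "$NAMESPACE" patch daemonset "$DAEMONSET" --type=merge \
    -p "$(hostalias_patch "$1" "$2")"
  # The pod template changed, so the daemonset rolls out new pods that carry
  # the mapping; wait for the rollout instead of deleting pods by hand.
  kubectl -n "$NAMESPACE" rollout status "daemonset/$DAEMONSET"
}

# Usage: QRADAR_HOST=qradar.example.ibm.com QRADAR_IP=10.0.0.5 QRADAR_PORT=6514 \
#        CERT_FILE=public_key.pem sh add_hostalias.sh
if [ "${QRADAR_HOST:-}" ]; then
  add_hostalias "$QRADAR_HOST" "$QRADAR_IP" "$QRADAR_PORT" "$CERT_FILE"
fi
```

Run tls_check on its own when Fluentd reports TLS errors after the restart: if openssl cannot verify the endpoint with the certificate you put in audit-certs, Fluentd cannot either, and the fix is in the certificate or the host name, not in the Fluentd configuration.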