Auditing Secure Tunnel operations and connections
For auditing, you can review Secure Tunnel configuration changes (for example, tunnel network or port forwarding changes) and tunnel connections on the IBM Cloud Pak console.
Viewing Secure Tunnel audit logs
- Go to Administer > Tunnel audit on the IBM Cloud Pak console.
- On the Operation tab, you see the operation logs of the last three days by default. To narrow or widen the range, change the Start time and End time fields.
- Click the Connection tab to see the connection logs of the last three days by default. To narrow or widen the range, change the Start time and End time fields.
Configuring Secure Tunnel audit logs
Secure Tunnel can send audit logs to its container log, to a MongoDB database, and to a remote syslog server. By default it writes them only to its container log, so they are not visible on the IBM Cloud Pak console. To view audit logs on the IBM Cloud Pak console, send them to MongoDB. To query them in the user interface of a particular syslog product, send them to that remote syslog server. A receiver is declared as an entry in the auditReceivers list of the Tunnel custom resource (CR); the entries below can be combined.
- Secure Tunnel writes audit logs to its container log while the showInConsole field is true, which is the default. Set showInConsole to false to stop writing them to the container log, for example once a MongoDB or syslog receiver is in place.
- To make Secure Tunnel send audit logs to MongoDB, click Operators > Installed Operators > Project: kube-system > IBM Management Secure Tunnel > Tunnel > sre-tunnel > YAML on the OpenShift Container Platform console, and configure the YAML as follows:

```yaml
auditReceivers:
  - type: mongodb
    name: mongodb
    passwordSecretName: <mongodb-credential-secret-name>
    passwordSecretNamespace: <mongodb-credential-secret-namespace>
    mongoConnectString: <mongodb-connect-string>
    mongoDatabaseName: <mongodb-connect-database>
    tlsSecret: <mongodb-tls-secret-name>
    tlsSecretNamespace: <mongodb-tls-secret-namespace>
```

- To make Secure Tunnel send audit logs to a remote syslog server, click Operators > Installed Operators > Project: kube-system > IBM Management Secure Tunnel > Tunnel > sre-tunnel > YAML on the OpenShift Container Platform console, and configure the YAML as follows:

```yaml
auditReceivers:
  - type: syslog
    name: syslog
    syslogAddress: <syslog-server-address with port>
```
Parameter name | Description | Default | Example |
---|---|---|---|
auditReceivers[n].type | The receiver type: mongodb or syslog. | "" | mongodb |
auditReceivers[n].name | The name that you give the audit receiver. | "" | my-mongodb |
auditReceivers[n].mongoAddress | The host and port of the MongoDB server. Set either mongoAddress or mongoConnectString. | "" | 9.46.89.42:27017 |
auditReceivers[n].passwordSecretName | The name of the Kubernetes secret that stores the MongoDB username and password. | "" | mongodb-admin |
auditReceivers[n].passwordSecretNamespace | The namespace of the Kubernetes secret that stores the MongoDB username and password. | "" | kube-system |
auditReceivers[n].mongoConnectString | The MongoDB connection string. If mongoAddress is set, you can omit this parameter. | "" | mongodb://9.46.89.42:27017 |
auditReceivers[n].mongoDatabaseName | The name of the database that receives the audit logs. | "" | auditlog |
auditReceivers[n].tlsSecret | The name of the Kubernetes secret that stores the TLS material for the MongoDB connection (ca.crt, tls.crt, tls.key). | "" | secret-name |
auditReceivers[n].tlsSecretNamespace | The namespace of the Kubernetes secret that stores the TLS material for the MongoDB connection. | "" | kube-system |
auditReceivers[n].syslogAddress | The syslog server address, including the port. | "" | syslog-hostname:5514 |
Notes:
- If MongoDB requires a username and password, create a Kubernetes secret that stores them as follows, and reference it with auditReceivers[n].passwordSecretName and auditReceivers[n].passwordSecretNamespace in the tunnel YAML. The values under data are base64-encoded; keep the secret in a namespace that only the administrators who need it can read, because anyone who can read it can write to or alter the audit trail.

```yaml
kind: Secret
apiVersion: v1
metadata:
  name: <password-secret-name>
  namespace: <any-name-space>
data:
  password: cUlaOHlLWTE1ZmFuVg==
  user: T2V1S2ljd1E=
type: Opaque
```

- If MongoDB requires TLS, create a Kubernetes secret that stores the CA certificate and the client certificate and key as follows, and reference it with auditReceivers[n].tlsSecret and auditReceivers[n].tlsSecretNamespace in the tunnel YAML. The certificate values in this sample are truncated.

```yaml
kind: Secret
apiVersion: v1
metadata:
  name: <tls-secret-name>
  namespace: <any-name-space>
data:
  ca.crt: >-
    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURJakNDQWdxZ0F3SUJBZ0lSQU5RSzZDWGErQ2pQZ0w0UENPS0pVY013RFFZSktvWklodmNOQ
  tls.crt: >-
    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURLVENDQWhHZ0F3SUJBZ0lRWVdVMWFzTmJtb1BBOFowREljeFNyVEFOQmdrcWhraUc5dzBCQ
  tls.key: >-
    LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBeTFvb1REYzRsR3RYMXJSc2RKbnVLZWZPcTJWeFpqVlVtTklma
type: kubernetes.io/tls
```
Examples
- Use MongoDB as the audit receiver, addressed directly with mongoAddress.
  - Install MongoDB. MongoDB can run anywhere that the tunnel server can reach, such as the hub cluster, a Linux® system, or a container. For more information about MongoDB installation and configuration, see Install MongoDB.
  - For a quick test, run MongoDB as a container on a VM where the Docker server is installed:

    ```sh
    docker run --rm -it -p 27017:27017 mongo
    ```

    Started this way, MongoDB listens on port 27017 on every interface of the VM with no authentication and no TLS, so anyone who can reach the VM can read or alter the audit trail. Use it only for testing; for a production receiver, enable authentication and TLS on MongoDB and reference the secrets described in the Notes above.
  - Update the Secure Tunnel CR:

    ```yaml
    auditReceivers:
      - type: mongodb
        name: mongodblog
        mongoAddress: '<The IP of the VM that the MongoDB container running in>:27017'
        mongoDatabaseName: audit-example
    ```

- Use syslog as the audit receiver. Only the server address is configurable for this receiver, so send this traffic over a network segment that you trust.

  ```yaml
  auditReceivers:
    - type: syslog
      name: my-syslog
      syslogAddress: '9.46.89.42:5514'
  ```

- Disable audit logging in the Secure Tunnel container log, and use both MongoDB and syslog as the audit receivers.

  ```yaml
  showInConsole: false
  auditReceivers:
    - type: mongodb
      name: mongodblog
      mongoAddress: '<The IP of the VM that the MongoDB container running in>:27017'
      mongoDatabaseName: audit-example
    - type: syslog
      name: my-syslog
      syslogAddress: '9.46.89.42:5514'
  ```
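The Notes and the Examples above show the credential secret, the TLS secret and the auditReceivers fragment as separate pieces that are assembled by hand. The script below is an added example, not IBM's code and not part of the Secure Tunnel documentation: it generates those manifests offline from plain values and PEM files, so they can be reviewed before being piped into `oc apply -f -` and pasted into the sre-tunnel Tunnel CR. The names mongodb-admin and mongodb-tls, the host mongo.example.internal, the sample username and password (the page's own sample values, decoded) and the refusal of a connect string that embeds a password are all this script's own assumptions and policy, not Secure Tunnel rules.

```shell
#!/bin/sh
# Added example, not part of IBM's Secure Tunnel documentation or code.
# Builds the Secrets and the auditReceivers fragment described on this page
# from plain values, with a few checks that catch the usual mistakes.
# All names, namespaces and credential values here are constructed samples.
set -eu

# Base64-encode a string with no trailing newline and no line wrapping.
# (`echo value | base64` would encode an extra "\n" into the Secret, and the
# MongoDB login then fails in a way that is hard to spot.)
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Fail unless the file looks like PEM (first line "-----BEGIN ...").
pem_check() {
  head -n 1 "$1" | grep -q '^-----BEGIN ' || {
    echo "error: $1 is not a PEM file" >&2
    return 1
  }
}

# Opaque Secret with the user/password keys that passwordSecretName points at.
mongo_credential_secret() {   # name namespace username password
  cat <<EOF
kind: Secret
apiVersion: v1
metadata:
  name: $1
  namespace: $2
type: Opaque
data:
  user: $(b64 "$3")
  password: $(b64 "$4")
EOF
}

# kubernetes.io/tls Secret with ca.crt/tls.crt/tls.key that tlsSecret points at.
mongo_tls_secret() {   # name namespace ca.crt tls.crt tls.key
  for f in "$3" "$4" "$5"; do
    pem_check "$f" || return 1
  done
  cat <<EOF
kind: Secret
apiVersion: v1
metadata:
  name: $1
  namespace: $2
type: kubernetes.io/tls
data:
  ca.crt: $(base64 < "$3" | tr -d '\n')
  tls.crt: $(base64 < "$4" | tr -d '\n')
  tls.key: $(base64 < "$5" | tr -d '\n')
EOF
}

# auditReceivers fragment for a MongoDB receiver that uses both Secrets.
# Refuses a connect string that embeds credentials (user:password@host): the
# Tunnel CR is readable by anyone allowed to get the CR, while the Secret has
# its own RBAC. This refusal is a policy of this script, not a Secure Tunnel rule.
mongo_receiver_fragment() {   # name connect-string database cred-secret cred-ns tls-secret tls-ns
  case "$2" in
    *://*:*@*)
      echo "error: keep the MongoDB password in the Secret, not in mongoConnectString" >&2
      return 1 ;;
  esac
  cat <<EOF
showInConsole: false
auditReceivers:
  - type: mongodb
    name: $1
    mongoConnectString: '$2'
    mongoDatabaseName: $3
    passwordSecretName: $4
    passwordSecretNamespace: $5
    tlsSecret: $6
    tlsSecretNamespace: $7
EOF
}

# Demo with constructed values. For real use, pipe the Secret manifests into
# `oc apply -f -` and paste the fragment into the sre-tunnel Tunnel CR.
mongo_credential_secret mongodb-admin kube-system OeuKicwQ qIZ8yKY15fanV
echo '---'
mongo_receiver_fragment mongodblog 'mongodb://mongo.example.internal:27017' auditlog \
  mongodb-admin kube-system mongodb-tls kube-system
```

Run it with no arguments to print the credential Secret and the CR fragment; call `mongo_tls_secret` with your CA, client certificate and key files to produce the TLS Secret. Keep the generated Secret manifests out of version control and shell history, since they contain the credentials in recoverable form.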