Audit logging

Audit messages are generated and sent to the platform for every API request to the IBM® Security QRadar® SOAR application. Every user action in the user interface also generates an audit message. Audit logging is disabled by default.

About this task

Audit log messages are in Cloud Auditing Data Federation (CADF) format and include the following properties of the request:
  • The time of the request, logged as eventTime.
  • The request method, such as put or post, logged as target > typeUri.
  • The request URL, logged as target > name.
  • The HTTP response code, logged as reasonCode.
  • The user who made the request, taken from the sub claim of the JWT, logged as initiator > id and initiator > name.
Audit messages are written to a centralized location and forwarded to your SIEM, which retains them. For example, audit messages can be forwarded to an external tool or application such as Splunk or QRadar. For more information about audit logging for QRadar, see Configuring audit log forwarding for QRadar Suite Software.

If the HTTP request that sends an audit log message to the SIEM fails, the error is logged.
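The following script shows what a consumer on the SIEM side can do with the five properties listed above: it maps each CADF record to those properties, counts malformed lines, lists failed requests, and flags users who are repeatedly denied (401/403). This is an added example, not code from QRadar Suite or the SIEM products named above. The sample records are constructed to follow the property list on this page; real messages carry additional CADF fields, and the script tolerates reasonCode sitting either inside a CADF reason object or at the top level, which is an assumption.

```python
"""Triage CADF-style audit records after they reach the SIEM (added example)."""
import json
from collections import Counter

# Constructed sample input: one JSON record per forwarded syslog line.
# Field placement follows the property list on this page (assumption).
SAMPLE_LINES = [
    '{"eventTime": "2024-03-01T10:00:00Z", "target": {"typeUri": "get", "name": "/api/orgs/201/incidents"}, '
    '"reason": {"reasonCode": "200"}, "initiator": {"id": "u-1001", "name": "analyst@example.com"}}',
    '{"eventTime": "2024-03-01T10:00:05Z", "target": {"typeUri": "post", "name": "/api/orgs/201/incidents"}, '
    '"reason": {"reasonCode": "201"}, "initiator": {"id": "u-1001", "name": "analyst@example.com"}}',
    '{"eventTime": "2024-03-01T10:00:09Z", "target": {"typeUri": "delete", "name": "/api/orgs/201/users/7"}, '
    '"reason": {"reasonCode": "403"}, "initiator": {"id": "u-2002", "name": "contractor@example.com"}}',
    '{"eventTime": "2024-03-01T10:00:12Z", "target": {"typeUri": "put", "name": "/api/orgs/201/users/7"}, '
    '"reasonCode": "401", "initiator": {"id": "u-2002", "name": "contractor@example.com"}}',
    'not json at all',  # a truncated or garbled line, as seen after a forwarding hiccup
]


def parse_record(line):
    """Map one CADF record to the five documented properties; None if unusable."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict):
        return None
    target = rec.get("target") or {}
    initiator = rec.get("initiator") or {}
    # reasonCode may sit inside a CADF "reason" object or at the top level.
    code = (rec.get("reason") or {}).get("reasonCode", rec.get("reasonCode"))
    try:
        code = int(code)
    except (TypeError, ValueError):
        return None
    return {
        "time": rec.get("eventTime"),
        "method": str(target.get("typeUri", "")).upper(),  # logged lowercase, normalise
        "url": target.get("name"),
        "code": code,
        "user_id": initiator.get("id"),
        "user_name": initiator.get("name"),
    }


def triage(lines, denial_threshold=2):
    """Summarise a batch: failed requests and users denied at least `denial_threshold` times."""
    parsed, malformed, failures = 0, 0, []
    denials = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            malformed += 1  # worth alerting on: a gap in the audit trail
            continue
        parsed += 1
        if rec["code"] >= 400:
            failures.append(rec)
        if rec["code"] in (401, 403):
            denials[rec["user_id"]] += 1
    denied_users = sorted(u for u, n in denials.items() if n >= denial_threshold)
    return {"parsed": parsed, "malformed": malformed,
            "failures": failures, "denied_users": denied_users}


def describe(rec):
    """One-line human-readable form of a parsed record."""
    return (f"{rec['time']} {rec['code']} {rec['method']} {rec['url']} "
            f"by {rec['user_name']} ({rec['user_id']})")


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    print(f"parsed={result['parsed']} malformed={result['malformed']}")
    for failure in result["failures"]:
        print("failed:", describe(failure))
    print("repeatedly denied:", result["denied_users"])
```

The malformed counter matters as much as the failures list: the page says a failed forwarding request is only logged, so gaps or garbled lines at the SIEM are the first sign that the audit trail is incomplete.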

Enabling audit log forwarding

Procedure

  1. Create the CP4SConfiguration CR.
    This CR enables audit log forwarding and contains the SIEM connection details and other optional settings.
    Create a CP4SConfiguration CR .yaml file with the following content, replacing the placeholders in angle brackets.
    apiVersion: isc.ibm.com/v1
    kind: CP4SConfiguration
    metadata:
      name: enable-audit
    spec:
      values:
      - audit.syslog.enableSIEM=true
      - audit.syslog.host=logs-<SIEM-hostname>
      - audit.syslog.port=6514
      - audit.syslog.enableTLS=true
      - audit.syslog.hostname=<cp4s_identifier>
    
  2. Apply the CP4SConfiguration CR by running the following command, where <file_name> is the name of the .yaml file that you created in the previous step.
    oc apply -f <file_name>.yaml
    • A fluentd pod (audit-fluentd-yyyyyyyyyy-xxxxx) starts in the same namespace.
    • Audit logs are forwarded to the SIEM.

Disabling audit log forwarding

You can disable audit log forwarding globally for all services or individually only for specific services.

Disabling globally

Procedure

To disable audit log forwarding globally, remove the CP4SConfiguration CR by running the following command:
oc delete CP4SConfiguration enable-audit

Disabling for single applications

When audit log forwarding is enabled globally in the cluster, it is enabled for all services by default. You can disable it individually for specific services.

About this task

You can individually disable audit log forwarding for the following services by setting the corresponding value:
aitk.audit=false
audit.cases.enabled=false
authsvc.audit=false
car.audit=false
clx.audit=false
de.audit=false
drc.audit=false
drcapi.audit=false
edgegateway.audit=false
entitlements.audit=false
iscauth.audit=false
pulse.audit=false
qproxy.audit=false
riskmanager.audit=false
threatinv.audit=false
tii.tiiapp.audit=false
tii.tiireports.audit=false
tii.tiisearch.audit=false
tii.tiisettings.audit=false
tii.tiithreats.audit=false
tisvars.audit=false
udi.audit=false

Procedure

To disable audit log forwarding for specific services, create a new CR that lists the values for the services that you want to disable.
The following example disables audit log forwarding for the authsvc and clx services:
apiVersion: isc.ibm.com/v1
kind: CP4SConfiguration
metadata:
  name: tune-audit
spec:
  values:
  - authsvc.audit=false
  - clx.audit=false
Important:
  • The new CR must have a different name from the CR that enables forwarding. In this example, the new CR is named tune-audit.
  • To roll back the changes, edit or delete the tune-audit CR.
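A CP4SConfiguration CR with a misspelled key or a placeholder left in place applies cleanly and then silently forwards nothing, so it is worth checking the values before `oc apply`. The following script, an added example and not part of QRadar Suite, renders a CR in the layout used above for both the enabling procedure and the per-service disabling procedure, and checks the values first. The key names are the ones listed on this page; the checks themselves (required keys when enableSIEM=true, port range, unresolved placeholders, a clear-text warning when enableTLS is not true, and the rule that the new CR must not reuse an existing name) are this example's own assumptions.

```python
"""Render and check a CP4SConfiguration CR before `oc apply` (added example)."""

# Keys from this page. The syslog keys configure the SIEM connection; the
# per-service keys turn forwarding off for one service each.
SYSLOG_KEYS = {
    "audit.syslog.enableSIEM", "audit.syslog.host", "audit.syslog.port",
    "audit.syslog.enableTLS", "audit.syslog.hostname",
}
SERVICE_KEYS = {
    "aitk.audit", "audit.cases.enabled", "authsvc.audit", "car.audit", "clx.audit",
    "de.audit", "drc.audit", "drcapi.audit", "edgegateway.audit", "entitlements.audit",
    "iscauth.audit", "pulse.audit", "qproxy.audit", "riskmanager.audit", "threatinv.audit",
    "tii.tiiapp.audit", "tii.tiireports.audit", "tii.tiisearch.audit", "tii.tiisettings.audit",
    "tii.tiithreats.audit", "tisvars.audit", "udi.audit",
}
BOOL_KEYS = {"audit.syslog.enableSIEM", "audit.syslog.enableTLS"} | SERVICE_KEYS

# Constructed sample values: the enabling CR from this page with the
# placeholders filled in (hostnames are assumptions), and the tuning CR.
ENABLE_VALUES = [
    "audit.syslog.enableSIEM=true",
    "audit.syslog.host=logs-siem.example.com",
    "audit.syslog.port=6514",
    "audit.syslog.enableTLS=true",
    "audit.syslog.hostname=cp4s-prod",
]
TUNE_VALUES = ["authsvc.audit=false", "clx.audit=false"]


def parse_values(values):
    """Split "key=value" items into a dict; raise ValueError on malformed or unknown keys."""
    parsed = {}
    for item in values:
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"not key=value: {item!r}")
        if key not in SYSLOG_KEYS | SERVICE_KEYS:
            raise ValueError(f"unknown key {key!r} (typo?)")
        if key in BOOL_KEYS and value not in ("true", "false"):
            raise ValueError(f"{key} must be true or false, got {value!r}")
        parsed[key] = value
    return parsed


def check_values(values):
    """Return (errors, warnings); both empty means the values are safe to apply."""
    errors, warnings = [], []
    try:
        parsed = parse_values(values)
    except ValueError as exc:
        return [str(exc)], warnings
    for key, value in parsed.items():
        if "<" in value or ">" in value:
            errors.append(f"{key} still contains a placeholder: {value!r}")
    if parsed.get("audit.syslog.enableSIEM") == "true":
        for required in ("audit.syslog.host", "audit.syslog.port"):
            if required not in parsed:
                errors.append(f"{required} is required when enableSIEM=true")
        if parsed.get("audit.syslog.enableTLS") != "true":
            warnings.append("enableTLS is not true: audit records would leave the cluster in clear text")
    port = parsed.get("audit.syslog.port")
    if port is not None and not (port.isdigit() and 1 <= int(port) <= 65535):
        errors.append(f"audit.syslog.port must be 1-65535, got {port!r}")
    return errors, warnings


def render_cr(name, values, existing_names=()):
    """Render the CR in the layout used on this page; refuse a name that is already taken."""
    if name in existing_names:
        raise ValueError(f"a CP4SConfiguration named {name!r} already exists; use a new name")
    errors, _ = check_values(values)
    if errors:
        raise ValueError("; ".join(errors))
    lines = ["apiVersion: isc.ibm.com/v1", "kind: CP4SConfiguration",
             "metadata:", f"  name: {name}", "spec:", "  values:"]
    lines += [f"  - {value}" for value in values]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_cr("enable-audit", ENABLE_VALUES))
    # The tuning CR must not reuse the name of the enabling CR.
    print(render_cr("tune-audit", TUNE_VALUES, existing_names=["enable-audit"]))
```

Pipe the rendered text into `oc apply -f -` only when check_values returns no errors; treat the clear-text warning as an error in production, since the audit records carry user identities and request URLs.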

Adding a CA Certificate to IBM Security QRadar Suite

If the TLS certificate of your SIEM is not signed by a well-known certificate authority (CA), create a secret on IBM Security QRadar Suite that contains the CA certificate so that the forwarder can verify the SIEM.

Procedure

  1. Log in to the IBM Security QRadar Suite backend (oc login).
  2. Create the audit-certs secret by running the following command, where <ca_cert_file> is the file that contains the CA root certificate:
    oc create secret generic audit-certs --from-file=syslog.crt=<ca_cert_file>
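Because a failed forwarding request is only logged, a CA file that does not actually validate the SIEM's certificate is easy to miss. The following script, an added example that is not part of QRadar Suite, performs the same check the forwarder will have to pass: it loads the CA file, opens a TLS connection to the syslog endpoint with hostname verification, and reports why verification failed if it did. Only when the check passes does it print the `oc create secret` command from the procedure above. The host, port and file path are placeholders to be supplied on the command line.

```python
"""Verify that a CA file validates the SIEM syslog TLS endpoint (added example)."""
import socket
import ssl
import sys


def check_siem_tls(host, port, cafile, timeout=5.0):
    """Return (ok, detail). ok is True only if a verified TLS session was established."""
    try:
        # Default context: certificate verification and hostname check are on.
        ctx = ssl.create_default_context(cafile=cafile)
    except (ssl.SSLError, OSError) as exc:
        return False, f"cannot load CA file {cafile!r}: {exc}"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                peer = tls.getpeercert()
                return True, (f"{tls.version()} to {host}:{port}; "
                              f"server subject {peer.get('subject')}")
    except ssl.SSLCertVerificationError as exc:
        # The CA file does not chain to the server certificate, or the name does not match.
        return False, f"certificate verification failed: {exc.verify_message}"
    except ssl.SSLError as exc:
        return False, f"TLS handshake failed: {exc}"
    except OSError as exc:
        return False, f"cannot connect to {host}:{port}: {exc}"


def secret_command(cafile):
    """The command from the procedure above, with the verified file filled in."""
    return f"oc create secret generic audit-certs --from-file=syslog.crt={cafile}"


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} <SIEM-hostname> <port> <ca_cert_file>")
    host, port, cafile = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    ok, detail = check_siem_tls(host, port, cafile)
    print(detail)
    if not ok:
        sys.exit(1)
    print("CA file validates the SIEM endpoint; create the secret with:")
    print(secret_command(cafile))
```

Run it from a host that can reach the SIEM on the port configured in audit.syslog.port (6514 in the example CR above), with the same hostname you put in audit.syslog.host, so that the hostname check matches what the forwarder will present.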