Audit logging in your cluster

The audit logging feature in your product collects the audit logs that the platform services generate and forwards them to your security information and event management (SIEM) system.

Audit log format

Audit data that is generated within the platform services conforms to the Cloud Auditing Data Federation (CADF) standard. Each CADF event is logged as a JSON object.

Location of audit logs

The audit data that a service generates is first written to the systemd journal on the node where the service runs. A fluentd DaemonSet is deployed as part of audit logging; on each node, fluentd reads the audit data from the systemd journal and forwards it to the SIEM. The SIEM service that receives the audit data is the same one that collects application logs, but a separate bucket, such as a separate index, is created in the SIEM for audit data so that audit records are not mixed with application logs.
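As an added example, not part of the original documentation and not the product's own fluentd configuration, the following block shows what the per-node pipeline described above has to do with the data: parse journald entries in the shape that `journalctl -o json` emits, check that the MESSAGE carries a CADF event with the attributes that CADF 1.0 requires (typeURI, id, eventType, eventTime, action, outcome, initiator, target, observer), and route each entry to the audit bucket, to the application-log bucket, or to a rejected bucket. The unit names, host name and the events themselves are constructed sample data, not output from a real cluster.

```python
import json

# Attributes that CADF 1.0 requires on every event. The check below tests
# presence and the two enumerated values only, not full schema conformance.
CADF_REQUIRED = ("typeURI", "id", "eventType", "eventTime", "action",
                 "outcome", "initiator", "target", "observer")
CADF_EVENT_TYPES = {"activity", "monitor", "control"}
CADF_OUTCOMES = {"success", "failure", "pending", "unknown"}
CADF_SCHEMA_PREFIX = "http://schemas.dmtf.org/cloud/audit/"
CADF_TYPE_URI = CADF_SCHEMA_PREFIX + "1.0/event"


def cadf_event(id_, action, outcome, user, target, when, event_type="activity"):
    """Build a minimal CADF 1.0 event dict (helper for the constructed sample)."""
    return {
        "typeURI": CADF_TYPE_URI,
        "id": id_,
        "eventType": event_type,
        "eventTime": when,
        "action": action,
        "outcome": outcome,
        "initiator": {"id": user, "typeURI": "service/security/account/user"},
        "target": {"id": target, "typeURI": "service/security/account"},
        "observer": {"id": "auth-idp", "typeURI": "service/security"},
    }


def journal_entry(unit, message, ts, host="worker-1"):
    """One journald record as `journalctl -o json` would print it (constructed)."""
    return json.dumps({"_SYSTEMD_UNIT": unit, "_HOSTNAME": host,
                       "__REALTIME_TIMESTAMP": ts, "MESSAGE": message})


# Constructed sample journal: two valid audit events, one plain application
# log line, and one event that claims to be CADF but lacks "outcome".
_bad = cadf_event("e3", "authenticate", "success", "bob", "account/bob",
                  "2024-05-01T10:00:02Z")
del _bad["outcome"]

SAMPLE_JOURNAL = "\n".join([
    journal_entry("auth-idp.service", json.dumps(cadf_event(
        "e1", "authenticate", "success", "alice", "account/alice",
        "2024-05-01T10:00:00Z")), "1714557600000000"),
    journal_entry("nginx-ingress.service", "GET /healthz 200 0.001s",
                  "1714557601000000"),
    journal_entry("auth-idp.service", json.dumps(_bad), "1714557602000000"),
    journal_entry("auth-idp.service", json.dumps(cadf_event(
        "e4", "authenticate", "failure", "mallory", "account/admin",
        "2024-05-01T10:00:03Z")), "1714557603000000"),
])


def parse_journal(text):
    """Parse `journalctl -o json` output: one JSON object per line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def cadf_errors(event):
    """Return the problems found in a would-be CADF event; empty means it passes."""
    if not isinstance(event, dict):
        return ["event is not a JSON object"]
    errors = ["missing required attribute: " + a for a in CADF_REQUIRED if a not in event]
    if "eventType" in event and event["eventType"] not in CADF_EVENT_TYPES:
        errors.append("invalid eventType: %r" % event["eventType"])
    if "outcome" in event and event["outcome"] not in CADF_OUTCOMES:
        errors.append("invalid outcome: %r" % event["outcome"])
    return errors


def route_entries(entries):
    """Split journal entries into the buckets the audit pipeline needs.

    CADF events go to the dedicated audit bucket, anything that is not a CADF
    payload stays an application log, and JSON that claims to be CADF but fails
    validation is kept in a rejected bucket instead of being dropped, so that a
    corrupted field cannot make an audit record vanish silently."""
    routed = {"audit": [], "app": [], "rejected": []}
    for entry in entries:
        try:
            payload = json.loads(entry.get("MESSAGE", ""))
        except ValueError:
            payload = None
        is_cadf = isinstance(payload, dict) and \
            str(payload.get("typeURI", "")).startswith(CADF_SCHEMA_PREFIX)
        if not is_cadf:
            routed["app"].append(entry)
            continue
        record = {"host": entry.get("_HOSTNAME"),
                  "unit": entry.get("_SYSTEMD_UNIT"), "event": payload}
        errors = cadf_errors(payload)
        if errors:
            record["errors"] = errors
            routed["rejected"].append(record)
        else:
            routed["audit"].append(record)
    return routed


if __name__ == "__main__":
    buckets = route_entries(parse_journal(SAMPLE_JOURNAL))
    for name, items in buckets.items():
        print("%-8s %d" % (name, len(items)))
```

The rejected bucket is the part worth keeping in a real shipper: a forwarder that drops malformed audit events loses exactly the records an attacker would want lost, so route them somewhere they are still visible and alert on the count.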

Enabling and disabling audit logging for your product services

Complete the following steps to enable or disable audit logging.

  1. From the navigation menu, click Configuration > ConfigMap.
  2. Search for the ConfigMap of the service for which you want to enable or disable audit logging. Click Edit.
  3. Set the audit-related key to true or false to enable or disable audit logging for that service. Click Submit.
  4. Delete all the pods that belong to the service. The change does not take effect in pods that are already running; the pods are re-created with auditing enabled or disabled as you set it, so expect a brief interruption of the service while they restart. After the pods are running again, confirm that audit events for the service arrive in the audit bucket of your SIEM. You can find the pods of a service in the following locations:
    • From the navigation menu, click Workload > DaemonSets.
    • From the navigation menu, click Workload > Deployments.

For the ConfigMap and the audit-related key of each service, see Table 1, Your product services and the ConfigMaps where the audit-related keys are set.
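The same procedure with kubectl, as an added example that is not part of the product documentation, so that the change can be scripted, reviewed before it runs, and verified afterwards. The namespace, ConfigMap name, key name and pod label selector used here are assumptions; take the real ConfigMap and key for each service from Table 1.

```shell
#!/bin/sh
# Added example: toggle audit logging for one service with kubectl.
# kube-system, auth-idp, AUDIT_ENABLED and app=auth-idp are assumed names.
set -eu

# Run a command, or only print it when DRY_RUN=1, so the exact kubectl calls
# can be reviewed before the cluster is touched.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "+ $*"
  else
    "$@"
  fi
}

# ConfigMap data values are strings, so the key must hold the literal
# "true" or "false"; anything else is refused rather than passed through.
valid_bool() {
  case "$1" in
    true|false) return 0 ;;
    *) return 1 ;;
  esac
}

# JSON merge patch that sets exactly one data key and leaves the rest alone.
audit_patch() {
  printf '{"data":{"%s":"%s"}}' "$1" "$2"
}

# set_audit_logging NAMESPACE CONFIGMAP KEY VALUE POD_SELECTOR
set_audit_logging() {
  ns=$1 cm=$2 key=$3 val=$4 sel=$5
  if ! valid_bool "$val"; then
    echo "value must be true or false, got: $val" >&2
    return 2
  fi
  # Steps 2-3: set the audit-related key in the service's ConfigMap.
  run kubectl -n "$ns" patch configmap "$cm" --type merge -p "$(audit_patch "$key" "$val")"
  # Step 4: running pods keep the old setting; delete them so the controller
  # re-creates them, then wait until the new pods are Ready.
  run kubectl -n "$ns" delete pods -l "$sel"
  run kubectl -n "$ns" wait --for=condition=Ready pod -l "$sel" --timeout=180s
  # Verify the stored value (a key containing dots needs them escaped as \. in jsonpath).
  run kubectl -n "$ns" get configmap "$cm" -o "jsonpath={.data.$key}"
}

# Usage with the assumed names; set DRY_RUN=1 to print the commands only:
#   DRY_RUN=1 sh audit-toggle.sh --example
if [ "${1:-}" = "--example" ]; then
  set_audit_logging kube-system auth-idp AUDIT_ENABLED true app=auth-idp
fi
```

Deleting the pods is what makes the change effective, so run this during a maintenance window for services that cannot tolerate a restart, and keep the printed dry-run output with the change record.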