Configuring your cluster to forward audit logs

You can enable audit logging for individual services to forward your audit logs to SIEM.

For more information on generating audit logs see, Configuring your cluster to generate audit logs.

Enabling and disabling forwarding for audit logging

By default, forwarding is disabled. Each plug-in has a separate ConfigMap. See the following table for more information about audit logging ConfigMaps:

Table 1. Audit logging ConfigMaps
ConfigMap Description
audit-logging-fluentd-ds-config This ConfigMap is the primary ConfigMap for audit logging. Source plug-ins and output plug-ins are imported to this ConfigMap.
audit-logging-fluentd-ds-source-config Source plug-in ConfigMap
audit-logging-fluentd-ds-remote-syslog-config IBM QRadar output plug-in ConfigMap
audit-logging-fluentd-ds-splunk-hec-config Splunk output ConfigMap

Enable and disable forwarding for audit logging from the console with following steps:

  1. Log in to your product cluster.

  2. From the navigation menu, click Configuration > ConfigMap.

  3. Select the audit-logging-fluentd-ds-config ConfigMap.

  4. Click the Options icon Options icon icon and click Edit.

  5. Enable forwarding for audit logging by setting the ENABLE_AUDIT_LOGGING_FORWARDING parameter value to true.

  6. Disable forwarding for audit logging by setting the ENABLE_AUDIT_LOGGING_FORWARDING parameter value to false. If you disable forwarding, ignore step 7.

  7. Forward your audit logs to SIEM.

    Note: There is one input plug-in configuration file and multiple output plug-in configuration files in your ConfigMap. Be sure to use only one output plug-in at a time.

    • Edit the audit-logging-fluentd-ds-config file to forward audit logs to IBM QRadar with SIEM by uncommenting @include /fluentd/etc/remoteSyslog.conf. You must keep other output plug-ins commented.

      • Edit the audit-logging-fluentd-ds-remote-syslog-config and add the following information for IBM QRadar with SIEM: IBM QRadar server host name, port number, and log identifier. For more information to update the audit-logging-fluentd-ds and audit-logging-fluentd-ds-remote-syslog-config files see Configuring your cluster to send audit logs over TLS to IBM QRadar.

    • Edit the audit-logging-fluentd-ds-config file to forward to Splunk by uncommenting @include /fluentd/etc/splunkHEC.conf. You must keep other output plug-ins commented.

      • Edit the audit-logging-fluentd-ds-splunk-hec-config and add the following information for Splunk: Splunk server host name, port number, and HEC token. For more information to update the audit-logging-fluentd-ds and audit-logging-fluentd-ds-splunk-hec-config files, see Integrating your cluster with Splunk.

  8. Click Submit

  9. Remove all pods of the audit-logging-fluentd-ds daemonset. Your pods are recreated automatically.

    • Remove the pods from the console:

      1. Log in to your product cluster.
      2. From the navigation menu, click Workload > DaemonSets.
      3. Locate and click the audit-logging-fluentd-ds daemonset.
      4. From the Pods section, delete each pod by clicking the Options icon Options icon.
      5. Click Remove.

    • Remove the pods with the Kubernetes CLI by running the following command:

       kubectl get pod -n kube-system -o wide | grep audit-logging-fluentd-ds- | awk '{print $1}' | xargs kubectl delete pod -n kube-system

Note: Fluentd has an input plug-in that reads audit logs from journald. The plug-in is included in the audit-logging-fluentd-ds-source-config ConfigMap file.

The default path of journald is /run/log/journal. You can set a different path during cluster installation. For example, /var/log/journal. If you change the default journald path, you must update the path in following files: