Auditing IM service

IM uses an Rsyslog sidecar to send IM-related audit records to the Audit logging service of foundational services over TLS syslog connections.

By default, audit logging is disabled in IM. You can enable auditing in IM by using either of the following methods:

Using the oc command

To enable auditing in IM by using the oc command, complete the following steps:

Prerequisite: Install and configure the IBM Cloud Pak foundational services Audit logging service. For more information, see Configuring CommonAudit.

  1. Edit the platform-auth-idp configmap in the <foundational-services> namespace:

    oc -n <your-foundational-services-namespace> edit configmap platform-auth-idp
    
  2. Set the following attribute values to true:

    • AUDIT_ENABLED_IDPROVIDER: 'true'
    • AUDIT_ENABLED_IDMGMT: 'true'
  3. Save the configmap.

  4. Delete the auth-idp pods.

    oc -n <your-foundational-services-namespace> delete pods <pod_name>
    
  5. To check whether audit logs are being generated, open a shell in the icp-audit-service container of the auth-idp pod and check whether log files exist under /var/log/audit/.

    oc exec -it <auth-idp-pod-name> -c icp-audit-service -- bash
    

After you complete these steps, the audit logs are forwarded to the appropriate SIEM tool that is configured within the <foundational-services> namespace.
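To confirm the setting without opening an editor (for example, from a periodic compliance check), the following added example, which is not part of the original documentation, reads the ConfigMap YAML and reports any of the two audit flags that is not 'true'. The function names and the sample ConfigMap are constructed for illustration, and check_im_audit assumes a logged-in oc session.

```shell
#!/bin/sh
# Added example (not from the product documentation).

# Print the value of one key from the top-level "data:" section of ConfigMap
# YAML read from stdin. Keys with the same name elsewhere are ignored.
cm_value() {
  awk -v key="$1" '
    /^data:/    { in_data = 1; next }
    /^[^ \t]/   { in_data = 0 }        # any other top-level key ends data:
    in_data && $1 == (key ":") { sub(/^[^:]*:/, ""); print; exit }
  ' | tr -d "\"' \r"                   # drop YAML quoting and whitespace
}

# Exit status 0 only when both flags named in the procedure are 'true'.
# Flags that are missing or not 'true' are listed on stderr.
audit_flags_enabled() (
  cm=$(cat)
  rc=0
  for flag in AUDIT_ENABLED_IDPROVIDER AUDIT_ENABLED_IDMGMT; do
    val=$(printf '%s\n' "$cm" | cm_value "$flag")
    if [ "$val" != "true" ]; then
      echo "NOT ENABLED: $flag=${val:-<unset>}" >&2
      rc=1
    fi
  done
  exit "$rc"
)

# Live use: check_im_audit <your-foundational-services-namespace>
check_im_audit() {
  oc -n "$1" get configmap platform-auth-idp -o yaml | audit_flags_enabled
}

# Constructed sample of the ConfigMap YAML (values are illustrative).
SAMPLE_CM="apiVersion: v1
kind: ConfigMap
data:
  AUDIT_ENABLED_IDMGMT: 'true'
  AUDIT_ENABLED_IDPROVIDER: \"false\"
metadata:
  name: platform-auth-idp"

# Demo on the sample: reports that AUDIT_ENABLED_IDPROVIDER is not enabled.
printf '%s\n' "$SAMPLE_CM" | audit_flags_enabled || echo "sample: auditing not fully enabled"
```

The check only confirms the ConfigMap values; the auth-idp pods still have to be restarted, as in step 4, before the new values take effect.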

Using the console

Prerequisite: Install and configure the IBM Cloud Pak foundational services Audit logging service. For more information, see Configuring CommonAudit.

  1. Log in to the OpenShift Container Platform console.
  2. From the navigation menu, click Workloads > Config Maps.
  3. Search for platform-auth-idp.
  4. Click ... > Edit Config Map.
  5. Set the following attribute values to true:

    • AUDIT_ENABLED_IDPROVIDER: 'true'
    • AUDIT_ENABLED_IDMGMT: 'true'

    Note: A warning message, resource is managed by example-authentication and any modifications may be overwritten, is displayed. You can ignore this message.

  6. Click Save.

  7. From the navigation menu, click Workloads > Deployments.

  8. Locate auth-idp.

  9. Click ... > Edit Deployment. A window for editing displays.

  10. Click Save without making any change. This step is to reload the auth-idp pods with the latest ConfigMap values.

  11. Click auth-idp.

  12. Wait for some time. Then, check the status of the auth-idp pods in the Pods pane. The pods must show 4/4 in the Ready field.

  13. To check whether audit logs are being generated, open a shell in the icp-audit-service container of the auth-idp pod and check whether log files exist under /var/log/audit/.