Exporting IBM Software Hub audit records to the cluster

You can optionally publish the audit logs to the zen-audit pod stdout logs on the cluster where IBM Software Hub is installed.

Who needs to complete this task?

To complete this task on the primary IBM Software Hub cluster, you must have one of the following roles:

  • Cluster administrator
  • Instance administrator

To complete this task on a remote physical location, you must have one of the following roles:

  • Cluster administrator
  • An administrator of the management namespace on the remote physical location

When do you need to complete this task?

Complete this task if you want to export IBM Software Hub audit records to the cluster.

  • If you have multiple instances of IBM Software Hub, you must complete this task for each instance of IBM Software Hub from which you want to export your audit records.
  • If you have multiple remote physical locations, you must complete this task for each remote physical location from which you want to export audit records.
    Best practice: Use the same configuration for exporting audit records from the primary instance of IBM Software Hub and from any remote physical locations associated with the primary instance of IBM Software Hub.

Before you begin

Best practice: You can run many of the commands in this task exactly as written if you set up environment variables for your installation. For instructions, see Setting up installation environment variables.

Ensure that you source the environment variables before you run the commands in this task.

About this task

Important: This method is not recommended for long-term record management. Use it instead to validate that all of the records generated by the Audit Logging Service are being sent to your SIEM system, by comparing what the service writes to the zen-audit pod stdout with what your SIEM receives.

Update the zen-audit-secret secret

On the cluster from which you want to export audit records:

  1. Create a file called local-fluent.conf:
    cat << EOF > ./local-fluent.conf
    <match records records.** syslog syslog.**>
        @type copy
        <store>
          @type stdout
        </store>
    </match>
    EOF
  2. Update the zen-audit-secret secret:
    Primary IBM Software Hub cluster
    oc patch secret zen-audit-secret \
    --namespace=${PROJECT_CPD_INST_OPERANDS} \
    --type=merge \
    --patch='{"data":{"fluent.conf":"'$(cat local-fluent.conf | base64 -w0)'"}}'

    Remote physical location
    oc patch secret zen-audit-secret \
    --namespace=${REMOTE_PROJECT_MANAGEMENT} \
    --type=merge \
    --patch='{"data":{"fluent.conf":"'$(cat local-fluent.conf | base64 -w0)'"}}'

    Note: The value of fluent.conf in the data section must be a single line of base64 text. The -w0 option that disables line wrapping is specific to GNU coreutils; if you run the command from macOS, replace base64 -w0 with base64 | tr -d '\n'. To confirm that the secret holds the configuration you intended, decode it after patching:
    oc get secret zen-audit-secret --namespace=${PROJECT_CPD_INST_OPERANDS} -o jsonpath='{.data.fluent\.conf}' | base64 --decode

  3. Delete all zen-audit pods so that they restart and pick up the updated secret:
    1. Get the list of zen-audit pods in the project where IBM Software Hub is installed (on a remote physical location, use ${REMOTE_PROJECT_MANAGEMENT} instead):
      oc get pods --namespace=${PROJECT_CPD_INST_OPERANDS} | grep zen-audit
    2. Delete the zen-audit pods.
      Tip: If there are multiple zen-audit pods, delete them one at a time and wait for the replacement pod to reach the Running state before you delete the next one, so that at least one zen-audit pod is available while the others restart.
      oc delete pods zen-audit-xxxxxx-xxx --namespace=${PROJECT_CPD_INST_OPERANDS}

      Replace zen-audit-xxxxxx-xxx with the pod name returned by the oc get pods command.
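The three steps above, wrapped in a shell script as an added example. This is not code from the IBM Software Hub documentation; it assumes PROJECT_CPD_INST_OPERANDS is set as described in Before you begin (set NS to ${REMOTE_PROJECT_MANAGEMENT} for a remote physical location), identifies zen-audit pods by name prefix exactly as the procedure does, and uses a portable base64 encoding so that the same script works from Linux and macOS. The patch body is built and decoded in separate functions so that the round trip can be checked before anything is applied to a cluster.

```shell
#!/usr/bin/env bash
# Added example, not part of the IBM Software Hub documentation. Wraps the
# procedure above (write fluent.conf, patch zen-audit-secret, restart the
# zen-audit pods one at a time) in functions that can be checked before
# anything is applied to a cluster.
#
# Assumptions: PROJECT_CPD_INST_OPERANDS is set (primary cluster). For a
# remote physical location run with NS="${REMOTE_PROJECT_MANAGEMENT}".
# The pod-restart loop identifies zen-audit pods by name prefix only, as the
# procedure above does; it does not rely on any label.
set -eu

NS="${NS:-${PROJECT_CPD_INST_OPERANDS:-}}"

# The Fluentd configuration from the procedure: copy every record to stdout.
fluent_conf() {
  cat <<'EOF'
<match records records.** syslog syslog.**>
  @type copy
  <store>
    @type stdout
  </store>
</match>
EOF
}

# Unwrapped base64 that works with both GNU coreutils and macOS
# (the macOS base64 has no -w option).
b64() { base64 | tr -d '\n'; }

# Build the JSON body for oc patch. Keeping the encoded value in a variable
# avoids the nested-quoting pitfalls of a single-line $(...) inside --patch.
build_patch() {
  local encoded
  encoded="$(fluent_conf | b64)"
  printf '{"data":{"fluent.conf":"%s"}}' "$encoded"
}

# Recover fluent.conf from a patch body, to confirm the round trip.
decode_patch() {
  sed -n 's/.*"fluent.conf":"\([^"]*\)".*/\1/p' | base64 --decode
}

apply_patch() {
  oc patch secret zen-audit-secret --namespace="$NS" --type=merge \
    --patch="$(build_patch)"
}

# What the cluster actually stores; compare with the output of fluent_conf.
show_stored_conf() {
  oc get secret zen-audit-secret --namespace="$NS" \
    -o jsonpath='{.data.fluent\.conf}' | base64 --decode
}

# Delete the zen-audit pods one at a time, waiting until every zen-audit pod
# is Running again before deleting the next, so one collector stays up.
restart_zen_audit_pods() {
  local pod
  for pod in $(oc get pods --namespace="$NS" -o name | grep zen-audit); do
    oc delete --namespace="$NS" "$pod"
    sleep 5   # give the replacement pod time to be scheduled
    until [ -z "$(oc get pods --namespace="$NS" --no-headers \
                  | grep zen-audit | grep -v Running)" ]; do
      sleep 5
    done
  done
}

# New audit events should now appear in the zen-audit pod stdout.
tail_zen_audit_logs() {
  local pod
  pod="$(oc get pods --namespace="$NS" -o name | grep zen-audit | head -n 1)"
  oc logs --namespace="$NS" "$pod" --tail=20
}

case "${1:-}" in
  apply) [ -n "$NS" ] || { echo "set PROJECT_CPD_INST_OPERANDS or NS" >&2; exit 1; }
         apply_patch; restart_zen_audit_pods; show_stored_conf; tail_zen_audit_logs ;;
  show)  show_stored_conf ;;
  *)     printf 'usage: %s apply|show (or source the file to use the functions)\n' "$0" >&2 ;;
esac
```

Run the script with apply to perform the whole procedure, or with show to print the fluent.conf currently stored in zen-audit-secret. Sourcing the file instead of executing it defines only the functions, so build_patch and decode_patch can be exercised on a workstation without cluster access.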

Results

After the changes are applied, new audit events from IBM Software Hub are sent to the zen-audit pod stdout logs.

What to do next

If you use the Identity Management Service, complete Enabling auditing for the Identity Management Service.