Configuring your cluster to forward audit logs

You can enable audit logging for individual services to forward your audit logs to SIEM.

For more information about generating audit logs, see Configuring your cluster to generate various audit logs.

Enabling and disabling forwarding for audit logging

By default, forwarding is disabled. Each plug-in has a separate ConfigMap. For more information about audit logging ConfigMaps, see the following table:

Enable and disable forwarding for audit logging from the console with following steps:

1. Log in to your cluster.

2. From the Red Hat® OpenShift® Container Platform console, click Workloads > ConfigMap.

3. Select the audit-logging-fluentd-ds-config ConfigMap.

4. Click the Options icon () icon and click Edit.

5. Enable forwarding for audit logging by setting the ENABLE_AUDIT_LOGGING_FORWARDING parameter value to true.

6. Disable forwarding for audit logging by setting the ENABLE_AUDIT_LOGGING_FORWARDING parameter value to false. If you disable forwarding, ignore step 7.

7. Forward your audit logs to SIEM.

   Note: There is one input plug-in configuration file and multiple output plug-in configuration files in your ConfigMap. Be sure to use only one output plug-in at a time.

   • Edit the audit-logging-fluentd-ds-config file to forward audit logs to IBM QRadar with SIEM by uncommenting @include /fluentd/etc/remoteSyslog.conf. You must keep other output plug-ins commented.

     • Edit the audit-logging-fluentd-ds-remote-syslog-config and add the following information for IBM QRadar with SIEM: IBM QRadar server host name, port number, and log identifier. For more information about updating the audit-logging-fluentd-ds and audit-logging-fluentd-ds-remote-syslog-config files, see Configuring your cluster to send audit logs over TLS to IBM QRadar.

   • Edit the audit-logging-fluentd-ds-config file to forward to Splunk by uncommenting @include /fluentd/etc/splunkHEC.conf. You must keep other output plug-ins commented.

     • Edit the audit-logging-fluentd-ds-splunk-hec-config and add the following information for Splunk: Splunk server host name, port number, and HEC token. For more information about updating the audit-logging-fluentd-ds and audit-logging-fluentd-ds-splunk-hec-config files, see Integrating your cluster with Splunk.

8. Click Submit

9. Remove all pods of the audit-logging-fluentd-ds daemonset. Your pods are re-created automatically.

   • Remove the pods from the console:

     1. Log in to your cluster.
     2. From the Red Hat OpenShift Container Platform console, click Workloads > DaemonSets.
     3. Locate and click the audit-logging-fluentd-ds daemonset.
     4. From the Pods section, delete each pod by clicking the Options icon ().
     5. Click Remove.

   • Remove the pods with the Kubernetes CLI by running the following command:

      kubectl get pod -n ibm-common-services -o wide | grep audit-logging-fluentd-ds- | awk '{print $1}' | xargs kubectl delete pod -n ibm-common-services
     

Note: Fluentd has an input plug-in that reads audit logs from journald. The plug-in is included in the audit-logging-fluentd-ds-source-config ConfigMap file.

The default path of journald is /run/log/journal. You can set a different path during cluster installation. For example, /var/log/journal. If you change the default journald path, you must update the path in following files:

• Update path in the audit-logging-fluentd-ds-source-config configmap file.

  1. From the Red Hat OpenShift Container Platform console, click Workloads > ConfigMap.
  2. Select the audit-logging-fluentd-ds-source-config configmap.
  3. Click the Options icon () and click Edit.
  4. Ensure path value for tag icp-audit is the journald path that you set during installation. For example, /var/log/journal or any other path that you set for journald.
  5. Click Submit.

• Update the journald path in the auditLogging spec of the OperandConfig API file.