You can enable audit logging for individual services to forward your audit logs to SIEM.
For more information about generating audit logs, see Configuring your cluster to generate various audit logs.
By default, forwarding is disabled. Each plug-in has a separate ConfigMap. For more information about audit logging ConfigMaps, see the following table:
| ConfigMap | Description |
|---|---|
| audit-logging-fluentd-ds-config | This ConfigMap is the primary ConfigMap for audit logging. Source plug-ins and output plug-ins are imported to this ConfigMap. |
| audit-logging-fluentd-ds-source-config | Source plug-in ConfigMap |
| audit-logging-fluentd-ds-remote-syslog-config | IBM QRadar output plug-in ConfigMap |
| audit-logging-fluentd-ds-splunk-hec-config | Splunk output ConfigMap |
Enable and disable forwarding for audit logging from the console with the following steps:

1. Log in to your cluster.
2. From the Red Hat® OpenShift® Container Platform console, click Workloads > ConfigMap.
3. Select the audit-logging-fluentd-ds-config ConfigMap.
4. Click the Options icon and click Edit.
5. Enable forwarding for audit logging by setting the ENABLE_AUDIT_LOGGING_FORWARDING parameter value to true.
6. Disable forwarding for audit logging by setting the ENABLE_AUDIT_LOGGING_FORWARDING parameter value to false. If you disable forwarding, ignore step 7.
7. Forward your audit logs to SIEM.
   Note: There is one input plug-in configuration file and multiple output plug-in configuration files in your ConfigMap. Be sure to use only one output plug-in at a time.
   - To forward audit logs to IBM QRadar with SIEM:
     1. Edit the audit-logging-fluentd-ds-config file by uncommenting @include /fluentd/etc/remoteSyslog.conf. You must keep the other output plug-ins commented.
     2. Edit the audit-logging-fluentd-ds-remote-syslog-config file and add the following information for IBM QRadar with SIEM: the IBM QRadar server host name, port number, and log identifier. For more information about updating the audit-logging-fluentd-ds and audit-logging-fluentd-ds-remote-syslog-config files, see Configuring your cluster to send audit logs over TLS to IBM QRadar.
   - To forward audit logs to Splunk:
     1. Edit the audit-logging-fluentd-ds-config file by uncommenting @include /fluentd/etc/splunkHEC.conf. You must keep the other output plug-ins commented.
     2. Edit the audit-logging-fluentd-ds-splunk-hec-config file and add the following information for Splunk: the Splunk server host name, port number, and HEC token. For more information about updating the audit-logging-fluentd-ds and audit-logging-fluentd-ds-splunk-hec-config files, see Integrating your cluster with Splunk.
   Click Submit.
8. Remove all pods of the audit-logging-fluentd-ds daemonset. Your pods are re-created automatically.
   - Remove the pods of the audit-logging-fluentd-ds daemonset from the console.
   - Remove the pods with the Kubernetes CLI by running the following command:

     ```
     kubectl get pod -n ibm-common-services -o wide | grep audit-logging-fluentd-ds- | awk '{print $1}' | xargs kubectl delete pod -n ibm-common-services
     ```
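Before you delete the pods, it is worth confirming that the edited ConfigMap actually satisfies the rule above (forwarding enabled, and exactly one output plug-in @include uncommented). The following Python check is an added example, not part of the product or of this page; it takes the ENABLE_AUDIT_LOGGING_FORWARDING value and the main Fluentd configuration text as you would read them out of the audit-logging-fluentd-ds-config ConfigMap, and the configuration it runs on is a constructed sample.

```python
"""Added pre-flight check for the audit-logging-fluentd-ds-config ConfigMap.

Given the ENABLE_AUDIT_LOGGING_FORWARDING value and the main Fluentd
configuration text, report whether exactly one output plug-in is active.
"""
import re

# Output plug-in includes named in the procedure; labels are for reporting.
OUTPUT_INCLUDES = {
    "/fluentd/etc/remoteSyslog.conf": "IBM QRadar (remote syslog)",
    "/fluentd/etc/splunkHEC.conf": "Splunk (HEC)",
}

# A Fluentd @include line, optionally commented out with a leading '#'.
INCLUDE_RE = re.compile(r"^\s*(#\s*)?@include\s+(\S+)\s*$")


def active_outputs(conf_text):
    """Return labels of the output includes that are not commented out."""
    active = []
    for line in conf_text.splitlines():
        m = INCLUDE_RE.match(line)
        if not m or m.group(1):  # not an @include, or commented out
            continue
        label = OUTPUT_INCLUDES.get(m.group(2))
        if label:
            active.append(label)
    return active


def check_forwarding(enable_flag, conf_text):
    """Return (ok, message) for the flag value and the main Fluentd config."""
    active = active_outputs(conf_text)
    if enable_flag.strip().lower() != "true":
        return True, "forwarding disabled; output plug-ins are not used"
    if not active:
        return False, "forwarding enabled but every output @include is commented"
    if len(active) > 1:
        return False, "more than one output plug-in active: " + ", ".join(active)
    return True, "forwarding to " + active[0]


# Constructed sample (not the product's shipped file): only QRadar uncommented.
SAMPLE_CONF = """\
@include /fluentd/etc/remoteSyslog.conf
# @include /fluentd/etc/splunkHEC.conf
"""

if __name__ == "__main__":
    print(check_forwarding("true", SAMPLE_CONF))
```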
Note: Fluentd has an input plug-in that reads audit logs from journald. The plug-in is included in the audit-logging-fluentd-ds-source-config ConfigMap file.
The default path of journald is /run/log/journal. You can set a different path during cluster installation, for example /var/log/journal. If you change the default journald path, you must update the path in the following files:

1. Update the path in the audit-logging-fluentd-ds-source-config ConfigMap file:
   1. Edit the audit-logging-fluentd-ds-source-config ConfigMap.
   2. Set the path value for the tag icp-audit to the journald path that you set during installation, for example /var/log/journal or any other path that you set for journald.
   3. Click Submit.
2. Update the journald path in the auditLogging spec of the OperandConfig API file.