Exporting IBM Software Hub audit records to a security information and event management solution

You can configure IBM® Software Hub to forward audit records to a security information and event management (SIEM) solution, such as Splunk, Mezmo, QRadar, or Apache Kafka.

Overview

The Audit Logging Service is automatically installed when you install an instance of IBM Software Hub. However, you must enable and configure the Audit Logging Service if you want IBM Software Hub to collect and forward Cloud Auditing Data Federation (CADF) compliant audit records from the services that are associated with your IBM Software Hub deployment.

Tip: For details on the type of information that is included in the audit records, see Sample Cloud Pak for Data CADF Audit Records.

The Audit Logging Service is scoped to the project where the IBM Software Hub control plane is installed. If you install multiple instances of IBM Software Hub on the same cluster, each instance of the Audit Logging Service functions independently.

The CADF audit records for each instance are isolated from the other instances, and the records for each instance can be forwarded to different SIEM systems.

You can connect each instance of IBM Software Hub to one or more SIEM systems.

The Audit Logging Service uses Fluentd output plugins to forward and export audit records. When you enable the Audit Logging Service, you specify the external SIEM system that you want to forward the audit records to. The Audit Logging Service explicitly supports the following SIEM solutions:
  • Splunk
  • Mezmo
  • QRadar
  • Apache Kafka

You might be able to use another SIEM solution if it can receive records from a Fluentd output plugin. Two of the most commonly used plugins are the TCP/IP forward plugin (@type forward) and the rsyslog plugin (@type remote_syslog).

You can also optionally forward the records to the zen-audit pod stdout log. This configuration helps you confirm that all of the records are forwarded to your SIEM system; however, the stdout log is not recommended for long-term audit record management.
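One way to use the stdout copy for that confirmation is to reconcile the CADF record ids that the zen-audit pod printed against the ids that the SIEM ingested. The following script is an added example, not part of IBM Software Hub or this documentation; the stdout lines and SIEM id list are constructed sample data, and the record shape follows the generic CADF event fields rather than any Software Hub specific layout.

```python
import json
from collections import Counter

# Fields every CADF event carries (DMTF CADF); lines lacking them are
# treated as non-audit noise (for example Fluentd's own log lines).
REQUIRED = ("id", "typeURI", "eventType", "eventTime",
            "action", "outcome", "initiator", "target")


def parse_cadf(line):
    """Return the record id if the line is a well-formed CADF event, else None."""
    try:
        rec = json.loads(line)
    except ValueError:
        return None
    if not isinstance(rec, dict) or not all(k in rec for k in REQUIRED):
        return None
    return rec["id"]


def reconcile(stdout_lines, siem_ids):
    """Compare ids printed by the zen-audit pod with ids the SIEM received.

    missing    - emitted to stdout but never ingested by the SIEM
    duplicated - ingested more than once (retries or replays)
    unexpected - present in the SIEM with no matching stdout record
    malformed  - stdout lines that are not valid CADF events
    """
    emitted, malformed = [], 0
    for line in stdout_lines:
        rid = parse_cadf(line)
        if rid is None:
            malformed += 1
        else:
            emitted.append(rid)
    received = Counter(siem_ids)
    return {
        "missing": sorted(set(emitted) - set(received)),
        "duplicated": sorted(i for i, n in received.items() if n > 1),
        "unexpected": sorted(set(received) - set(emitted)),
        "malformed": malformed,
    }


def _cadf(rid, action, outcome, user):
    # Constructed sample record; values are illustrative, not real output.
    return json.dumps({"id": rid, "eventType": "activity", "action": action,
                       "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event",
                       "eventTime": "2024-05-01T10:00:00Z", "outcome": outcome,
                       "initiator": {"name": user}, "target": {"id": "zen-user-mgmt"}})


STDOUT_LINES = [_cadf("evt-0001", "login", "success", "alice"),
                _cadf("evt-0002", "create", "success", "alice"),
                _cadf("evt-0003", "delete", "failure", "bob"),
                "fluentd: flushing buffer"]          # constructed non-audit line
SIEM_IDS = ["evt-0001", "evt-0002", "evt-0002"]      # evt-0003 never arrived

if __name__ == "__main__":
    print(json.dumps(reconcile(STDOUT_LINES, SIEM_IDS), indent=2))
```

A non-empty "missing" list after the SIEM's ingestion delay is the signal to inspect the Fluentd buffer and the SIEM connection before relying on the exported records.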

Support for audit logging in services

Audit logging is not supported by all components and services. For more information, see Services that support audit logging.

For information about the audit events that components and services generate, see Audit events.

Connecting to supported SIEM solutions

The configuration information for your SIEM is stored in a secret named zen-audit-secret.

Follow the appropriate steps to connect to your SIEM system:

Remember: You can connect each instance of IBM Software Hub to one or more SIEM systems. If you connect to multiple SIEM systems, you must use the same method to connect to each SIEM system.