Audit logging in IBM Cloud Private

The audit logging feature in IBM Cloud Private collects the audit logs that platform services and the Kubernetes API server generate and forwards them to Elasticsearch or to a Security Information and Event Management (SIEM) system.

There are two types of audit logs:

Audit log format

Audit data that is generated within platform services conforms to the Cloud Auditing Data Federation (CADF) standard; each CADF event is logged in JSON format. Audit data that is generated by the Kubernetes API server uses the Kubernetes "AdvancedAuditing" feature and is also in JSON format.

Location of audit logs

The audit data that is generated within each service is first sent to the systemd journal on the node where the service is running. The audit data that is generated by the Kubernetes API server is saved to /var/log/k8saudit/audit.log on the node. A fluentd daemonset is deployed as part of audit logging. On each node, fluentd retrieves the audit data from the systemd journal and from the Kubernetes audit log and sends it to Elasticsearch or SIEM. The Elasticsearch or SIEM service that receives the audit data is the same service that is deployed for collecting application logs; a separate bucket (for example, an Elasticsearch index) is created in it for audit data, so audit records are kept apart from application logs.

Enabling and disabling audit logging for IBM Cloud Private services

Complete the following steps to enable or disable audit logging.

  1. From the navigation menu, click Configuration > ConfigMap.
  2. Search for the ConfigMap of the service for which you want to enable or disable audit logging. Click Edit.
  3. Set the key related to auditing to true or false to enable or disable audit logging for that service. Click Submit.
  4. Remove all the pods that belong to the service. The pods are re-created with auditing enabled or disabled. You can view services in the following locations:

    • From the navigation menu, click Workload > DaemonSets.
    • From the navigation menu, click Workload > Deployments.

    For more information, see Table 1. IBM Cloud Private services and the ConfigMaps where the audit-related keys are set.

Viewing audit data on Kibana dashboards

Access to audit data in Elasticsearch or SIEM is provided through Kibana. Only users that are assigned the Auditor role or cluster administrator role can view the audit data. Further restrictions based on the namespaces are also applicable. Users assigned the Auditor role or cluster administrator role can only view audit data that belongs to the namespaces to which they have access. For detailed information about audit data access, see IBM Cloud Private logging.
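As an added illustration (not part of IBM's documentation or product code) of the two record shapes described above and of the namespace-scoped view an Auditor gets, the following script normalizes a constructed CADF event and two constructed Kubernetes API server audit events onto common fields and then filters them by allowed namespace. It assumes that platform-service CADF records, which carry no namespace in the CADF core schema, are treated as cluster-scoped; that assumption is not stated on this page.

```python
import json

CADF_EVENT = "http://schemas.dmtf.org/cloud/audit/1.0/event"

# Constructed sample lines (values made up; shapes follow CADF and audit.k8s.io).
SAMPLE_LINES = [
    # Platform-service event (CADF) as it would arrive from the systemd journal.
    json.dumps({"typeURI": CADF_EVENT, "eventType": "activity", "id": "cadf-0001",
                "eventTime": "2019-05-01T10:00:00Z", "action": "create", "outcome": "success",
                "initiator": {"id": "u-1", "name": "alice"}, "target": {"id": "t-1", "name": "dev-team"},
                "observer": {"id": "platform-auth-service"}}),
    # Kubernetes API server events as written to /var/log/k8saudit/audit.log.
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "k8s-0001",
                "stage": "ResponseComplete", "verb": "delete", "user": {"username": "bob"},
                "objectRef": {"resource": "pods", "namespace": "dev", "name": "web-0"},
                "responseStatus": {"code": 200}, "stageTimestamp": "2019-05-01T10:01:00Z"}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "k8s-0002",
                "stage": "ResponseComplete", "verb": "get", "user": {"username": "bob"},
                "objectRef": {"resource": "secrets", "namespace": "prod", "name": "db"},
                "responseStatus": {"code": 403}, "stageTimestamp": "2019-05-01T10:02:00Z"}),
]


def normalize(line):
    """Map one raw audit line (either shape) onto a common set of fields."""
    ev = json.loads(line)
    if ev.get("typeURI") == CADF_EVENT:
        # CADF core has no namespace field; platform-service records are treated
        # as cluster-scoped here (an assumption, not something the docs state).
        return {"source": "cadf", "id": ev["id"], "time": ev["eventTime"],
                "user": ev.get("initiator", {}).get("name"), "action": ev["action"],
                "outcome": ev["outcome"], "namespace": None}
    if str(ev.get("apiVersion", "")).startswith("audit.k8s.io/"):
        code = ev.get("responseStatus", {}).get("code", 0)
        return {"source": "k8s", "id": ev["auditID"], "time": ev["stageTimestamp"],
                "user": ev.get("user", {}).get("username"), "action": ev["verb"],
                "outcome": "success" if code < 400 else "failure",
                "namespace": ev.get("objectRef", {}).get("namespace")}
    raise ValueError("unrecognised audit record: %s" % line[:40])


def visible_records(lines, allowed=None):
    """Namespace-scoped view: allowed=None models a cluster administrator (sees
    everything); an Auditor passes the set of namespaces they may access."""
    recs = [normalize(l) for l in lines]
    return [r for r in recs if allowed is None or r["namespace"] in allowed]
```

With this assumption, an Auditor scoped to the dev namespace sees only the successful pod deletion, while the denied read of a prod secret and the platform-service event are visible only to a cluster administrator.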

For information about enabling Kubernetes auditing, see Generating Kubernetes Audit Logs.