Audit logging in IBM Cloud Private
The audit logging feature in IBM Cloud Private provides the capability to collect audit logs generated by various platform services and the Kubernetes API server and send them to Elasticsearch or Security information and event management (SIEM).
There are two types of audit logs:
- Audit logs that are generated by Kubernetes API server
- Audit logs that are generated by platform services
Audit log format
Audit data that is generated within platform services conforms to the Cloud Auditing Data Federation (CADF) standard. The CADF event is logged in JSON format. Audit data that is generated by the Kubernetes API server uses the "AdvancedAuditing" feature and is in JSON format as well.
Location of audit logs
The audit data that is generated within each service is first sent to the systemd journal on the node where the service is running. The audit data that is generated by the Kubernetes API server is saved to /var/log/k8saudit/audit.log on the node. A fluentd daemonset is deployed as part of audit logging. On each node, fluentd retrieves the audit data from the systemd journal log and also from the Kubernetes audit log and sends the data to Elasticsearch or SIEM. The Elasticsearch or SIEM service that receives the audit data is the same service that is deployed for collecting application logs. A separate bucket, such as an index, is created in Elasticsearch or SIEM for audit data.
Enabling and disabling audit logging for IBM Cloud Private services
Complete the following steps to enable or disable audit logging.
- From the navigation menu, click Configuration > ConfigMap.
- Search for the ConfigMap of the service for which you want to enable logging. Click Edit.
- Set the key related to auditing to true or false to enable or disable audit logging for that service. Click Submit.
- Remove all the pods that belong to the service. The pods are re-created with auditing enabled or disabled. You can view services in the following locations:
- From the navigation menu, click Workload > DaemonSets.
- From the navigation menu, click Workload > Deployments.
For more information, see Table 1. IBM Cloud Private services and the ConfigMaps where the audit-related keys are set.
Viewing audit data on Kibana dashboards
Access to audit data in Elasticsearch or SIEM is provided through Kibana. Only users that are assigned the Auditor role or cluster administrator role can view the audit data. Further restrictions based on the namespaces are also applicable. Users assigned the Auditor role or cluster administrator role can only view audit data that belongs to the namespaces to which they have access. For detailed information about audit data access, see IBM Cloud Private logging.
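The following added example (not IBM's code) shows what the two record formats described above look like once fluentd has forwarded them, normalizes a Kubernetes AdvancedAuditing event and a CADF event onto one schema, and applies the namespace restriction described for the Auditor role. The sample records are constructed; the "namespace" attribute on the CADF target and the rule that cluster-scoped events (no namespace) are visible only to a cluster administrator are assumptions, not something the product documents.

```python
import json

# Constructed sample records of the two kinds fluentd forwards: Kubernetes
# AdvancedAuditing events (audit.log) and a CADF event (systemd journal).
SAMPLE_LINES = [
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "delete",
                "stage": "ResponseComplete", "user": {"username": "alice"},
                "objectRef": {"resource": "secrets", "namespace": "team-a", "name": "db-creds"},
                "responseStatus": {"code": 200},
                "requestReceivedTimestamp": "2019-03-01T10:00:00.000000Z"}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
                "stage": "ResponseComplete", "user": {"username": "bob"},
                "objectRef": {"resource": "clusterrolebindings", "name": "bob-admin"},
                "responseStatus": {"code": 403},
                "requestReceivedTimestamp": "2019-03-01T10:01:00.000000Z"}),
    json.dumps({"typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event",
                "eventType": "activity", "eventTime": "2019-03-01T10:02:00.000+00:00",
                "action": "read", "outcome": "success",
                "initiator": {"typeURI": "service/security/account/user", "name": "carol"},
                # "namespace" on the target is an assumed attribute, not part of CADF itself
                "target": {"typeURI": "data/security/secret", "name": "api-key", "namespace": "team-b"}}),
]

def normalize(line):
    """Map either event format onto one record: who, which action, which target, where, outcome."""
    ev = json.loads(line)
    if ev.get("apiVersion", "").startswith("audit.k8s.io/"):
        ref = ev.get("objectRef", {})
        code = ev.get("responseStatus", {}).get("code", 0)
        return {"source": "kubernetes", "user": ev["user"]["username"], "action": ev["verb"],
                "target": f"{ref.get('resource')}/{ref.get('name')}", "namespace": ref.get("namespace"),
                "outcome": "success" if code < 400 else "failure", "time": ev["requestReceivedTimestamp"]}
    if ev.get("typeURI", "").endswith("/audit/1.0/event"):
        return {"source": "cadf", "user": ev["initiator"]["name"], "action": ev["action"],
                "target": ev["target"]["name"], "namespace": ev["target"].get("namespace"),
                "outcome": ev["outcome"], "time": ev["eventTime"]}
    raise ValueError("unrecognised audit record")

def visible_events(lines, allowed_namespaces, cluster_admin=False):
    """Namespace restriction for Auditors: keep only events in namespaces the viewer can
    access; events with no namespace (cluster-scoped) are assumed visible only to cluster admins."""
    out = []
    for rec in map(normalize, lines):
        if rec["namespace"] is None:
            if cluster_admin:
                out.append(rec)
        elif rec["namespace"] in allowed_namespaces:
            out.append(rec)
    return out
```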
For information about enabling Kubernetes auditing, see Generating Kubernetes Audit Logs.