Chapter 14. Configuring audit logging
Red Hat Advanced Cluster Security for Kubernetes provides audit logging features that you can use to check all the changes made in Red Hat Advanced Cluster Security for Kubernetes. The audit log captures all the PUT and POST events, which are modifications to Red Hat Advanced Cluster Security for Kubernetes. Use this information to troubleshoot a problem or to keep a record of important events, such as changes to roles and permissions. With audit logging you get a complete picture of all normal and abnormal events that happened on Red Hat Advanced Cluster Security for Kubernetes.
Audit logging is not enabled by default. You must enable audit logging manually.
Currently there is no message delivery guarantee for audit log messages.
14.1. Enabling audit logging
When you enable audit logging, every time there is a modification, Red Hat Advanced Cluster Security for Kubernetes sends an HTTP POST message (in JSON format) to the configured system.
Prerequisites
- Configure Splunk or another webhook receiver to handle Red Hat Advanced Cluster Security for Kubernetes log messages.
- You must have write permission enabled on the Notifiers resource for your role.
Procedure
- On the RHACS portal, navigate to Platform Configuration → Integrations.
- Scroll down to the Notifier Integrations section and select Generic Webhook or Splunk.
- Fill in the required information and turn on the Enable Audit Logging toggle.
14.2. Sample audit log message
The log message has the following format:
```json
{
  "headers": {
    "Accept-Encoding": ["gzip"],
    "Content-Length": ["586"],
    "Content-Type": ["application/json"],
    "User-Agent": ["Go-http-client/1.1"]
  },
  "data": {
    "audit": {
      "interaction": "CREATE",
      "method": "UI",
      "request": {
        "endpoint": "/v1/notifiers",
        "method": "POST",
        "payload": {
          "@type": "storage.Notifier",
          "enabled": true,
          "generic": {
            "auditLoggingEnabled": true,
            "endpoint": "http://samplewebhookserver.com:8080"
          },
          "id": "b53232ee-b13e-47e0-b077-1e383c84aa07",
          "name": "Webhook",
          "type": "generic",
          "uiEndpoint": "https://localhost:8000"
        }
      },
      "status": "REQUEST_SUCCEEDED",
      "time": "2019-05-28T16:07:05.500171300Z",
      "user": {
        "friendlyName": "John Doe",
        "role": {
          "globalAccess": "READ_WRITE_ACCESS",
          "name": "Admin"
        },
        "username": "john.doe@example.com"
      }
    }
  }
}
```
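A minimal generic-webhook receiver for messages in this format, added here as an example and not part of the RHACS product or this documentation: it parses the data.audit object, flags failed requests and changes to a small set of sensitive endpoints, and acknowledges each POST. The SENSITIVE_ENDPOINTS list and the trimmed SAMPLE message are assumptions constructed for illustration.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Endpoints whose modification deserves an alert. Assumed list for illustration:
# only /v1/notifiers appears in the page's sample; adjust it for your deployment.
SENSITIVE_ENDPOINTS = ("/v1/notifiers", "/v1/roles", "/v1/authProviders")

def parse_audit(body: bytes) -> dict:
    """Flatten the data.audit object of one RHACS audit message into a summary."""
    audit = json.loads(body)["data"]["audit"]
    return {
        "interaction": audit["interaction"],
        "endpoint": audit["request"]["endpoint"],
        "status": audit["status"],
        "time": audit["time"],
        "user": audit["user"]["username"],
        "role": audit["user"]["role"]["name"],
    }

def classify(event: dict) -> str:
    """'alert' for failed requests or changes to sensitive endpoints, else 'info'."""
    if event["status"] != "REQUEST_SUCCEEDED":
        return "alert"
    if event["endpoint"].startswith(SENSITIVE_ENDPOINTS):
        return "alert"
    return "info"

class AuditHandler(BaseHTTPRequestHandler):
    """Generic-webhook receiver: parse each POST, log a one-line summary, ack with 200."""
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        try:
            event = parse_audit(self.rfile.read(length))
        except (KeyError, ValueError):
            self.send_response(400)  # malformed or non-audit body
            self.end_headers()
            return
        print(classify(event).upper(), json.dumps(event))
        self.send_response(200)
        self.end_headers()

# Constructed sample mirroring the page's message, trimmed to data.audit.
SAMPLE = json.dumps({"data": {"audit": {
    "interaction": "CREATE", "method": "UI",
    "request": {"endpoint": "/v1/notifiers", "method": "POST", "payload": {}},
    "status": "REQUEST_SUCCEEDED", "time": "2019-05-28T16:07:05.500171300Z",
    "user": {"friendlyName": "John Doe", "username": "john.doe@example.com",
             "role": {"globalAccess": "READ_WRITE_ACCESS", "name": "Admin"}}}}}).encode()

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), AuditHandler).serve_forever()
```

Point the Generic Webhook integration's endpoint at this listener (plain HTTP here; put TLS in front of it for anything beyond a local test), and remember that the page states no delivery guarantee for these messages, so treat the receiver as a record, not a control.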