Find out how to configure Event Endpoint Management to log audit data that enables administrators to monitor user activity and identify security breaches.
Event model
Event Endpoint Management uses the event model that is defined by the Cloud Auditing Data Federation (CADF) to record auditable events that arise from interaction with users and other systems. In this model, events are recorded against resources, which can be infrastructure components such as servers, applications or databases, or business entities, such as users, accounts and roles. In general terms, the CADF model creates audit records that follow a basic pattern:
- An observer resource records an action performed by an initiator resource against a target resource that results in a specific outcome.
In Event Endpoint Management, the observer is the Event Manager. The observer can record three types of events:
- Monitoring: Information about the status of a resource.
- Activity: Information about the change in a resource’s state or configuration.
- Control: Information about how policies or constraints apply to a resource’s operation.
The observer also attaches more contextual information to the event record, such as a timestamp, severity, and descriptive message.
Examples
The following audit events, logged by the Event Manager, show the event model in use:

- Creating a user shen with role viewer:

```json
{
  "id": "8deefc4d-c3a6-4802-a368-f553d559496d",
  "eventTime": "2024-06-10T09:11:25.217703389Z",
  "eventType": "ACTIVITY",
  "action": "UPDATE",
  "severity": "CRITICAL",
  "outcome": "SUCCESS",
  "initiator": {
    "id": "/opt/ibm/eim-backend/roles/user-mapping.json",
    "ip": "127.0.0.1",
    "type": "http://schemas.dmtf.org/cloud/audit/1.0/taxonomy/resource/data/file"
  },
  "observer": {
    "app": "ibm-event-endpoint-management",
    "class": "PlaintextJsonFileAuthorizationProvider"
  },
  "target": {
    "id": "role-mappings/shen",
    "type": "http://schemas.dmtf.org/cloud/audit/1.0/taxonomy/resource/storage/memory/cache"
  },
  "message": "shen created with roles viewer"
}
```

- User kevin updating a cluster:

```json
{
  "id": "53f316ee-a91b-4825-a429-befc5daf4d98",
  "eventTime": "2024-07-02T15:51:07.580379030Z",
  "eventType": "ACTIVITY",
  "action": "UPDATE",
  "severity": "NORMAL",
  "outcome": "SUCCESS",
  "initiator": {
    "id": "kevin",
    "ip": "10.89.0.58:60884",
    "type": "http://schemas.dmtf.org/cloud/audit/1.0/taxonomy/resource/data/file"
  },
  "observer": {
    "app": "ibm-event-endpoint-management",
    "class": "AuditHelpers"
  },
  "target": {
    "id": "eem/Cluster/6f77be05-dacc-481a-a995-36413ece43ee",
    "type": "http://schemas.dmtf.org/cloud/audit/1.0/taxonomy/resource/data/file"
  },
  "message": "Data accessed : Cluster"
}
```
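The two records above are the raw material an administrator reviews. The following script is an added example (not IBM's code) of the kind of first-pass triage a reviewer would run over SIMPLE-format audit output: it parses a stream of JSON records (one per line, or pretty-printed as shown above), and flags the ones that deserve attention first: outcomes other than SUCCESS, CRITICAL severity, and changes to role mappings (targets under `role-mappings/`). The first two sample records are the page's own examples compacted onto one line each; the third, for an initiator "dan" with outcome FAILURE, is constructed for this example and is not from the page. The triage rules themselves are this example's choices, not a product feature.

```python
"""Triage SIMPLE-format Event Endpoint Management audit records (added example)."""
import json
from collections import Counter

# Constructed sample input: the page's two records, plus one invented FAILURE
# record. In a real deployment this text would come from the audit file in the
# manager pod (default /var/log/audit/eem-audit.log) or from the pod logs.
SAMPLE_LOG = """\
{"id": "8deefc4d-c3a6-4802-a368-f553d559496d", "eventTime": "2024-06-10T09:11:25.217703389Z", "eventType": "ACTIVITY", "action": "UPDATE", "severity": "CRITICAL", "outcome": "SUCCESS", "initiator": {"id": "/opt/ibm/eim-backend/roles/user-mapping.json", "ip": "127.0.0.1", "type": "http://schemas.dmtf.org/cloud/audit/1.0/taxonomy/resource/data/file"}, "observer": {"app": "ibm-event-endpoint-management", "class": "PlaintextJsonFileAuthorizationProvider"}, "target": {"id": "role-mappings/shen", "type": "http://schemas.dmtf.org/cloud/audit/1.0/taxonomy/resource/storage/memory/cache"}, "message": "shen created with roles viewer"}
{"id": "53f316ee-a91b-4825-a429-befc5daf4d98", "eventTime": "2024-07-02T15:51:07.580379030Z", "eventType": "ACTIVITY", "action": "UPDATE", "severity": "NORMAL", "outcome": "SUCCESS", "initiator": {"id": "kevin", "ip": "10.89.0.58:60884", "type": "http://schemas.dmtf.org/cloud/audit/1.0/taxonomy/resource/data/file"}, "observer": {"app": "ibm-event-endpoint-management", "class": "AuditHelpers"}, "target": {"id": "eem/Cluster/6f77be05-dacc-481a-a995-36413ece43ee", "type": "http://schemas.dmtf.org/cloud/audit/1.0/taxonomy/resource/data/file"}, "message": "Data accessed : Cluster"}
{"id": "00000000-0000-4000-8000-000000000001", "eventTime": "2024-07-02T16:02:41.000000000Z", "eventType": "ACTIVITY", "action": "UPDATE", "severity": "NORMAL", "outcome": "FAILURE", "initiator": {"id": "dan", "ip": "10.89.0.77:51200", "type": "http://schemas.dmtf.org/cloud/audit/1.0/taxonomy/resource/data/file"}, "observer": {"app": "ibm-event-endpoint-management", "class": "AuditHelpers"}, "target": {"id": "eem/Cluster/6f77be05-dacc-481a-a995-36413ece43ee", "type": "http://schemas.dmtf.org/cloud/audit/1.0/taxonomy/resource/data/file"}, "message": "Data accessed : Cluster"}
"""


def parse_records(text):
    """Parse consecutive JSON objects from text, whether compact or pretty-printed.

    Unparseable input is recorded as {"parse_error": offset} rather than dropped:
    a broken record can mean a partial write at rotation time or tampering, and
    a reviewer wants to know it happened. Parsing resynchronises at the next
    line break.
    """
    decoder = json.JSONDecoder()
    records, pos = [], 0
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text):
            return records
        try:
            obj, pos = decoder.raw_decode(text, pos)
        except json.JSONDecodeError:
            records.append({"parse_error": pos})
            newline = text.find("\n", pos)
            if newline < 0:
                return records
            pos = newline + 1
            continue
        records.append(obj)


def flag_record(rec):
    """Return the reasons this record deserves attention (empty list = routine)."""
    if "parse_error" in rec:
        return ["unparseable input at offset %d" % rec["parse_error"]]
    reasons = []
    if rec.get("outcome") != "SUCCESS":
        reasons.append("outcome=%s" % rec.get("outcome"))
    if rec.get("severity") == "CRITICAL":
        reasons.append("severity=CRITICAL")
    # The role-mapping example above shows how authorisation changes are
    # recorded: the target id starts with "role-mappings/".
    if str(rec.get("target", {}).get("id", "")).startswith("role-mappings/"):
        reasons.append("role mapping changed")
    return reasons


def triage(text):
    """Flag noteworthy records and count activity per initiator."""
    flagged, per_initiator = [], Counter()
    for rec in parse_records(text):
        reasons = flag_record(rec)
        if "parse_error" not in rec:
            per_initiator[rec.get("initiator", {}).get("id", "?")] += 1
        if reasons:
            flagged.append((rec.get("id"), rec.get("eventTime"), reasons))
    return {"flagged": flagged, "per_initiator": dict(per_initiator)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for rec_id, when, reasons in result["flagged"]:
        print(when, rec_id, "; ".join(reasons))
    print("activity per initiator:", result["per_initiator"])
```

Run against the sample, the script flags the shen record (CRITICAL severity and a role-mapping change) and the constructed dan record (FAILURE outcome), and leaves kevin's routine cluster update unflagged while still counting it. The per-initiator counts are the starting point for spotting an account that is suddenly far more active than usual.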
Configuring audit logging
Event Endpoint Management can be configured to produce audit logging in one of three formats:
- CADF: The audit log output follows the full JSON format for logging defined by CADF.
- SIMPLE: A succinct version of the CADF format that contains only essential elements. The previous examples were produced by using this format.
- NONE: No audit logging is produced.
Event Endpoint Management can be configured to write audit logging to one of the following destinations:
- FILE: Audit logging is written to a file in the Event Endpoint Management manager pod. Maximum file size, rotation, and retention can be configured with environment variables.
- STDOUT: Audit logging is written to the Event Endpoint Management manager pod logs as an INFO-level log message.
Event Manager audit logging environment variables
The following environment variables can be used to control audit logging:
| Name | Possible values | Default | Notes |
|---|---|---|---|
| AUDIT_LOG_FORMAT | CADF, SIMPLE, NONE | SIMPLE | See Configuring audit logging |
| AUDIT_LOG_WRITER | FILE, STDOUT | FILE | See Configuring audit logging |
| AUDIT_LOG_DIRECTORY | string | /var/log/audit | |
| AUDIT_LOG_FILE | string | eem-audit.log | |
| AUDIT_LOG_FILE_WRITER_MAX_FILES | int | 5 | The maximum number of previous log files to be retained. |
| AUDIT_LOG_FILE_WRITER_MAX_FILE_MBYTES | int | 50 | The maximum size in MB of a log file before rotation to a new file. |
| AUDIT_LOG_WRITE_INTERVAL_SECONDS | int | 30 | The maximum interval in seconds before log entries are flushed to file. |
Environment variables can be set in the EventEndpointManagement custom resource as follows:
```yaml
spec:
  manager:
    template:
      pod:
        spec:
          containers:
            - name: manager
              env:
                - name: <variable_name>
                  value: <variable_value>
                - name: <variable_name>
                  value: <variable_value>
                ...
```
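Because a single env entry (AUDIT_LOG_FORMAT set to NONE, or a writer value that is not one of the documented ones) silently removes the audit trail, it is worth checking the manager container's `env` list before applying the custom resource. The following is an added example (not IBM's code) that takes that `env` list as a Python list of `{"name": ..., "value": ...}` entries, which is what a YAML loader produces for the snippet above, merges it over the defaults from the table, and reports settings that disable or weaken audit logging. The variable names, allowed values and defaults are the ones from the table; the two thresholds (minimum retained history, maximum flush interval) are assumptions chosen for this example.

```python
"""Check EventEndpointManagement manager env entries for audit-logging pitfalls (added example)."""

# Allowed values and defaults as given in the environment variable table above.
ALLOWED = {
    "AUDIT_LOG_FORMAT": {"CADF", "SIMPLE", "NONE"},
    "AUDIT_LOG_WRITER": {"FILE", "STDOUT"},
}
DEFAULTS = {
    "AUDIT_LOG_FORMAT": "SIMPLE",
    "AUDIT_LOG_WRITER": "FILE",
    "AUDIT_LOG_DIRECTORY": "/var/log/audit",
    "AUDIT_LOG_FILE": "eem-audit.log",
    "AUDIT_LOG_FILE_WRITER_MAX_FILES": "5",
    "AUDIT_LOG_FILE_WRITER_MAX_FILE_MBYTES": "50",
    "AUDIT_LOG_WRITE_INTERVAL_SECONDS": "30",
}

# Thresholds are assumptions for this example, not product recommendations.
MIN_RETAINED_MB = 100      # files * MB per file kept on the pod
MAX_FLUSH_SECONDS = 60     # records buffered in memory before reaching the file


def effective_settings(env):
    """Merge the CR's env entries over the documented defaults."""
    settings = dict(DEFAULTS)
    for entry in env:
        # Entries that use valueFrom (secret/configmap refs) carry no literal
        # value here; they are left at the default and should be checked by hand.
        if entry.get("value") is not None:
            settings[entry["name"]] = str(entry["value"])
    return settings


def audit_findings(env):
    """Return a list of human-readable findings; an empty list means no concerns."""
    findings = []
    s = effective_settings(env)

    for name, allowed in ALLOWED.items():
        if s[name] not in allowed:
            findings.append("%s=%r is not one of %s" % (name, s[name], sorted(allowed)))

    if s["AUDIT_LOG_FORMAT"] == "NONE":
        findings.append("audit logging is disabled (AUDIT_LOG_FORMAT=NONE)")

    if s["AUDIT_LOG_WRITER"] == "FILE":
        # Rotation and flush settings only matter for the FILE writer; the
        # STDOUT writer hands records to the pod log pipeline instead.
        try:
            files = int(s["AUDIT_LOG_FILE_WRITER_MAX_FILES"])
            mbytes = int(s["AUDIT_LOG_FILE_WRITER_MAX_FILE_MBYTES"])
            interval = int(s["AUDIT_LOG_WRITE_INTERVAL_SECONDS"])
        except ValueError:
            findings.append("file rotation and flush settings must be integers")
        else:
            if files * mbytes < MIN_RETAINED_MB:
                findings.append("only %d MB of audit history retained on the pod" % (files * mbytes))
            if interval > MAX_FLUSH_SECONDS:
                findings.append("up to %d seconds of audit records buffered before being flushed" % interval)
    return findings


if __name__ == "__main__":
    # Constructed env list in the shape of the CR snippet above.
    example_env = [
        {"name": "AUDIT_LOG_FORMAT", "value": "NONE"},
        {"name": "AUDIT_LOG_FILE_WRITER_MAX_FILES", "value": "1"},
    ]
    for finding in audit_findings(example_env) or ["no findings"]:
        print(finding)
```

With the defaults alone the check returns no findings; the constructed example in the `__main__` block reports both that audit logging is disabled and that only 50 MB of history would be retained. Note that the FILE writer keeps the audit file inside the manager pod, so whichever writer is chosen, confirm the records are actually collected off the pod.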
Event Gateway audit logging environment variables
Refer to the gateway properties reference for full details of the gateway audit logging properties.
Operator-managed gateway
Audit logging properties are configured as environment variables in the Event Gateway custom resource. Refer to the Event Gateway properties reference.
Kubernetes Deployment gateway
Specify the audit logging format and writer in the Event Gateway ConfigMap properties: audit.log.format and audit.log.writer.
Specify all other audit logging properties as environment variables in the Event Gateway Kubernetes Deployment.
Docker gateway
Specify audit logging properties as arguments in the docker run command.