Set up an audit log webhook for Dev Portal
You can use the Konnect UI or the Audit Logs and Portal Management APIs to configure webhooks for audit logging.
Webhooks are triggered via an HTTPS request using the following retry rules:
- Minimum retry wait time: 1 second
- Maximum retry wait time: 30 seconds
- Maximum number of retries: 4
A retry is performed on a connection error, server error (500
HTTP status code), or too many requests (429
HTTP status code).
Note: Currently, Dev Portal audit logs only support authentication logs, which are triggered when a user logs in to Dev Portal.
Prerequisites
Before you can push audit logs to your SIEM provider, configure the service to receive logs.
This configuration is specific to your vendor.
-
In your log collection service, configure an HTTPS data collection endpoint you can send CEF or raw JSON data logs to. Konnect supports any HTTP authorization header type. Save the endpoint URL, this will be used later in Konnect.
-
Create and save an access key from your SIEM provider.
-
Configure your network’s firewall settings to allow traffic through the 8071
TCP or UDP port that Konnect uses for audit logging.
See the Konnect ports and network requirements.
Create a webhook
Before you configure the webhook, you must first create an audit log destination. This allows you to set your audit log destination (the endpoint URL for your SIEM provider) and reuse it.
- From Organization in the sidebar, click Audit Logs Setup.
- On the Webhook Destination tab, click New Webhook and configure the following:
-
Name: The name you want to display for the audit log destination.
-
Endpoint: The external endpoint that will receive audit log messages.
-
Authorization Header: The authorization type and credential to pass to your log collection endpoint.
Konnect will send this string in the Authorization
header of requests to that endpoint.
For example, if you are setting up the webhook for Splunk, you could provide a Splunk access token:
"authorization":"Splunk example-token12234352535235"
.
-
Log Format: The output format of each log message. Can be CEF or JSON.
-
Disable SSL Verification: Disables SSL verification of the host endpoint when delivering payloads. We recommend disabling SSL verification only when using self-signed SSL certificates in a non-production environment as this can subject you to man-in-the-middle and other attacks.
-
To configure the Dev Portal audit log webhook, navigate to Dev Portal in the sidebar.
You can alternatively configure these settings by navigating to Organization > Audit Logs Setup under the Dev Portal tab.
- Click the Dev Portal you want to configure the webhook for and then click Settings.
- Click the Audit Logs tab.
- Enable the webhook and then select the SIEM provider endpoint from the Endpoint drop down menu. You can’t customize the events that Konnect sends to the logs.
- Click Save.
Now that you have an external endpoint and authorization credentials, you can set up an audit log destination in Konnect. The /audit_log_destinations
endpoint allows you to set your audit log destination, which includes the endpoint URL and access key for your SIEM provider, and reuse it.
-
Create an audit log destination by sending a request to the /audit-log-destinations
endpoint with the connection details for your SIEM provider:
curl -i -X POST https://global.api.konghq.com/v2/audit-log-destinations \
--header "Content-Type: application/json" \
--header "Authorization: Bearer <personal-access-token>" \
--data '{
"endpoint": "https://example.com/audit-logs",
"authorization": "<SIEM-access-token>",
"log_format": "cef",
"name": "example destinations name"
}'
Be sure to replace the following placeholder values:
-
<personal-access-token>
: Your Konnect personal access token (PAT).
-
endpoint
: The external endpoint that will receive audit log messages. Check your SIEM documentation to find out where to send CEF or JSON data.
-
authorization
: The authorization type and credential to pass to your log collection endpoint.
Konnect will send this string in the Authorization
header of requests to that endpoint. For example, if you are setting up the webhook for Splunk, you could provide a Splunk access token: "authorization":"Splunk example-token12234352535235"
.
-
log_format
: The output format of each log message. Can be cef
or json
.
-
name
: A unique human-readable name to identify this destination.
-
skip_ssl_verification
: (Optional) Set to true
to skip SSL verification of the host endpoint when delivering payloads. We recommend skipping SSL verification only when using self-signed SSL certificates in a non-production environment as this can subject you to man-in-the-middle and other attacks.
If the request is successful, you will receive a 200
response code, and a response body containing the audit log destination’s configuration details. Be sure to save the audit log destination id
for the next step.
-
Create a webhook by sending a PATCH request to the /audit-log-webhook
endpoint with your configured audit log destination:
curl -i -X PATCH https://{region}.api.konghq.com/v2/portals/{portalId}/audit-log-webhook \
--header "Content-Type: application/json" \
--header "Authorization: Bearer <personal-access-token>" \
--data '{
"audit_log_destination_id": "05atf3f2-9d07-4e46-8115-c58ca594d00e",
"enabled": true
}'
Be sure to replace the following placeholder values:
-
{region}.api.konghq.com
: The region your Dev Portal is located in. Can be us
, au
, or eu
.
-
<personal-access-token>
: Your Konnect personal access token (PAT).
-
{portalId}
: The ID of the Dev Portal with your webhook.
-
audit_log_destination_id
: The ID of the audit log destination that you want to use.
You can’t customize the events that Konnect sends to the logs.
If the request is successful, you will receive a 200
response code, and a response body containing the webhook’s configuration details.
Your webhook should now start receiving audit logs.
View audit log webhook status
-
In Dev Portal, click the Dev Portal you want to view the webhook status job for.
You can alternatively view your audit log webhook status by navigating to Organization > Audit Logs Setup. Under the Dev Portal tab, click the Dev Portal you want to view the log status for.
- Click Settings in the sidebar, then click the Audit Logs tab.
- Click the Status tab.
A badge will display next to the title of the webhook with the status of the webhook.
To see the last attempt timestamp and the last response code, use the audit log API.
View your audit log webhook status by sending a GET request to the /audit-log-webhook/status
endpoint:
curl -i -X GET https://{region}.api.konghq.com/v2/portals/{portalId}/audit-log-webhook/status \
--header "Authorization: Bearer <personal-access-token>"
Be sure to replace the following placeholder values:
-
{region}.api.konghq.com
: The region your Dev Portal is located in. Can be us
, au
, or eu
.
-
<personal-access-token>
: Your Konnect personal access token (PAT).
-
{portalId}
: The ID of the Dev Portal with your webhook.
You will receive a 200
response code and a response body with information about the webhook status:
{
"last_attempt_at": "2023-04-04T18:11:16Z",
"last_response_code": 200,
"webhook_enabled": true,
"webhook_status": "active"
}