Skip to content
Kong Docs are moving soon! Our docs are migrating to a new home. You'll be automatically redirected to the new site in the future. In the meantime, view this page on the new site!
|
Kong Konnect
github-edit-pageEdit this page
report-issueReport an issue
Looking for the new Developer Portal beta docs? Try the beta now.

Set up an audit log webhook for Dev Portal

You can use the Konnect UI or the Audit Logs and Portal Management APIs to configure webhooks for audit logging.

Webhooks are triggered via an HTTPS request using the following retry rules:

  • Minimum retry wait time: 1 second
  • Maximum retry wait time: 30 seconds
  • Maximum number of retries: 4

A retry is performed on a connection error, server error (500 HTTP status code), or too many requests (429 HTTP status code).

Note: Currently, Dev Portal audit logs only support authentication logs, which are triggered when a user logs in to Dev Portal.

Prerequisites

Configure your SIEM provider

Before you can push audit logs to your SIEM provider, configure the service to receive logs. This configuration is specific to your vendor.

  1. In your log collection service, configure an HTTPS data collection endpoint you can send CEF or raw JSON data logs to. Konnect supports any HTTP authorization header type. Save the endpoint URL, this will be used later in Konnect.

  2. Create and save an access key from your SIEM provider.

  3. Configure your network’s firewall settings to allow traffic through the 8071 TCP or UDP port that Konnect uses for audit logging. See the Konnect ports and network requirements.

Create a webhook

Before you configure the webhook, you must first create an audit log destination. This allows you to set your audit log destination (the endpoint URL for your SIEM provider) and reuse it.

  1. From organizations icon Organization in the sidebar, click Audit Logs Setup.
  2. On the Webhook Destination tab, click New Webhook and configure the following:
    • Name: The name you want to display for the audit log destination.
    • Endpoint: The external endpoint that will receive audit log messages.

    • Authorization Header: The authorization type and credential to pass to your log collection endpoint. Konnect will send this string in the Authorization header of requests to that endpoint.

      For example, if you are setting up the webhook for Splunk, you could provide a Splunk access token: "authorization":"Splunk example-token12234352535235".

    • Log Format: The output format of each log message. Can be CEF or JSON.
    • Disable SSL Verification: Disables SSL verification of the host endpoint when delivering payloads. We recommend disabling SSL verification only when using self-signed SSL certificates in a non-production environment as this can subject you to man-in-the-middle and other attacks.

  3. To configure the Dev Portal audit log webhook, navigate to dev-portal icon Dev Portal in the sidebar.

    You can alternatively configure these settings by navigating to Organization > Audit Logs Setup under the Dev Portal tab.

  4. Click the Dev Portal you want to configure the webhook for and then click Settings.
  5. Click the Audit Logs tab.
  6. Enable the webhook and then select the SIEM provider endpoint from the Endpoint drop down menu. You can’t customize the events that Konnect sends to the logs.
  7. Click Save.

Now that you have an external endpoint and authorization credentials, you can set up an audit log destination in Konnect. The /audit_log_destinations endpoint allows you to set your audit log destination, which includes the endpoint URL and access key for your SIEM provider, and reuse it.

  1. Create an audit log destination by sending a request to the /audit-log-destinations endpoint with the connection details for your SIEM provider:

     curl -i -X POST https://global.api.konghq.com/v2/audit-log-destinations \
 --header "Content-Type: application/json" \
 --header "Authorization: Bearer <personal-access-token>" \
 --data '{
     "endpoint": "https://example.com/audit-logs",
     "authorization": "<SIEM-access-token>",
     "log_format": "cef",
     "name": "example destinations name"
 }'

    Be sure to replace the following placeholder values:

    • <personal-access-token>: Your Konnect personal access token (PAT).
    • endpoint: The external endpoint that will receive audit log messages. Check your SIEM documentation to find out where to send CEF or JSON data.
    • authorization: The authorization type and credential to pass to your log collection endpoint. Konnect will send this string in the Authorization header of requests to that endpoint. For example, if you are setting up the webhook for Splunk, you could provide a Splunk access token: "authorization":"Splunk example-token12234352535235".
    • log_format: The output format of each log message. Can be cef or json.
    • name: A unique human-readable name to identify this destination.
    • skip_ssl_verification: (Optional) Set to true to skip SSL verification of the host endpoint when delivering payloads. We recommend skipping SSL verification only when using self-signed SSL certificates in a non-production environment as this can subject you to man-in-the-middle and other attacks.

    If the request is successful, you will receive a 200 response code, and a response body containing the audit log destination’s configuration details. Be sure to save the audit log destination id for the next step.

  2. Create a webhook by sending a PATCH request to the /audit-log-webhook endpoint with your configured audit log destination:

     curl -i -X PATCH https://{region}.api.konghq.com/v2/portals/{portalId}/audit-log-webhook \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer <personal-access-token>" \
  --data '{
      "audit_log_destination_id": "05atf3f2-9d07-4e46-8115-c58ca594d00e",
      "enabled": true
  }'

    Be sure to replace the following placeholder values:

    • {region}.api.konghq.com: The region your Dev Portal is located in. Can be us, au, or eu.
    • <personal-access-token>: Your Konnect personal access token (PAT).
    • {portalId}: The ID of the Dev Portal with your webhook.
    • audit_log_destination_id: The ID of the audit log destination that you want to use.

    You can’t customize the events that Konnect sends to the logs.

    If the request is successful, you will receive a 200 response code, and a response body containing the webhook’s configuration details.

Your webhook should now start receiving audit logs.

View audit log webhook status

  1. In dev-portal icon Dev Portal, click the Dev Portal you want to view the webhook status job for.

    You can alternatively view your audit log webhook status by navigating to Organization > Audit Logs Setup. Under the Dev Portal tab, click the Dev Portal you want to view the log status for.

  2. Click Settings in the sidebar, then click the Audit Logs tab.
  3. Click the Status tab.

A badge will display next to the title of the webhook with the status of the webhook.

To see the last attempt timestamp and the last response code, use the audit log API.

View your audit log webhook status by sending a GET request to the /audit-log-webhook/status endpoint:

curl -i -X GET https://{region}.api.konghq.com/v2/portals/{portalId}/audit-log-webhook/status \
    --header "Authorization: Bearer <personal-access-token>"

Be sure to replace the following placeholder values:

  • {region}.api.konghq.com: The region your Dev Portal is located in. Can be us, au, or eu.
  • <personal-access-token>: Your Konnect personal access token (PAT).
  • {portalId}: The ID of the Dev Portal with your webhook.

You will receive a 200 response code and a response body with information about the webhook status:

{
    "last_attempt_at": "2023-04-04T18:11:16Z",
    "last_response_code": 200,
    "webhook_enabled": true,
    "webhook_status": "active"
}

More information