Set up an audit log webhook for a Konnect org
You can use the Konnect UI or the Audit Logs API to configure webhooks for audit logging.
Webhooks are triggered via an HTTPS request using the following retry rules:
- Minimum retry wait time: 1 second
- Maximum retry wait time: 30 seconds
- Maximum number of retries: 4
A retry is performed on a connection error, a server error (HTTP status code 500), or too many requests (HTTP status code 429).
Prerequisites
- A SIEM provider that supports the ArcSight CEF format or raw JSON.
- Org Admin permissions
Configure your SIEM provider
Before you can push audit logs to your SIEM provider, configure the service to receive logs. This configuration is specific to your vendor.
- In your log collection service, configure an HTTPS data collection endpoint that you can send CEF or raw JSON logs to. Konnect supports any HTTP authorization header type, so the endpoint can require whatever scheme your vendor uses (for example a bearer token). Save the endpoint URL; you will enter it in Konnect later.
- Create and save an access key from your SIEM provider. This is the credential Konnect will send in the authorization header with each request.
- Configure your network's firewall settings to allow traffic through port 8071 (TCP or UDP), which Konnect uses for audit logging. See the Konnect ports and network requirements.
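The following is an added example, not code from the Konnect documentation or from Kong. It shows what the receiving side of the steps above needs to get right: a minimal collector that checks the authorization header value Konnect sends (constant-time comparison), accepts either raw JSON or newline-delimited CEF, and answers with status codes chosen with the retry rules in mind (401 and 400 are not retried, while 429 or 500 would make Konnect resend). The access key, the sample CEF line, and the listening port are constructed for the demonstration; the doubling between retry waits in `retry_schedule` is an assumption, since the page only states the 1 second minimum, 30 second maximum and 4 retries.

```python
"""Stand-in for a SIEM collector endpoint receiving Konnect audit-log webhooks.

Constructed example: the access key, sample record and port are made up.
"""
import hmac
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List, Optional

# Hypothetical access key issued by the SIEM; Konnect sends it verbatim as the
# Authorization header value. Use any scheme your vendor supports.
EXPECTED_AUTH = "Bearer example-access-key-123"

# Constructed sample record in ArcSight CEF format (not captured from Konnect).
SAMPLE_CEF = ("CEF:0|Kong|Konnect|1.0|authN|login|1|"
              "act=login suser=alice@example.com outcome=success")

# The CEF header is 7 pipe-separated fields followed by a free-form extension.
_CEF_HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                      "signature_id", "name", "severity")
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def parse_cef(line: str) -> Dict:
    """Split one CEF record into its header fields plus extension key/value pairs."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    # Only unescaped pipes delimit the header; '\|' inside a field is a literal pipe.
    parts = re.split(r"(?<!\\)\|", line[len("CEF:"):], maxsplit=7)
    if len(parts) < 8:
        raise ValueError("CEF header has fewer than 7 fields")
    record = {k: v.replace(r"\|", "|") for k, v in zip(_CEF_HEADER_FIELDS, parts[:7])}
    ext = parts[7]
    keys = list(_EXT_KEY.finditer(ext))
    extension = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        extension[m.group(1)] = ext[m.end():end].strip()
    record["extension"] = extension
    return record


def parse_payload(content_type: str, body: bytes) -> List[Dict]:
    """Accept raw JSON (object or array) or newline-delimited CEF, per the page's two formats."""
    text = body.decode("utf-8")
    if content_type.startswith("application/json"):
        data = json.loads(text)
        return data if isinstance(data, list) else [data]
    return [parse_cef(l) for l in text.splitlines() if l.strip()]


def authorized(header_value: Optional[str]) -> bool:
    """Constant-time check of the Authorization header against the shared access key."""
    if header_value is None:
        return False
    return hmac.compare_digest(header_value.encode(), EXPECTED_AUTH.encode())


def should_retry(status: Optional[int]) -> bool:
    """Documented retry triggers: connection error (modelled as None), 500, or 429."""
    return status is None or status in (500, 429)


def retry_schedule(attempts: int = 4, floor: float = 1.0, cap: float = 30.0) -> List[float]:
    """Wait times clamped to the documented 1 s / 30 s bounds for the 4 retries.
    Doubling between attempts is an assumption; the page gives only the bounds."""
    return [min(cap, max(floor, floor * 2 ** i)) for i in range(attempts)]


class CollectorHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        if not authorized(self.headers.get("Authorization")):
            self.send_response(401)  # not a retry trigger: a bad key will not be resent
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", 0))
        try:
            events = parse_payload(self.headers.get("Content-Type", ""), self.rfile.read(length))
        except (ValueError, json.JSONDecodeError):
            self.send_response(400)  # deliberate: a 500 here would make Konnect retry a bad payload
            self.end_headers()
            return
        for event in events:
            print(json.dumps(event))  # hand off to the SIEM ingestion pipeline here
        self.send_response(202)  # anything other than 500/429 is treated as delivered
        self.end_headers()


if __name__ == "__main__":
    # Plain HTTP for the demo; Konnect requires HTTPS, so terminate TLS in front of this.
    HTTPServer(("127.0.0.1", 8443), CollectorHandler).serve_forever()
```

Returning 429 from `do_POST` when the ingestion backlog is full is the one legitimate way to ask Konnect to resend, but with at most 4 retries and a 30 second ceiling on the wait, a collector that stays unavailable for more than a couple of minutes will lose records, so buffer locally rather than relying on the retry window.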
Create a webhook
Your webhook should now start receiving audit logs.