Set up an audit log webhook
You can use the Konnect UI or the Audit Logs API to configure webhooks for audit logging.
Webhooks are invoked via an HTTPS request using the following retry rules:
- Minimum retry wait time: 1 second
- Maximum retry wait time: 30 seconds
- Maximum number of retries: 4
A retry is performed on connection error, server error (500 HTTP status code), or too many requests (429 HTTP status code).
Note: Only HTTPS webhook endpoints are supported.
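The retry rules above shape how a receiving endpoint should answer: a 500 or 429 tells Konnect to try again (with the 1 to 30 second backoff, at most four times), while anything else is final. The following receiver is an added example, not Kong's code or part of this page. It assumes the shared secret is the exact string configured as the webhook's authorization header, that JSON deliveries arrive with a `json` content type as an object or array, and that CEF deliveries are newline-separated ArcSight CEF lines beginning with `CEF:`; the `sink` callable and the sample secret are constructed for illustration.

```python
"""Minimal receiver for Konnect audit-log webhook deliveries (added example)."""
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample secret; in practice load it from a secret store.
EXPECTED_AUTHORIZATION = "Bearer example-token"


def parse_payload(body: bytes, content_type: str) -> list:
    """Return the individual events from one delivery, or raise ValueError."""
    if "json" in content_type:
        data = json.loads(body.decode("utf-8"))
        return data if isinstance(data, list) else [data]
    # Anything else is treated as CEF: one event per non-empty line (assumption).
    events = []
    for line in body.decode("utf-8").splitlines():
        if not line.strip():
            continue
        if not line.startswith("CEF:"):
            raise ValueError(f"not a CEF line: {line[:40]!r}")
        events.append(line)
    return events


def handle_delivery(headers, body: bytes, sink) -> int:
    """Decide the HTTP status for one delivery.

    headers: mapping with case-insensitive get() (http.server provides this)
    sink:    callable that stores the list of events; may raise on failure
    """
    presented = headers.get("Authorization", "")
    # Constant-time comparison so the secret cannot be guessed byte by byte.
    if not hmac.compare_digest(presented.encode(), EXPECTED_AUTHORIZATION.encode()):
        return 401  # wrong or missing credential: Konnect does not retry on 401
    try:
        events = parse_payload(body, headers.get("Content-Type", ""))
    except (ValueError, UnicodeDecodeError):
        return 400  # malformed payload: a retry would fail the same way
    try:
        sink(events)
    except Exception:
        return 500  # storage failure: Konnect retries (1s..30s backoff, 4 attempts)
    return 200


class AuditLogHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        status = handle_delivery(self.headers, body, lambda ev: print(*ev, sep="\n"))
        self.send_response(status)
        self.end_headers()


if __name__ == "__main__":
    # HTTPS termination (required by Konnect) is assumed to sit in front of this.
    HTTPServer(("127.0.0.1", 8080), AuditLogHandler).serve_forever()
```

Returning 401 rather than 500 for a bad credential matters: a 500 would make Konnect spend its retries on a request that can never succeed, while a 500 for a transient storage failure is exactly what you want.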
Prerequisites
You must have Org Admin permissions to set up audit log webhooks.
Before you can push Konnect audit logs to an external service, you also need to configure the service to receive logs. This configuration is specific to your vendor. You can configure a webhook into any application that supports the ArcSight CEF Format or raw JSON.
- Check your SIEM documentation to find out where to send CEF or raw JSON data.
- In your log collection service, configure a data collection endpoint to push logs to.
- Take note of the authorization credentials that you need to access this endpoint. Konnect supports any HTTP authorization header type.
- Configure your firewall settings to allow traffic through the port that you're going to use. See the Konnect ports and network requirements.
Create a webhook
- From the navigation menu, open Organization, then Audit Logs Setup.
- Fill in the fields in the Setup tab.
  - Region endpoint: The external endpoint that will receive audit log messages.
  - Authorization Header: The authorization type and credential to pass to your log collection endpoint. Konnect will send this string in the `Authorization` header of requests to that endpoint. For example, if you are setting up the webhook for Splunk, you could provide a Splunk access token: `"authorization":"Splunk example-token12234352535235"`.
  - Log Format: The output format of each log message. Can be CEF or JSON.
  - Skip SSL Verification: Skip SSL verification of the host endpoint when delivering payloads. We strongly recommend not setting this to true, as you are subject to man-in-the-middle and other attacks. This option should be considered only when using self-signed SSL certificates in a non-production environment.
- Switch the toggle to Enabled, then save your webhook configuration.
Now that you have an external endpoint and authorization credentials, you can set up a webhook in Konnect.
Create a webhook by sending a request to the `/audit-log-webhook` endpoint with the connection details for your SIEM vendor:

```sh
curl -i -X PATCH https://global.api.konghq.com/v2/audit-log-webhook \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer TOKEN" \
  --data '{"endpoint":"https://example.com/audit-logs","enabled":true,"authorization":"Bearer example-token","log_format":"cef"}'
```
Replace the following placeholders with your own data:
- `global.api.konghq.com`: The region your org is in. Can be `global` to target all regions, `us`, or `eu`.
- `TOKEN`: A Konnect personal access token or system account token.
- `"endpoint":"https://example.com/audit-logs"`: The external endpoint that will receive audit log messages. Check your SIEM documentation to find out where to send CEF data.
- `"authorization":"Bearer example-token"`: The authorization type and credential to pass to your log collection endpoint. Konnect will send this string in the `Authorization` header of requests to that endpoint. For example, if you are setting up the webhook for Splunk, you could provide a Splunk access token: `"authorization":"Splunk example-token12234352535235"`.
- `log_format`: The output format of each log message. Can be `cef` or `json`.
- `skip_ssl_verification`: (Optional) Set to `true` to skip SSL verification of the host endpoint when delivering payloads. We strongly recommend not setting this to `true`, as you are subject to man-in-the-middle and other attacks. This option should be considered only when using self-signed SSL certificates in a non-production environment.
If the request is successful, you will receive a `200` response code and a response body containing the webhook's configuration details:

```json
{
  "endpoint": "https://example.com/audit-logs",
  "log_format": "cef",
  "enabled": true,
  "skip_ssl_verification": false,
  "updated_at": "2023-04-01T00:00:01Z"
}
```
Your webhook should now start receiving audit logs.
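The PATCH above accepts whatever you send it, so it is worth validating the payload before it leaves your machine: the endpoint must be HTTPS, `log_format` must be `cef` or `json`, and `skip_ssl_verification` should not be switched on by accident. The following client is an added example, not Kong's code or part of this page. It uses the `/v2/audit-log-webhook` endpoint, regions and fields shown above; the validation rules, the `allow_insecure_tls` opt-in flag and the `KONNECT_TOKEN` environment variable are this example's own assumptions.

```python
"""Validate and apply a Konnect audit-log webhook configuration (added example)."""
import json
import os
import urllib.request
from urllib.parse import urlparse

REGIONS = {"global", "us", "eu"}      # from the page: global targets all regions
LOG_FORMATS = {"cef", "json"}


def api_url(region: str) -> str:
    if region not in REGIONS:
        raise ValueError(f"region must be one of {sorted(REGIONS)}")
    return f"https://{region}.api.konghq.com/v2/audit-log-webhook"


def build_config(endpoint, authorization, log_format="cef", enabled=True,
                 skip_ssl_verification=False, allow_insecure_tls=False) -> dict:
    """Return the PATCH body, refusing settings the page warns against."""
    parsed = urlparse(endpoint)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("only HTTPS webhook endpoints are supported")
    if not authorization.strip():
        raise ValueError("authorization header value is required")
    if log_format not in LOG_FORMATS:
        raise ValueError(f"log_format must be one of {sorted(LOG_FORMATS)}")
    if skip_ssl_verification and not allow_insecure_tls:
        # Disabling verification exposes deliveries to man-in-the-middle;
        # require an explicit opt-in (hypothetical flag) so it cannot happen by accident.
        raise ValueError("skip_ssl_verification=True requires allow_insecure_tls=True (non-production only)")
    return {
        "endpoint": endpoint,
        "enabled": bool(enabled),
        "authorization": authorization,
        "log_format": log_format,
        "skip_ssl_verification": bool(skip_ssl_verification),
    }


def check_response(config: dict, response: dict) -> list:
    """Compare what Konnect echoes back with what was sent.

    The authorization value is never returned by the API, so it is not compared.
    """
    problems = []
    for key in ("endpoint", "enabled", "log_format", "skip_ssl_verification"):
        if response.get(key) != config[key]:
            problems.append(f"{key}: sent {config[key]!r}, got {response.get(key)!r}")
    return problems


def patch_webhook(region: str, token: str, config: dict) -> dict:
    """Send the PATCH and return the decoded response body (network call)."""
    req = urllib.request.Request(
        api_url(region), method="PATCH", data=json.dumps(config).encode(),
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:   # raises HTTPError on non-2xx
        body = json.load(resp)
    problems = check_response(config, body)
    if problems:
        raise RuntimeError("webhook config mismatch: " + "; ".join(problems))
    return body


if __name__ == "__main__":
    cfg = build_config("https://example.com/audit-logs", "Bearer example-token")
    print(patch_webhook("global", os.environ["KONNECT_TOKEN"], cfg))
```

Because the response never includes `authorization`, `check_response` can only confirm the other fields; if deliveries later fail with a 401 from your SIEM, the header value is the first thing to re-check.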
View webhook configuration and status
You can view the status of your webhook through the Audit Logs Setup page under Organization.
Notice the status badge next to the title of the webhook. For example, the following webhook is active:
To find the last attempt timestamp and the last response code, use the audit log API.
View your audit log webhook configuration by running the following command:

```sh
curl https://global.api.konghq.com/v2/audit-log-webhook \
  --header "Authorization: Bearer TOKEN"
```

You will receive a `200` response code and the following data. Note that the `authorization` property is not included in any responses:

```json
{
  "endpoint": "https://example.com/audit-logs",
  "log_format": "cef",
  "enabled": true,
  "skip_ssl_verification": false,
  "updated_at": "2023-04-01T00:00:01Z"
}
```

View your audit log webhook status by running the following command:

```sh
curl https://global.api.konghq.com/v2/audit-log-webhook/status \
  --header "Authorization: Bearer TOKEN"
```

You will receive a `200` response code and a response body with information about the webhook status:

```json
{
  "last_attempt_at": "2023-04-04T18:11:16Z",
  "last_response_code": 200,
  "webhook_enabled": true,
  "webhook_status": "active"
}
```
The attributes are defined as follows:

| attribute | definition |
|---|---|
| `last_attempt_at` | The last time Konnect tried to send data to your webhook |
| `last_response_code` | The last response code from your webhook |
| `webhook_enabled` | The desired status of the webhook (from `audit-log-webhook.enabled`) |
| `webhook_status` | The actual status of the webhook as observed by Konnect |
A combination of `webhook_enabled` and `webhook_status` gives a full picture of webhook status.

| webhook_enabled | webhook_status | definition |
|---|---|---|
| `true` | `active` | Konnect is ready to ship data to the webhook. Either no attempts have been made yet (`last_attempt_at` is not set), or the last attempt was successful. |
| `true` | `inactive` | The last attempt to send data failed, but the webhook is still enabled, so delivery should resume. |
| `false` | `active` | The webhook configuration is saved, but Konnect is not shipping data to it, as per the webhook configuration. |
| `false` | `inactive` | The last attempt to send data failed, and the webhook has been turned off. |
| `false` | `unconfigured` | The webhook for this region has not been configured yet. |
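Reading these two fields together is what a monitoring job should do, since `webhook_enabled: true` with `webhook_status: inactive` is the one combination that means audit events are currently being dropped. The following checker is an added example, not Kong's code or part of this page. It consumes the `/v2/audit-log-webhook/status` response shown above; the alert decisions, the 24-hour "stale" threshold, the treatment of 401/403 as a credential problem (Konnect retries only on connection errors, 500 and 429, so such a failure will not clear on its own), and the `KONNECT_TOKEN` environment variable are this example's own assumptions.

```python
"""Turn the audit-log webhook status response into an alert decision (added example)."""
import json
import os
import urllib.request
from datetime import datetime, timedelta, timezone


def parse_ts(value: str) -> datetime:
    """Parse the RFC 3339 timestamps the API returns, e.g. 2023-04-04T18:11:16Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assess_status(status: dict, now=None, stale_after=timedelta(hours=24)) -> dict:
    """Return {"state", "alert", "reason"} for one status body.

    now may be a datetime, an RFC 3339 string, or None (current UTC time).
    """
    if isinstance(now, str):
        now = parse_ts(now)
    now = now or datetime.now(timezone.utc)
    enabled = status.get("webhook_enabled")
    state = status.get("webhook_status")
    code = status.get("last_response_code")
    last = status.get("last_attempt_at")

    if state == "unconfigured":
        return {"state": state, "alert": True, "reason": "no webhook configured for this region"}
    if not enabled:
        # Deliberately switched off: worth noting, but not a delivery failure.
        return {"state": state, "alert": False, "reason": "webhook disabled by configuration"}
    if state == "inactive":
        # Enabled but the last attempt failed: events are being lost right now.
        if code in (401, 403):
            hint = "credential rejected; re-check the authorization header"
        else:
            hint = f"last response code {code}"
        return {"state": state, "alert": True, "reason": f"last delivery failed: {hint}"}
    if last is None:
        return {"state": state, "alert": False, "reason": "enabled, no delivery attempted yet"}
    if now - parse_ts(last) > stale_after:
        # Assumption: a long silence on an enabled webhook deserves a look.
        return {"state": state, "alert": True, "reason": f"no delivery attempt since {last}"}
    return {"state": state, "alert": False, "reason": f"healthy, last response code {code}"}


def fetch_status(region: str, token: str) -> dict:
    """GET the status document for one region (network call)."""
    req = urllib.request.Request(
        f"https://{region}.api.konghq.com/v2/audit-log-webhook/status",
        headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    result = assess_status(fetch_status("global", os.environ["KONNECT_TOKEN"]))
    print(json.dumps(result, indent=2))
```

Run it from a scheduled job per region you use; the `alert` flag is what to page on, and the `reason` string distinguishes a credential problem (fix the header) from a transient upstream failure (Konnect will retry).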