Skip to content
Kong Docs are moving soon! Our docs are migrating to a new home. You'll be automatically redirected to the new site in the future. In the meantime, view this page on the new site!
|
Kong Konnect
github-edit-pageEdit this page
report-issueReport an issue

Set up an audit log webhook for a Konnect org

You can use the Konnect UI or the Audit Logs API to configure webhooks for audit logging.

Webhooks are triggered via an HTTPS request using the following retry rules:

  • Minimum retry wait time: 1 second
  • Maximum retry wait time: 30 seconds
  • Maximum number of retries: 4

A retry is performed on a connection error, server error (500 HTTP status code), or too many requests (429 HTTP status code).

Prerequisites

Configure your SIEM provider

Before you can push audit logs to your SIEM provider, configure the service to receive logs. This configuration is specific to your vendor.

  1. In your log collection service, configure an HTTPS data collection endpoint you can send CEF or raw JSON data logs to. Konnect supports any HTTP authorization header type. Save the endpoint URL, this will be used later in Konnect.

  2. Create and save an access key from your SIEM provider.

  3. Configure your network’s firewall settings to allow traffic through the 8071 TCP or UDP port that Konnect uses for audit logging. See the Konnect ports and network requirements.

Create a webhook

  1. From the navigation menu, open organizations icon Organization, then Audit Logs Setup.
  2. On the Konnect tab, configure the following webhook settings for the region you want to enable audit logs for:
    • Region endpoint: The external endpoint that will receive audit log messages.

    • Authorization Header: The authorization type and credential to pass to your log collection endpoint. Konnect will send this string in the Authorization header of requests to that endpoint.

      For example, if you are setting up the webhook for Splunk, you could provide a Splunk access token: "authorization":"Splunk example-token12234352535235".

    • Log Format: The output format of each log message. Can be CEF or JSON.
    • Skip SSL Verification: Skip SSL verification of the host endpoint when delivering payloads.

    We strongly recommend not setting this to true as you are subject to man-in-the-middle and other attacks. This option should be considered only when using self-signed SSL certificates in a non-production environment.

  3. Switch the toggle to Enabled, then save your webhook configuration. You can’t customize the events that Konnect sends to the logs.

Now that you have an external endpoint and authorization credentials, you can set up a webhook in Konnect.

Create a webhook by sending a PATCH request to the /audit-log-webhook endpoint with the connection details for your SIEM vendor:

curl -i -X PATCH https://{region}.api.konghq.com/v2/audit-log-webhook \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer <personal-access-token>" \
    --data '{
        "endpoint": "https://example.com/audit-logs",
        "enabled": true,
        "authorization": "Bearer example-token",
        "log_format": "cef"
    }'

Be sure to replace the following placeholder values:

  • {region}.api.konghq.com: The region your org is in. Can be global to target all regions, us, au, or eu.
  • <personal-access-token>: Your Konnect personal access token (PAT).
  • endpoint: The external endpoint that will receive audit log messages. Check your SIEM documentation to find out where to send CEF or JSON data.
  • authorization: The authorization type and credential to pass to your log collection endpoint. Konnect will send this string in the Authorization header of requests to that endpoint. For example, if you are setting up the webhook for Splunk, you could provide a Splunk access token: "authorization":"Splunk example-token12234352535235".
  • log_format: The output format of each log message. Can be cef or json.
  • skip_ssl_verification: (Optional) Set to true to skip SSL verification of the host endpoint when delivering payloads. We recommend only using this when using self-signed SSL certificates in a non-production environment as this can subject you to man-in-the-middle and other attacks.

You can’t customize the events that Konnect sends to the logs.

If the request is successful, you will receive a 200 response code, and a response body containing the webhook’s configuration details.

Your webhook should now start receiving audit logs.

View audit log webhook status

You can view the status of your webhook through the Audit Logs Setup page under organizations icon Organization. A badge will display next to the title of the webhook with the status of the webhook.

To see the last attempt timestamp and the last response code, use the audit log API.

View your audit log webhook configuration by sending a GET request to the /audit-log-webhook endpoint:

curl -i -X GET https://{region}.api.konghq.com/v2/audit-log-webhook \
    --header "Authorization: Bearer <personal-access-token>"

Be sure to replace the following placeholder values:

  • {region}.api.konghq.com: The region your org is in. Can be global to target all regions, us, au, or eu.
  • <personal-access-token>: Your Konnect personal access token (PAT).

You will receive a 200 response code and the following data. Note that the authorization property is not included in any responses.

View your audit log webhook status by sending a GET request to the /audit-log-webhook/status endpoint:

curl -i -X GET https://{region}.api.konghq.com/v2/audit-log-webhook/status \
    --header "Authorization: Bearer <personal-access-token>"

Be sure to replace the following placeholder values:

  • {region}.api.konghq.com: The region your org is in. Can be global to target all regions, us, au, or eu.
  • <personal-access-token>: Your Konnect personal access token (PAT).

You will receive a 200 response code and a response body with information about the webhook status.

More information