Skip to content
2023 API Summit Hackathon: Experiment with AI for APIs (August 28 - September 27) Learn More →
|
search
Kong Konnect
github-edit-pageEdit this page
report-issueReport an issue

Set up an audit log webhook

You can use the Konnect UI or the Audit Logs API to configure webhooks for audit logging.

Webhooks are invoked via an HTTPS request using the following retry rules:

  • Minimum retry wait time: 1 second
  • Maximum retry wait time: 30 seconds
  • Maximum number of retries: 4

A retry is performed on connection error, server error (500 HTTP status code), or too many requests (429 HTTP status code).

Notes: Only supports HTTPS Webhook endpoints.

Prerequisites

You must have Org Admin permissions to set up audit log webhooks.

Before you can push Konnect audit logs to an external service, you also need to configure the service to receive logs. This configuration is specific to your vendor.

You can configure a webhook into any application that supports the ArcSight CEF Format or raw JSON.

  1. Check your SIEM documentation to find out where to send CEF or raw JSON data.

  2. In your log collection service, configure a data collection endpoint to push logs to.

  3. Take note of the authorization credentials that you need to access this endpoint. Konnect supports any HTTP authorization header type.

  4. Configure your firewall settings to allow traffic through the port that you’re going to use. See the Konnect ports and network requirements.

Create a webhook

  1. From the navigation menu, open organizations icon Organization, then Audit Logs Setup.
  2. Fill in the fields in the Setup tab.
    • Region endpoint: The external endpoint that will receive audit log messages.

    • Authorization Header: The authorization type and credential to pass to your log collection endpoint. Konnect will send this string in the Authorization header of requests to that endpoint.

      For example, if you are setting up the webhook for Splunk, you could provide a Splunk access token: "authorization":"Splunk example-token12234352535235".

    • Log Format: The output format of each log message. Can be CEF or JSON.
  3. Switch the toggle to Enabled, then save your webhook configuration.

Now that you have an external endpoint and authorization credentials, you can set up a webhook in Konnect.

Create a webhook by sending a request to the /audit-log-webhook endpoint with the connection details for your SIEM vendor:

curl -i -X PATCH https://global.api.konghq.com/v2/audit-log-webhook \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer TOKEN" \
    --data '{"endpoint":"https://example.com/audit-logs","enabled":true,"authorization":"Bearer example-token","log_format":"cef"}'

Replace the following placeholders with your own data:

  • global.api.konghq.com: The region your org is in. Can be global to target all regions, us, or eu.
  • TOKEN: A Konnect personal access token or system account token.

  • "endpoint":"https://example.com/audit-logs": The external endpoint that will receive audit log messages.

    Check your SIEM documentation to find out where to send CEF data.

  • "authorization":"Bearer example-token": The authorization type and credential to pass to your log collection endpoint. Konnect will send this string in the Authorization header of requests to that endpoint.

    For example, if you are setting up the webhook for Splunk, you could provide a Splunk access token: "authorization":"Splunk example-token12234352535235".

  • log_format: The output format of each log message. Can be cef or json.

If the request is successful, you will receive a 200 response code, and a response body containing the webhook’s configuration details:

{
    "endpoint":"https://example.com/audit-logs",
    "log_format":"cef",
    "enabled":true,
    "updated_at":"2023-04-01T00:00:01Z"
}

Your webhook should now start receiving audit logs.

View webhook configuration and status

You can view the status of your webhook through the Audit Logs Setup page under organizations icon Organization.

Notice the status badge next to title of the webhook. For example, the following webhook is active:

Audit log webhook

To find the last attempt timestamp and the last response code, use the audit log API.

View your audit log webhook configuration by running the following command:

curl https://global.api.konghq.com/v2/audit-log-webhook \
    --header "Authorization: Bearer TOKEN"

You will receive a 200 response code and the following data. Note that the authorization property is not included in any responses:

{
    "endpoint":"https://example.com/audit-logs",
    "log_format":"cef",
    "enabled":true,
    "updated_at":"2023-04-01T00:00:01Z"
}

View your audit log webhook status by running the following command:

curl https://global.api.konghq.com/v2/audit-log-webhook/status \
    --header "Authorization: Bearer TOKEN"

You will receive a 200 response code and a response body with information about the webhook status:

{
    "last_attempt_at": "2023-04-04T18:11:16Z",
    "last_response_code": 200,
    "webhook_enabled": true,
    "webhook_status": "active"
}

The attributes are defined as follows:

attribute definition
last_attempt at The last time Konnect tried to send data to your webhook
last_response_code The last response code from your webhook
webhook_enabled The desired status of the webhook (from audit-log-webhook.enabled)
webhook_status The actual status Konnect of the webhook

A combination of webhook_enabled and webhook_status give a full picture of webhook status.

webhook_enabled webhook_status definition
true active Konnect is ready to ship data to the webhook. Either no attempts have been made yet (last_attempt_at is not set), or the last attempt was successful.
true inactive Last attempt to send data failed, but customer wants data to resume.
false active Webhook config is saved. Konnect is not shipping data to it per webhook configuration.
false inactive Last attempt to send data failed, and customer has turned off the webhook.
false unconfigured The webhook for this region has not been configured yet.

More information