Collect Konnect audit logs with SumoLogic
Create an HTTPS data collection endpoint and access key in SumoLogic and save their values. Configure the audit log webhook endpoint (/v2/audit-log-webhook
) in Konnect with the SumoLogic endpoint (endpoint
), the access key (authorization
), and set log_format: cef
and enabled: true
.
Prerequisites
Kong Konnect
This is a Konnect tutorial and requires a Konnect personal access token.
-
Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
-
Export your token to an environment variable:
export KONNECT_TOKEN='YOUR_KONNECT_PAT'
Copied to clipboard! -
Run the quickstart script to automatically provision a Control Plane and Data Plane, and configure your environment:
curl -Ls https://get.konghq.com/quickstart | bash -s -- -k $KONNECT_TOKEN --deck-output
Copied to clipboard!This sets up a Konnect Control Plane named
quickstart
, provisions a local Data Plane, and prints out the following environment variable exports:export DECK_KONNECT_TOKEN=$KONNECT_TOKEN export DECK_KONNECT_CONTROL_PLANE_NAME=quickstart export KONNECT_CONTROL_PLANE_URL=https://us.api.konghq.com export KONNECT_PROXY_URL='http://localhost:8000'
Copied to clipboard!Copy and paste these into your terminal to configure your session.
Set up the audit log webhook
Now that you have an external endpoint and authorization credentials, you can set up a webhook in Konnect.
Create a webhook by sending a PATCH
request to the /audit-log-webhook
endpoint with the connection details for your SIEM vendor:
curl -X PATCH "$KONNECT_CONTROL_PLANE_URL/v2/audit-log-webhook" \
-H "Accept: application/json"\
-H "Content-Type: application/json"\
-H "Authorization: Bearer $DECK_KONNECT_TOKEN" \
--json '{
"endpoint": "'$SIEM_ENDPOINT'",
"enabled": true,
"authorization": "Bearer '$SIEM_TOKEN'",
"log_format": "cef"
}'
Webhooks are triggered via an HTTPS request using the following retry rules:
- Minimum retry wait time: 1 second
- Maximum retry wait time: 30 seconds
- Maximum number of retries: 4
A retry is performed on a connection error, server error (500
HTTP status code), or too many requests (429
HTTP status code).
Validate
To validate that the webhook is configured correctly, send an API request using the Konnect API:
curl -X GET "$KONNECT_CONTROL_PLANE_URL/v2/control-planes" \
-H "Accept: application/json"\
-H "Content-Type: application/json"\
-H "Authorization: Bearer $DECK_KONNECT_TOKEN"
This should trigger a log in SumoLogic. Sometimes it can take a minute to populate the logs.
In the SumoLogic UI, navigate to the log search and search for _source=Konnect
.
You should see logs like the following:
2025-06-18T21:02:36Z konghq.com CEF:0|KongInc|Konnect|1.0|konnect|Authz.control-planes|1|rt=1750280466889 src=127.0.0.6 action=list granted=true org_id=777db3e4-5cb7-4dd5-b51c-9878096a6999 principal_id=eb999f01-5976-4f4b-9fbc-dd5d514bd675 trace_id=3959872677347089807 user_agent=grpc-node-js/1.12.4 sig=KbLaBhQFnggT_8CyC95b777R1_fGvvLVDn7awjZK8eZLdGPrSvnS-sxJw63j930eKr-VTsQv8-TQTD_GVmAPAQ
Copied to clipboard!
Cleanup
Clean up Konnect environment
If you created a new control plane and want to conserve your free trial credits or avoid unnecessary charges, delete the new control plane used in this tutorial.