Set up an audit log webhook

You can use the Konnect UI or the Audit Logs API to configure webhooks for audit logging.

Webhooks are invoked via an HTTPS request using the following retry rules:

  • Minimum retry wait time: 1 second
  • Maximum retry wait time: 30 seconds
  • Maximum number of retries: 4

A retry is performed on connection error, server error (500 HTTP status code), or too many requests (429 HTTP status code).

Note: Only HTTPS webhook endpoints are supported.

Prerequisites

You must have Org Admin permissions to set up audit log webhooks.

Before you can push Konnect audit logs to an external service, you also need to configure the service to receive logs. This configuration is specific to your vendor.

You can configure a webhook into any application that supports the ArcSight CEF Format or raw JSON.

  1. Check your SIEM documentation to find out where to send CEF or raw JSON data.

  2. In your log collection service, configure a data collection endpoint to push logs to.

  3. Take note of the authorization credentials that you need to access this endpoint. Konnect supports any HTTP authorization header type.

  4. Configure your firewall settings to allow traffic through the port that you’re going to use. See the Konnect ports and network requirements.
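If you run your own collection endpoint instead of a vendor SIEM, its response codes decide whether Konnect retries a delivery under the rules above. The receiver below is an added example, not Kong code: it assumes deliveries arrive as POST requests and that a TLS-terminating proxy sits in front of it, and the names `handle_delivery`, `store`, `EXPECTED_AUTH` and `MAX_BODY` are hypothetical.

```python
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample credential; must equal the webhook's "authorization" value.
EXPECTED_AUTH = "Bearer example-token"
MAX_BODY = 1_000_000  # assumed size limit, not a Konnect figure


def store(body):
    """Hypothetical sink: append to a spool file; raises OSError on failure."""
    with open("konnect-audit.log", "ab") as fh:
        fh.write(body.rstrip(b"\n") + b"\n")


def handle_delivery(auth_header, body, busy=False, sink=store):
    """Return the HTTP status to send back for one delivery attempt."""
    # Constant-time comparison of the shared credential.
    if not hmac.compare_digest((auth_header or "").encode(), EXPECTED_AUTH.encode()):
        return 401  # not among the retry conditions listed above
    if busy:
        return 429  # listed retry condition: Konnect tries again
    if not body or len(body) > MAX_BODY:
        return 400  # malformed input; a retry would not help
    try:
        sink(body)
    except OSError:
        return 500  # listed retry condition: a transient failure is retried
    return 200  # acknowledge only after the event is stored


class Receiver(BaseHTTPRequestHandler):
    def do_POST(self):  # POST is an assumption; the page does not name the method
        raw = self.headers.get("Content-Length", "")
        length = int(raw) if raw.isdigit() else 0
        body = self.rfile.read(min(length, MAX_BODY + 1))
        self.send_response(handle_delivery(self.headers.get("Authorization"), body))
        self.end_headers()


if __name__ == "__main__":
    # Plain HTTP on loopback only; the TLS proxy in front is assumed,
    # because Konnect delivers to HTTPS endpoints only.
    HTTPServer(("127.0.0.1", 8080), Receiver).serve_forever()
```

With at most 4 retries and a maximum wait of 30 seconds between them, an endpoint that stays unavailable for more than a couple of minutes will miss events, so keep the 429 and 500 paths for short, transient conditions.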

Create a webhook

Konnect UI

  1. From the navigation menu, open Organization, then Audit Logs Setup.
  2. Fill in the fields in the Setup tab.
    • Region endpoint: The external endpoint that will receive audit log messages.
    • Authorization Header: The authorization type and credential to pass to your log collection endpoint. Konnect will send this string in the Authorization header of requests to that endpoint.

      For example, if you are setting up the webhook for Splunk, you could provide a Splunk access token: "authorization":"Splunk example-token12234352535235".

    • Log Format: The output format of each log message. Can be CEF or JSON.
  3. Switch the toggle to Enabled, then save your webhook configuration.

API

Now that you have an external endpoint and authorization credentials, you can set up a webhook in Konnect.

Create a webhook by sending a request to the /audit-log-webhook endpoint with the connection details for your SIEM vendor:

curl -i -X PATCH https://global.api.konghq.com/v2/audit-log-webhook \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer TOKEN" \
    --data '{"endpoint":"https://example.com/audit-logs","enabled":true,"authorization":"Bearer example-token","log_format":"cef"}'

Replace the following placeholders with your own data:

  • global.api.konghq.com: The region your org is in. Can be global to target all regions, us, or eu.
  • TOKEN: A Konnect personal access token or system account token.
  • "endpoint":"https://example.com/audit-logs": The external endpoint that will receive audit log messages.

    Check your SIEM documentation to find out where to send CEF data.

  • "authorization":"Bearer example-token": The authorization type and credential to pass to your log collection endpoint. Konnect will send this string in the Authorization header of requests to that endpoint.

    For example, if you are setting up the webhook for Splunk, you could provide a Splunk access token: "authorization":"Splunk example-token12234352535235".

  • log_format: The output format of each log message. Can be cef or json.

If the request is successful, you will receive a 200 response code, and a response body containing the webhook’s configuration details:

{
    "endpoint":"https://example.com/audit-logs",
    "log_format":"cef",
    "enabled":true,
    "updated_at":"2023-04-01T00:00:01Z"
}

Your webhook should now start receiving audit logs.

View webhook configuration and status

Konnect UI

You can view the status of your webhook through the Audit Logs Setup page under Organization.

Notice the status badge next to the title of the webhook. For example, the following webhook is active:

[Screenshot: Audit log webhook]

To find the last attempt timestamp and the last response code, use the audit log API.

API

View your audit log webhook configuration by running the following command:

curl https://global.api.konghq.com/v2/audit-log-webhook \
    --header "Authorization: Bearer TOKEN"

You will receive a 200 response code and the following data. Note that the authorization property is not included in any responses:

{
    "endpoint":"https://example.com/audit-logs",
    "log_format":"cef",
    "enabled":true,
    "updated_at":"2023-04-01T00:00:01Z"
}

View your audit log webhook status by running the following command:

curl https://global.api.konghq.com/v2/audit-log-webhook/status \
    --header "Authorization: Bearer TOKEN"

You will receive a 200 response code and a response body with information about the webhook status:

{
    "last_attempt_at": "2023-04-04T18:11:16Z",
    "last_response_code": 200,
    "webhook_enabled": true,
    "webhook_status": "active"
}

The attributes are defined as follows:

| Attribute | Definition |
|---|---|
| last_attempt_at | The last time Konnect tried to send data to your webhook |
| last_response_code | The last response code from your webhook |
| webhook_enabled | The desired status of the webhook (from audit-log-webhook.enabled) |
| webhook_status | The actual status of the webhook in Konnect |

The combination of webhook_enabled and webhook_status gives a full picture of the webhook's status.

| webhook_enabled | webhook_status | Definition |
|---|---|---|
| true | active | Konnect is ready to ship data to the webhook. Either no attempts have been made yet (last_attempt_at is not set), or the last attempt was successful. |
| true | inactive | Last attempt to send data failed, but customer wants data to resume. |
| false | active | Webhook config is saved. Konnect is not shipping data to it per webhook configuration. |
| false | inactive | Last attempt to send data failed, and customer has turned off the webhook. |
| false | unconfigured | The webhook for this region has not been configured yet. |
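A scheduled check can turn the status table above into an alert when audit log delivery stops. The script below is an added example, not part of the Konnect documentation or tooling: the severity labels, the `assess` and `fetch_status` names, and the `KONNECT_TOKEN` environment variable are assumptions.

```python
import json
import os
import urllib.request

# URL from this page; replace "global" with your region (us or eu) if needed.
STATUS_URL = "https://global.api.konghq.com/v2/audit-log-webhook/status"

# (webhook_enabled, webhook_status) -> (severity, meaning), following the table above.
# The severity labels are this example's own choice.
STATES = {
    (True, "active"): ("ok", "delivering, or ready with no attempt yet"),
    (True, "inactive"): ("critical", "enabled but the last delivery attempt failed"),
    (False, "active"): ("warning", "configured but switched off; no logs are shipped"),
    (False, "inactive"): ("warning", "switched off after a failed delivery attempt"),
    (False, "unconfigured"): ("warning", "no webhook configured for this region"),
}


def assess(status):
    """Return (severity, message) for a parsed /status response body."""
    key = (status.get("webhook_enabled"), status.get("webhook_status"))
    severity, meaning = STATES.get(key, ("critical", f"unexpected combination {key!r}"))
    code = status.get("last_response_code")
    attempted = status.get("last_attempt_at")
    detail = f"last attempt {attempted} returned {code}" if attempted else "no attempt recorded"
    # Surface a non-2xx last response even if the reported state still looks healthy.
    if severity == "ok" and attempted and code is not None and not 200 <= code < 300:
        severity = "warning"
    return severity, f"{meaning} ({detail})"


def fetch_status(token, url=STATUS_URL):
    """Call the status endpoint with a Konnect access token."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # KONNECT_TOKEN is an assumed environment variable name.
    sev, msg = assess(fetch_status(os.environ["KONNECT_TOKEN"]))
    print(f"{sev}: audit log webhook {msg}")
    raise SystemExit(0 if sev == "ok" else 1)
```

The non-zero exit code lets a cron job or monitoring agent raise an alert whenever the webhook is anything other than enabled and active.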

More information

  • Audit logging in Konnect
  • Audit log event reference
  • Set up an audit log replay job
  • Verify audit log signatures
  • Audit Logs API