Verify audit log signatures
Konnect and Dev Portal sign the audit logs they produce with an Ed25519 signature. You can verify the signature on an audit log entry to confirm that it was produced by Konnect and was not altered or forged by a third party.
Audit logs can be exported in two formats, CEF and JSON. The bytes covered by the signature are laid out slightly differently in each format, so the way you strip the signature from an entry before checking it also differs.
Verify a signature
1. Retrieve the public key from the audit log JWKS endpoint:

   ```sh
   curl -i -X GET https://{region}.api.konghq.com/v2/audit-log-webhook/jwks.json
   ```

   The response should look like this, where the public key is stored in the `x` attribute:

   ```json
   {
     "keys": [
       {
         "alg": "EdDSA",
         "crv": "Ed25519",
         "kid": "1d4608c22e448672d5386b4071b70442as45c58265",
         "kty": "OKP",
         "x": "aFNAu9QEQhiunrGuyS14ePHzoOb2vash783p1-_Nrc3M"
       }
     ]
   }
   ```

   Save the public key to decode later.

2. Find an audit log entry from Konnect in your SIEM provider and copy it.

3. Remove the signature (the `sig` value) from the audit log entry, but save the signature to decode later. The adjusted entry looks slightly different depending on the format you are using. The following Konnect org audit log examples show what the entry looks like in each format after the signature is removed:

4. Decode the signature and the public key into bytes. Both are base64url-encoded. The JWK `x` value carries no `=` padding, so use a decoder that accepts unpadded input. A decoded Ed25519 public key is 32 bytes and a signature is 64 bytes; if either length differs, you copied the wrong value.

5. Verify the Ed25519 signature using the public key, the signature-less audit log entry as the message, and the decoded signature. If the check succeeds, you will see a `Signature is valid` response. If it fails, confirm that you removed only the signature and changed no other byte of the entry (whitespace and key order are part of the signed message), and fetch the JWKS again in case the signing key has been rotated before treating the entry as forged.
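The five steps above as one runnable program. This is an added example, not Kong's code: it uses Go's standard `crypto/ed25519` package, generates a throwaway key pair that stands in for the key served by the JWKS endpoint, and signs two constructed entries (one CEF, one JSON) whose field names, values and CEF header are made up for the example, as is the `kid` value `example-kid`. The canonicalization is an assumption: the CEF signature is taken to be a trailing `sig=` extension and the JSON signature the `sig` member, with the rest of the entry signed byte-for-byte as it appears; if Konnect serializes the signed message differently, adjust `splitSignature` accordingly.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// jwksDoc mirrors the shape of the audit-log JWKS endpoint response.
type jwksDoc struct {
	Keys []struct {
		Alg string `json:"alg"`
		Crv string `json:"crv"`
		Kid string `json:"kid"`
		Kty string `json:"kty"`
		X   string `json:"x"`
	} `json:"keys"`
}

// publicKeyFromJWKS selects the Ed25519 key whose kid matches and decodes its
// base64url "x" attribute (unpadded per the JWK spec) into the 32 raw key bytes.
func publicKeyFromJWKS(doc []byte, kid string) (ed25519.PublicKey, error) {
	var j jwksDoc
	if err := json.Unmarshal(doc, &j); err != nil {
		return nil, fmt.Errorf("jwks: %w", err)
	}
	for _, k := range j.Keys {
		if k.Kid != kid || k.Kty != "OKP" || k.Crv != "Ed25519" {
			continue
		}
		raw, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(k.X, "="))
		if err != nil {
			return nil, fmt.Errorf("jwks x: %w", err)
		}
		if len(raw) != ed25519.PublicKeySize {
			return nil, fmt.Errorf("jwks x: %d bytes, want %d", len(raw), ed25519.PublicKeySize)
		}
		return ed25519.PublicKey(raw), nil
	}
	return nil, fmt.Errorf("jwks: no Ed25519 key with kid %q", kid)
}

var (
	cefSig  = regexp.MustCompile(`\ssig=([A-Za-z0-9_-]+=*)\s*$`)
	jsonSig = regexp.MustCompile(`"sig"\s*:\s*"([A-Za-z0-9_-]+=*)"`)
)

// splitSignature strips the sig value from an entry and returns the bytes that were
// signed plus the base64url signature text. ASSUMPTION: CEF carries the signature as a
// trailing "sig=" extension; JSON carries it as the "sig" member and the remaining
// members are signed exactly as they appear (original key order and spacing).
func splitSignature(entry string) (message []byte, sigText string, err error) {
	if strings.HasPrefix(entry, "CEF:") {
		m := cefSig.FindStringSubmatchIndex(entry)
		if m == nil {
			return nil, "", errors.New("CEF entry has no trailing sig= extension")
		}
		return []byte(entry[:m[0]]), entry[m[2]:m[3]], nil
	}
	m := jsonSig.FindStringSubmatchIndex(entry)
	if m == nil {
		return nil, "", errors.New(`JSON entry has no "sig" member`)
	}
	start, end := m[0], m[1]
	// Also drop the comma that separated sig from its neighbour: the one before it,
	// or, when sig was the first member, the one after it.
	if i := strings.LastIndex(entry[:start], ","); i >= 0 && strings.TrimSpace(entry[i+1:start]) == "" {
		start = i
	} else if rest := strings.TrimLeft(entry[end:], " \t\r\n"); strings.HasPrefix(rest, ",") {
		end = len(entry) - len(rest) + 1
	}
	return []byte(entry[:start] + entry[end:]), entry[m[2]:m[3]], nil
}

// VerifyEntry runs the whole procedure: pick the key by kid, strip the signature,
// decode it from base64url, check lengths, verify. A nil error means "Signature is valid".
func VerifyEntry(jwks []byte, kid, entry string) error {
	pub, err := publicKeyFromJWKS(jwks, kid)
	if err != nil {
		return err
	}
	msg, sigText, err := splitSignature(entry)
	if err != nil {
		return err
	}
	sig, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(sigText, "="))
	if err != nil {
		return fmt.Errorf("sig: %w", err)
	}
	if len(sig) != ed25519.SignatureSize {
		return fmt.Errorf("sig: %d bytes, want %d", len(sig), ed25519.SignatureSize)
	}
	if !ed25519.Verify(pub, msg, sig) {
		return errors.New("signature is NOT valid")
	}
	return nil
}

// BuildFixture stands in for Konnect: it generates a throwaway key pair, publishes it
// as a JWKS document and signs one constructed CEF and one constructed JSON entry.
// The kid, CEF header and field names/values are invented for this example.
func BuildFixture() (jwks []byte, cefEntry, jsonEntry string, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, "", "", err
	}
	enc := base64.RawURLEncoding.EncodeToString
	jwks = []byte(fmt.Sprintf(`{"keys":[{"alg":"EdDSA","crv":"Ed25519","kid":"example-kid","kty":"OKP","x":"%s"}]}`, enc(pub)))
	cefBody := "CEF:0|Kong|Konnect|1.0|auth.login|User login|3|rt=1700000000000 suser=alice outcome=success"
	cefEntry = cefBody + " sig=" + enc(ed25519.Sign(priv, []byte(cefBody)))
	jsonBody := `{"org_id":"org-1","action":"auth.login","principal":"alice","outcome":"success"}`
	jsonEntry = jsonBody[:len(jsonBody)-1] + `,"sig":"` + enc(ed25519.Sign(priv, []byte(jsonBody))) + `"}`
	return jwks, cefEntry, jsonEntry, nil
}

func main() {
	jwks, cef, js, err := BuildFixture()
	if err != nil {
		panic(err)
	}
	// The third entry is tampered after signing, so it must fail.
	for _, entry := range []string{cef, js, strings.Replace(js, "alice", "mallory", 1)} {
		if err := VerifyEntry(jwks, "example-kid", entry); err != nil {
			fmt.Println("FAILED:", err)
		} else {
			fmt.Println("Signature is valid")
		}
	}
}
```

To use it against real data, replace `BuildFixture` with the JWKS document returned by the curl request in step 1 and an entry copied from your SIEM, and pass the `kid` of the key you expect to have signed it. The length checks before `ed25519.Verify` catch the most common mistake, copying a truncated or padded value, before it is reported as a bad signature.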
See also
Dev Portal audit logs:
- Audit logging in Dev Portal
- Set up a portal audit log webhook
- Set up a portal audit log replay job
Konnect audit logs: