Manage Auditing

Inrupt provides overlays for enabling and disabling Auditing.

Change Auditing Destination

The ESS Auditing service can log to:

• sysout (default)

• Syslog

• Microsoft Sentinel.

By default, the Auditing sends audit events to sysout. To change destination, you can use the following steps:

Microsoft SentinelSyslog

1. Go to your ESS installation directory:

   cd ${HOME}/ess
   

2. Create a directory with your Sentinel kustomization and configuration.

   1. Create a new directory audit-use-sentinel/ under your installation directory and switch to the new directory:

      mkdir audit-use-sentinel/ && cd audit-use-sentinel/
      

   2. Create a kustomization.yaml with the following content:

      ---
      apiVersion: kustomize.config.k8s.io/v1alpha1
      kind: Component
      
      secretGenerator:
        - name: audit-credentials
          behavior: create
          envs:
            - sentinel-credentials.env
      
      images:
        - name: docker.software.inrupt.com/inrupt-audit-logger
          newName: docker.software.inrupt.com/inrupt-audit-sentinel
      

   3. Create a sentinel-credentials.env to configure for integrating with Sentinel and update with your Sentinel values. See Auditing Service: Sentinel Configuration for more information on the configuration options.

      # Update with your SENTINEL values
      QUARKUS_REST_CLIENT_SENTINEL_API_URL=
      INRUPT_AUDIT_SENTINEL_API_VERSION=
      INRUPT_AUDIT_SENTINEL_SHARED_KEY=
      INRUPT_AUDIT_SENTINEL_WORKSPACE_ID=
      

3. Go back to your ESS installation directory:

   cd ${HOME}/ess
   

4. Modify the kustomization.yaml (i.e., step 3 of the Applying Your Customizations procedure).

   Specifically, in the kustomization.yaml file, add the highlighted content to the component section:

   # kustomization.yaml in your ESS installation directory
   
   # ...  Preceding content omitted for brevity 
   # ...
   
   components:
     // ... Preceding contents of components omitted for brevity
     - audit-use-sentinel/
   

5. Continue with the rest of the Applying Your Customizations procedure.

Tip

By default, the Auditing service outputs to sysout. If you have changed the destination from the default sysout and would like to return to sysout, remove (or revert) the above changes for integrating the service with Syslog or Sentinel.

Disable Auditing

By default, the Auditing is enabled. To disable auditing, you can use the following steps:

Note

Disabling auditing stops the ESS services from publishing audit events; it does not stop the Auditing service. Auditing service continues to run even when auditing is disabled.

1. Go to your ESS installation directory:

   cd ${HOME}/ess
   

2. Modify the kustomization.yaml (i.e., step 3 of the Applying Your Customizations procedure).

   Specifically, in the kustomization.yaml file, add the highlighted content to the component section:

   # kustomization.yaml in your ESS installation directory
   
   # ...  Preceding content omitted for brevity 
   # ...
   
   components:
     // ... Preceding contents of components omitted for brevity
     - ../release/ess/deployment/kubernetes/components/audit/audit-off/
   

3. Continue with the rest of the Applying Your Customizations procedure.

Tip

To re-enable the Auditing service, remove (or revert) the above changes to disable the Auditing service.