# Manage Auditing

Inrupt provides overlays for enabling and disabling [Auditing](https://github.com/inrupt/docs-gitbook/blob/main/ess/security/auditing/README.md).

## Change Auditing Destination

The ESS [Auditing service](/ess/2.3/services/service-auditing.md) can log to:

* **`sysout`** (default)
* Syslog
* [Microsoft Sentinel](https://azure.microsoft.com/en-us/services/microsoft-sentinel/#overview).

By default, the [Auditing](https://github.com/inrupt/docs-gitbook/blob/main/ess/security/auditing/README.md) sends audit events to **`sysout`**. To change destination, you can use the following steps:

{% tabs %}
{% tab title="Microsoft Sentinel" %}

1. Go to your ESS installation directory:

```sh
cd ${HOME}/ess
```

2\. Create a directory with your Syslog kustomization and configuration.\
a. Create a new directory **`audit-use-syslog/`** under your installation directory and switch to the new directory:

```sh
mkdir audit-use-syslog/ && cd audit-use-syslog/
```

b. Create a **`kustomization.yaml`** with the following content:

```yaml
---
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component

images:
  - name: docker.software.inrupt.com/inrupt-audit-logger
    newName: docker.software.inrupt.com/inrupt-audit-syslog
```

c. Create a **`sentinel-credentials.env`** to configure for integrating with Sentinel and update with your Sentinel values. See [Auditing Service: Sentinel Configuration](/ess/2.3/services/service-auditing.md#auditing-service-sentinel-configuration) for more information on the configuration options.

```yaml
# Update with your SENTINEL values
**`QUARKUS_REST_CLIENT_SENTINEL_API_URL`**=
**`INRUPT_AUDIT_SENTINEL_API_VERSION`**=
**`INRUPT_AUDIT_SENTINEL_SHARED_KEY`**=
**`INRUPT_AUDIT_SENTINEL_WORKSPACE_ID`**=
```

3. Go back to your ESS installation directory:

   ```sh
   cd ${HOME}/ess
   ```
4. Modify the **`kustomization.yaml`** (i.e., step 3 of the [Applying Your Customizations](/ess/2.3/installation.md#applying-your-customizations) procedure). Specifically, in the **`kustomization.yaml`** file, add the highlighted content to the **`component`** section:

   <pre class="language-yaml"><code class="lang-yaml"># kustomization.yaml in your ESS installation directory

   # ...  Preceding content omitted for brevity 
   # ...

   components:
     // ... Preceding contents of components omitted for brevity
   <strong>  - audit-use-sentinel/
   </strong></code></pre>
5. Continue with the rest of the [Applying Your Customizations](/ess/2.3/installation.md#applying-your-customizations) procedure.
   {% endtab %}

{% tab title="Syslog" %}

1. Go to your ESS installation directory:

```sh
cd ${HOME}/ess
```

2\. Create a directory with your Sentinel kustomization and configuration.\
a. Create a new directory **`audit-use-sentinel/`** under your installation directory and switch to the new directory:

```sh
mkdir audit-use-sentinel/ && cd audit-use-sentinel/
```

b. Create a **`kustomization.yaml`** with the following content:

```yaml
---
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component
secretGenerator:
  - name: audit-credentials
    behavior: create
    envs:
      - **`sentinel-credentials.env`**
images:
  - name: docker.software.inrupt.com/inrupt-audit-logger
    newName: docker.software.inrupt.com/inrupt-audit-sentinel
```

See also [Auditing Service: Syslog Configuration](/ess/2.3/services/service-auditing.md#auditing-service-syslog-configuration) for more information on the Syslog configuration options.

3. Go back to your ESS installation directory:

   ```sh
   cd ${HOME}/ess
   ```
4. Modify the **`kustomization.yaml`** (i.e., step 3 of the [Applying Your Customizations](/ess/2.3/installation/customize-configurations.md#applying-your-customizations) procedure). Specifically, in the **`kustomization.yaml`** file, add the highlighted content to the **`component`** section:

   <pre class="language-yaml"><code class="lang-yaml"># kustomization.yaml in your ESS installation directory

   # ...  Preceding content omitted for brevity 
   # ...

   components:
     // ... Preceding contents of components omitted for brevity
   <strong>  - audit-use-syslog/
   </strong></code></pre>
5. Continue with the rest of the [Applying Your Customizations](/ess/2.3/installation/customize-configurations.md#applying-your-customizations) procedure.
   {% endtab %}
   {% endtabs %}

{% hint style="info" %}
**Tip**\
By default, the Auditing service outputs to **`sysout`** . If you have changed the destination from the default **`sysout`** and would like to return to **`sysout`**, remove (or revert) the above changes for integrating the service with Syslog or Sentinel.
{% endhint %}

### Disable Auditing

By default, the [Auditing](https://github.com/inrupt/docs-gitbook/blob/main/ess/security/auditing/README.md) is enabled. To disable auditing, you can use the following steps:

{% hint style="info" %}
**Note**\
Disabling auditing stops the ESS services from publishing audit events; it does not stop the [Auditing service](/ess/2.3/services/service-auditing.md) . [Auditing service](/ess/2.3/services/service-auditing.md) continues to run even when auditing is disabled.
{% endhint %}

1. Go to your ESS installation directory:

   ```sh
   cd ${HOME}/ess
   ```
2. Modify the **`kustomization.yaml`** (i.e., step 3 of the [Applying Your Customizations](/ess/2.3/installation/customize-configurations.md#applying-your-customizations) procedure).\
   Specifically, in the **`kustomization.yaml`** file, add the highlighted content to the **`component`** section:

   <pre class="language-yaml"><code class="lang-yaml">
    # kustomization.yaml in your ESS installation directory
    # ...  Preceding content omitted for brevity 
    # ...
    components:
      // ... Preceding contents of components omitted for brevity
   <strong>   - ../release/ess/deployment/kubernetes/components/audit/audit-off/
   </strong><strong> 
   </strong> 
   </code></pre>
3. Continue with the rest of the [Applying Your Customizations](/ess/2.3/installation/customize-configurations.md#applying-your-customizations) procedure.

{% hint style="info" %}
**Tip**\
To re-enable the Auditing service, remove (or revert) the above changes to disable the Auditing service.
{% endhint %}

## Enable Resource Read Auditing

ESS supports auditing of *successful* [read resource operations](/ess/2.3/services/service-auditing.md#audit-events) (i.e., **`GET`** and **`HEAD`** operations on resources).

This feature is disabled by default. To enable, set [**`INRUPT_STORAGE_AUDIT_RESOURCE_READ_ENABLED`**](/ess/2.3/services/service-pod-management/service-pod-storage.md#inrupt_storage_audit_resource_read_enabled) to **`true`** .

{% hint style="warning" %}
**Important**\
When auditing of read operations is enabled, the total number of Audit events may increase substantially. Before enabling read operations auditing, consider allocating more compute and network resources to ESS.
{% endhint %}

1. Go to your ESS installation directory:

   ```sh
   cd ${HOME}/ess
   ```
2. Modify the **`kustomization.yaml`** (i.e., step 3 of the [Applying Your Customizations](/ess/2.3/installation/customize-configurations.md#applying-your-customizations) procedure).\
   Specifically, in the **`kustomization.yaml`** file, add the highlighted content to the **`patches`** section:

   {% hint style="info" %} **Tip**

   If **`patches`** key does not exist in **`kustomization.yaml`** , add the key **`patches`** as well. {% endhint %}

   ```yaml
   # kustomization.yaml in your ESS installation directory
   ```

`... Preceding content omitted for brevity...`

` patches:`` `` `**`- target: kind: Deployment name: ess-pod-storage namespace: ess patch: | - op: add path: /spec/template/spec/containers/0/env/- value: name: INRUPT_STORAGE_AUDIT_RESOURCE_READ_ENABLED value: "true"`**

3. Continue with the rest of the [Applying Your Customizations](/ess/2.3/installation/customize-configurations.md#applying-your-customizations) procedure.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.inrupt.com/ess/2.3/installation/customize-configurations/customization-logging/manage-auditing.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.