# Manage Auditing
Inrupt provides overlays for enabling and disabling [Auditing](https://docs.inrupt.com/security/auditing).
## Change Auditing Destination
The ESS [Auditing service](https://docs.inrupt.com/ess/2.5/services/service-auditing) can log to:
* **`sysout`** (default)
* Syslog
* [Microsoft Sentinel](https://azure.microsoft.com/en-us/services/microsoft-sentinel/#overview).
By default, the [Auditing](https://docs.inrupt.com/security/auditing) sends audit events to **`sysout`**. To change destination, you can use the following steps:
{% tabs %}
{% tab title="Microsoft Sentinel" %}
1. Go to your ESS installation directory:
```sh
cd ${HOME}/ess
```
2\. Create a directory with your Syslog kustomization and configuration.\
a. Create a new directory **`audit-use-syslog/`** under your installation directory and switch to the new directory:
```sh
mkdir audit-use-syslog/ && cd audit-use-syslog/
```
b. Create a **`kustomization.yaml`** with the following content:
```yaml
---
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component
images:
- name: docker.software.inrupt.com/inrupt-audit-logger
newName: docker.software.inrupt.com/inrupt-audit-syslog
```
c. Create a **`sentinel-credentials.env`** to configure for integrating with Sentinel and update with your Sentinel values. See [Auditing Service: Sentinel Configuration](https://docs.inrupt.com/ess/services/service-auditing#auditing-service-sentinel-configuration) for more information on the configuration options.
```yaml
# Update with your SENTINEL values
**`QUARKUS_REST_CLIENT_SENTINEL_API_URL`**=
**`INRUPT_AUDIT_SENTINEL_API_VERSION`**=
**`INRUPT_AUDIT_SENTINEL_SHARED_KEY`**=
**`INRUPT_AUDIT_SENTINEL_WORKSPACE_ID`**=
```
3. Go back to your ESS installation directory:
```sh
cd ${HOME}/ess
```
4. Modify the **`kustomization.yaml`** (i.e., step 3 of the [Applying Your Customizations](https://docs.inrupt.com/ess/2.5/installation/..#applying-your-customizations) procedure). Specifically, in the **`kustomization.yaml`** file, add the highlighted content to the **`component`** section:
# kustomization.yaml in your ESS installation directory
# ... Preceding content omitted for brevity
# ...
components:
// ... Preceding contents of components omitted for brevity
- audit-use-sentinel/
5. Continue with the rest of the [Applying Your Customizations](https://docs.inrupt.com/ess/2.5/installation/..#applying-your-customizations) procedure.
{% endtab %}
{% tab title="Syslog" %}
1. Go to your ESS installation directory:
```sh
cd ${HOME}/ess
```
2\. Create a directory with your Sentinel kustomization and configuration.\
a. Create a new directory **`audit-use-sentinel/`** under your installation directory and switch to the new directory:
```sh
mkdir audit-use-sentinel/ && cd audit-use-sentinel/
```
b. Create a **`kustomization.yaml`** with the following content:
```yaml
---
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component
secretGenerator:
- name: audit-credentials
behavior: create
envs:
- **`sentinel-credentials.env`**
images:
- name: docker.software.inrupt.com/inrupt-audit-logger
newName: docker.software.inrupt.com/inrupt-audit-sentinel
```
See also [Auditing Service: Syslog Configuration](https://docs.inrupt.com/ess/services/service-auditing#auditing-service-syslog-configuration) for more information on the Syslog configuration options.
3. Go back to your ESS installation directory:
```sh
cd ${HOME}/ess
```
4. Modify the **`kustomization.yaml`** (i.e., step 3 of the [Applying Your Customizations](https://docs.inrupt.com/ess/2.5/installation/..#applying-your-customizations) procedure). Specifically, in the **`kustomization.yaml`** file, add the highlighted content to the **`component`** section:
# kustomization.yaml in your ESS installation directory
# ... Preceding content omitted for brevity
# ...
components:
// ... Preceding contents of components omitted for brevity
- audit-use-syslog/
5. Continue with the rest of the [Applying Your Customizations](https://docs.inrupt.com/ess/2.5/installation/..#applying-your-customizations) procedure.
{% endtab %}
{% endtabs %}
{% hint style="info" %}
**Tip**\
By default, the Auditing service outputs to **`sysout`** . If you have changed the destination from the default **`sysout`** and would like to return to **`sysout`**, remove (or revert) the above changes for integrating the service with Syslog or Sentinel.
{% endhint %}
### Disable Auditing
By default, the [Auditing](https://docs.inrupt.com/security/auditing) is enabled. To disable auditing, you can use the following steps:
{% hint style="info" %}
**Note**\
Disabling auditing stops the ESS services from publishing audit events; it does not stop the [Auditing service](https://docs.inrupt.com/ess/2.5/services/service-auditing) . [Auditing service](https://docs.inrupt.com/ess/2.5/services/service-auditing) continues to run even when auditing is disabled.
{% endhint %}
1. Go to your ESS installation directory:
```sh
cd ${HOME}/ess
```
2. Modify the **`kustomization.yaml`** (i.e., step 3 of the [Applying Your Customizations](https://docs.inrupt.com/ess/2.5/installation/..#applying-your-customizations) procedure).\
Specifically, in the **`kustomization.yaml`** file, add the highlighted content to the **`component`** section:
# kustomization.yaml in your ESS installation directory
# ... Preceding content omitted for brevity
# ...
components:
// ... Preceding contents of components omitted for brevity
- ../release/ess/deployment/kubernetes/components/audit/audit-off/
3. Continue with the rest of the [Applying Your Customizations](https://docs.inrupt.com/ess/2.5/installation/..#applying-your-customizations) procedure.
{% hint style="info" %}
**Tip**\
To re-enable the Auditing service, remove (or revert) the above changes to disable the Auditing service.
{% endhint %}
## Enable Resource Read Auditing
ESS supports auditing of *successful* [read resource operations](https://docs.inrupt.com/ess/services/service-auditing#audit-events) (i.e., **`GET`** and **`HEAD`** operations on resources).
This feature is disabled by default. To enable, set [**`INRUPT_STORAGE_AUDIT_RESOURCE_READ_ENABLED`**](https://docs.inrupt.com/ess/services/service-pod-management/service-pod-storage#inrupt_storage_audit_resource_read_enabled) to **`true`** .
{% hint style="warning" %}
**Important**\
When auditing of read operations is enabled, the total number of Audit events may increase substantially. Before enabling read operations auditing, consider allocating more compute and network resources to ESS.
{% endhint %}
1. Go to your ESS installation directory:
```sh
cd ${HOME}/ess
```
2. Modify the **`kustomization.yaml`** (i.e., step 3 of the [Applying Your Customizations](https://docs.inrupt.com/ess/2.5/installation/..#applying-your-customizations) procedure).\
Specifically, in the **`kustomization.yaml`** file, add the highlighted content to the **`patches`** section:
{% hint style="info" %}
**Tip**
If the **`patches`** key does not exist in **`kustomization.yaml`** , add the **`patches`** key as well.
{% endhint %}
# kustomization.yaml in your ESS installation directory
# ... Preceding content omitted for brevity
# ...
patches:
- target:
kind: Deployment
name: ess-pod-storage
namespace: ess
patch: |
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: INRUPT_STORAGE_AUDIT_RESOURCE_READ_ENABLED
value: "true"
3. Continue with the rest of the [Applying Your Customizations](https://docs.inrupt.com/ess/2.5/installation/..#applying-your-customizations) procedure.