Manage Auditing

Inrupt provides overlays for enabling and disabling Auditing.

Change Auditing Destination

The ESS Auditing service can log to sysout (the default), Syslog, or Sentinel.

By default, the Auditing service sends audit events to sysout. To change the destination, use the following steps:

  1. Go to your ESS installation directory:

    cd ${HOME}/ess
    
  2. Create a directory with your Sentinel kustomization and configuration.

    1. Create a new directory audit-use-sentinel/ under your installation directory and switch to the new directory:

      mkdir audit-use-sentinel/ && cd audit-use-sentinel/
      
    2. Create a kustomization.yaml with the following content:

      ---
      apiVersion: kustomize.config.k8s.io/v1alpha1
      kind: Component
      
      secretGenerator:
        - name: audit-credentials
          behavior: create
          envs:
            - sentinel-credentials.env
      
      images:
        - name: docker.software.inrupt.com/inrupt-audit-logger
          newName: docker.software.inrupt.com/inrupt-audit-sentinel
      
    3. Create a sentinel-credentials.env file with the following content and replace the empty values with your Sentinel values. See Auditing Service: Sentinel Configuration for more information on the configuration options.

      # Update with your SENTINEL values
      QUARKUS_REST_CLIENT_SENTINEL_API_URL=
      INRUPT_AUDIT_SENTINEL_API_VERSION=
      INRUPT_AUDIT_SENTINEL_SHARED_KEY=
      INRUPT_AUDIT_SENTINEL_WORKSPACE_ID=
      
  3. Go back to your ESS installation directory:

    cd ${HOME}/ess
    
  4. Modify the kustomization.yaml (i.e., step 3 of the Applying Your Customizations procedure).

    Specifically, in the kustomization.yaml file, add the audit-use-sentinel/ entry to the components list:

    # kustomization.yaml in your ESS installation directory
    
    # ...  Preceding content omitted for brevity 
    # ...
    
    components:
      # ... Preceding contents of components omitted for brevity
      - audit-use-sentinel/
    
  5. Continue with the rest of the Applying Your Customizations procedure.

Tip

By default, the Auditing service outputs to sysout. If you have changed the destination from the default sysout and would like to return to sysout, remove (or revert) the above changes for integrating the service with Syslog or Sentinel.

Disable Auditing

By default, auditing is enabled. To disable auditing, use the following steps:

Note

Disabling auditing stops the ESS services from publishing audit events; it does not stop the Auditing service, which continues to run even when auditing is disabled.

  1. Go to your ESS installation directory:

    cd ${HOME}/ess
    
  2. Modify the kustomization.yaml (i.e., step 3 of the Applying Your Customizations procedure).

    Specifically, in the kustomization.yaml file, add the audit-off component entry to the components list:

    # kustomization.yaml in your ESS installation directory
    
    # ...  Preceding content omitted for brevity 
    # ...
    
    components:
      # ... Preceding contents of components omitted for brevity
      - ../release/ess/deployment/kubernetes/components/audit/audit-off/
    
  3. Continue with the rest of the Applying Your Customizations procedure.

Tip

To re-enable auditing, remove (or revert) the above changes.
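The following shell script is an added pre-flight check for the two procedures above; it is not Inrupt's or ESS's own tooling. It verifies that sentinel-credentials.env has all four keys filled in before the secretGenerator bakes an empty value into the audit-credentials Secret, and reports which audit destination the components list of your kustomization.yaml selects (sysout, Sentinel, or disabled). The file names follow the procedure; the checks themselves and the constructed sample contents are assumptions.

```shell
#!/bin/sh
# Added pre-flight checks for the Sentinel and audit-off customizations above;
# a constructed example, not ESS's own tooling. File names follow the
# procedure, the checks themselves are assumptions.

# The four keys from the sentinel-credentials.env template.
SENTINEL_KEYS="QUARKUS_REST_CLIENT_SENTINEL_API_URL INRUPT_AUDIT_SENTINEL_API_VERSION INRUPT_AUDIT_SENTINEL_SHARED_KEY INRUPT_AUDIT_SENTINEL_WORKSPACE_ID"
# check_sentinel_env FILE: returns 1 if any required key is absent or empty,
# since an empty value would be written silently into the generated Secret.
check_sentinel_env() {
  env_file=$1
  rc=0
  for key in $SENTINEL_KEYS; do
    # First assignment of the key; the value is everything after '='.
    val=$(grep -E "^${key}=" "$env_file" | head -n 1 | cut -d= -f2-)
    if [ -z "$val" ]; then
      echo "sentinel-credentials.env: $key is missing or empty" >&2
      rc=1
    fi
  done
  return $rc
}

# audit_destination FILE: prints "disabled", "sentinel" or the default "sysout",
# judging by the components listed in a kustomization.yaml; '#'-commented entries are ignored.
audit_destination() {
  kust=$1
  if grep -qE '^[[:space:]]*-[[:space:]]*[^[:space:]]*components/audit/audit-off/?[[:space:]]*$' "$kust"; then
    echo disabled
  elif grep -qE '^[[:space:]]*-[[:space:]]*audit-use-sentinel/?[[:space:]]*$' "$kust"; then
    echo sentinel
  else
    echo sysout
  fi
}
# Constructed sample files so the script runs offline; the shared key is
# deliberately left empty to show the failing case.
demo() {
  dir=$(mktemp -d)
  printf 'components:\n  - audit-use-sentinel/\n' > "$dir/kustomization.yaml"
  printf '%s\n' 'QUARKUS_REST_CLIENT_SENTINEL_API_URL=https://sentinel.example.invalid' \
    'INRUPT_AUDIT_SENTINEL_API_VERSION=example-version' \
    'INRUPT_AUDIT_SENTINEL_SHARED_KEY=' \
    'INRUPT_AUDIT_SENTINEL_WORKSPACE_ID=example-workspace' > "$dir/sentinel-credentials.env"
  echo "audit destination: $(audit_destination "$dir/kustomization.yaml")"
  check_sentinel_env "$dir/sentinel-credentials.env" || echo "fix the env file before applying"
  rm -rf "$dir"
}
demo
```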

Enable Resource Read Auditing

Starting in 2.1, ESS supports auditing of successful resource read operations (i.e., GET and HEAD requests on resources).

This feature is disabled by default. To enable it, set INRUPT_STORAGE_AUDIT_RESOURCE_READ_ENABLED to true.

Important

When auditing of read operations is enabled, the total number of Audit events may increase substantially. Before enabling read operations auditing, consider allocating more compute and network resources to ESS.

  1. Go to your ESS installation directory:

    cd ${HOME}/ess
    
  2. Modify the kustomization.yaml (i.e., step 3 of the Applying Your Customizations procedure).

    Specifically, in the kustomization.yaml file, add the following entry to the patches list:

    Tip

    If the patches key does not exist in kustomization.yaml, add the patches key as well.

    # kustomization.yaml in your ESS installation directory
    
    # ...  Preceding content omitted for brevity 
    # ...
    
    
    patches:
      - target:
          kind: Deployment
          name: ess-pod-storage
          namespace: ess
        patch: |
          - op: add
            path: /spec/template/spec/containers/0/env/-
            value:
              name: INRUPT_STORAGE_AUDIT_RESOURCE_READ_ENABLED
              value: "true"
    
  3. Continue with the rest of the Applying Your Customizations procedure.