Security audit destinations endpoint overview
Overview
This API controls the forwarding of audit log information to remote syslog/splunk servers. Multiple destinations can be configured and all audit records are forwarded to all destinations.
The operations supported are:
A GET operation on /security/audit/destinations retrieves information about all configured remote syslog/splunk server destinations.
A POST operation on /security/audit/destinations creates a remote syslog/splunk server destination.
A GET operation on /security/audit/destinations/{address}/{port} retrieves information about one syslog/splunk server destination given its address and port number.
A PATCH operation on /security/audit/destinations/{address}/{port} updates the configuration of one syslog/splunk server destination given its address and port number.
A DELETE operation on /security/audit/destinations/{address}/{port} deletes one syslog/splunk server destination given its address and port number.
Overview of fields used for creating a remote syslog/splunk destination
The fields used for creating a remote syslog/splunk destination fall into the following categories
Required properties
All of the following fields are required for creating a remote syslog/splunk destination
- address
Optional properties
All of the following fields are optional for creating a remote syslog/splunk destination:
- port
- ipspace
- protocol
- facility
- verify_server
- message_format (can be either "legacy_netapp" or "rfc_5424")
- timestamp_format_override (can be "no_override", "rfc_3164", "iso_8601_utc" or "iso_8601_local_time")
- hostname_format_override (can be "no_override", "fqdn" or "hostname_only")
Examples
Retrieving remote syslog/splunk server destinations
The following example retrieves the configured remote syslog/splunk server destinations.
# The API:
/api/security/audit/destinations
# The call:
curl -X GET "https://<cluster-ip>/api/security/audit/destinations"
# The response:
{
"records": [
{
"address": "1.1.1.1",
"port": 514,
"_links": {
"self": {
"href": "/api/security/audit/destinations/1.1.1.1/514"
}
}
}
],
"num_records": 1,
"_links": {
"self": {
"href": "/api/security/audit/destinations"
}
}
}
Creating a remote syslog/splunk server destination
The following example creates a single remote syslog/splunk server destination. It uses the "udp_unencrypted" protocol, so the audit records forwarded to this destination are not protected in transit.
# The API:
/api/security/audit/destinations
# The call:
curl -X POST "https://<cluster-ip>/api/security/audit/destinations?force=true" -d '{ "address": "1.1.1.1", "port": 514, "protocol": "udp_unencrypted", "facility": "kern"}'
Retrieving a remote syslog/splunk server destination given its destination address and port number
The following example retrieves a remote syslog/splunk server destination given its destination address and port number.
# The API:
/api/security/audit/destinations/{address}/{port}
# The call:
curl -X GET "https://<cluster-ip>/api/security/audit/destinations/1.1.1.1/514"
# The response:
{
"address": "1.1.1.1",
"port": 514,
"ipspace": {
"name": "Default",
"uuid": "a97a3549-f7ae-11ec-b6bc-005056a7c8ff"
},
"protocol": "udp_unencrypted",
"facility": "kern",
"verify_server": false,
"message_format": "legacy_netapp",
"timestamp_format_override": "no_override",
"hostname_format_override": "no_override",
"_links": {
"self": {
"href": "/api/security/audit/destinations/1.1.1.1/514"
}
}
}
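The field overview above lists the accepted values for the enumerated fields, and the GET responses show the per-destination settings that matter for the security of the forwarded audit trail: protocol and verify_server. As an added example that is not part of this page or NetApp's own tooling, the Python script below validates a POST body against the enumerations given on this page, audits a GET response for destinations that forward in cleartext or skip certificate validation, and renders the PATCH calls that would harden them in the same style as the examples here. The response it parses is constructed inline, not captured from a cluster. Assumptions: the protocol values "tcp_unencrypted" and "tcp_encrypted" (only "udp_unencrypted" appears on this page; the other two are taken from ONTAP's cluster log-forwarding options), that the collection GET returns the per-record fields when asked for them, and that PATCH accepts protocol and verify_server.

```python
import json

# Constructed sample in the shape of the GET /api/security/audit/destinations
# response, carrying the per-destination fields the single-destination GET on
# this page shows (assumption: the collection GET returns them when requested).
SAMPLE_RESPONSE = json.dumps({
    "records": [
        {"address": "1.1.1.1", "port": 514, "protocol": "udp_unencrypted",
         "facility": "kern", "verify_server": False},
        {"address": "10.0.0.5", "port": 6514, "protocol": "tcp_encrypted",
         "facility": "local0", "verify_server": True},
        {"address": "10.0.0.6", "port": 6514, "protocol": "tcp_encrypted",
         "facility": "local0", "verify_server": False},
    ],
    "num_records": 3,
})

# Only "udp_unencrypted" appears on the page; the other two values are assumed
# from ONTAP's cluster log-forwarding protocol options.
PROTOCOLS = {"udp_unencrypted", "tcp_unencrypted", "tcp_encrypted"}
ENCRYPTED_PROTOCOL = "tcp_encrypted"

# Enumerations as given in the field overview on this page.
ENUMS = {
    "message_format": {"legacy_netapp", "rfc_5424"},
    "timestamp_format_override": {"no_override", "rfc_3164", "iso_8601_utc",
                                  "iso_8601_local_time"},
    "hostname_format_override": {"no_override", "fqdn", "hostname_only"},
    "protocol": PROTOCOLS,
}
KNOWN_FIELDS = {"address", "port", "ipspace", "facility", "verify_server"} | set(ENUMS)


def validate_create_body(body):
    """Return a list of problems with a POST body; an empty list means it looks sound."""
    problems = []
    if "address" not in body:
        problems.append("address is required")
    for name in body:
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field {name!r}")
    for name, allowed in ENUMS.items():
        if name in body and body[name] not in allowed:
            problems.append(f"{name}={body[name]!r} not in {sorted(allowed)}")
    # The page does not state the default protocol, so an absent value is
    # flagged as well: only an explicit tcp_encrypted is treated as protected.
    if body.get("protocol") != ENCRYPTED_PROTOCOL:
        problems.append("audit records will be sent in cleartext; use tcp_encrypted")
    elif not body.get("verify_server", False):
        problems.append("verify_server is false: the server certificate is not validated")
    return problems


def audit_destinations(response_text):
    """Parse a collection GET response; return ({address/port: [issues]}, {address/port: patch body})."""
    findings, patches = {}, {}
    for rec in json.loads(response_text).get("records", []):
        key = f"{rec['address']}/{rec['port']}"
        issues, patch = [], {}
        if rec.get("protocol") != ENCRYPTED_PROTOCOL:
            issues.append(f"protocol {rec.get('protocol')!r} forwards audit records in cleartext")
            patch["protocol"] = ENCRYPTED_PROTOCOL
        if not rec.get("verify_server", False):
            issues.append("verify_server is false: the destination certificate is not validated")
            patch["verify_server"] = True
        if issues:
            findings[key] = issues
            patches[key] = patch
    return findings, patches


def remediation_commands(patches, cluster="<cluster-ip>"):
    """Render one PATCH call per weak destination, in the style of this page's examples."""
    return [
        f'curl -X PATCH "https://{cluster}/api/security/audit/destinations/{key}" '
        f"-d '{json.dumps(body, sort_keys=True)}'"
        for key, body in sorted(patches.items())
    ]


if __name__ == "__main__":
    found, fixes = audit_destinations(SAMPLE_RESPONSE)
    for dest, issues in found.items():
        print(dest)
        for issue in issues:
            print("  -", issue)
    for cmd in remediation_commands(fixes):
        print(cmd)
```

Two caveats before running the rendered PATCH calls against a real cluster: switching a destination to tcp_encrypted only works if the syslog/splunk server is listening for TLS on that port and the cluster trusts the CA that issued its certificate, and since the port is part of the resource path in this API, moving a destination to a different port is a DELETE followed by a POST rather than a PATCH.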
Updating a remote syslog/splunk server destination given its destination address and port number
The following example updates a remote syslog/splunk server destination configuration given its destination address and port number.
# The API:
/api/security/audit/destinations/{address}/{port}
# The call:
curl -X PATCH "https://<cluster-ip>/api/security/audit/destinations/1.1.1.1/514" -d '{"facility": "user"}'
Deleting a remote syslog/splunk server destination given its destination address and port number
The following example deletes a remote syslog/splunk server destination configuration given its destination address and port number.
# The API:
/api/security/audit/destinations/{address}/{port}
# The call:
curl -X DELETE "https://<cluster-ip>/api/security/audit/destinations/1.1.1.1/514"