
Security audit destinations endpoint overview


Overview

This API controls the forwarding of audit log information to remote syslog/splunk servers. Multiple destinations can be configured and all audit records are forwarded to all destinations.

A GET operation retrieves information about remote syslog/splunk server destinations. A POST operation creates a remote syslog/splunk server destination. A GET operation on /security/audit/destinations/{address}/{port} retrieves information about the syslog/splunk server destination given its address and port number. A PATCH operation on /security/audit/destinations/{address}/{port} updates information about the syslog/splunk server destination given its address and port number. A DELETE operation on /security/audit/destinations/{address}/{port} deletes a syslog/splunk server destination given its address and port number.

Overview of fields used for creating a remote syslog/splunk destination

The fields used for creating a remote syslog/splunk destination fall into the following categories:

Required properties

All of the following fields are required for creating a remote syslog/splunk destination:

  • address

Optional properties

All of the following fields are optional for creating a remote syslog/splunk destination:

  • port

  • protocol

  • facility

  • verify_server


Examples

Retrieving remote syslog/splunk server destinations

The following example shows the configured remote syslog/splunk server destinations.


# The API:
/api/security/audit/destinations

# The call:
curl -X GET "https://<cluster-ip>/api/security/audit/destinations"

# The response:
{
  "records": [
    {
      "address": "1.1.1.1",
      "port": 514,
      "_links": {
        "self": {
          "href": "/api/security/audit/destinations/1.1.1.1/514"
        }
      }
    }
  ],
  "num_records": 1,
  "_links": {
    "self": {
      "href": "/api/security/audit/destinations"
    }
  }
}

Creating remote syslog/splunk server destinations

The following example creates a remote syslog/splunk server destination.


# The API:
/api/security/audit/destinations

# The call:
curl -X POST "https://<cluster-ip>/api/security/audit/destinations?force=true" -d '{ "address": "<destination-address>", "port": <destination-port>, "protocol": "udp_unencrypted", "facility": "kern"}'

Retrieving a remote syslog/splunk server destination given its destination address and port number

The following example retrieves a remote syslog/splunk server destination given its destination address and port number.


# The API:
/api/security/audit/destinations/{address}/{port}

# The call:
curl -X GET "https://<cluster-ip>/api/security/audit/destinations/<destination-address>/<destination-port>"

# The response:
{
  "address": "1.1.1.1",
  "port": 514,
  "protocol": "udp_unencrypted",
  "facility": "kern",
  "verify_server": false,
  "_links": {
    "self": {
      "href": "/api/security/audit/destinations/1.1.1.1/514"
    }
  }
}
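As an added example (not part of the NetApp documentation or its client code), a small Python check over a list response like the one above that flags destinations forwarding audit records over an unencrypted protocol or without server verification, and builds the POST body for a hardened destination. It assumes the list was fetched with `?fields=*` so each record carries `protocol` and `verify_server`, and that `tcp_encrypted` is the TLS transport value; both are assumptions, since the page itself shows only `udp_unencrypted`.

```python
import json

# Constructed sample response modelled on GET /api/security/audit/destinations
# (assumed fetched with ?fields=*). Sample data only, not from a real cluster.
SAMPLE_LIST_RESPONSE = json.dumps({
    "records": [
        {"address": "1.1.1.1", "port": 514, "protocol": "udp_unencrypted",
         "facility": "kern", "verify_server": False},
        {"address": "1.1.1.2", "port": 6514, "protocol": "tcp_encrypted",
         "facility": "kern", "verify_server": True},
    ],
    "num_records": 2,
})

# Assumed value of the TLS-protected transport; the page only shows udp_unencrypted.
ENCRYPTED_PROTOCOL = "tcp_encrypted"


def audit_destination_findings(list_response_json: str) -> list:
    """Return one finding per destination whose transport or peer check weakens
    the integrity and confidentiality of forwarded audit records."""
    findings = []
    for rec in json.loads(list_response_json).get("records", []):
        issues = []
        # A missing protocol field is treated as the plaintext default.
        if rec.get("protocol", "udp_unencrypted") != ENCRYPTED_PROTOCOL:
            issues.append("unencrypted transport: audit records readable/alterable in transit")
        if not rec.get("verify_server", False):
            issues.append("verify_server false: remote server certificate is not authenticated")
        if issues:
            findings.append({"address": rec["address"], "port": rec["port"], "issues": issues})
    return findings


def hardened_destination_body(address: str, port: int = 6514, facility: str = "kern") -> dict:
    """Body for POST /api/security/audit/destinations using encrypted transport
    with server verification enabled (6514 is the conventional syslog-over-TLS port)."""
    return {"address": address, "port": port, "protocol": ENCRYPTED_PROTOCOL,
            "facility": facility, "verify_server": True}


if __name__ == "__main__":
    for finding in audit_destination_findings(SAMPLE_LIST_RESPONSE):
        print(f"{finding['address']}:{finding['port']} -> {'; '.join(finding['issues'])}")
    print(json.dumps(hardened_destination_body("10.0.0.5")))
```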

Updating a remote syslog/splunk server destination given its destination address and port number

The following example updates a remote syslog/splunk server destination configuration given its destination address and port number.


# The API:
/api/security/audit/destinations/{address}/{port}

# The call:
curl -X PATCH "https://<cluster-ip>/api/security/audit/destinations/<destination-address>/<destination-port>" -d '{"facility": "kern"}'

Deleting a remote syslog/splunk server destination given its destination address and port number

The following example deletes a remote syslog/splunk server destination configuration given its destination address and port number.


# The API:
/api/security/audit/destinations/{address}/{port}

# The call:
curl -X DELETE "https://<cluster-ip>/api/security/audit/destinations/<destination-address>/<destination-port>"