Security audit destinations endpoint overview
Overview
This API controls the forwarding of audit log information to remote syslog/splunk servers. Multiple destinations can be configured and all audit records are forwarded to all destinations.
A GET operation retrieves information about remote syslog/splunk server destinations. A POST operation creates a remote syslog/splunk server destination. A GET operation on /security/audit/destinations/{address}/{port} retrieves information about the syslog/splunk server destination given its address and port number. A PATCH operation on /security/audit/destinations/{address}/{port} updates information about the syslog/splunk server destination given its address and port number. A DELETE operation on /security/audit/destinations/{address}/{port} deletes a syslog/splunk server destination given its address and port number.
Overview of fields used for creating a remote syslog/splunk destination
The fields used for creating a remote syslog/splunk destination fall into the following categories.
Required properties
All of the following fields are required for creating a remote syslog/splunk destination:
- address
Optional properties
All of the following fields are optional for creating a remote syslog/splunk destination:
- port
- protocol
- facility
- verify_server (only meaningful when the protocol is tcp_encrypted; when false, the destination's TLS certificate is not validated, so any host on the path could impersonate the collector and receive the audit stream)
Examples
Retrieving remote syslog/splunk server destinations
The following example shows remote syslog/splunk server destinations
# The API:
/api/security/audit/destinations
# The call:
curl -X GET "https://<cluster-ip>/api/security/audit/destinations"
# The response:
{
"records": [
{
"address": "1.1.1.1",
"port": 514,
"_links": {
"self": {
"href": "/api/security/audit/destinations/1.1.1.1/514"
}
}
}
],
"num_records": 1,
"_links": {
"self": {
"href": "/api/security/audit/destinations"
}
}
}
Creating remote syslog/splunk server destinations
The following example creates a remote syslog/splunk server destination. The force=true query parameter skips the connectivity test that the cluster otherwise runs against the destination before accepting the entry; leave it off if you want the POST to fail when the destination is unreachable. Note that udp_unencrypted forwards the audit records in clear text.
# The API:
/api/security/audit/destinations
# The call:
curl -X POST "https://<cluster-ip>/api/security/audit/destinations?force=true" -d '{ "address": "<destination-address>", "port": <destination-port>, "protocol": "udp_unencrypted", "facility": "kern"}'
Retrieving a remote syslog/splunk server destination given its destination address and port number
The following example retrieves a remote syslog/splunk server destination given its destination address and port number.
# The API:
/api/security/audit/destinations/{address}/{port}
# The call:
curl -X GET "https://<cluster-ip>/api/security/audit/destinations/<destination-address>/<destination-port>"
# The response:
{
"address": "1.1.1.1",
"port": 514,
"protocol": "udp_unencrypted",
"facility": "kern",
"verify_server": false,
"_links": {
"self": {
"href": "/api/security/audit/destinations/1.1.1.1/514"
}
}
}
Updating a remote syslog/splunk server destination given its destination address and port number
The following example updates a remote syslog/splunk server destination configuration given its destination address and port number.
# The API:
/api/security/audit/destinations/{address}/{port}
# The call:
curl -X PATCH "https://<cluster-ip>/api/security/audit/destinations/<destination-address>/<destination-port>" -d '{"facility": "kern"}'
Deleting a remote syslog/splunk server destination given its destination address and port number
The following example deletes a remote syslog/splunk server destination configuration given its destination address and port number.
# The API:
/api/security/audit/destinations/{address}/{port}
# The call:
curl -X DELETE "https://<cluster-ip>/api/security/audit/destinations/<destination-address>/<destination-port>"
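The field rules above and the GET/POST/PATCH/DELETE calls in the examples, worked through as one client, as an added example that is not code from this page or from ONTAP. It wraps the endpoint behind a pluggable send() function so the same code drives a real HTTPS session or the offline FakeCluster below, which answers in the shape of the responses shown on the page. Assumptions not stated on the page: the three protocol values (udp_unencrypted, tcp_unencrypted, tcp_encrypted), that verify_server only matters for tcp_encrypted, that force=true skips the connectivity test, the placeholder host cluster.example, and the reuse of the page's sample destination 1.1.1.1:514.

```python
"""Added example (not code from the page or from ONTAP): a small client for
/api/security/audit/destinations plus an offline fake cluster for testing."""
from urllib.parse import quote, unquote

BASE_PATH = "/api/security/audit/destinations"
# Assumption: these are the accepted protocol values; only udp_unencrypted is on the page.
PROTOCOLS = ("udp_unencrypted", "tcp_unencrypted", "tcp_encrypted")


def build_destination(address, port=514, protocol="udp_unencrypted",
                      facility="kern", verify_server=False):
    """Client-side validation of the POST body; address is the only required field."""
    if not address:
        raise ValueError("address is required")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError("port must be an integer in 1..65535")
    if protocol not in PROTOCOLS:
        raise ValueError(f"protocol must be one of {PROTOCOLS}")
    return {"address": address, "port": port, "protocol": protocol,
            "facility": facility, "verify_server": bool(verify_server)}


def security_warnings(dest):
    """Flag settings that expose the audit trail on the wire (assumed semantics)."""
    if dest["protocol"] != "tcp_encrypted":
        return ["audit records are forwarded in clear text"]
    if not dest["verify_server"]:
        return ["TLS without verify_server: destination identity is not checked"]
    return []


class AuditDestinationClient:
    """send(method, url, body) -> (status, dict); swap in a real HTTPS transport."""

    def __init__(self, cluster_ip, send):
        self.base = f"https://{cluster_ip}{BASE_PATH}"
        self.send = send

    def _item(self, address, port):  # percent-encode so IPv6 colons survive
        return f"{self.base}/{quote(address, safe='')}/{int(port)}"

    def list(self):
        return self.send("GET", self.base, None)

    def create(self, dest, force=False):  # force=true skips the connectivity test (assumed)
        return self.send("POST", self.base + ("?force=true" if force else ""), dest)

    def get(self, address, port):
        return self.send("GET", self._item(address, port), None)

    def update(self, address, port, patch):
        return self.send("PATCH", self._item(address, port), patch)

    def delete(self, address, port):
        return self.send("DELETE", self._item(address, port), None)


class FakeCluster:
    """Offline stand-in for the endpoint; answers in the shape shown on the page."""

    def __init__(self):
        self.store = {}  # keyed by (address, port)

    def __call__(self, method, url, body):
        path = url.split("?", 1)[0]

        def link(d):
            return {"self": {"href": f"{BASE_PATH}/{d['address']}/{d['port']}"}}
        if path.endswith(BASE_PATH):  # collection URL
            if method == "POST":
                self.store[(body["address"], body.get("port", 514))] = dict(body)
                return 201, {}
            records = [{"address": d["address"], "port": d["port"], "_links": link(d)}
                       for d in self.store.values()]
            return 200, {"records": records, "num_records": len(records),
                         "_links": {"self": {"href": BASE_PATH}}}
        address, port = path.rsplit("/", 2)[1:]
        key = (unquote(address), int(port))
        if key not in self.store:
            return 404, {"error": {"message": "entry doesn't exist"}}
        if method == "PATCH":
            self.store[key].update(body)
        elif method == "DELETE":
            del self.store[key]
            return 200, {}
        return 200, dict(self.store[key], _links=link(self.store[key]))


def demo():
    """Create, read back, harden with PATCH, then delete, against the fake cluster."""
    client = AuditDestinationClient("cluster.example", FakeCluster())  # placeholder host
    status, _ = client.create(build_destination("1.1.1.1", 514), force=True)
    before = security_warnings(client.get("1.1.1.1", 514)[1])
    client.update("1.1.1.1", 514, {"protocol": "tcp_encrypted", "verify_server": True})
    after = security_warnings(client.get("1.1.1.1", 514)[1])
    count = client.list()[1]["num_records"]
    client.delete("1.1.1.1", 514)
    return status, before, after, count, client.get("1.1.1.1", 514)[0]
```

To run against a real cluster, pass a send() that performs the HTTPS request with the cluster's credentials and returns (status code, parsed JSON); the constructed FakeCluster exists only so the flow can be exercised offline. security_warnings() is the check worth keeping in any automation that manages these destinations: a destination created with the page's udp_unencrypted example, or with tcp_encrypted and verify_server left at false, hands the audit trail to whoever sits on the path.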