Security audit destinations endpoint overview
- PDF of this doc site
Collection of separate PDF docs
Creating your file...
Overview
This API controls the forwarding of audit log information to remote syslog/splunk servers. Multiple destinations can be configured and all audit records are forwarded to all destinations.
A GET operation retrieves information about remote syslog/splunk server destinations. A POST operation creates a remote syslog/splunk server destination. A GET operation on /security/audit/destinations/{address}/{port} retrieves information about the syslog/splunk server destination given its address and port number. A PATCH operation on /security/audit/destinations/{address}/{port} updates information about the syslog/splunk server destination given its address and port number. A DELETE operation on /security/audit/destinations/{address}/{port} deletes a syslog/splunk server destination given its address and port number.
Overview of fields used for creating a remote syslog/splunk destination
The fields used for creating a remote syslog/splunk destination fall into the following categories
Required properties
All of the following fields are required for creating a remote syslog/splunk destination
-
address
Optional properties
All of the following fields are optional for creating a remote syslog/splunk destination
-
port
-
protocol
-
facility
-
verify_server
+
Examples
Retrieving remote syslog/splunk server destinations
The following example shows remote syslog/splunk server destinations
# The API: /api/security/audit/destinations # The call: curl -X GET "https://<cluster-ip>/api/security/audit/destinations" # The response: { "records": [ { "address": "1.1.1.1", "port": 514, "_links": { "self": { "href": "/api/security/audit/destinations/1.1.1.1/514" } } } ], "num_records": 1, "_links": { "self": { "href": "/api/security/audit/destinations" } } }
Creating remote syslog/splunk server destinations
The following example creates remote syslog/splunk server destinations.
# The API: /api/security/audit/destinations # The call: curl -X POST "https://<cluster-ip>/api/security/audit/destinations?force=true" -d '{ "address": "1.1.1.1", "port": 514, "protocol": "udp_unencrypted", "facility": "kern"}'
Retrieving a remote syslog/splunk server destination given its destination address and port number
The following example retrieves a remote syslog/splunk server destination given its destination address and port number.
# The API: /api/security/audit/destinations/{address}/{port} # The call: curl -X GET "https://<cluster-ip>/api/security/audit/destinations/1.1.1.1/514" # The response: { "address": "1.1.1.1", "port": 514, "protocol": "udp_unencrypted", "facility": "kern", "verify_server": false, "_links": { "self": { "href": "/api/security/audit/destinations/1.1.1.1/514" } } }
Updating a remote syslog/splunk server destination given its destination address and port number
The following example updates a remote syslog/splunk server destination configuration given its destination address and port number.
# The API: /api/security/audit/destinations/{address}/{port} # The call: curl -X PATCH "https://<cluster-ip>/api/security/audit/destinations/1.1.1.1/514" -d '{"facility": "user"}'
Deleting a remote syslog/splunk server destination given its destination address and port number
The following example deletes a remote syslog/splunk server destination configuration given its destination address and port number.
# The API: /api/security/audit/destinations/{address}/{port} # The call: curl -X DELETE "https://<cluster-ip>/api/security/audit/destinations/1.1.1.1/514"