Reference: Audit data export configuration example - BlueCat Address Manager - 9.3.0

Address Manager API Guide

You can export audit data to a Splunk server or to an HTTP endpoint. To export to a Splunk server, ensure that you have the Splunk HTTP Event Collector (HEC) host and token information.

Example HTTP endpoint configuration

{
   "enable":true,
   "sinks":[
      {
         "type":"http",
         "uri":"https://10.0.0.1:9002",
         "healthCheck":true,
         "healthCheckUri":"http://10.0.0.1:9002/endpoint/healthcheck",
         "tls":{
            "caCert":"-----BEGIN CERTIFICATE-----\n<certificate_content>\n-----END CERTIFICATE-----",
            "verifyCertificate":false,
            "verifyHostname":false
         }
      }
   ]
}

Example Splunk endpoint configuration

{
   "enable":true,
   "sinks":[
      {
         "type":"splunk_hec",
         "healthCheck":true,
         "host":"https://192.168.218.178:8088",
         "token":"c7a1c0495dc64f6f844c3fa577ca7143",
         "tls":{
            "caCert":"-----BEGIN CERTIFICATE-----\n<certificate_content>\n-----END CERTIFICATE-----",
            "verifyCertificate":false,
            "verifyHostname":false
         }
      }
   ]
}

Parameters
  • enable—set to true to enable audit data export service; set to false to disable audit data export service.
  • type—enter where the audit data will be exported. You can enter http to send the data to an HTTP endpoint or splunk_hec to send the data to a Splunk server.
    If you enter http, enter the following additional parameters:
    • uri—enter the URI of the HTTP endpoint.
    • healthCheck—set to true to enable health check service; set to false to disable health check service. By default, the value is set to false.
    • healthCheckUri—enter the URI of the HTTP endpoint that will be consuming the health check information.
    If you enter splunk_hec, enter the following additional parameters:
    • healthCheck—set to true to enable health check service; set to false to disable health check service.
    • host—enter the URI of the Splunk HEC host. The standard format of the HEC URI in Splunk Enterprise is as follows:
      <protocol>://<host>:<port>
    • token—enter the Splunk HEC token.
    Note: The values of the uri, healthCheckUri, and host fields must follow the URI format outlined in RFC 2396.
  • When configuring tls settings (optional), enter the following parameters:
    • caCert—enter the content of the CA certificate used to verify the server certificate during the TLS handshake. The caCert must be in PEM format.
    • verifyCertificate—set to true to force verification of the server certificate during the TLS handshake using the CA certificate that was entered; set to false if you do not want to verify the server certificate. By default, the value is set to false.
    • verifyHostname—set to true to validate the hostname section of the URI against the CN (Common Name) or SAN (Subject Alternative Name) of the server certificate during the TLS handshake; set to false if you do not want to perform this validation. By default, the value is set to false.
      Note: Configuring TLS settings is not mandatory. However, if you enable it, ensure that you use https instead of http for the uri and host fields, as failing to use https will result in the service not starting correctly.
Note: Once you have enabled audit data export and want to update any configuration, you need to disable the audit data export service and enable it again.
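
The rules in the Parameters list can be checked before a configuration is submitted. The following Python linter is an added example, not BlueCat code; the function name lint_audit_export, the severity labels, and the constructed sample are assumptions of this example. It reports verifyCertificate or verifyHostname left at false as warnings, because the server certificate is then not checked during the TLS handshake.

```python
import json
from urllib.parse import urlsplit

# Endpoint field for each sink type, per the Parameters list on this page.
ENDPOINT_FIELD = {"http": "uri", "splunk_hec": "host"}
PEM_HEAD, PEM_TAIL = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def lint_audit_export(config):
    """Return (severity, message) findings for an audit data export config."""
    findings = []
    for i, sink in enumerate(config.get("sinks", [])):
        where = f"sinks[{i}]"
        field = ENDPOINT_FIELD.get(sink.get("type"))
        if field is None:
            findings.append(("error", f"{where}: type must be http or splunk_hec"))
            continue
        scheme = urlsplit(sink.get(field, "")).scheme.lower()
        if field == "host" and not sink.get("token"):
            findings.append(("error", f"{where}: token is missing"))
        tls = sink.get("tls")
        if tls is None:
            if scheme != "https":
                findings.append(
                    ("warning", f"{where}: {field} is not https, data is sent in cleartext"))
            continue
        if scheme != "https":  # the page: the service will not start correctly
            findings.append(("error", f"{where}: tls is set but {field} is not https"))
        pem = tls.get("caCert", "").strip()
        if not (pem.startswith(PEM_HEAD) and pem.endswith(PEM_TAIL)):
            findings.append(("error", f"{where}: caCert is not PEM"))
        for flag in ("verifyCertificate", "verifyHostname"):
            if tls.get(flag, False) is not True:  # both default to false
                findings.append(("warning", f"{where}: {flag} is false"))
    return findings

# Constructed sample mirroring the page's HTTP example (placeholder certificate).
SAMPLE = json.loads("""
{"enable": true, "sinks": [{"type": "http", "uri": "https://10.0.0.1:9002",
  "tls": {"caCert": "-----BEGIN CERTIFICATE-----\\n<certificate_content>\\n-----END CERTIFICATE-----",
          "verifyCertificate": false, "verifyHostname": false}}]}
""")

if __name__ == "__main__":
    for severity, message in lint_audit_export(SAMPLE):
        print(f"{severity}: {message}")
```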