Reference: Audit data export configuration example - BlueCat Integrity - 9.3.0

Address Manager API Guide

Locale: English
Product name: BlueCat Integrity
Version: 9.3.0

You can export the audit data to a Splunk server or to an HTTP endpoint. If you are configuring export to a Splunk server, ensure that you have the Splunk HTTP Event Collector (HEC) host and token information before you begin.

Attention:
  • In Address Manager 9.3, audit data export settings cannot be modified while the service is running. If the audit data export service is currently enabled, disable the service before making changes to the configuration. Once the audit data export configuration has been updated, enable the service again with the new settings.
  • When replicating the database for disaster recovery, ensure that the audit data export service is enabled on all BAMs before configuring replication. Enabling the audit data export service on all the BAMs ensures that the audit data export service and its settings are present on all the BAMs in replication, allowing failover to work. This will also ensure that failover does not result in the loss of audit data.
  • If you have enabled database replication prior to configuring audit data export, contact BlueCat Customer Care for assistance with configuring audit data export in an existing replication environment.
  • The audit data export service stores event data in a buffer before it is exported to the HTTP, Splunk, Kafka, or Elasticsearch endpoint. In the event that the service fails to export data to the endpoint, there may be a loss of event data.
  • If the service is enabled but not working, it will consume additional disk space to hold the audit data in the BAM database until it is exported successfully to an external database.

Example HTTP endpoint configuration

{
   "enable":true,
   "sinks":[
      {
         "type":"http",
         "uri":"https://10.0.0.1:9002",
         "healthCheck":true,
         "healthCheckUri":"http://10.0.0.1:9002/endpoint/healthcheck",
         "tls":{
            "caCert":"-----BEGIN CERTIFICATE-----\n<certificate_content>\n-----END CERTIFICATE-----",
            "verifyCertificate":false,
            "verifyHostname":false
         }
      }
   ]
}

Example Splunk endpoint configuration
{
   "enable":true,
   "sinks":[
      {
         "type":"splunk_hec",
         "healthCheck":true,
         "host":"https://192.168.218.178:8088",
         "token":"c7a1c0495dc64f6f844c3fa577ca7143",
         "tls":{
            "caCert":"-----BEGIN CERTIFICATE-----\n<certificate_content>\n-----END CERTIFICATE-----",
            "verifyCertificate":false,
            "verifyHostname":false
         }
      }
   ]
}

Parameters
  • enable—set to true to enable audit data export service; set to false to disable audit data export service.
  • type—enter where the audit data will be exported. You can enter http to send the data to an HTTP endpoint or splunk_hec to send the data to a Splunk server.
    If you enter http, enter the following additional parameters:
    • uri—enter the URI of the HTTP endpoint.
    • healthCheck—set to true to enable health check service; set to false to disable health check service. By default, the value is set to false.
    • healthCheckUri—enter the URI of the HTTP endpoint that will be consuming the health check information.
    If you enter splunk_hec, enter the following additional parameters:
    • healthCheck—set to true to enable health check service; set to false to disable health check service.
    • host—enter the URI of the Splunk HEC host. The standard format of the HEC URI in Splunk Enterprise is as follows:
      <protocol>://<host>:<port>
    • token—enter the Splunk HEC token.
    Note: The values of the uri, healthCheckUri, and host fields must be URIs in the format defined in RFC 2396.
  • When configuring tls settings (optional), enter the following parameters:
    • caCert—enter the content of the CA certificate used to verify the server certificate during the TLS handshake. The caCert value must be in PEM format.
    • verifyCertificate—set to true to force verification of the server certificate during the TLS handshake using the CA certificate that was entered; set to false if you do not want to verify the server certificate. By default, the value is set to false.
    • verifyHostname—set to true to validate the hostname section of the URI against the CN (Common Name) or SAN (Subject Alternative Name) of the server certificate during the TLS handshake; set to false if you do not want to perform this validation. By default, the value is set to false.
      Note: Configuring TLS settings is not mandatory. However, if you enable it, ensure that you use https instead of http for the uri and host fields, as failing to use https will result in the service not starting correctly.
Note: Once you have enabled audit data export and want to update any configuration, you need to disable the audit data export service and enable it again.
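The parameter rules above can be checked before the service is enabled, which avoids the disable/edit/enable cycle for a configuration the service would reject. The following linter is an added example and is not BlueCat's own code: it encodes the documented rules (boolean enable, sink type http or splunk_hec, absolute URIs for uri, healthCheckUri and host, a PEM caCert, and https wherever tls is configured) and additionally warns when verifyCertificate or verifyHostname is left at the default false, since the server is then not authenticated. The sample configurations, hostnames, token and certificate placeholders are constructed for this example.

```python
"""Lint an Address Manager audit data export configuration.

Added example, not BlueCat's own code: it encodes the parameter rules
documented for "enable", "sinks" and "tls" and returns two lists,
errors (the service would reject the config or fail to start) and
warnings (settings that leave the export channel unverified).
"""
import json
from urllib.parse import urlsplit

VALID_TYPES = ("http", "splunk_hec")
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def _check_uri(value, field, errors):
    """Accept only absolute URIs of the form <scheme>://<host>[:<port>]..."""
    if not isinstance(value, str):
        errors.append(f"{field}: must be a string")
        return None
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        errors.append(f"{field}: {value!r} is not an absolute URI")
        return None
    return parts


def lint_sink(sink):
    """Check one entry of "sinks"; returns (errors, warnings) for that sink."""
    errors, warnings = [], []
    stype = sink.get("type")
    if stype not in VALID_TYPES:
        errors.append(f"type: expected one of {VALID_TYPES}, got {stype!r}")
        return errors, warnings
    tls = sink.get("tls")
    # http sinks name the endpoint in "uri", splunk_hec sinks in "host".
    endpoint = "uri" if stype == "http" else "host"
    if endpoint not in sink:
        errors.append(f"{endpoint}: required for type {stype}")
    else:
        parts = _check_uri(sink[endpoint], endpoint, errors)
        # Documented rule: with tls configured the endpoint must be https,
        # otherwise the service does not start correctly.
        if tls is not None and parts is not None and parts.scheme != "https":
            errors.append(f"{endpoint}: tls is configured but scheme is {parts.scheme!r}, not https")
    if not isinstance(sink.get("healthCheck", False), bool):  # documented default is false
        errors.append("healthCheck: must be true or false")
    if stype == "http":
        if "healthCheckUri" in sink:
            _check_uri(sink["healthCheckUri"], "healthCheckUri", errors)
        elif sink.get("healthCheck") is True:
            warnings.append("healthCheck is true but no healthCheckUri is set")
    elif not sink.get("token"):
        errors.append("token: Splunk HEC token is required")
    if tls is not None:
        cert = str(tls.get("caCert", "")).strip()
        if not (cert.startswith(PEM_BEGIN) and cert.endswith(PEM_END)):
            errors.append("tls.caCert: must be a PEM-encoded certificate")
        for flag in ("verifyCertificate", "verifyHostname"):
            value = tls.get(flag, False)  # documented default is false
            if not isinstance(value, bool):
                errors.append(f"tls.{flag}: must be true or false")
            elif not value:
                warnings.append(f"tls.{flag} is false, so the server is not authenticated")
    return errors, warnings


def lint_config(config):
    """Check a whole configuration document; returns (errors, warnings)."""
    errors, warnings = [], []
    if not isinstance(config.get("enable"), bool):
        errors.append("enable: must be true or false")
    sinks = config.get("sinks")
    if not isinstance(sinks, list) or not sinks:
        errors.append("sinks: must be a non-empty list")
        return errors, warnings
    for i, sink in enumerate(sinks):
        e, w = lint_sink(sink)
        errors += [f"sinks[{i}].{msg}" for msg in e]
        warnings += [f"sinks[{i}].{msg}" for msg in w]
    return errors, warnings


# Constructed sample configurations (placeholder host, token and certificate).
PLACEHOLDER_PEM = f"{PEM_BEGIN}\n<certificate_content>\n{PEM_END}"
PERMISSIVE = {"enable": True, "sinks": [{"type": "splunk_hec", "healthCheck": True,
              "host": "https://splunk.example.internal:8088", "token": "<hec_token>",
              "tls": {"caCert": PLACEHOLDER_PEM, "verifyCertificate": False, "verifyHostname": False}}]}
HARDENED = json.loads(json.dumps(PERMISSIVE))  # same sink, but with verification switched on
HARDENED["sinks"][0]["tls"].update(verifyCertificate=True, verifyHostname=True)
BROKEN = {"enable": True, "sinks": [{"type": "http", "uri": "http://collector.example.internal:9002",
          "tls": {"caCert": PLACEHOLDER_PEM}}]}  # tls present but plain http: service would not start

if __name__ == "__main__":
    for name, cfg in (("permissive", PERMISSIVE), ("hardened", HARDENED), ("broken", BROKEN)):
        errs, warns = lint_config(cfg)
        print(f"{name}: {len(errs)} error(s), {len(warns)} warning(s)")
        for line in errs + warns:
            print("  " + line)
```

Run the script (or call lint_config on a parsed JSON document) before submitting the configuration: the permissive sample passes with two warnings, the hardened sample passes cleanly, and the broken sample is rejected because tls is set while the uri scheme is http.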