Enabling Audit Data Export - BlueCat Integrity - 9.3.0

Address Manager Administration Guide

Product name
BlueCat Integrity

The following section outlines the steps to enable Audit Data Export. If you are configuring to export audit data to a Splunk™ server, ensure that you have the Splunk HTTP Event Collector (HEC) host and token information. For details on configuring HTTP Event Collector on Splunk, refer to the Splunk documentation.

  • In Address Manager 9.3, audit data export settings cannot be modified while the service is running. If the audit data export service is currently enabled, disable the service before making changes to the configuration. Once the audit data export configuration has been updated, enable the service again with the new settings.
  • When replicating the database for disaster recovery, ensure that the audit data export service is enabled on all BAMs before configuring replication. Enabling the audit data export service on all the BAMs ensures that the audit data export service and its settings are present on all the BAMs in replication, allowing failover to work. This will also ensure that failover does not result in the loss of audit data.
  • If you have enabled database replication prior to configuring audit data export, contact BlueCat Customer Care for assistance with configuring audit data export in an existing replication environment.
  • The audit data export service stores event data in a buffer before it is exported to the HTTP, Splunk, Kafka, or Elasticsearch endpoint. In the event that the service fails to export data to the endpoint, there may be a loss of event data.
  • If the service is enabled but not working, it will consume additional disk space to hold the audit data in the BAM database until it is exported successfully to an external database.
To enable audit data export:
  1. Select the Administration tab. Tabs remember the page you last worked on, so select the tab again to ensure you're on the Administration page.
  2. Under Data Management, click Audit Data Settings.
  3. Click Audit Data Export.
  4. Under General, set the following parameters:
    • Enable Audit Data Export—select this check box to enable the Audit Data Export feature.
    • Log Destination—select where the audit data will be exported. You can select HTTP to export data to an HTTP endpoint or Splunk to export data to a Splunk server.
      If you select Splunk, the following fields appear:
      • Host—enter the URI of the Splunk HEC host. The standard format of the HEC URI in Splunk Enterprise is as follows:
        <protocol>://<FQDN of the host only>:<port>
        Note: Ensure that the HEC URI format is followed exactly as described above without adding or omitting any pieces. The port is required, even if default. Do not include extra slashes or folders in the URI.
      • Token—enter the Splunk HEC token.
      • Healthcheck—select this check box to enable health check service; deselect this check box to disable health check service. Upon initialization, the healthcheck ensures that the downstream service is accessible and can accept the audit data.
      If you select HTTP, the following fields appear:
      • Output URI—enter the URI of the HTTP endpoint.
      • Healthcheck—select this check box to enable health check service; deselect this check box to disable health check service. Upon initialization, the healthcheck ensures that the downstream service is accessible and can accept the audit data.
      • Healthcheck URI—enter the URI of the HTTP endpoint that will be consuming the health check information.
    • TLS Options—select this check box to configure TLS options.
      Attention: If you enter a HTTPS endpoint in the Output URI or Healthcheck URI field when configuring HTTP as the Output Type, or enter a HTTPS URI in the Host field when configuring Splunk as the Output Type, you must select this check box and enter TLS information.
      • Under CA Certificate Upload, click Browse and locate the CA certificate (trusted third party or self-signed) that will be used to authenticate the CA signature on the TLS server certificate of the remote host.
        Note: The file containing the CA certificate or certificate bundle must be in PEM format. To ensure a successful TLS handshake, the CA certificate uploaded to the client (BAM) should be the same CA certificate (and intermediate certificates if applicable) used by the server to authenticate the CA signature of its TLS server certificate. The CA certificate can be acquired via browser export or other trusted source, and converted to PEM format.
      • Click Upload to upload the CA certificate.
      • Select the Verify Certificate check box to attempt a TLS handshake using the uploaded CA certificate with the remote host's TLS server certificate.
        Note: Verify Certificate does not verify the authenticity of the uploaded certificate. Verify Certificate in this context only checks if the CA certificate matches correctly with the TLS server certificate to create a successful handshake.
        Note: If encountering errors with Verify Certificate, the CA/chain-CA certificates may have to be installed manually on the Address Manager server. Refer to KB-17944 on the BlueCat Customer Care portal for manual installation instructions.
      • Select the Verify Hostname check box to validate the hostname part of the URI against the CN (Common Name) or SAN (Subject Alternative Name) of the server certificate during the TLS handshake.
        Note: If using self-signed certificates, users are advised to add a subject alternative name with the IP address (see RFC 5280, or disable the Verify Hostname check.
  5. Click Update.
Once you have enabled audit data export, selected the log destination as Splunk, and generated some session and event logs in BAM, log in to the Splunk server to view the detailed event information.
Note: The BAM UI completes before fully connecting to the SIEM solution. So, users should validate that the export is working by monitoring the event logs in BAM for any failures. It is recommended to set up a monitoring service to get SNMP or receive emails for events.