The following section outlines the steps to enable Audit Data Export. If you are configuring audit data export to a Splunk™ server, ensure that you have the Splunk HTTP Event Collector (HEC) host and token information before you begin. For details on configuring the HTTP Event Collector on Splunk, refer to the Splunk documentation.
To enable audit data export:
Attention:
- In Address Manager 9.3, audit data export settings cannot be modified while the service is running. If the audit data export service is currently enabled, disable it before changing the configuration, then enable it again once the configuration has been updated so that the new settings take effect.
- When replicating the database for disaster recovery, enable the audit data export service on all BAMs before configuring replication. This ensures that the service and its settings are present on every BAM in the replication set, so that failover works and does not result in the loss of audit data.
- If you enabled database replication before configuring audit data export, contact BlueCat Customer Care for assistance with configuring audit data export in an existing replication environment.
- The audit data export service buffers event data before exporting it to the HTTP, Splunk, Kafka, or Elasticsearch endpoint. If the service fails to export data to the endpoint, event data may be lost.
- If the service is enabled but not working, it consumes additional disk space to hold the audit data in the BAM database until the data is exported successfully to the external endpoint.
Once you have enabled audit data export, selected Splunk as the log destination, and generated some session and event logs in BAM, log in to the Splunk server to view the detailed event information.
Note: The BAM UI reports the configuration as complete before the connection to the SIEM solution has been fully established, so a successful save does not prove that events are being delivered. Validate that the export is working by monitoring the event logs in BAM for export failures. It is recommended to set up a monitoring service that receives SNMP traps or email notifications for these events.
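Because the BAM UI does not confirm that the SIEM connection works, it is worth checking the Splunk HEC host and token from the BAM side before entering them into Address Manager. The following script is an added example and is not BlueCat code or part of Address Manager: it sends one test event to the HEC endpoint with the standard `Authorization: Splunk <token>` header and interprets Splunk's JSON reply codes (0 success, 4 invalid token, 5 no data). The hostname `splunk.example.com` in the docstring and the token value in the stub are constructed; the stub HEC server is included only so the script runs offline, and in practice you would call `hec_preflight()` against the real Splunk host on port 8088.

```python
"""Pre-flight check for a Splunk HTTP Event Collector (HEC) endpoint.

Added example, not BlueCat code: it exercises the HEC host/token pair you are
about to enter into Address Manager, so that a mistyped token, a blocked port
or a TLS problem is caught before the audit data export service is enabled.
A stub HEC server (constructed) is included so the script runs offline.
"""
import json
import ssl
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

HEC_EVENT_PATH = "/services/collector/event"
# Reply codes used by Splunk HEC (see Splunk's HEC documentation)
HEC_SUCCESS, HEC_INVALID_TOKEN, HEC_NO_DATA = 0, 4, 5


def hec_preflight(base_url, token, insecure=False):
    """POST one test event to HEC and return (ok, reply_dict).

    base_url is e.g. "https://splunk.example.com:8088" (assumed host name).
    insecure=True disables TLS verification; acceptable only for a lab Splunk
    with a self-signed certificate, never for a production SIEM.
    """
    ctx = None
    if insecure:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    payload = {
        "event": {"source": "bam-audit-export-preflight", "message": "test event"},
        "sourcetype": "_json",
    }
    req = urllib.request.Request(
        base_url.rstrip("/") + HEC_EVENT_PATH,
        data=json.dumps(payload).encode(),
        headers={"Authorization": "Splunk " + token,
                 "Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=5, context=ctx) as resp:
            reply = json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        # HEC answers a bad token or bad body with a 4xx status and a JSON body
        try:
            reply = json.loads(err.read().decode())
        except ValueError:
            reply = {"text": "HTTP %d %s" % (err.code, err.reason), "code": -1}
        return False, reply
    except (urllib.error.URLError, OSError) as err:
        # DNS failure, refused connection, TLS error or timeout: nothing reached HEC
        return False, {"text": "connection failed: %s" % err, "code": -1}
    except ValueError:
        # 200 but not JSON: probably not a HEC endpoint at all
        return False, {"text": "non-JSON reply", "code": -1}
    return reply.get("code") == HEC_SUCCESS, reply


STUB_TOKEN = "11111111-2222-3333-4444-555555555555"  # constructed token value


class StubHEC(BaseHTTPRequestHandler):
    """Constructed stand-in for Splunk HEC: checks the token header and the
    JSON body the way the real collector does, then answers in HEC's format."""

    def do_POST(self):
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.headers.get("Authorization") != "Splunk " + STUB_TOKEN:
            return self._reply(403, {"text": "Invalid token", "code": HEC_INVALID_TOKEN})
        try:
            if "event" not in json.loads(raw):
                raise ValueError("missing event field")
        except ValueError:
            return self._reply(400, {"text": "No data", "code": HEC_NO_DATA})
        self._reply(200, {"text": "Success", "code": HEC_SUCCESS})

    def _reply(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *_):  # keep per-request logging quiet
        pass


def start_stub_hec():
    """Start the stub on a free loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), StubHEC)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


if __name__ == "__main__":
    server, url = start_stub_hec()
    print(hec_preflight(url, STUB_TOKEN))     # (True, {'text': 'Success', 'code': 0})
    print(hec_preflight(url, "wrong-token"))  # (False, {'text': 'Invalid token', 'code': 4})
    server.shutdown()
```

Run the check from the BAM host itself (or a host in the same network segment) so that firewall rules between BAM and Splunk are exercised; a `connection failed` result points at the network or TLS path, while code 4 points at the token entered in the Splunk HEC configuration.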