The following section outlines the steps to enable Audit Data Export. If you are configuring to export audit data to a Splunk™ server, ensure that you have the Splunk HTTP Event Collector (HEC) host and token information. For details on configuring HTTP Event Collector on Splunk, refer to the Splunk documentation.
Attention:
- Output to Kafka clusters and Elasticsearch servers can only be configured on Address Manager v9.5.0.
- Starting in Address Manager v9.5.0, the audit data export service has been updated to output data as valid JSON that includes the hostname of the Address Manager server. This allows log management tools (such as Splunk servers) to properly parse the data as JSON, and helps users identify data sources in environments with multiple Address Manager servers.
  Warning: Users with existing audit data export configurations may need to update the settings of their log management tool (data sink) after upgrading to v9.5.0 to ensure that messages continue to be received. If messages are no longer being received after the upgrade, ensure that the source and sink types are set to JSON and restart the log tool.
- The audit data export service stores event data in a buffer before it is exported to the HTTP, Splunk, Kafka, or Elasticsearch endpoint. In the event that the service fails to export data to the endpoint, there may be a loss of event data. If the service is enabled but not working, it will consume additional disk space to hold the audit data in the BAM database until it is exported successfully to an external database.
- Starting in Address Manager v9.5.0, the default number of Address Manager database rows sent per event has been reduced from 20 to 5 so as not to exceed the default Splunk settings. However, if the Address Manager database table grows larger than the default, the number of rows sent per event scales upward accordingly to keep up with the table size. This means that the default Splunk limits may still be exceeded for large databases. Customers are advised to monitor audit data export output to ensure that Splunk settings allow large amounts of data to be exported.
  The following Splunk settings can be modified to support the handling of large audit data export events:
  - TRUNCATE: Defines the number of characters per line; once this limit is reached, excess characters are dropped.
  - MAX_EVENTS: Defines the maximum number of lines per multi-line event. Once this limit is reached the event is broken, and the exceeding lines are interpreted as new events (sometimes causing a new timestamp to be detected).
  A property can also be configured on Address Manager servers to specify an exact number of rows sent per event; refer to the next list item for more details.
- Starting in Address Manager v9.5.0, a property can be configured on Address Manager servers to specify the exact number of database table rows to send per event, thus disabling the automatic increase. If such a configuration is required to avoid exceeding sink settings, contact Customer Care for assistance with configuring this server property.
  Warning: With this property configured, when the system is busy the queue used to hold the data before it goes to the sink may grow, causing increased disk space usage. Users are advised to carefully monitor disk space if using this option.
- When replicating the database for disaster recovery, ensure that the audit data export service is enabled on all BAMs before configuring replication. Enabling the audit data export service on all the BAMs ensures that the audit data export service and its settings are present on all the BAMs in replication, allowing failover to work. This will also ensure that failover does not result in the loss of audit data.
- If you have enabled database replication prior to configuring audit data export, contact BlueCat Customer Care for assistance with configuring audit data export in an existing replication environment.
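The TRUNCATE and MAX_EVENTS settings described in the list above, shown as a Splunk props.conf stanza on the indexer or heavy forwarder that parses the HEC input; this is an added illustration, not part of the BlueCat documentation. The sourcetype name `bluecat:audit` and the chosen limits are assumptions: the stanza name must match the sourcetype assigned to the HEC token in inputs.conf, and the limits should be sized to the event lengths actually observed.

```ini
# props.conf on the Splunk instance that parses the HEC input
# (added example; the stanza name is an assumed sourcetype and must
# match the "sourcetype" set on the HEC token in inputs.conf).
[bluecat:audit]

# Each Address Manager event arrives as one JSON object; extract its
# fields (including the hostname) at search time.
KV_MODE = json

# Splunk's default TRUNCATE is 10000 characters. An event carrying many
# database rows can exceed that, and the excess characters are dropped.
# 0 disables truncation for this sourcetype.
TRUNCATE = 0

# Splunk's default MAX_EVENTS is 256 lines per multi-line event. Beyond
# that the event is split and the remainder becomes new events, which
# can also be assigned a wrong timestamp. Raise it above the longest
# event the export is expected to produce.
MAX_EVENTS = 10000
```

After changing props.conf, restart Splunk (or reload its configuration) and confirm that complete events are being indexed before relying on the export.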
To enable audit data export:
Once you have enabled audit data export and generated some session
and event logs in BAM, log in to the receiving server to view the detailed event
information.
Note: The BAM UI reports the configuration as complete before the connection to the SIEM solution is fully established. Users should therefore validate that the export is working by monitoring the event logs in BAM for any failures. It is recommended to set up a monitoring service to receive SNMP notifications or emails for events.