From the Event settings page, you can configure Integrity Events settings, enable or disable the Events API, and add/edit/remove event registries.
To enable the Events API:
- Select the Settings tab in the sidebar.
- Under Notification settings, select Event settings.
- Select the Configure event settings button next to the Event settings header.
- Select the Enable events checkbox to enable the Events API feature, then configure the sink that will receive DDI events.
- Sink type—select where the event data will be exported. You can export event data to an HTTP endpoint, Splunk server, Kafka cluster, or Elasticsearch server.
If you select HTTP, the following fields appear:
- Healthcheck—select this check box to enable health check service; deselect this check box to disable health check service. Upon initialization, the healthcheck ensures that the downstream service is accessible and can accept the event data.
- Healthcheck URI—enter the URI of the HTTP endpoint that will be consuming the health check information.
Note: This field only appears when you select the Healthcheck check box. The URI for the Healthcheck URI field must follow the format outlined in RFC2396.
- Output URI—enter the URI of the HTTP endpoint.
Note:
- BlueCat recommends entering the IP address of the endpoint in this field.
- The URI for the Output URI field must follow the format outlined in RFC2396.
- Token (Optional)—enter the token for the HTTP endpoint.
- Retries—specify the number of times the Events API will attempt to resend an event if it is not received by the HTTP endpoint.
If you select Elasticsearch, the following fields appear:
- Healthcheck—select this check box to enable health check service; deselect this check box to disable health check service. Upon initialization, the healthcheck ensures that the downstream service is accessible and can accept the audit data.
Note: The health check URI is configured based on the Elasticsearch instance.
- Endpoint—enter the Elasticsearch
endpoint to send events to. This field supports IPv4, IPv6,
and FQDN values.
Example: http://10.24.32.122:9000
Example: https://example.com
Example: https://user:password@example.com
Note:
- BlueCat recommends entering the IP address of the endpoint in this field.
- Index—enter the name of the Elasticsearch index to write events to.
- Username—enter the basic authentication user name.
- Password—enter the basic authentication password.
If you select Kafka, the following fields appear:
- Healthcheck—select this check box to enable health check service; deselect this check box to disable health check service. Upon initialization, the healthcheck ensures that the downstream service is accessible and can accept the audit data.
Note: The health check URI is configured based on the Kafka Broker address.
- Topic—enter the name of the Kafka topic to write events to.
- Key field (Optional)—enter the log field name or tags key to use for the topic key. If the field does not exist in the log or in tags, a blank value will be used. If unspecified, the key is not sent. Kafka uses a hash of the key to choose the partition or uses round-robin if the record has no key.
- Bootstrap servers—enter a
comma-separated list of host and port pairs that are the
addresses of the Kafka brokers in a “bootstrap” Kafka
cluster that a Kafka client connects to initially to
bootstrap itself. This field supports IPv4, IPv6 and FQDN
values.
Example: 10.14.22.123:9092,10.14.23.332:9092
Note:
- BlueCat recommends using IP addresses in this field.
- Do not include http or https in the addresses of the Kafka brokers.
If you select Splunk, the following fields appear:
- Healthcheck—select this check box to enable health check service; deselect this check box to disable health check service. Upon initialization, the healthcheck ensures that the downstream service is accessible and can accept the audit data.
Note: When selecting this check box, the Address Manager Server uses the default Splunk healthcheck endpoint at /services/collector/health/1.0.
- Host—enter the URI of the Splunk HEC host. The standard format of the HEC URI in Splunk Enterprise is as follows:
<protocol>://<FQDN or IP address of the host only>:<port>
Note:
- BlueCat recommends entering the IP address of the endpoint in this field.
- Ensure that the HEC URI format is followed exactly as described above without adding or omitting any pieces. The port is required, even if default. Do not include extra slashes or folders in the URI.
- The URI for the Host field must follow the format outlined in RFC2396.
- Token—enter the Splunk HEC token.
- If you are configuring TLS options, enter the following information:
Attention: If you enter an HTTPS endpoint in the Output URI, Healthcheck URI, Host, Bootstrap Servers, or Endpoint field when configuring output, you must enter TLS information.
- Select the Verify Certificate check box to attempt a TLS handshake using the uploaded CA certificate with the remote host's TLS server certificate.
Note: Verify Certificate does not verify the authenticity of the uploaded certificate. Verify Certificate in this context only checks if the CA certificate matches correctly with the TLS server certificate to create a successful handshake.
Note: If encountering errors with Verify Certificate, the CA/chain-CA certificates may have to be installed manually on the Address Manager server. Refer to KB-17944 on the BlueCat Customer Care portal for manual installation instructions.
- Select the Verify Hostname check box to validate the hostname part of the URI against the CN (Common Name) or SAN (Subject Alternative Name) of the server certificate during the TLS handshake.
Note: If using self-signed certificates, users are advised to add a subject alternative name with the IP address (see RFC 5280 4.2.1.6), or disable the Verify Hostname check.
- Under CA Certificate Upload, click Drag and drop file here or click to upload and locate the CA certificate (trusted third party or self-signed) that will be used to authenticate the CA signature on the TLS server certificate of the remote host. Additionally, you can drag the CA certificate file to the dotted box to upload the certificate.
Note: The file containing the CA certificate or certificate bundle must be in PEM format. To ensure a successful TLS handshake, the CA certificate uploaded to the client (BAM) should be the same CA certificate (and intermediate certificates if applicable) used by the server to authenticate the CA signature of its TLS server certificate. The CA certificate can be acquired via browser export or other trusted source, and converted to PEM format.
- In the Change control comment field, enter a comment if required.
- Select Configure.