Enable audit logging

Learn how to get audit trails of access activity, permission changes, and other major events.

The StackRox Kubernetes Security Platform provides audit logging that records changes made to the platform itself. The audit log captures every PUT and POST request, that is, every request that modifies the StackRox Kubernetes Security Platform. Use this record to troubleshoot a problem or to keep track of important events, such as changes to roles and permissions. With audit logging you get a picture of the normal and abnormal changes made on the platform, and of who made them.

Enable audit logging

When audit logging is enabled, the StackRox Kubernetes Security Platform sends an HTTP POST request with a JSON body to the configured receiver every time a modification is made. Before you enable audit logging, set up Splunk or another webhook receiver that accepts these messages.

To enable audit logging:

  1. Go to Platform Configuration > Integrations.
  2. Scroll down to the Plugins section and select Generic Webhook or Splunk.
  3. Fill in the required information and turn on the Enable Audit Logging toggle.

Sample log message

The log message has the following format:

{
  "headers": {
    "Accept-Encoding": [
      "gzip"
    ],
    "Content-Length": [
      "586"
    ],
    "Content-Type": [
      "application/json"
    ],
    "User-Agent": [
      "Go-http-client/1.1"
    ]
  },
  "data": {
    "audit": {
      "interaction": "CREATE",
      "method": "UI",
      "request": {
        "endpoint": "/v1/notifiers",
        "method": "POST",
        "payload": {
          "@type": "storage.Notifier",
          "enabled": true,
          "generic": {
            "auditLoggingEnabled": true,
            "endpoint": "http://samplewebhookserver.com:8080"
          },
          "id": "b53232ee-b13e-47e0-b077-1e383c84aa07",
          "name": "Webhook",
          "type": "generic",
          "uiEndpoint": "https://localhost:8000"
        }
      },
      "status": "REQUEST_SUCCEEDED",
      "time": "2019-05-28T16:07:05.500171300Z",
      "user": {
        "friendlyName": "John Doe",
        "role": {
          "globalAccess": "READ_WRITE_ACCESS",
          "name": "Admin"
        },
        "username": "john.doe@example.com"
      }
    }
  }
}
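A receiver of the kind the procedure above requires, written here as an added example (it is not StackRox code and not part of this page). It accepts the webhook POST, flattens the audit record into one line for a SIEM, and raises an alert on the changes a security team most wants to see: a request that did not succeed, and a notifier update that turns audit logging off, which is the one change that silences this very log. It assumes that the POST body is the "data" object of the sample above, i.e. {"audit": {...}} (the "headers" block in the sample being what the sample receiver recorded; a body that still carries the "data" wrapper is unwrapped too), and that the generic webhook integration can be configured to send a fixed Authorization header; the token value, the WATCHED_ENDPOINTS list and the alert wording are this example's own choices. The sample body is constructed for the example and mirrors the page's message layout, with auditLoggingEnabled set to false.

```python
"""Webhook receiver and triage for StackRox audit log messages (added example, not StackRox code)."""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

SHARED_TOKEN = "replace-me"             # assumption: a fixed header set on the generic webhook integration
WATCHED_ENDPOINTS = ("/v1/notifiers",)  # from the page's sample; add your deployment's role/permission endpoints

# Constructed sample body: the page's message layout, but turning audit logging OFF.
SAMPLE_BODY = {
    "audit": {
        "interaction": "UPDATE",
        "method": "UI",
        "request": {
            "endpoint": "/v1/notifiers",
            "method": "PUT",
            "payload": {
                "@type": "storage.Notifier",
                "enabled": True,
                "generic": {"auditLoggingEnabled": False, "endpoint": "http://samplewebhookserver.com:8080"},
                "id": "b53232ee-b13e-47e0-b077-1e383c84aa07",
                "name": "Webhook",
                "type": "generic",
                "uiEndpoint": "https://localhost:8000",
            },
        },
        "status": "REQUEST_SUCCEEDED",
        "time": "2019-05-28T16:07:05.500171300Z",
        "user": {
            "friendlyName": "John Doe",
            "role": {"globalAccess": "READ_WRITE_ACCESS", "name": "Admin"},
            "username": "john.doe@example.com",
        },
    }
}


def _find_key(obj, key):
    """Yield every value of `key` in a nested dict/list; the payload shape differs per notifier type."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k == key:
                yield v
            yield from _find_key(v, key)
    elif isinstance(obj, list):
        for v in obj:
            yield from _find_key(v, key)


def triage(body):
    """Flatten one audit message for a SIEM and attach a list of alert reasons."""
    if "data" in body:  # tolerate the wrapped form shown in the page's sample
        body = body["data"]
    audit = body["audit"]
    req = audit.get("request", {})
    user = audit.get("user", {})
    role = user.get("role", {})
    endpoint = req.get("endpoint") or ""
    event = {
        "time": audit.get("time"),
        "interaction": audit.get("interaction"),
        "status": audit.get("status"),
        "endpoint": endpoint,
        "http_method": req.get("method"),
        "username": user.get("username"),
        "role": role.get("name"),
        "global_access": role.get("globalAccess"),
        "alerts": [],
    }
    if event["status"] != "REQUEST_SUCCEEDED":
        event["alerts"].append("request did not succeed")
    if any(v is False for v in _find_key(req.get("payload", {}), "auditLoggingEnabled")):
        event["alerts"].append("audit logging turned off on a notifier")
    if any(endpoint.startswith(p) for p in WATCHED_ENDPOINTS):
        event["alerts"].append("change to watched endpoint " + endpoint)
    return event


class AuditHandler(BaseHTTPRequestHandler):
    """Accepts the POST from the platform; rejects unauthenticated, non-JSON or malformed bodies."""

    def do_POST(self):
        if self.headers.get("Authorization") != "Bearer " + SHARED_TOKEN:
            self.send_error(401)
            return
        if not self.headers.get("Content-Type", "").startswith("application/json"):
            self.send_error(415)
            return
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        try:
            event = triage(json.loads(raw))
        except (ValueError, KeyError, AttributeError, TypeError):
            self.send_error(400)
            return
        print(json.dumps(event), flush=True)  # forward to your SIEM here
        self.send_response(204)
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), AuditHandler).serve_forever()
```

Run it and point the Generic Webhook integration at the receiver's address. The sample on this page uses a plain http:// endpoint; in practice put the receiver behind TLS, since the audit records carry usernames, role names and the full request payload. If your integration cannot send a fixed header, drop the Authorization check and restrict access to the receiver at the network level instead.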

There is currently no delivery guarantee for audit log messages: a message that the receiver does not accept may be lost, so do not rely on the webhook stream as the only record of changes made to the platform.


© 2021 StackRox Inc. All rights reserved.