Set up an audit log webhook for Dev Portal

Before you configure the webhook, you must first create an audit log destination. This allows you to set your audit log destination (the endpoint URL for your SIEM provider) and reuse it.

1. From Organization in the sidebar, click Audit Logs Setup.
2. On the Webhook Destination tab, click New Webhook and configure the following:
   • Name: The name you want to display for the audit log destination.
   • Endpoint: The external endpoint that will receive audit log messages.

   • Authorization Header: The authorization type and credential to pass to your log collection endpoint. Konnect will send this string in the Authorization header of requests to that endpoint.

     For example, if you are setting up the webhook for Splunk, you could provide a Splunk access token: "authorization":"Splunk example-token12234352535235".

   • Log Format: The output format of each log message. Can be CEF or JSON.
   • Disable SSL Verification: Disables SSL verification of the host endpoint when delivering payloads. We recommend disabling SSL verification only when using self-signed SSL certificates in a non-production environment as this can subject you to man-in-the-middle and other attacks.

3. To configure the Dev Portal audit log webhook, navigate to Dev Portal in the sidebar.

   You can alternatively configure these settings by navigating to Organization > Audit Logs Setup under the Dev Portal tab.

4. Click the Dev Portal you want to configure the webhook for and then click Settings.
5. Click the Audit Logs tab.
6. Enable the webhook and then select the SIEM provider endpoint from the Endpoint drop down menu. You can’t customize the events that Konnect sends to the logs.
7. Click Save.

Now that you have an external endpoint and authorization credentials, you can set up an audit log destination in Konnect. The /audit_log_destinations endpoint allows you to set your audit log destination, which includes the endpoint URL and access key for your SIEM provider, and reuse it.

1. Create an audit log destination by sending a request to the /audit-log-destinations endpoint with the connection details for your SIEM provider:

    curl -i -X POST https://global.api.konghq.com/v2/audit-log-destinations \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer <personal-access-token>" \
    --data '{
        "endpoint": "https://example.com/audit-logs",
        "authorization": "<SIEM-access-token>",
        "log_format": "cef",
        "name": "example destinations name"
    }'
   

   Be sure to replace the following placeholder values:

   • <personal-access-token>: Your Konnect personal access token (PAT).
   • endpoint: The external endpoint that will receive audit log messages. Check your SIEM documentation to find out where to send CEF or JSON data.
   • authorization: The authorization type and credential to pass to your log collection endpoint. Konnect will send this string in the Authorization header of requests to that endpoint. For example, if you are setting up the webhook for Splunk, you could provide a Splunk access token: "authorization":"Splunk example-token12234352535235".
   • log_format: The output format of each log message. Can be cef or json.
   • name: A unique human-readable name to identify this destination.
   • skip_ssl_verification: (Optional) Set to true to skip SSL verification of the host endpoint when delivering payloads. We recommend skipping SSL verification only when using self-signed SSL certificates in a non-production environment as this can subject you to man-in-the-middle and other attacks.

   If the request is successful, you will receive a 200 response code, and a response body containing the audit log destination’s configuration details. Be sure to save the audit log destination id for the next step.

2. Create a webhook by sending a PATCH request to the /audit-log-webhook endpoint with your configured audit log destination:

    curl -i -X PATCH https://{region}.api.konghq.com/v2/portals/{portalId}/audit-log-webhook \
     --header "Content-Type: application/json" \
     --header "Authorization: Bearer <personal-access-token>" \
     --data '{
         "audit_log_destination_id": "05atf3f2-9d07-4e46-8115-c58ca594d00e",
         "enabled": true
     }'
   

   Be sure to replace the following placeholder values:

   • {region}.api.konghq.com: The region your Dev Portal is located in. Can be us, au, or eu.
   • <personal-access-token>: Your Konnect personal access token (PAT).
   • {portalId}: The ID of the Dev Portal with your webhook.
   • audit_log_destination_id: The ID of the audit log destination that you want to use.

   You can’t customize the events that Konnect sends to the logs.

   If the request is successful, you will receive a 200 response code, and a response body containing the webhook’s configuration details.

1. In Dev Portal, click the Dev Portal you want to view the webhook status job for.

   You can alternatively view your audit log webhook status by navigating to Organization > Audit Logs Setup. Under the Dev Portal tab, click the Dev Portal you want to view the log status for.

2. Click Settings in the sidebar, then click the Audit Logs tab.
3. Click the Status tab.

A badge will display next to the title of the webhook with the status of the webhook.

To see the last attempt timestamp and the last response code, use the audit log API.

View your audit log webhook status by sending a GET request to the /audit-log-webhook/status endpoint:

curl -i -X GET https://{region}.api.konghq.com/v2/portals/{portalId}/audit-log-webhook/status \
    --header "Authorization: Bearer <personal-access-token>"

Be sure to replace the following placeholder values:

• {region}.api.konghq.com: The region your Dev Portal is located in. Can be us, au, or eu.
• <personal-access-token>: Your Konnect personal access token (PAT).
• {portalId}: The ID of the Dev Portal with your webhook.

You will receive a 200 response code and a response body with information about the webhook status:

{
    "last_attempt_at": "2023-04-04T18:11:16Z",
    "last_response_code": 200,
    "webhook_enabled": true,
    "webhook_status": "active"
}