Configure Secure Audit Log

Review the steps to configure Secure Audit Log for your app

Configuration of the Secure Audit Log service occurs within the Pangea Admin Console. A Pangea Organization Admin or Project Admin must complete the following steps to configure Secure Audit Log:

  1. Enable Secure Audit Log.
  2. Select the audit schema.
  3. Create a token.
  4. Configure settings as required.

Enable and Configure Secure Audit Log

In the Pangea User Console under the COMPLIANCE section, select Secure Audit Log. If the service has not been enabled, this will open the configuration dialog.

The configuration process will unfold as follows within a multi-stage modal:

  1. Receive information about the service and its capabilities. You can also update the default configuration name.

    Click Next to proceed.

  2. Accept the default Audit Schema or define a custom one.

    important
    • Once you've created your audit log configuration, you cannot change the schema. To use a different schema, you must create a new configuration.
    • When creating a new schema, you can define all fields and their properties, including field names.
    • After creating the schema, you can modify the visibility and order of fields, specify whether they are required, and update the fields' descriptions.

    In the Schema Template drop-down, you can select a template for your schema and modify it as needed.

    The default Standard Audit Log schema includes the following fields:

    • Timestamp: An optional client-supplied timestamp.
    • Actor: An identifier for who the audit record is about.
    • Action: The action performed on a record.
    • Status: The status or result of the event.
    • Target: An identifier for what the audit record is about.
    • Source: The source of a record.
    • Tenant ID: An optional client-supplied tenant ID.
    • Old: The value of a record before it was changed.
    • New: The value of a record after it was changed.
    • Message: A free-form text field describing the event.

    You can start with one of the templates in the Schema Template drop-down menu and customize it by adding, removing, or modifying fields to create your custom schema.

    important

    The Message field is mandatory and must exist even in a custom schema for compatibility with other services.

    note

    Templates for streaming events from third-party vendors (such as Auth0) reflect log content defined by the vendor and do not allow adding or removing fields.

    To add a new audit field, click + Field, which opens the Edit Audit Field form. Fill out the following entries in the form:

    • Name: Enter the name of the audit field using lowercase letters.

    • Display name: This field is auto-generated from the Name field.

    • Type: Select a data type from the drop-down menu based on your field information.

      Note that the string data types have size limits associated with them.

    • Description: Enter text to describe the field.

    • Visible in table: Check this box if you want the field to be displayed as a column by default in the audit log viewer.

    • Required: Check this box if this field is required during logging.

    Click Save.

    note

    You can rearrange the fields by dragging them using the handle on the left-hand side.

    Click Next.

  3. If no existing access token is available for the Secure Audit Log service, you can create a new one on this screen.

    Optionally, you can associate the new token with select endpoints and other services, and store it in Vault.

Click Done to save the configuration.

Navigate to View Logs. Hover over each field to read its description.

note

The Secure Audit Log service supports multiple configuration settings.

To create an additional Secure Audit Log configuration, click on the configuration drop-down at the top of the left-hand navigation panel (where the currently selected configuration name is displayed) and select + Create New.

To create a log entry in Secure Audit Log:

  1. At the top of the left-hand navigation panel, select a service configuration for which you want to create a log entry.
  2. Click Explore the API. The Secure Audit Log API Reference page opens.
  3. Provide the required input(s) and click Send to create a log entry.
  4. Repeat the previous step to create multiple log entries for the selected Secure Audit Log configuration.

Settings

In the Pangea User Console under the COMPLIANCE section, select Secure Audit Log >> Settings to access the Secure Audit Log configuration settings. The settings allow Pangea Organization Admins or Project Admins to configure a log retention policy and enable redaction.

Retention policy

The retention policy settings determine how long audit data will be retained. By default, log data is retained for 90 days.

note

Log data that has expired due to exceeding the configured retention period is non-recoverable. Ensure your retention policy matches your required use case.

The retention policy is determined by the fields appearing after the text "retain audit data for." Unit type can be configured as "days," "months," or "years." Change the retention policy by updating the unit type and corresponding units to meet your requirements.

Redact records

The Pangea Redact service is natively integrated with the Pangea Secure Audit Log. The Redact integration should be used as a fail-safe measure to prevent the unintentional proliferation of sensitive data within your audit logs.

note

Logging best practice is to remove any known, unnecessary sensitive information from log data before sending it to the Secure Audit Log service.
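
One way to apply this practice before calling the /log endpoint, as an added example that is not Pangea's code: it checks an event against the Standard Audit Log fields listed earlier and scrubs secret-looking values from string fields. The lowercase field names (including tenant_id), the function name and the two patterns are assumptions.

```python
import re

# Field names assumed from the Standard Audit Log display names on this page.
STANDARD_FIELDS = {"timestamp", "actor", "action", "status", "target",
                   "source", "tenant_id", "old", "new", "message"}
REQUIRED_FIELDS = {"message"}  # Message must exist in every schema

# Illustrative patterns only; extend them to the secrets your app handles.
SCRUBBERS = [
    # key=value or "key: value" credentials, with an optional Bearer prefix
    (re.compile(r"(?i)\b(authorization|password|token|secret)"
                r"(\s*[:=]\s*)(?:bearer\s+)?\S+"), r"\1\2<removed>"),
    # 13 to 16 digits, optionally grouped by spaces or hyphens (card numbers)
    (re.compile(r"\b\d(?:[ -]?\d){12,15}\b"), "<removed-pan>"),
]


def prepare_event(fields):
    """Validate fields against the schema and return a scrubbed copy."""
    unknown = set(fields) - STANDARD_FIELDS
    if unknown:
        raise ValueError(f"fields not in schema: {sorted(unknown)}")
    missing = sorted(f for f in REQUIRED_FIELDS if not fields.get(f))
    if missing:
        raise ValueError(f"required fields missing: {missing}")
    event = {}
    for name, value in fields.items():
        if isinstance(value, str):  # non-string values are passed through
            for pattern, replacement in SCRUBBERS:
                value = pattern.sub(replacement, value)
        event[name] = value
    return event


# Constructed sample event.
SAMPLE_EVENT = prepare_event({
    "actor": "alice",
    "action": "update",
    "message": "login failed password=hunter2 for alice",
    "new": "card 4111 1111 1111 1111 saved",
})
```

Scrubbing on the client keeps the secret out of the request entirely; the Redact integration then covers whatever the patterns miss.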

To turn on the Redact integration, click the toggle to the enabled position. If the Redact service has not been enabled in your project, the enablement modal will appear.

If the Redact service is already enabled, the number of redaction rules enabled will appear next to the enablement toggle. Additionally, after turning on the Redact integration, a list of Fields will appear. This will allow you to specify which audit fields should be redacted when calling the /log endpoint.

To modify the Redact service configuration, click Configure Redact and a new window will display for you to navigate to the Redact configuration. Learn more about configuring the Redact service.

Log Signing

Log signing allows you to cryptographically sign a log record for assurance that the content of the log entry has not been modified since it was created. Logs can also be signed by the client using the SDK with your own keys, which are not provided to Pangea.

To turn on Log Signing, click the toggle to the enabled position. If the Log Signing service has not been enabled in your project, the enablement modal will appear.

Click Enable to enable the Vault service. The Vault service must be enabled before a signing key can be connected to Secure Audit Log. Then click Configure a signing key to choose one of the following:

  • Pangea generated: Let Pangea generate the key material for you.

  • Import a key: Bring your own key.

Click Save.

Audit Log Schema

You can view the schema defined for the currently selected audit log configuration. The fields for this schema appear on the right side of the page.

Audit Log Forwarding

You can configure the forwarding of audit logs to an external data repository, specifically Splunk.

The provided links offer assistance with the following topics:

To turn on Audit Log Forwarding, click the toggle to the enabled position. If Audit Log Forwarding has not been enabled in your project, the enablement modal will appear.

  • Logging Service: Splunk.

  • Event URL: Enter the complete URL for sending events. The URL format is https://<myhost>.<tld>/services/collector/event.

  • Index [Optional]: The Splunk index to pass as part of the HTTP Event Collector (HEC) payload. You can also set this in your HEC token settings.

  • Vault - HEC Token: You will save the HEC token, generated during the HEC setup, within our Pangea Vault service.

  • Provider certificate to use self-signed TLS [Optional]: Provide the public certificate of the private Certificate Authority (CA) used to verify the HEC endpoint certificate. This is not needed if the endpoint certificate was issued by a public CA like Let's Encrypt.

  • Enable Indexer Acknowledgement [Optional]: Settings for indexer acknowledgement if configured in HEC.

note

Only configure this if the Enable indexer acknowledgement option is enabled in your HEC settings.

  • Acknowledge URL: The verification URL for acknowledgements usually follows this pattern: https://<myhost>.<tld>/services/collector/ack.

  • Channel ID: Required for indexer acknowledgement. Supply this ID yourself; it can be generated randomly using the uuidgen command in the terminal.
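
The settings above map onto Splunk HEC requests as sketched here. This is an added example, not Pangea's or Splunk's code: it validates the two URLs and the Channel ID and builds the event and acknowledgement requests without sending them. The host name, token value and function names are placeholders or assumptions.

```python
import json
import uuid
from urllib.parse import urlsplit

EVENT_PATH = "/services/collector/event"
ACK_PATH = "/services/collector/ack"


def check_hec_url(url, expected_path):
    """Return url if it is HTTPS and ends in the expected HEC path."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"{url}: the HEC token would be sent without TLS")
    if not parts.hostname or parts.path.rstrip("/") != expected_path:
        raise ValueError(f"{url}: expected https://<host>{expected_path}")
    return url


def build_hec_requests(event_url, hec_token, event, index=None,
                       ack_url=None, channel_id=None, ack_ids=(0,)):
    """Build (method, url, headers, body) tuples; nothing is sent."""
    headers = {"Authorization": f"Splunk {hec_token}",
               "Content-Type": "application/json"}
    if ack_url is not None:
        # Indexer acknowledgement needs a channel GUID on every request.
        if not channel_id:
            raise ValueError("acknowledgement enabled but Channel ID is empty")
        headers["X-Splunk-Request-Channel"] = str(uuid.UUID(channel_id))
    payload = {"event": event}
    if index:
        payload["index"] = index  # otherwise the HEC token's default applies
    requests = [("POST", check_hec_url(event_url, EVENT_PATH),
                 headers, json.dumps(payload))]
    if ack_url is not None:
        # ack_ids are the ackId values returned by earlier event posts.
        requests.append(("POST", check_hec_url(ack_url, ACK_PATH),
                         headers, json.dumps({"acks": list(ack_ids)})))
    return requests


# Constructed sample values: placeholder host and all-zero token.
SAMPLE = build_hec_requests(
    "https://splunk.example.com:8088/services/collector/event",
    "00000000-0000-0000-0000-000000000000",
    {"message": "forwarding test"},
    index="main",
    ack_url="https://splunk.example.com:8088/services/collector/ack",
    channel_id=str(uuid.uuid4()),
)
```

Replaying the built requests by hand against the HEC endpoint separates a bad token or index from a TLS trust problem when the console test fails.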

After everything is configured, save and click Test forwarding configuration to verify that the configuration works. Upon successful completion, you will encounter the following message.

[Image: Successfully verified message]

In Splunk, you will see a message sent by audit:

[Image: Splunk message]

In case of failure, a message explaining the reason will appear at the top of your screen. For instance, in this scenario, we have improperly configured the certificates in some manner.

[Image: Error message]
