Settings
Learn how to define the Retention policy, integrate with the Redact service, configure the Audit Schema, and forward log events.
In the Pangea User Console under the COMPLIANCE section, select Secure Audit Log and click Settings.
Retention policy
The retention policy settings determine how long audit data will be kept. Log data that has expired and exceeded the retention period cannot be recovered. Make sure your retention policy matches your needs.
The Secure Audit Log data can be stored in different tiers, each with its own retention policy:
- Hot - Optimized for search performance. Retained for up to 14 days.
- Warm - Allows search and export, optimized for cost. Retained for up to 10 years.
- Cold - Archived data, retrievable only by request. Learn how to make a request in the Cold Export documentation. Retained for up to 10 years.
Change the retention policy by updating the unit type and corresponding units to meet your requirements within the allowable limits. Depending on the storage type, you can specify the retention policy periods in Days, Weeks, Months, or Years.
You might need to update an old audit configuration to enable tiers in the Secure Audit Log retention policy.
In the legacy configurations, the retention policy is determined by the fields appearing after the text Retain audit data for.
Redact log events
The Pangea Redact service integrates with the Pangea Secure Audit Log. This integration should be used as a fail-safe measure to prevent the unintentional proliferation of sensitive data within your audit logs.
Generally, we recommend omitting personally identifying information or secrets from secure audit logs unless they are protected by redaction.
After enabling the Redact service, you can enable the Redact records option under the Secure Audit Log Settings in the Pangea User Console. Once enabled, select a Redact configuration to use and the audit fields to be redacted. Click Save to apply your selection. The number of applied redaction rules will be displayed in the Redact records item under Secure Audit Log Settings.
To modify the Redact service configuration, click the Configure redaction rules link. Learn more about configuring the redaction rules in the Redact Configuration docs.
If you're integrating the Secure Audit Log and Redact service into your app, the Redact service will, by default, only redact the message, old, and new fields. Review the other parameters available for redaction, such as actor, as they may be relevant to your use case.
You can unredact log events that were redacted with Format Preserving Encryption (FPE) by using the Redact /v1/unredact and /v1/unredact_events endpoints.
Log Signing
Log signing allows you to cryptographically sign a log record for assurance that the content of the log entry has not been modified since it was created. Logs can also be signed by the client using the SDK with your own keys, which are never provided to Pangea.
To turn on Log Signing, click the toggle to the enabled position. If the Log Signing service has not been enabled in your project, the enablement modal will appear.
Click Enable to enable the Vault service; the Vault service must be enabled before a signing key can be connected to the Secure Audit Log. Then click Configure a signing key and choose one of the following:
- Pangea generated - Let Pangea generate the key material for you.
- Import a key - Bring your own key.
Click Save.
Audit Log Schema
You can view the schema defined for the currently selected audit log configuration. The fields for this schema appear on the right side of the page.
You can adjust a field description, its visibility in the Log Viewer, and whether the field is required.
By following the Create new configuration link, you can create additional configurations.
Audit Log Forwarding
You can configure the forwarding of audit logs to an external data repository, specifically Splunk.
To turn on Audit Log Forwarding, click the toggle to the enabled position. If Audit Log Forwarding has not been enabled in your project, the enablement modal will appear. Then configure the following settings:
- Logging Service - Splunk.
- Event URL - Enter the complete URL for sending events. The URL format is https://<myhost>.<tld>/services/collector/event.
- Index [Optional] - The Splunk index to pass as part of the HTTP Event Collector (HEC) payload. You can also set this in your HEC token settings.
- Vault - HEC Token - The HEC token generated during the HEC setup is saved within the Pangea Vault service.
- Provide certificate to use self-signed TLS [Optional] - Furnish the public certificate of the private Certificate Authority (CA) used to verify the HEC endpoint certificate. This is not needed if a public CA, such as Let's Encrypt, issued the certificate.
- Enable Indexer Acknowledgment [Optional] - Settings for indexer acknowledgment, if configured in HEC. Only configure this if the Enable indexer acknowledgment option is enabled in your HEC settings.
- Acknowledge URL - The verification URL for acknowledgments usually follows this pattern: https://<myhost>.<tld>/services/collector/ack.
- Channel ID - Required for indexer acknowledgment. Supply an ID, which can be generated randomly using the uuidgen command in the terminal.
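As an added example (not Pangea's code), the following Python checks a Splunk forwarding configuration against the constraints listed above before you save it, and builds the HEC request such a configuration implies. The ForwardingConfig field names are assumptions for this illustration; the Authorization header, X-Splunk-Request-Channel header and event/index payload keys are Splunk's documented HEC conventions.

```python
import json
import uuid
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse


@dataclass
class ForwardingConfig:
    """Hypothetical mirror of the console fields (assumption, not Pangea's schema)."""
    event_url: str
    hec_token: str                      # in the console this lives in Pangea Vault
    index: Optional[str] = None
    ack_enabled: bool = False
    ack_url: Optional[str] = None
    channel_id: Optional[str] = None


def _check_url(url: str, expected_path: str) -> Optional[str]:
    """Return an error if the URL is not https with the expected HEC path."""
    parts = urlparse(url)
    if parts.scheme != "https":
        return f"{url!r}: HEC URL must use https"
    if not parts.netloc:
        return f"{url!r}: missing host"
    if parts.path.rstrip("/") != expected_path:
        return f"{url!r}: path must be {expected_path}"
    return None


def validate(cfg: ForwardingConfig) -> list:
    """Collect every configuration problem instead of stopping at the first."""
    errors = []
    err = _check_url(cfg.event_url, "/services/collector/event")
    if err:
        errors.append(err)
    if not cfg.hec_token:
        errors.append("HEC token is required")
    if cfg.ack_enabled:
        # Indexer acknowledgment needs both the ack URL and a UUID channel ID (uuidgen output).
        if not cfg.ack_url:
            errors.append("ack URL is required when indexer acknowledgment is enabled")
        else:
            err = _check_url(cfg.ack_url, "/services/collector/ack")
            if err:
                errors.append(err)
        try:
            uuid.UUID(cfg.channel_id or "")
        except ValueError:
            errors.append("channel ID must be a UUID")
    return errors


def build_hec_request(cfg: ForwardingConfig, event: dict) -> tuple:
    """Headers and JSON body for one audit event, per Splunk HEC conventions."""
    headers = {"Authorization": f"Splunk {cfg.hec_token}", "Content-Type": "application/json"}
    if cfg.ack_enabled:
        headers["X-Splunk-Request-Channel"] = cfg.channel_id
    payload = {"event": event}
    if cfg.index:                       # optional: overrides the HEC token's default index
        payload["index"] = cfg.index
    return headers, json.dumps(payload)
```

Run `validate` on the settings you intend to enter; an empty list means the URLs, token and acknowledgment fields are mutually consistent.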
After everything is configured, save and click Test forwarding configuration to verify that the configuration works. Upon successful completion, a success message is displayed.
In Splunk, you will see the test message sent by the audit service.
In case of failure, a message will appear at the upper part of your screen explaining the reason, for instance that the certificates have been configured incorrectly.