Retrieving audit events
In Cloudera on premises, Cloudera Control Plane audit data can be retrieved by configuring the OpenTelemetry (OTel) collector. The OTel collector can be configured to send data to external systems – such as IBM Guardium – using the syslog OTel exporter.
OTel collector configuration
The OTel collector is used to receive the audit events. It supports the following three types of data:
- Traces
- Metrics
- Logs
The audit events are treated as logs in the OTel collector. Currently, configuring an OpenTelemetry exporter is only possible by editing the Kubernetes configmap cdp-release-opentelemetry-collector in the <cdp-project> namespace.
The default config contains only the logging exporter. To collect audit events in an external system such as rsyslog, the appropriate exporter config needs to be added there. To edit the configmap, run the following command:
kubectl edit cm cdp-release-opentelemetry-collector -n <cdp-project>
The default structure of the configmap is as follows:
# Valid values are "daemonset", "deployment", and "statefulset".
mode: "deployment"
config:
  receivers:
    jaeger: null
    prometheus: null
    zipkin: null
  service:
    pipelines:
      logs:
        exporters:
          - logging
        processors:
          - memory_limiter
          - batch
        receivers:
          - otlp
      metrics: null
      traces: null
ports:
  jaeger-compact:
    enabled: false
  jaeger-thrift:
    enabled: false
  jaeger-grpc:
    enabled: false
  zipkin:
    enabled: false
Forwarding to OTel
Forwarding of audit events to the OTel collector is disabled by default. You can enable OTel to receive audit events by configuring the following environment variable:
kubectl edit deploy cdp-release-thunderhead-audit-private -n <cdp-project>
# Add the following environment variable
- name: FORWARDING_ENABLED
  value: "true"
Syslog OTel exporter configuration
This section provides an example of how to modify the OTel configmap to send audit events to an rsyslog endpoint using the syslog exporter. For additional information about the syslog exporter, see the example configuration at: https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/exporter/syslogexporter/examples/config_with_syslog_receiver.yaml
Sample syslog insecure configuration
The following snippet from the cdp-release-opentelemetry-collector configmap shows how to configure a syslog exporter without TLS:
apiVersion: v1
data:
  relay: |
    exporters:
      logging:
        verbosity: basic
      syslog:
        network: tcp
        port: 514
        endpoint: adt-demo-1.vpc.cloudera.com
        tls:
          insecure: true
        protocol: rfc3164
    . . .
    pipelines:
      logs:
        exporters:
          - logging
          - syslog
Additionally, syslog needs to be added under the service | pipelines | logs | exporters section.
Sample output in /var/log/messages on the rsyslog server:
Aug 30 22:45:35 ena-3.vpc.cloudera.com - {"action":"setEnvironmentSetting","actor_crn":"crn:altus:iam:us-west-1:8f5a8f29-7834-4b66-8946-ebd7d2cf8508:user:17aa0daf-4f92-45fa-a8c9-6ca0478eec31","agent":"environments","evtTime":1693435535994,"id":"c1080e42-b0ba-4bd4-b1dd-4bd0f7881f49","reqUser":"admin","request_id":"44c24ab0-34bb-456a-a945-f10a72ad49c7","response_parameters":"{ }","result":"SUCCESS","text":""}
Aug 30 22:46:45 ena-3.vpc.cloudera.com - {"action":"getUser","actor_crn":"crn:altus:iam:us-west-1:8f5a8f29-7834-4b66-8946-ebd7d2cf8508:user:17aa0daf-4f92-45fa-a8c9-6ca0478eec31","agent":"iam","api_version":"__API_VERSION__","cliIP":"10.42.1.7","evtTime":1693435605667,"id":"58724fb9-69d5-4a92-b1f5-5412809a9e8c","mutating":"false","reqData":"{ \"userId\": null }","reqUser":"admin","request_id":"ec66f71d-ce19-4d11-be4d-b7372bd7a23a","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"}
Sample syslog secure configuration
The following example shows how to configure a server CA for TLS. The ca_file must have the value /etc/opt/certs/ca.pem, as that is the Cloudera on premises truststore file.
apiVersion: v1
data:
  relay: |
    exporters:
      logging:
        verbosity: basic
      syslog:
        network: tcp
        port: 6514
        endpoint: <rsyslog-hostname>
        tls:
          ca_file: /etc/opt/certs/ca.pem
        protocol: rfc3164
    . . .
    pipelines:
      logs:
        exporters:
          - logging
          - syslog
Please note that this configuration will only work if the rsyslog server has TLS configured. Additional information on rsyslog TLS is available here: https://www.rsyslog.com/doc/master/tutorials/tls.html
We support TLS out of the box. mTLS is not supported – to configure mTLS, see TLS Configuration Settings for more information.
For added context, the following steps were done to test rsyslog using TLS. This test was done on a machine running RHEL 8.8. The following lines were added to /etc/rsyslog.conf:
module(
  load="imtcp"
  StreamDriver.Name="gtls"
  StreamDriver.Mode="1"
  StreamDriver.Authmode="anon"
)  # needs to be done just once
input(type="imtcp" port="6514")

#### GLOBAL DIRECTIVES ####
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/certs/myCA.pem"
  DefaultNetstreamDriverCertFile="/certs/rsyslog.crt"
  DefaultNetstreamDriverKeyFile="/certs/rsyslog.key"
)
If the GnuTLS library is not already present, it must be installed:
yum install rsyslog-gnutls
The certs were created using a self-signed CA. The commands are:
# Create the CA private key
openssl genrsa -out myCA.key 2048
# Create the CA public key
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem
# Create the server cert private key
openssl genrsa -out rsyslog.key 2048
# Create a certificate signing request using the private key above
openssl req -new -key rsyslog.key -out rsyslog.csr
Create an ext file rsyslog.ext with the contents below:
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = <rsyslog-hostname>
Create the server cert:
openssl x509 -req -in rsyslog.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out rsyslog.crt -days 825 -sha256 -extfile rsyslog.ext
Import the CA cert myCA.pem into the miscellaneous section of the CA certificates from the Control Plane UI. rsyslog.crt must also be imported.
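Once events are flowing, the lines rsyslog writes to /var/log/messages (see the sample in the insecure configuration section above) consist of an RFC 3164 header, a "-" where a tag would be, and the audit event as a JSON object. The following Python script is an added example, not part of the Cloudera documentation: it parses such lines, normalizes the fields that arrive in awkward forms (evtTime as epoch milliseconds, mutating as the string "true"/"false", reqData and response_parameters as JSON encoded inside a string), and flags mutating or non-SUCCESS events for review. The sample lines are constructed from the documented format; the CRN, id and request_id values in them are placeholders, and the third event (a failed mutating call) is invented to exercise the flagging logic.

```python
"""Parse Cloudera Control Plane audit events from rsyslog's /var/log/messages.

Added example, not part of the Cloudera documentation. Each line is an RFC 3164
header ("Aug 30 22:45:35 <host> - ") followed by the audit event as JSON, which
is how the rfc3164 syslog exporter delivers the events to rsyslog.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Header as written by rsyslog: timestamp, host, "-" where a tag would be, JSON body.
_LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) - (?P<body>\{.*\})$"
)

# Constructed sample lines modelled on the documented output; the CRN, id and
# request_id values are placeholders, not real identifiers.
SAMPLE_LINES = [
    'Aug 30 22:45:35 ena-3.vpc.cloudera.com - {"action":"setEnvironmentSetting",'
    '"actor_crn":"crn:altus:iam:us-west-1:<account-id>:user:<user-id>","agent":"environments",'
    '"evtTime":1693435535994,"id":"<event-id-1>","reqUser":"admin","request_id":"<req-1>",'
    '"response_parameters":"{ }","result":"SUCCESS","text":""}',
    'Aug 30 22:46:45 ena-3.vpc.cloudera.com - {"action":"getUser",'
    '"actor_crn":"crn:altus:iam:us-west-1:<account-id>:user:<user-id>","agent":"iam",'
    '"cliIP":"10.42.1.7","evtTime":1693435605667,"id":"<event-id-2>","mutating":"false",'
    '"reqData":"{ \\"userId\\": null }","reqUser":"admin","request_id":"<req-2>"}',
    # Constructed failure of a mutating call: the kind of event a reviewer wants surfaced.
    'Aug 30 22:47:10 ena-3.vpc.cloudera.com - {"action":"setEnvironmentSetting",'
    '"agent":"environments","evtTime":1693435630000,"id":"<event-id-3>","mutating":"true",'
    '"reqUser":"admin","request_id":"<req-3>","result":"FAILURE"}',
    # Two lines that must not crash the parser: no JSON body, and malformed JSON.
    'Aug 30 22:47:11 ena-3.vpc.cloudera.com - not an audit event',
    'Aug 30 22:47:12 ena-3.vpc.cloudera.com - {"action":"getUser",}',
]


def normalize(event):
    """Return a copy of the event with the string-encoded fields decoded."""
    ev = dict(event)
    # evtTime is epoch milliseconds; add an ISO-8601 UTC rendering next to it.
    ms = ev.get("evtTime")
    if isinstance(ms, int):
        ev["evtTimeIso"] = (
            datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
            + timedelta(milliseconds=ms % 1000)
        ).isoformat()
    # mutating arrives as the string "true"/"false"; turn it into a bool.
    if "mutating" in ev:
        ev["mutating"] = str(ev["mutating"]).strip().lower() == "true"
    # reqData and response_parameters are JSON documents encoded as strings.
    for key in ("reqData", "response_parameters"):
        val = ev.get(key)
        if isinstance(val, str):
            try:
                ev[key] = json.loads(val)
            except json.JSONDecodeError:
                pass  # leave the raw string if it is not valid JSON
    return ev


def parse_line(line):
    """Return {"syslog_ts", "host", "event"} for a well-formed line, else None."""
    m = _LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    try:
        event = json.loads(m.group("body"))
    except json.JSONDecodeError:
        return None
    return {"syslog_ts": m.group("ts"), "host": m.group("host"), "event": normalize(event)}


def triage(lines):
    """Split lines into (parsed, flagged, unparsed).

    flagged holds the events a reviewer should look at first: mutating calls
    and anything whose result is not SUCCESS. unparsed holds raw lines that did
    not match the expected header/JSON shape, so they are never silently lost.
    """
    parsed, flagged, unparsed = [], [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
            continue
        parsed.append(rec)
        ev = rec["event"]
        if ev.get("mutating") is True or ev.get("result") not in (None, "SUCCESS"):
            flagged.append(rec)
    return parsed, flagged, unparsed


if __name__ == "__main__":
    parsed, flagged, unparsed = triage(SAMPLE_LINES)
    print(f"parsed={len(parsed)} flagged={len(flagged)} unparsed={len(unparsed)}")
    for rec in flagged:
        ev = rec["event"]
        print(f"REVIEW {ev.get('evtTimeIso')} {ev.get('agent')}.{ev.get('action')} "
              f"user={ev.get('reqUser')} result={ev.get('result')}")
```

Feed it the real file with `triage(open("/var/log/messages"))` on the rsyslog host; lines from other daemons land in `unparsed` rather than raising, so the same loop can run over a mixed system log.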