Skip to main content

Customize export of audit logs via API for integration with any SIEM system

Last update:
For your information

This is an instruction for configuring the export of audit logs via API to your SIEM system. The settings on the side of SIEM-system you need to perform on your own according to its official documentation. For integration with RuSIEM and Wazuh systems use the instructions Set up integration with RuSIEM SIEM system and Set up integration with Wazuh SIEM system.

You can also upload audit logs manually in the control panel.

  1. Create a service user.
  2. Get an IAM token for the account.
  3. Get a script to export audit logs.
  4. Set up and run the script.
  5. Configure log ingestion in the SIEM system.

1. Create a service user

Add a service user with permission in the access area Account and role member.

Users can be added by the Account Owner or users with the role of iam.admin.

2. Get an IAM token for the account

Get an IAM token for the account for the service user you created in step 1.

3. Get a script for exporting audit logs to the SIEM system

We have prepared a script for exporting audit logs - it allows you to upload logs to a file and send them to a specified IP address or endpoint via syslog or HTTP/HTTPS.

  1. Open the CLI.

  2. Clone the script repository:

    git clone https://github.com/t-rex-general/auditlog-integration.git

    The script files will be saved to the auditlog-integration folder in the working directory.

4. Set up and run the script

The script allows you to get logs in several ways:

  • to upload to a file;
  • send to the IP address via the syslog protocol;
  • send to the endpoint via HTTP/HTTPS protocol.

Customize the script depending on the desired way of getting logs:

  1. Open the CLI.

  2. Create a virtual environment:

    python3 -m venv .venv

  3. Activate the virtual environment:

    source .venv/bin/activate

  4. Go to the script folder:

    cd auditlog-integration

  5. Install the necessary dependencies:

    pip3 install -r requirements.txt

  6. Create an .env configuration file:

    touch .env

  7. Open the .env configuration file:

    nano .env

  8. Fill in the .env configuration file:

    8.1 Add a block with parameters for authentication in the API of the Audit-Logs service:

    AUDIT_LOGS_URL=<base_url>/v1/logs
    USERNAME=<username>
    PASSWORD=<password>
    ACCOUNT_ID=<account_id>

    Specify:

    • <base_url> - URL to access the audit logs API in the required pool. You can see the list of URLs in the instructions List of URLs;
    • <username> - the name of the service user you created in step 1;
    • <password> - password of the service user. If the password contains the characters [ ] \ ^ $. |? * + () and escape them by putting a backslash in front of the character. \;
    • <account_id> - account number, can be viewed in control panel in the upper right corner.

    8.2 Add a block with parameters for sending events:

    TRANSPORT_TYPE=file

    By default, logs are saved in the script folder in the events.txt file.

    8.3 Add a line with the API invocation interval:

    POLL_INTERVAL=<poll_interval>

    Specify <poll_interval> - interval of API call in seconds (default is 30).

    8.4. Exit the save file by successively pressing Ctrl+XYEnter.

    8.5 Optionally: change the name of the file where the logs are saved, for this purpose in the script folder in the file savers.py in the block class FileSaver change the value in the field self.filename.

  9. Run the script:

    python3 main.py

5. Configure log reception in the SIEM system

Configure log reception in your SIEM system. Use the official documentation of your SIEM system.