
Configure audit log export via API for integration with any SIEM system

For your information

This is a guide for configuring audit log export via Audit Logs API to your SIEM system. You must perform the settings on the SIEM system side yourself according to its official documentation. For integration with RuSIEM and Wazuh, use the following instructions: Configure integration with RuSIEM and Configure integration with Wazuh.

  1. Create a service user.
  2. Get an IAM token for the account.
  3. Get the script for audit log export.
  4. Configure and run the script.
  5. Configure log ingestion in the SIEM system.

1. Create a service user

Add a service user with the audit_logs.admin role.

Users can be added by the Account Owner or by users with the iam.admin role.

2. Get an account IAM token

Get an account IAM token for the service user you created in step 1.

3. Get the script for exporting audit logs to a SIEM system

We have prepared a script for exporting audit logs; it allows you to download logs to a file, as well as send them to a specified IP address or endpoint via the syslog or HTTP/HTTPS protocol.

  1. Open the CLI.

  2. Clone the script repository:

    git clone https://github.com/t-rex-general/auditlog-integration.git

    The script files will be saved in the working directory to the auditlog-integration folder.

4. Configure and run the script

The script allows you to receive logs in several ways:

  • save to a file;
  • send to an IP address via syslog;
  • send to an endpoint via HTTP or HTTPS.

Configure the script depending on the required log collection method:

  1. Open the CLI.

  2. Create a virtual environment:

    python3 -m venv .venv
  3. Activate the virtual environment:

    source .venv/bin/activate
  4. Go to the script folder:

    cd auditlog-integration
  5. Install the necessary dependencies:

    pip3 install -r requirements.txt
  6. Create a configuration file .env:

    touch .env
  7. Open the configuration file .env:

    nano .env
  8. Fill in the configuration file .env:

    8.1. Add a block with authentication parameters for the Audit Logs service API:

    AUDIT_LOGS_URL=<base_url>/v1/logs
    USERNAME=<username>
    PASSWORD=<password>
    ACCOUNT_ID=<account_id>

    Specify:

    • <base_url> — API URL for audit logs in the required pool. A list of URLs can be found in the List of URLs;
    • <username> — name of the service user you created in step 1;
    • <password> — service user password. If the password contains any of the characters [ ] \ ^ $ . | ? * + ( ), escape each of them by prefixing it with a backslash \;
    • <account_id> — account number, which can be seen in the Control panel in the top right corner.

    8.2. Add a block with event submission parameters:

    TRANSPORT_TYPE=file

    By default, logs are saved in the script folder to the events.txt file.

    8.3. Add a line with the API request interval:

    POLL_INTERVAL=<poll_interval>

    Specify <poll_interval> — API request interval in seconds (default is 30).

    8.4. Save the changes and exit the editor: press Ctrl+X, then Y, then Enter.

    8.5. Optional: change the log file name; to do this, in the script folder open the savers.py file, find the class FileSaver block, and change the value in the self.filename field.

  9. Run the script:

    python3 main.py
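
As an added example that is not part of the auditlog-integration repository, here is a small Python checker for the .env file written in step 8: it escapes a password the way the guide requires and validates the required keys, an unreplaced <base_url> placeholder, password escaping, and the 30-second default poll interval. The key names, the file transport and the default interval come from the guide; the parsing logic and the constructed sample values (including the example.invalid base URL) are assumptions.

```python
import re

# Added example (not the repository's script): validate the step-8 .env.
# Characters the guide says must be backslash-escaped in PASSWORD
SPECIAL_CHARS = set("[]\\^$.|?*+()")
REQUIRED_KEYS = ("AUDIT_LOGS_URL", "USERNAME", "PASSWORD", "ACCOUNT_ID")

# Constructed sample .env (example.invalid stands in for the real base URL)
SAMPLE_ENV = """AUDIT_LOGS_URL=https://example.invalid/v1/logs
USERNAME=siem-exporter
PASSWORD=p\\$ss\\(w0rd\\)
ACCOUNT_ID=123456
POLL_INTERVAL=60
"""

def escape_password(password: str) -> str:
    # Prefix every special character with a backslash for the .env file
    return "".join("\\" + c if c in SPECIAL_CHARS else c for c in password)

def has_unescaped_special(value: str) -> bool:
    # Drop every backslash-escaped pair, then look for leftover specials
    return any(c in SPECIAL_CHARS for c in re.sub(r"\\.", "", value))

def parse_env(text: str) -> dict:
    # KEY=VALUE per line; blank lines and # comments are ignored
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed line: {raw!r}")
        config[key.strip()] = value.strip()
    return config

def validate_config(config: dict) -> dict:
    # Check required keys, placeholders, password escaping and defaults
    missing = [k for k in REQUIRED_KEYS if not config.get(k)]
    if missing:
        raise ValueError("missing keys: " + ", ".join(missing))
    url = config["AUDIT_LOGS_URL"]
    if "<" in url or not url.endswith("/v1/logs"):
        raise ValueError("AUDIT_LOGS_URL must be <base_url>/v1/logs with base_url filled in")
    if has_unescaped_special(config["PASSWORD"]):
        raise ValueError("PASSWORD contains an unescaped special character")
    interval = int(config.get("POLL_INTERVAL", "30"))  # guide default: 30 s
    return {"url": url, "transport": config.get("TRANSPORT_TYPE", "file"),
            "poll_interval": interval, "account_id": config["ACCOUNT_ID"]}
```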

5. Configure log ingestion in the SIEM system

Configure log ingestion in your SIEM system. Use the official documentation for your SIEM system.