Export IBM Cloud Pak for Data audit records to your security information and event management solution

Created by Julia Bamford on Mon, 04/27/2020 - 11:28
Published URL:
https://www.ibm.com/support/pages/node/6201850

How To


Summary

You can configure IBM Cloud Pak for Data Audit Logging to forward audit records to your security information and event management (SIEM) solutions, such as Splunk, LogDNA, or QRadar.

Objective

At a high level, auditing provides accountability, traceability, and regulatory compliance regarding access to and modification of data. Enterprises are often subject to industry requirements for regulatory auditing compliance. Therefore, a holistic auditing solution that works with IBM Cloud Pak for Data requires contributions and coordination of solutions from Red Hat OpenShift, Guardium, and the IBM Cloud Pak for Data software stack.
Auditing support in IBM Cloud Pak for Data makes a significant step forward by generating, collecting, and forwarding CADF (Cloud Auditing Data Federation) compliant audit records for core platform auditable events. This article guides you through the configuration that is required to forward IBM Cloud Pak for Data audit records to your existing security information and event management (SIEM) solutions.

Environment

IBM Cloud Pak for Data Release 3.0.1 introduced the Audit Logging Service. The Audit Logging Service collects CADF-compliant audit records from services that are deployed across the IBM Cloud Pak for Data instance and forwards those audit records onto any configured SIEM solutions.
The Audit Logging Service is installed in each instance of IBM Cloud Pak for Data and is namespace-scoped. In a multi-tenant configuration, each Audit Logging Service works independently. Each tenant's CADF audit records are isolated from each other and can be forwarded with different SIEM collector configurations. From a security and compliance perspective, the Audit Logging Service ensures that auditors for one tenant have visibility of records for that tenant only.
Similar to other IBM Cloud Pak for Data core platform services, the Audit Logging Service pod deployment (zen-audit) supports multiple replicas. By default, the zen-audit deployment is configured as a single replica with minimal memory and CPU load. This deployment can be scaled up and out when the need arises.
The Audit Logging implementation uses Fluentd Output plug-ins to forward and export audit records. After you install IBM Cloud Pak for Data, the Audit Logging Service is configured by default to post ingested audit records only to the zen-audit pod stdout log. External SIEM Configuration can be added to the zen-audit-config Kubernetes configmap to extend where the Audit Logging Service exports all collected audit records.

Steps

The IBM Cloud Pak for Data Audit Logging Service can be configured to forward ingested audit records to an existing external SIEM by adding a <store> configuration section to the zen-audit-config Kubernetes configmap for each external SIEM. You must have Red Hat OpenShift administrator privileges to edit the zen-audit-config Kubernetes configmap.
The SIEM <store> configuration section typically contains information that must be configured on and gathered from the external SIEM. Therefore, each SIEM subsection documented is separated into two portions: actions required on the SIEM interface and actions required on Red Hat OpenShift hosting the IBM Cloud Pak for Data cluster.
The Audit Logging Service in IBM Cloud Pak for Data explicitly supports forwarding of CADF Audit Record Format compliant records to the following external SIEM solutions: Splunk, LogDNA, and QRadar (each is described in its own section below).
Other types of external SIEM solutions can be configured if they accept output from a base Fluentd Output plug-in or from an additionally packaged plug-in, for example TCP/IP forwarding (@type forward) or RSYSLOG (@type remote_syslog).
For security, TLS enablement is often required and therefore TLS Certificates are also typically added to the zen-audit-config Kubernetes configmap for reference in the SIEM <store> configuration section. For more information, see TLS Certificates.


Splunk
In Splunk:
  1. In the Splunk dashboard, click Settings > Data inputs.
  2. In the HTTP Event Collector section, click Add new.
  3. Give the IBM Cloud Pak for Data instance a unique name, and optionally configure the source name override, description, and indexer acknowledgment.
  4. Configure source type, create a specific IBM Cloud Pak for Data data source, use automatic detecting, or select generic JSON source type.
  5. Configure App Context and Indexes for the specific use case.
  6. Click Review and then click Submit.
  7. Save the Generated Token Value so that it can be used in a later step.
In Red Hat OpenShift hosting Cloud Pak for Data:
  1. Make a backup of the current zen-audit-config configmap.
  2. Edit the zen-audit-config configmap, either in the Red Hat OpenShift UI or from a terminal window.  
  3. The IBM Cloud Pak for Data auditing service uses Fluentd to manage audit logging. The zen-audit-config configmap defines log export settings for the instance of IBM Cloud Pak for Data. By default, example configurations are commented out, and stdout is the only output enabled.
  4. To integrate with Splunk, a Splunk HEC-specific plug-in (@type splunk_hec) is included. See the plug-in documentation for the full list of options.
  5. Add the following <store> configuration section to the configmap inside the <match export export.** records records.** syslog syslog.**> tags, and underneath the line that reads @type copy. Remember to ensure it is correctly indented, and the configuration details replace the placeholders in angled brackets (<>).
    apiVersion: v1
    metadata:
      name: zen-audit-config
    data:
      ca.pem: |
        -----BEGIN CERTIFICATE-----
         <XXXXXXXXX>
        -----END CERTIFICATE-----
      fluent.conf: |-
        <match export export.** records records.** syslog syslog.**> 
          @type copy 
          <store>    
            @type splunk_hec
            host <SPLUNK-HOST>
            port <SPLUNK-PORT, 8088 BY DEFAULT>
            token <SPLUNK-TOKEN>
            flush_interval 10s
            use_ssl true
            ca_file /fluentd/config/ca.pem
          </store>
        </match>
  6. Save the changes to the zen-audit-config configmap.
  7. Delete all zen-audit pods to force a restart to pick up changes. To avoid forced restart, implement a manual rolling update.
  8. When correctly configured, new events from IBM Cloud Pak for Data will begin appearing in the Splunk instance. 
Note: Alternatively, you can use the following command to update the zen-audit-config configmap. A merge patch replaces the whole fluent.conf value, so the patch must include every <store> section that should remain active (for example the default stdout store), not only the new one:
oc patch configmap zen-audit-config -n <CPD-NAMESPACE> --type merge --patch '{"data":{"fluent.conf":"<match export export.** records records.** syslog syslog.**>\n  @type copy\n  <store>\n    @type splunk_hec\n    host <SPLUNK-HOST>\n    port <SPLUNK-PORT, 8088 BY DEFAULT>\n    token <SPLUNK-TOKEN>\n    flush_interval 10s\n    use_ssl true\n    ca_file /fluentd/config/ca.pem\n  </store>\n</match>","ca.pem":"-----BEGIN CERTIFICATE-----\n<XXXXXXXXX>\n-----END CERTIFICATE-----\n"}}'


LogDNA
In LogDNA:
  1. Open the Install Instructions menu, by clicking the question mark icon at the lower left section of the screen.
  2. Under Via Platform, select Fluentd.
  3. Under the If you use Fluentd section, copy the configuration snippet. It will look like the following example:
        <match your_match>
          @type logdna
          api_key <API KEY>
          ingester_domain <YOUR HOST>
          hostname "#{Socket.gethostname}"    # your hostname (required)
          app my_app                          # replace with your app name
          #mac C0:FF:EE:C0:FF:EE              # optional Mac address
          #ip 127.0.0.1                       # optional IP address
        </match>

    Note: Some versions of LogDNA show ingestion_host instead of ingester_domain. Check that the configuration has the correct key and change it if it doesn't.
  4. Replace the opening and closing <match> tags with <store> tags so that the <store> configuration snippet looks like the following example (we recommend adding the last two lines for performance).
        <store>
          @type logdna
          api_key (logdna api key)
          ingester_domain (logdna ingester domain address)
          hostname (hostname to send to logdna)
          app (app name to send to logdna)
          # mac C0:FF:EE:C0:FF:EE                     # optional mac address
          # ip 127.0.0.1                              # optional IP address
          buffer_chunk_limit 1m
          flush_at_shutdown true
        </store>
In Red Hat OpenShift hosting Cloud Pak for Data:
  1. Make a backup of the current zen-audit-config configmap.
  2. Edit the zen-audit-config configmap, either in the Red Hat OpenShift UI or from a terminal window.
  3. The IBM Cloud Pak for Data auditing service uses Fluentd to manage audit logging. This configmap defines log export settings for the instance of IBM Cloud Pak for Data. By default, example configurations are commented out, and stdout is the only output enabled.
  4. Add the edited <store> configuration snippet to the configmap inside the <match export export.** records records.** syslog syslog.**> tags, and underneath the line that reads @type copy. Remember to ensure it is correctly indented, and the configuration details replace the placeholders in angled brackets (<>).  Optionally, change hostname to something static and configure app, mac, and ip as required.
    apiVersion: v1
    metadata:
      name: zen-audit-config
    data:
      ca.pem: |
        -----BEGIN CERTIFICATE-----
         <XXXXXXXXX>
        -----END CERTIFICATE-----
      fluent.conf: |-
        <match export export.** records records.** syslog syslog.**> 
          @type copy
          <store>
            @type logdna
            api_key <LOGDNA-API-KEY>
            ingester_domain <LOGDNA-INGESTER-DOMAIN-ADDRESS>
            hostname <CPD-HOSTNAME>
            app <CPD-ZEN-AUDIT>
            # mac C0:FF:EE:C0:FF:EE    # optional mac address
            # ip 127.0.0.1             # optional IP address
            buffer_chunk_limit 1m
            flush_at_shutdown true
            tls true
            ca_file /fluentd/config/ca.pem
          </store>
        </match>
  5. Save the changes to the zen-audit-config configmap.
  6. Delete all zen-audit pods to force a restart to pick up changes. To avoid forced restart, implement a manual rolling update.
  7. When correctly configured, new events from IBM Cloud Pak for Data will begin appearing in the LogDNA instance.
Note: Alternatively, you can use the following command to update the zen-audit-config configmap:
oc patch configmap zen-audit-config -n <CPD-NAMESPACE> --type merge --patch '{"data":{"fluent.conf":"<match export export.** records records.** syslog syslog.**>\n  @type copy\n  <store>\n    @type logdna\n    api_key <LOGDNA-API-KEY>\n    ingester_domain <LOGDNA-INGESTER-DOMAIN-ADDRESS>\n    hostname <CPD-HOSTNAME>\n    app <CPD-ZEN-AUDIT>\n    # mac C0:FF:EE:C0:FF:EE    # optional mac address\n    # ip 127.0.0.1             # optional IP address\n    buffer_chunk_limit 1m\n    flush_at_shutdown true\n    tls true\n    ca_file /fluentd/config/ca.pem\n  </store>\n</match>","ca.pem":"-----BEGIN CERTIFICATE-----\n<XXXXXXXXX>\n-----END CERTIFICATE-----\n"}}'


QRadar
In QRadar:
  1. Navigate to Admin.
  2. Click Log Sources.
  3. Click Add.
  4. Configure a Name and Description for the new log source.
  5. Under Type, select an ICP CADF Format if configured, or a generic log type.
  6. Change Protocol Configuration to Syslog, or TLS Syslog if TLS is enabled.
  7. Provide a unique Identifier, ensure it is enabled, provide an event collector, and optionally select an Extension.
  8. Click Save.
  9. Navigate back to the Admin menu.
  10. Click Deploy Changes.
In Red Hat OpenShift hosting Cloud Pak for Data:
  1. Edit the zen-audit-config configmap, either in the Red Hat OpenShift UI or from a terminal window.  Make a backup of the current configmap before you make changes.
  2. The IBM Cloud Pak for Data auditing service uses Fluentd to manage audit logging. This configmap defines log export settings for the instance of IBM Cloud Pak for Data. By default, example configurations are commented out, and stdout is the only output enabled.
  3. Add the following <store> configuration section to the configmap inside the <match export export.** records records.** syslog syslog.**> tags, and underneath the line that reads @type copy. Remember to ensure it is correctly indented, and the configuration details replace the placeholders in angled brackets (<>).
    apiVersion: v1
    metadata:
      name: zen-audit-config
    data:
      ca.pem: |
        -----BEGIN CERTIFICATE-----
         <XXXXXXXXX>
        -----END CERTIFICATE-----
      fluent.conf: |-
        <match export export.** records records.** syslog syslog.**> 
          @type copy
          <store>
            @type remote_syslog
            host <QRADAR-HOST>
            port <QRADAR-PORT, DEFAULT IS 514>
            hostname <CPD-HOSTNAME>
            protocol tcp
            tls true
            ca_file /fluentd/config/ca.pem
            <format>
              @type json
            </format>
            <buffer>
              flush_thread_count 2
              flush_interval 10s
              chunk_limit_size 2M
              queue_limit_length 32
              retry_max_interval 30
              retry_forever true
            </buffer>
          </store>
        </match>
  4. Save the changes to the zen-audit-config configmap.
  5. Delete all zen-audit pods to force a restart to pick up changes. To avoid forced restart, implement a manual rolling update.
  6. When correctly configured, new events from IBM Cloud Pak for Data will begin appearing in the QRadar instance.
Note: Alternatively, you can use the following command to update the zen-audit-config configmap:
oc patch configmap zen-audit-config -n <CPD-NAMESPACE> --type merge --patch '{"data":{"fluent.conf":"<match export export.** records records.** syslog syslog.**>\n  @type copy\n  <store>\n    @type remote_syslog\n    host <QRADAR-HOST>\n    port <QRADAR-PORT, 514 BY DEFAULT>\n    hostname <CPD-HOSTNAME>\n    protocol tcp\n    tls true\n    ca_file /fluentd/config/ca.pem\n    <format>\n      @type json\n    </format>\n    <buffer>\n      flush_thread_count 2\n      flush_interval 10s\n      chunk_limit_size 2M\n      queue_limit_length 32\n      retry_max_interval 30\n      retry_forever true\n    </buffer>\n  </store>\n</match>","ca.pem":"-----BEGIN CERTIFICATE-----\n<XXXXXXXXX>\n-----END CERTIFICATE-----\n"}}'

TLS Certificates

Security compliance typically requires TLS; therefore, TLS certificates are required to send events to external repositories or tools. The following steps describe how to define and reference TLS certificates within the SIEM <store> configuration section of the zen-audit-config Kubernetes configmap.
Including certificates in the zen-audit-config configmap:
  1. Edit the zen-audit-config configmap, either in the Red Hat OpenShift UI or from a terminal window.
  2. Add an entry for each required certificate. See the following example.
     
    apiVersion: v1
    metadata:
      name: zen-audit-config
    data:
      ca.pem: |
        -----BEGIN CERTIFICATE-----
          XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
          XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
          XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
          XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
          XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
          XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
        -----END CERTIFICATE-----
      fluent.conf: |-
        <match export export.** records records.** syslog syslog.**> 
          @type copy
          <store>
            ...
            ca_file /fluentd/config/ca.pem
          </store> 
        </match>
  3. Save the changes to the zen-audit-config configmap.
  4. Delete all zen-audit pods to force a restart to pick up changes. To avoid forced restart, implement a manual rolling update.
  5. Each key in the data section of the configmap is mounted as a file under /fluentd/config/ (in this example, the ca.pem key is mounted at /fluentd/config/ca.pem) and can then be referenced by that path in the configuration file.
Note: Unfortunately, there is no standard way to configure TLS across Fluentd plug-ins; each type of export plug-in typically requires its own configuration directives. See the previous examples for the splunk_hec, logdna, and remote_syslog plug-ins.
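The three SIEM procedures above and the TLS certificate section all end in the same step: adding a <store> section to the existing fluent.conf and referencing a certificate key from the same configmap. The following added example (not IBM's code) does that edit programmatically so that the stdout store already in fluent.conf is preserved and the ca_file reference is checked before anything is patched. The configmap content is a constructed stand-in for the output of oc get configmap zen-audit-config -o json; render_store, insert_store, build_patch and oc_patch_command are helper names of my own.

```python
"""Add a SIEM <store> to zen-audit-config without losing existing outputs.

Added example, not IBM's code. The configmap below is a constructed
stand-in for `oc get configmap zen-audit-config -o json`; render_store,
insert_store, build_patch and oc_patch_command are my own helper names."""
import json
import re

MATCH_OPEN = "<match export export.** records records.** syslog syslog.**>"

# Constructed: the default configuration after install, stdout only.
EXISTING_CONFIGMAP = {
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {"name": "zen-audit-config", "namespace": "zen"},
    "data": {
        "fluent.conf": (
            MATCH_OPEN + "\n"
            "  @type copy\n"
            "  <store>\n"
            "    @type stdout\n"
            "  </store>\n"
            "</match>\n"
        )
    },
}


def render_store(params, sections=None):
    """Render a <store> block (2-space indent under <match>) from a dict of
    directives plus optional nested sections such as <format> or <buffer>."""
    lines = ["  <store>"]
    lines += [f"    {key} {value}" for key, value in params.items()]
    for name, body in (sections or {}).items():
        lines.append(f"    <{name}>")
        lines += [f"      {key} {value}" for key, value in body.items()]
        lines.append(f"    </{name}>")
    lines.append("  </store>")
    return "\n".join(lines) + "\n"


def insert_store(fluent_conf, store_block):
    """Place store_block directly under '@type copy' inside the export <match>.
    Fails loudly rather than emitting a config that silently drops outputs."""
    start = fluent_conf.find(MATCH_OPEN)
    if start < 0:
        raise ValueError("export <match> block not found in fluent.conf")
    end = fluent_conf.find("</match>", start)
    if end < 0:
        raise ValueError("unterminated export <match> block")
    copy = re.search(r"^[ \t]*@type copy[ \t]*$", fluent_conf[start:end], re.M)
    if copy is None:
        raise ValueError("'@type copy' not found in export <match> block")
    at = start + copy.end() + 1  # first character of the next line
    return fluent_conf[:at] + store_block + fluent_conf[at:]


def build_patch(configmap, store_block, ca_pem=None):
    """Body for `oc patch --type merge`. A merge patch replaces each named key
    outright, so fluent.conf is sent complete, old stores included."""
    new_conf = insert_store(configmap["data"]["fluent.conf"], store_block)
    data = {"fluent.conf": new_conf}
    if ca_pem is not None:
        data["ca.pem"] = ca_pem
    # Every ca_file must name a key of this configmap, which zen-audit
    # mounts under /fluentd/config/; otherwise Fluentd fails at start-up.
    available = {**configmap["data"], **data}
    for key in re.findall(r"^[ \t]*ca_file[ \t]+/fluentd/config/(\S+)", new_conf, re.M):
        if key not in available:
            raise ValueError(f"ca_file refers to missing configmap key {key!r}")
    return {"data": data}


def oc_patch_command(namespace, patch):
    """The page's manual `oc patch` line, with JSON quoting done by json.dumps."""
    body = json.dumps(patch).replace("'", "'\\''")
    return (f"oc patch configmap zen-audit-config -n {namespace} "
            f"--type merge --patch '{body}'")


if __name__ == "__main__":
    # QRadar store from the page, including its nested <format>/<buffer>.
    qradar = render_store(
        {"@type": "remote_syslog", "host": "<QRADAR-HOST>", "port": "514",
         "hostname": "<CPD-HOSTNAME>", "protocol": "tcp", "tls": "true",
         "ca_file": "/fluentd/config/ca.pem"},
        {"format": {"@type": "json"},
         "buffer": {"flush_interval": "10s", "retry_forever": "true"}},
    )
    cert = "-----BEGIN CERTIFICATE-----\n<XXXXXXXXX>\n-----END CERTIFICATE-----\n"
    print(oc_patch_command("<CPD-NAMESPACE>", build_patch(EXISTING_CONFIGMAP, qradar, cert)))
```

Back up the configmap first, as the steps above say; after the patch the zen-audit pods still need to be restarted or rolled for the new store to take effect.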

Additional Information

IBM Cloud Pak for Data Platform Audit Events:
The following list describes the IBM Cloud Pak for Data platform auditable events that are generated and forwarded through Audit Logging. The complete set of supported auditable events varies with the installed version of IBM Cloud Pak for Data and its services.
Login, Logout, Session, Authentication:
  • security.users.authenticate - success or failure when a user logs in
  • security.users.revoke - record when users log out
  • security.accounts.authenticate - success or failure of SAML2 token validation
  • security.authorization - failure in invoking any privileged action
User Management:
  • users.user.create - authorize user for access to the platform
  • users.user.delete - access for user is removed
  • users.user.update - any changes in user profile - including name, email address
  • users.role.add - grant a specific privilege to a user on the platform
  • users.role.remove - revoke a platform privilege from a user
Service Level:
  • services.service.create - a Service is installed and enabled
  • services.service.delete - a Service is uninstalled
  • services.service.update - a Service is updated
Service Instances:
  • service_instances.instance.create - a service instance is provisioned
  • service_instances.instance.delete - a service instance is unprovisioned
  • service_instances.instance.update - a service instance is changed
  • service_instances.read - the list of service instances is retrieved
  • service_instances.instance.read - a query for the details of one service instance by ID
  • service_instances.user.add - grant user access, with a particular role, to a service instance
  • service_instances.user.delete - revoke user access from a service instance
  • service_instances.user.get - a query to list users with access to a service instance
  • service_instances.user.update - change a user’s access role for a service instance
Connections:
  • connections.create - add connection
  • connections.update - update connection
  • connections.delete - delete connection
  • connections.read - a query issued to retrieve all connections
  • connections.connection.read - a query issued to retrieve one connection's details by ID
Deployments:
  • deployments.delete - delete service deployment
  • deployments.read - retrieve service deployment by ID
Sample IBM Cloud Pak for Data CADF Audit Records
Authentication - Failed
    {
        "action": "security.authenticate",
        "attachments": [
            {
                "content": {
                    "kubernetes": {
                        "contain_id": "crio-140f725c303ece65ed72a3325587dbc39241001c9bacaf28473fa2da5a66e39b.scope",
                        "contain_name": "ibm-nginx-container",
                        "namespace": "zen",
                        "pod": "ibm-nginx-6c4ff4d894-gnl6b"
                    }
                },
                "contentType": "http://schemas.ibm.com/cloud/content/1.0/cloudpak",
                "message": "security.authenticate \"No Credential\" failure",
                "name": "ibm-cp-data",
                "sourceCrn": "crn:v1:cp4d:private:k8:w/worker1.pptr-wrkr9-4.os.fyre.ibm.com:n/zen::service:security"
            }
        ],
        "eventTime": "2020-03-24T00:30:31.541+0000",
        "eventType": "activity",
        "id": "icp:73cab988-6b46-4d7c-8e0f-4e81a87e99b9",
        "initiator": {
            "credential": {
                "identity_status": "Denied",
                "type": "unknown"
            },
            "host": {
                "address": "9.1.2.3"
            },
            "id": "unknown",
            "name": "unknown",
            "typeURI": "security/account/user"
        },
        "observer": {
            "id": "target"
        },
        "origination": "unknown",
        "outcome": "failure",
        "reason": {
            "reasonCode": 401,
            "type": "HTTP"
        },
        "requestData": {
            "path": "/zen/",
            "type": "GET"
        },
        "severity": "critical",
        "target": {
            "host": {
                "address": "10.1.2.3"
            },
            "id": "crn:v1:cp4d:private:k8:w/worker1.pptr-wrkr9-4.os.fyre.ibm.com:n/zen::service:security",
            "name": "ibm-nginx-6c4ff4d894-gnl6b",
            "typeURI": "service/security/authentication"
        },
        "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event"
    }

Create User - Failed
   {
        "action": "users.user.create",
        "attachments": [
            {
                "content": {
                    "kubernetes": {
                        "container_id": "crio-084b607766871e41384e04512b958eb66fd7b93ca4a0c38a1261bc652382554f.scope",
                        "container_name": "usermgmt-container",
                        "namespace": "zen",
                        "node": "worker4.pptr-wrkr9-4.os.fyre.ibm.com",
                        "pod": "usermgmt-758d588874-4jltx"
                    },
                    "message": "users.user.create worker4.pptr-wrkr9-4.os.fyre.ibm.com failure",
                    "sourceCrn": "crn:v1:cp4d:private:k8:w/worker4.pptr-wrkr9-4.os.fyre.ibm.com:n/zen::service:usermgmt"
                },
                "contentType": "http://schemas.ibm.com/cloud/content/1.0/cloudpak",
                "name": "ibm-cp-data"
            }
        ],
        "eventTime": "2020-03-24T01:40:37.984+0000",
        "eventType": "activity",
        "id": "icp:b8bfd642-b2df-4869-9bbf-c72f372fa6af",
        "initiator": {
            "credential": {
                "identity_status": "Denied",
                "type": "token"
            },
            "host": {
                "address": "usermgmt-svc:3443",
                "agent": "curl/7.29.0"
            },
            "id": "1000330999",
            "name": "admin",
            "typeURI": "security/account/user"
        },
        "observer": {
            "id": "target"
        },
        "origination": "api",
        "outcome": "failure",
        "reason": {
            "reasonCode": 400,
            "type": "http"
        },
        "requestData": {
            "path": "/v1/user",
            "type": "POST"
        },
        "responseData": {
            "error": {
                "_messageCode_": "createUser_fail",
                "_statusCode_": 400,
                "exception": "[object Object]",
                "message": "Adding user record failed"
            }
        },
        "severity": "critical",
        "target": {
            "host": {
                "address": "10.1.2.3"
            },
            "id": "crn:v1:cp4d:private:k8:w/worker4.pptr-wrkr9-4.os.fyre.ibm.com:n/zen::service:usermgmt",
            "name": "usermgmt-758d588874-4jltx",
            "typeURI": "service/security/account/user"
        },
        "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event"
    }


Delete User - Success
   {
        "action": "users.user.delete",
        "attachments": [
            {
                "content": {
                    "kubernetes": {
                        "container_id": "crio-084b607766871e41384e04512b958eb66fd7b93ca4a0c38a1261bc652382554f.scope",
                        "container_name": "usermgmt-container",
                        "namespace": "zen",
                        "node": "worker4.pptr-wrkr9-4.os.fyre.ibm.com",
                        "pod": "usermgmt-758d588874-4jltx"
                    },
                    "message": "users.user.delete 1000331001 success",
                    "sourceCrn": "crn:v1:cp4d:private:k8:w/worker4.pptr-wrkr9-4.os.fyre.ibm.com:n/zen::service:usermgmt"
                },
                "contentType": "http://schemas.ibm.com/cloud/content/1.0/cloudpak",
                "name": "ibm-cp-data"
            }
        ],
        "eventTime": "2020-03-24T00:29:29.079+0000",
        "eventType": "activity",
        "id": "icp:053e4159-8b68-43bd-935c-a3625db9b773",
        "initiator": {
            "credential": {
                "identity_status": "Confirmed",
                "type": "cookie"
            },
            "host": {
                "address": "9.1.2.3",
                "agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/78.0.3882.0 Safari/537.36"
            },
            "id": "1000330999",
            "name": "admin"
        },
        "observer": {
            "id": "target"
        },
        "origination": "ui",
        "outcome": "success",
        "reason": {
            "reasonCode": 200,
            "type": "http"
        },
        "requestData": {
            "path": "/api/v1/usermgmt/v1/user/user1",
            "type": "DELETE",
            "username": "user1"
        },
        "responseData": {
            "uid": "1000331001"
        },
        "severity": "critical",
        "target": {
            "host": {
                "address": "10.1.2.3"
            },
            "id": "crn:v1:cp4d:private:k8:w/worker4.pptr-wrkr9-4.os.fyre.ibm.com:n/zen::service:usermgmt",
            "name": "usermgmt-758d588874-4jltx",
            "typeURI": "service/security/account/user"
        },
        "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event"
    }

Create Connection - Success
  {
        "action": "connections.create",
        "attachments": [
            {
                "content": {
                    "kubernetes": {
                        "container_id": "unknown",
                        "container_name": "zen-core-api-container",
                        "namespace": "zen",
                        "pod": "zen-core-api-86f4bbc668-lmn4t"
                    },
                    "message": "connections.create success",
                    "sourceCrn": "crn:v1:ocp:private:k8:w/worker0.pptr-wrkr9-4.os.fyre.ibm.com:n/zen::service:zen-core-api",
                    "subject": {
                        "asUser": "user1"
                    }
                },
                "contentType": "http://schemas.ibm.com/cloud/content/1.0/cloudpak",
                "name": "ibm-cp-data"
            }
        ],
        "eventTime": "2020-03-24T05:55:14Z",
        "eventType": "activity",
        "id": "icp:415e49e6-addc-49a2-9d4c-174ea8499ab4",
        "initiator": {
            "credential": {
                "identity_status": "Confirmed",
                "type": "cookie"
            },
            "host": {
                "address": "9.1.2.3",
                "agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/78.0.3882.0 Safari/537.36",
                "name": "francis95294"
            },
            "id": "1000331005",
            "name": "francis95294",
            "typeURI": "security/account/user"
        },
        "observer": {
            "id": "target"
        },
        "origination": "ui",
        "outcome": "success",
        "reason": {
            "reasonCode": 200,
            "reasonType": "HTTP"
        },
        "requestData": {
            "path": "/v2/connections",
            "type": "POST"
        },
        "responseData": {
            "post_connection_status": "Success"
        },
        "severity": "warning",
        "target": {
            "host": {
                "address": "10.1.2.3"
            },
            "id": "crn:v1:ocp:private:k8:w/worker0.pptr-wrkr9-4.os.fyre.ibm.com:n/zen::service:zen-core-api",
            "name": "zen-core-api-86f4bbc668-lmn4t",
            "typeURI": "network/connection"
        },
        "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event"
    }

Create Service Instance User - Success
   {
        "action": "service_instances.user.add",
        "attachments": [
            {
                "content": {
                    "kubernetes": {
                        "container_id": "unknown",
                        "container_name": "zen-core-api-container",
                        "namespace": "zen",
                        "pod": "zen-core-api-86f4bbc668-lmn4t"
                    },
                    "message": "service_instances.user.add 1585010153494 1000330999 success",
                    "sourceCrn": "crn:v1:ocp:private:k8:w/worker0.pptr-wrkr9-4.os.fyre.ibm.com:n/zen::service:zen-core-api",
                    "subject": {
                        "asUser": "admin"
                    }
                },
                "contentType": "http://schemas.ibm.com/cloud/content/1.0/cloudpak",
                "name": "ibm-cp-data"
            }
        ],
        "eventTime": "2020-03-24T08:35:03Z",
        "eventType": "activity",
        "id": "icp:d9270412-1199-43c9-9221-cf631102d09c",
        "initiator": {
            "credential": {
                "identity_status": "Confirmed",
                "type": "cookie"
            },
            "host": {
                "address": "9.1.2.3",
                "agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/78.0.3882.0 Safari/537.36",
                "name": "admin"
            },
            "id": "1000330999",
            "name": "admin",
            "typeURI": "security/account/user"
        },
        "observer": {
            "id": "target"
        },
        "origination": "ui",
        "outcome": "success",
        "reason": {
            "reasonCode": 200,
            "reasonType": "HTTP"
        },
        "requestData": {
            "instance_id": "1585010153494",
            "path": "/v2/serviceInstance/currentUser",
            "type": "POST"
        },
        "responseData": {
            "user_id": "1000330999",
            "user_name": "admin"
        },
        "severity": "warning",
        "target": {
            "host": {
                "address": "10.1.2.3"
            },
            "id": "crn:v1:ocp:private:k8:w/worker0.pptr-wrkr9-4.os.fyre.ibm.com:n/zen::service:zen-core-api",
            "name": "zen-core-api-86f4bbc668-lmn4t",
            "typeURI": "service/security/instance/user"
        },
        "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event"
    }
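Once records like the samples above reach the SIEM, the fields an analyst keys on are action, outcome, initiator.host.address, initiator.credential.type and reason.reasonCode. The following added example (not part of the IBM page) parses a constructed stream of such records, maps each action to the event categories listed above, and flags repeated failed authentication from one source address. The records are constructed to mirror the page's samples with made-up values; the three-failures-in-five-minutes threshold is my own choice.

```python
"""Triage IBM Cloud Pak for Data CADF audit records as received by a SIEM,
one JSON record per line. Added example, not part of the IBM page: records
are constructed to mirror the page's samples (same field names, made-up
values); the category table follows the page's event list."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Leading component of the CADF "action" -> category in the page's event list.
CATEGORY_BY_PREFIX = {
    "security": "Login, Logout, Session, Authentication",
    "users": "User Management",
    "services": "Service Level",
    "service_instances": "Service Instances",
    "connections": "Connections",
    "deployments": "Deployments",
}

def cadf(action, outcome, when, address, name="unknown", code=401,
         credential="unknown", path="/zen/"):
    """Constructed record with the shape of the page's samples."""
    failed = outcome == "failure"
    return {
        "action": action, "eventType": "activity", "eventTime": when,
        "outcome": outcome, "severity": "critical" if failed else "warning",
        "initiator": {
            "credential": {"identity_status": "Denied" if failed else "Confirmed",
                           "type": credential},
            "host": {"address": address}, "id": "unknown", "name": name,
            "typeURI": "security/account/user"},
        "reason": {"reasonCode": code, "type": "HTTP"},
        "requestData": {"path": path, "type": "GET"},
        "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event",
    }

# Constructed stream: three failed logins from one address inside four
# minutes, then unrelated traffic.
SAMPLE_STREAM = "\n".join(json.dumps(r) for r in [
    cadf("security.authenticate", "failure", "2020-03-24T00:30:31.541+0000", "9.1.2.3"),
    cadf("security.authenticate", "failure", "2020-03-24T00:31:02.007+0000", "9.1.2.3"),
    cadf("security.authenticate", "failure", "2020-03-24T00:33:45.120+0000", "9.1.2.3"),
    cadf("security.users.authenticate", "success", "2020-03-24T00:34:10Z", "9.1.2.4",
         "admin", 200, "cookie"),
    cadf("users.user.delete", "success", "2020-03-24T00:29:29.079+0000", "9.1.2.3",
         "admin", 200, "cookie", "/api/v1/usermgmt/v1/user/user1"),
    cadf("security.authenticate", "failure", "2020-03-24T02:00:00Z", "9.1.2.9"),
])

def load_stream(text):
    """One CADF JSON object per line, as the forwarders on this page emit."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def parse_time(value):
    """Samples use both ...31.541+0000 and ...14Z; normalise to aware UTC."""
    if value.endswith("Z"):
        value = value[:-1] + "+0000"
    fmt = "%Y-%m-%dT%H:%M:%S.%f%z" if "." in value else "%Y-%m-%dT%H:%M:%S%z"
    return datetime.strptime(value, fmt).astimezone(timezone.utc)

def summarise(record):
    """Flatten the CADF fields an analyst pivots on into one dict."""
    initiator = record.get("initiator", {})
    return {
        "time": parse_time(record["eventTime"]),
        "action": record["action"],
        "category": CATEGORY_BY_PREFIX.get(record["action"].split(".")[0], "Other"),
        "outcome": record["outcome"],
        "initiator": initiator.get("name", "unknown"),
        "source": initiator.get("host", {}).get("address", "unknown"),
        "credential": initiator.get("credential", {}).get("type", "unknown"),
        "reason_code": record.get("reason", {}).get("reasonCode"),
        "path": record.get("requestData", {}).get("path"),
    }

def failed_auth_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Source addresses with >= threshold failed *authenticate records inside
    a sliding window. Returns {address: largest count seen in one window}."""
    failures = defaultdict(list)
    for r in map(summarise, records):
        if (r["action"].startswith("security.")
                and r["action"].endswith("authenticate")
                and r["outcome"] == "failure"):
            failures[r["source"]].append(r["time"])
    flagged = {}
    for source, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[source] = max(flagged.get(source, 0), end - start + 1)
    return flagged
```

Calling failed_auth_bursts(load_stream(SAMPLE_STREAM)) on the constructed stream returns {"9.1.2.3": 3}; the single failure from 9.1.2.9 and the successful logins are not flagged.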


Document Location

Worldwide


Document Information

Modified date:
22 August 2023

UID

ibm16201850