Authorization Audit Data - PAA
If your deployment contains a hybrid PAA, authorization audit data is written in your hosted environment and not in the Authorization Platform Audit Store. Each PAA includes a PDP service whose runtime configuration contains an Audit section. According to this configuration, audit records are stored in a database and/or sent to syslog and collected with your tool of choice.
The Authorization Platform Audit Report in the PAP UI does not include the internal PAA audit records, but you can connect to your database or syslog store and compile reports from the authorization audit data yourself.
Database
Audit data can be stored in your Postgres database (as a managed service or locally). It can also be stored in other databases such as Oracle, MSSQL, or MySQL.
To configure the Authorization Audit:
- Create a new table. Example: for a Postgres database, the structure consists of a single table:
CREATE TABLE authorization_audit (
request_id varchar(2044) NULL,
request text NULL,
response text NULL,
ip varchar(2044) NULL,
client_id varchar(2044) NULL,
entity_id varchar(2044) NULL,
entity_type varchar(2044) NULL,
request_type varchar(2044) NULL,
organization varchar(2044) NULL,
instance_name varchar(2044) NULL,
request_time numeric(20) NULL,
external_request_id varchar(128) NULL,
total_duration numeric(20) NULL
);
CREATE INDEX auth_requests ON authorization_audit USING btree (request_time, entity_id, organization, request_type, external_request_id);
Note: To store audit data in other database types, prepare the database, make the matching JDBC driver available to the runtime service, and note that the table structure might differ slightly. For assistance, contact PlainID Support.
- Configure the Runtime Service.
  The runtime service configuration contains an Audit section in which you configure the authorization audit. The relevant properties are in the runtime section under extraEnv:
Property | Default Value | Details |
---|---|---|
isDataBaseEnable | false | Audit data is stored in the database if set to true. |
isSysLogEnable | true | Audit data is sent to syslog if set to true. See the Syslog section below for how to use this property based on your PAA deployment. |
connection | -- | Connection properties for your database: "driverName": "org.postgresql.Driver", "type": "POSTGRESQL", "url": "jdbc:postgresql://127.0.0.1:5432/audit", "user": "...", "Password": "***". If a Secret Manager Service is deployed, the password can be taken from a Secret Store using the Secret Store syntax; refer to the Secret Management Configuration article for more information. |
Ensure that the runtime service can reach the database and that the configured user has write (INSERT) permission on the table. Grant the audit user only the rights it needs; it does not need to own the table or hold DDL privileges.
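As an added example of compiling a report from the audit table above (this is not PlainID code): the script creates the same table in an in-memory SQLite database so that it runs offline, whereas the real deployment writes to Postgres; the rows are constructed, and request_time and total_duration are assumed to be epoch milliseconds and milliseconds respectively, which the page does not state. The window query filters on request_time first so the auth_requests index can serve it.

```python
"""Local model of the PAA authorization_audit table plus two report queries.

Added example, not PlainID code. SQLite stands in for Postgres so the script
runs offline; the sample rows are constructed, and request_time /
total_duration are assumed to be epoch milliseconds / milliseconds.
"""
import json
import sqlite3

# Same columns as the page's Postgres DDL; SQLite accepts the length/NULL hints.
DDL = """
CREATE TABLE authorization_audit (
    request_id varchar(2044) NULL,
    request text NULL,
    response text NULL,
    ip varchar(2044) NULL,
    client_id varchar(2044) NULL,
    entity_id varchar(2044) NULL,
    entity_type varchar(2044) NULL,
    request_type varchar(2044) NULL,
    organization varchar(2044) NULL,
    instance_name varchar(2044) NULL,
    request_time numeric(20) NULL,
    external_request_id varchar(128) NULL,
    total_duration numeric(20) NULL
)
"""
# Same index columns as the page; SQLite has no USING clause (btree is its default).
INDEX = ("CREATE INDEX auth_requests ON authorization_audit "
         "(request_time, entity_id, organization, request_type, external_request_id)")

COLUMNS = ["request_id", "request", "response", "ip", "client_id", "entity_id",
           "entity_type", "request_type", "organization", "instance_name",
           "request_time", "external_request_id", "total_duration"]

T0 = 1_700_000_000_000  # constructed base timestamp (assumed epoch ms)


def sample_rows():
    """Constructed audit rows: request types and client names are placeholders."""
    spec = [
        # request_id, client_id, entity_id, entity_type, request_type, duration_ms, offset_ms
        ("r-1", "web-app", "alice", "user", "decision", 12, 0),
        ("r-2", "web-app", "alice", "user", "decision", 9, 60_000),
        ("r-3", "batch-job", "svc-billing", "service", "resolution", 340, 120_000),
        ("r-4", "web-app", "bob", "user", "decision", 15, 3_700_000),  # outside a 1h window
    ]
    rows = []
    for rid, client, entity, etype, rtype, dur, off in spec:
        rows.append((rid, json.dumps({"entityId": entity}), json.dumps({"ok": True}),
                     "10.0.0.5", client, entity, etype, rtype, "acme", "pdp-1",
                     T0 + off, "ext-" + rid, dur))
    return rows


def open_audit_db(rows=None):
    """Create the table and index in memory and load the given (or sample) rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(DDL)
    conn.execute(INDEX)
    placeholders = ", ".join("?" * len(COLUMNS))
    conn.executemany(
        "INSERT INTO authorization_audit (%s) VALUES (%s)" % (", ".join(COLUMNS), placeholders),
        rows if rows is not None else sample_rows())
    conn.commit()
    return conn


def requests_per_entity(conn, start_ms, end_ms):
    """Volume and worst latency per entity and request type inside [start_ms, end_ms)."""
    cur = conn.execute(
        """SELECT entity_id, request_type, COUNT(*) AS n, MAX(total_duration) AS max_ms
           FROM authorization_audit
           WHERE request_time >= ? AND request_time < ?
           GROUP BY entity_id, request_type
           ORDER BY n DESC, entity_id""",
        (start_ms, end_ms))
    return [tuple(r) for r in cur.fetchall()]


def slow_requests(conn, threshold_ms):
    """Requests whose total_duration exceeds the threshold, slowest first."""
    cur = conn.execute(
        """SELECT request_id, client_id, total_duration
           FROM authorization_audit
           WHERE total_duration > ?
           ORDER BY total_duration DESC""",
        (threshold_ms,))
    return [tuple(r) for r in cur.fetchall()]


if __name__ == "__main__":
    db = open_audit_db()
    print(requests_per_entity(db, T0, T0 + 3_600_000))
    print(slow_requests(db, 200))
```

Against Postgres, point a psycopg2 or JDBC connection at the same table and keep the queries unchanged; only the in-memory setup in open_audit_db is SQLite-specific.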
Syslog
To collect your audit data with syslog, set isSysLogEnable to true, as described above, and configure the following syslog parameters:
Standalone PAA Deployment (VM)
To adjust for a Standalone PAA Deployment:
- In the $PLAINID_HOME/runtime/conf folder, open the log4j.xml configuration file.
- Locate and edit the relevant properties:
  - Syslog Host and Port
  - Syslog Appender: Syslog Name, Host, Port, Protocol
Example:
<Property name="syslog-host" value="10.20.11.7" />
<Property name="syslog-port" value="5000" />
...
<Appenders>
<Syslog name="SysLog" host="${syslog-host}" port="${syslog-port}" protocol="UDP"/>
K8s PAA Deployment
To configure syslog in a K8s environment, add the section below to your values-custom.yaml and set your host, port, and protocol.
runtime:
# Audit runtime calls to syslog
syslog:
enabled: true
host: ""
port: ""
# Supported protocols: UDP
protocol: "UDP"
If syslog.enabled is set to true, audit records are collected by your syslog agent and contain a _source section with a message property that holds the full audit record, in a structure similar to the Audit DB record. Because only UDP is supported, records are sent without delivery guarantees or transport encryption, so keep the syslog collector on a trusted network segment and monitor for gaps between the PDP's request volume and the records received.
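As an added example of consuming the syslog-collected records (this is not PlainID code): the functions below take collector documents of the form {"_source": {"message": ...}}, strip a BSD syslog header if the agent kept it, and validate that the body is a JSON object carrying the same field names as the audit DB table. The JSON encoding, the field names, and the sample documents are assumptions and constructed data; the page only says the message holds the full audit record in a structure similar to the DB record.

```python
"""Parse PAA audit records collected from syslog into DB-shaped dicts.

Added example, not PlainID code. Assumptions: the audit body is JSON with
the audit DB column names, the syslog agent wraps each line as
{"_source": {"message": ...}}, and any retained header is BSD (RFC 3164).
"""
import json
import re

# Field names of the audit DB record; the syslog record is assumed to use the same.
AUDIT_FIELDS = ("request_id", "request", "response", "ip", "client_id", "entity_id",
                "entity_type", "request_type", "organization", "instance_name",
                "request_time", "external_request_id", "total_duration")
NUMERIC_FIELDS = ("request_time", "total_duration")

# BSD layout: <PRI>Mmm dd HH:MM:SS host message
SYSLOG_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$",
    re.S)


def split_syslog(line):
    """Split a BSD syslog line into facility, severity, host and message body."""
    m = SYSLOG_LINE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line")
    pri = int(m["pri"])
    return {"facility": pri >> 3, "severity": pri & 7, "host": m["host"], "message": m["msg"]}


def parse_audit_record(doc):
    """Return the audit record carried in a collector document's _source.message.

    Accepts the body either as bare JSON or still wrapped in its syslog header.
    Raises ValueError for anything that is not a complete audit record.
    """
    try:
        message = doc["_source"]["message"]
    except (KeyError, TypeError):
        raise ValueError("document has no _source.message") from None
    body = split_syslog(message)["message"] if message.startswith("<") else message
    try:
        record = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError("audit body is not JSON: %s" % exc) from None
    if not isinstance(record, dict):
        raise ValueError("audit body is not a JSON object")
    missing = [f for f in AUDIT_FIELDS if f not in record]
    if missing:
        raise ValueError("audit record missing fields: %s" % missing)
    for f in NUMERIC_FIELDS:
        record[f] = int(record[f])  # agents sometimes forward numbers as strings
    # Keep only the DB columns so the record can be inserted into authorization_audit as-is.
    return {f: record[f] for f in AUDIT_FIELDS}


def load_records(docs):
    """Parse a batch of collector documents; returns (records, [(index, reason), ...])."""
    records, errors = [], []
    for i, doc in enumerate(docs):
        try:
            records.append(parse_audit_record(doc))
        except ValueError as exc:
            errors.append((i, str(exc)))
    return records, errors


def _record(rid, entity, ts, dur):
    """Constructed audit body with placeholder values."""
    return json.dumps({"request_id": rid, "request": "{}", "response": "{}", "ip": "10.0.0.5",
                       "client_id": "web-app", "entity_id": entity, "entity_type": "user",
                       "request_type": "decision", "organization": "acme",
                       "instance_name": "pdp-1", "request_time": ts,
                       "external_request_id": "ext-" + rid, "total_duration": dur})


# Constructed sample documents: two valid records, one non-JSON body, one missing _source.
SAMPLE_DOCS = [
    {"_source": {"message": "<14>Jan  3 12:00:00 pdp-1 " + _record("r-1", "alice", 1700000000000, 12)}},
    {"_source": {"message": _record("r-2", "bob", "1700000060000", 9)}},
    {"_source": {"message": "<14>Jan  3 12:00:02 pdp-1 not json"}},
    {"message": "no _source wrapper"},
]

if __name__ == "__main__":
    recs, errs = load_records(SAMPLE_DOCS)
    print(recs)
    print(errs)
```

Rejected documents are reported with their index and reason rather than silently dropped; in a pipeline that feeds the DB table, count them, since a rising reject rate usually means the collector's parsing or the UDP path has started losing or mangling records.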