# Configure Audits

## Prerequisites

1. An existing Grey Matter deployment running on Kubernetes ([tutorial](https://greymatter.gitbook.io/grey-matter-documentation/1.3/installation/installation-kubernetes))
2. `kubectl` or `oc` set up with access to the cluster
3. `greymatter` CLI [set up](https://greymatter.gitbook.io/grey-matter-documentation/1.3/installation/commands-cli) with access to the deployment
4. An [ELK stack](https://greymatter.gitbook.io/grey-matter-documentation/1.3/guides/security-guides/audits/elk-stack) or a running [Kafka](https://kafka.apache.org/) cluster that is reachable from your Grey Matter deployment.

## Steps

### 1. Enable the observables filter

Choose a running Grey Matter sidecar to configure audits on. Get the `listener_key` for its ingress listener (run `greymatter list listener | grep listener_key` to see all keys), and run the following to enable the observables filter:

```bash
greymatter edit listener <listener-key>
```

Add `"gm.observables"` to the existing list of `active_http_filters`. Change the `topic` field of the following configuration to your service name and add it to the `http_filters` map, so that the listener object looks like:

```json
  ...
  "active_http_filters": [..., "gm.observables"],
  "http_filters": {
    ...
    "gm_observables": {
      "useKafka": true,
      "topic": "<service-name>",
      "eventTopic": "greymatter",
      "kafkaServerConnection": "kafka-observables.observables.svc:9092"
    }
  }
```

Save to apply.

See the [observables filter documentation](https://greymatter.gitbook.io/grey-matter-documentation/1.3/reference/api/fabric-api/filters/http/gm-observables#filter-configuration-options) for all configuration options.

> Note: If you are pointing at a Kafka cluster not configured with the [ELK stack guide](https://greymatter.gitbook.io/grey-matter-documentation/1.3/guides/security-guides/audits/elk-stack), replace the `kafkaServerConnection` with the correct address for your servers.

### 2. Test and verify

Make a request to the service on which you enabled the observables filter. In the service logs, you should see:

```text
INF Message publishing to Kafka Encryption= EncryptionKeyID=0 Filter=Observables Topic=<service-name>
```

You can then move on to [visualize audits in the Kibana dashboard](https://greymatter.gitbook.io/grey-matter-documentation/1.3/guides/security-guides/audits/visualize-audits), or, if you would like to view the audits using a Kafka consumer, continue [below](#view-observables-in-kafka).

#### View Observables in Kafka

To spin up a Kafka consumer, run:

```bash
kubectl run kafka-observables-client --rm --tty -i --restart='Never' --image docker.io/bitnami/kafka:2.4.0-debian-9-r22 --namespace observables --command -- bash
```

From within the client, run the following to view the existing audits:

```bash
kafka-console-consumer.sh --topic greymatter --from-beginning --bootstrap-server kafka-observables.observables.svc:9092
```

There you can see the audits. For a breakdown of their structure, see the [usage documentation](https://greymatter.gitbook.io/grey-matter-documentation/1.3/usage/security/auditing).
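
A check for the listener object edited in step 1 and the log line from step 2, as an added example that is not Grey Matter's own code. It assumes the listener is available as a JSON object with the fields shown in step 1; the sample listener key, the service name `catalog` and the function names are constructed for illustration.

```python
import json
import re

# Constructed sample listener, shaped like the step 1 snippet. The listener_key
# value and the placeholder topic are illustrative, not from a real deployment.
SAMPLE_LISTENER = json.loads("""{
  "listener_key": "example-listener",
  "active_http_filters": ["gm.observables"],
  "http_filters": {"gm_observables": {
      "useKafka": true, "topic": "<service-name>", "eventTopic": "greymatter",
      "kafkaServerConnection": "kafka-observables.observables.svc:9092"}}
}""")
# Constructed log line in the step 2 format, for a hypothetical service "catalog".
SAMPLE_LOG = ("INF Message publishing to Kafka Encryption= EncryptionKeyID=0 "
              "Filter=Observables Topic=catalog")

def audit_findings(listener):
    """Return the problems that would stop this listener from emitting audits."""
    findings = []
    if "gm.observables" not in (listener.get("active_http_filters") or []):
        findings.append("gm.observables not in active_http_filters")
    cfg = (listener.get("http_filters") or {}).get("gm_observables")
    if not cfg:
        return findings + ["http_filters.gm_observables block missing"]
    topic = cfg.get("topic") or ""
    if not topic or topic.startswith("<"):
        findings.append("topic is unset or still a placeholder")
    if cfg.get("useKafka") is not True:
        findings.append("useKafka is not true")
    elif not cfg.get("kafkaServerConnection"):
        findings.append("kafkaServerConnection is empty")
    return findings

def parse_publish_log(line):
    """Split the step 2 log line into its key=value fields; None if no match."""
    m = re.search(r"Message publishing to Kafka (.*)$", line)
    return dict(re.findall(r"(\w+)=(\S*)", m.group(1))) if m else None

def publish_confirmed(line, service):
    """True when the line shows the observables filter publishing for service."""
    f = parse_publish_log(line)
    return bool(f) and f.get("Filter") == "Observables" and f.get("Topic") == service

if __name__ == "__main__":
    print(audit_findings(SAMPLE_LISTENER))
    print(parse_publish_log(SAMPLE_LOG), publish_confirmed(SAMPLE_LOG, "catalog"))
```

The sample listener is flagged because its `topic` is still the `<service-name>` placeholder. An empty `Encryption` field in the log line is returned as an empty string so it can be reviewed alongside `EncryptionKeyID`.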

## Next Steps

Have your audits configured? Take the next step and learn how to [visualize your audit data](https://greymatter.gitbook.io/grey-matter-documentation/1.3/guides/security-guides/audits/visualize-audits).

{% content-ref url="visualize-audits" %}
[visualize-audits](https://greymatter.gitbook.io/grey-matter-documentation/1.3/guides/security-guides/audits/visualize-audits)
{% endcontent-ref %}

## Questions

{% hint style="success" %}
**Need help configuring audits?**

Create an account at [Grey Matter Support](https://support.greymatter.io/support/home) to reach our team.
{% endhint %}
