Visualize Audits

Visualize audit data from Grey Matter using Kibana.

This guide will help you leverage the Kibana dashboard to visualize your Grey Matter audit data.

Prerequisites

To complete this tutorial, you’ll need an understanding of, and local access to the following environments and tools:

• Unix/Linux setup

• Microservices and mesh architecture

• Grey Matter Sidecar - v0.7.2+

• Grey Matter Discovery Service -v2.0.2

• How to configure the Grey Matter Sidecar

• Docker (https://docs.docker.com/install/) - v17.03 and newer

• Docker Compose (https://docs.docker.com/compose/install/)

• Kafka - v2.12-0 - 10.2.1

• Elasticsearch

• Kibana

• Configure Audits

Step 1: Configure Audits

If you haven't already done so, complete our guide to help you configure audits with the Grey Matter Sidecar.

Configure Audits

When you've completed that guide, proceed to Step 2: Audit Proxy Observable Consumer (APOC).

Step 2: Audit Proxy Observable Consumer (APOC)

The Audit Proxy Observable Consumer (APOC) reads from Kafka and submits the information to Elasticsearch asynchronously for maximum throughput.

APOC's goals include:

• Listening to given Kafka topic(s)

• Taking every event that is emitted into Kafka

• Transforming those events

• Submitting them to a given Elasticsearch index

Message Transformation

When a message is transformed by the APOC, event mappings are also added. The message will default to the following HTTP types found below:

{"GET": "ACCESS",
               "POST": "CREATE",
               "DELETE": "REMOVE",
               "PUT": "MODIFY"}

The message can also be changed for individual routes by adding the following settings:

EVENT_TYPE_MAPPINGS:
 GET:
   - uri: "/activities"
     eventType: "EventSearchQry"
 POST:
   - uri: "/analyses/pos"
     eventType: "EventAccess"

During the transformation action_locations are added to the audit event. These consist of an IP address identifier based on the x-forwarded-for in the header of the request.

action_targets is added consisting of {x=forwarded-proto}://{:authority}{x-envoy-original-path}.

Determine Value of Creator

A creator is then added to the auditing payload, and follows these steps to determine its value.

• Allow for configuring an override default to that in the environment variable or settings.yaml or JSON.

• If there is a request header named application , use it.

• See if there is a request header named service , use it.

• Extrapolate the name if the request url contains /apps/{value}/ or /services/{value}/ x-envoy-original-path.

• Hard code a default. For instance, you could use service if none of the previous parameters are set.

In this configuration, the transformation will try to find user information in the request header and set action_initiator to be the userdn from the request. time_audited is also added to the audit information. This is the system time at which the audit transformation is completed by the APOC. Finally, if a GEO_DATABASE is supplied, the transformation will try to find the geographical location of the request based on the last IP address in the x_forwarded_for header field. The full information is added to the audit information as geo_ip, but basic location (lat and long) is added as location.

Questions?

Need help getting a dashboard up so you can visualize observables?

Create an account at Grey Matter Support to reach our team.