Home / Kong Gateway
Edit
Report

Kong Gateway audit logs

Uses: Kong Gateway
Related Documentation
All Gateway Documentation
Incompatible with
konnect
Tags
#logging #audit-logging
Related Resources
Secure Kong Gateway
Kong Gateway logs
Konnect platform audit logs
Sign Kong Gateway audit logs with an RSA key

You can generate Kong Gateway audit logs using the Admin API. Audit logs provide details about:

  • HTTP requests handled by the Admin API
  • Database changes

This allows cluster administrators to keep track of changes made to the cluster configuration throughout its lifetime, aiding in compliance efforts and providing valuable data points during forensic investigations.

Because every audit log entry is made available via Kong Gateway’s Admin API, you can send audit log entries into existing logging warehouses, SIEM solutions, or other remote services for duplication and inspection.

What type of events are included in audit logs?

Kong Gateway includes details about the following in audit logs:

Event

Fields

Endpoint

Description
RBAC rbac_user_id
rbac_user_name 		/audit/requests When RBAC is enforced, the RBAC user’s UUID will be written to the rbac_user_id field in the audit log entry, and the username will be written to the rbac_user_name field.
Workspace workspace /audit/requests The workspace field is the UUID of the Workspace with which the request is associated.
Kong Manager login "request_source": "kong-manager"
"method": "GET", "path": "/auth" 		/audit/requests The request_source field tells you that the action occurred in Kong Manager, and the GET method and /auth path indicate a login event.
Kong Manager logout "request_source": "kong-manager"
"method": "DELETE", "path": "/auth?session_logout=true" 		/audit/requests The DELETE method and /auth?session_logout=true path indicate a logout event.
Database entity changes payload (contains changed objects)
request_id 		/audit/objects Entries for all insertions, updates, and deletions to the cluster database. Database update audit logs are also associated with Admin API request unique IDs. Object audit entries contain information about the entity updated, including the entity body itself, its database primary key, and the type of operation performed (create, update, or delete). It’s also associated with the request_id field.

Enable audit logging

Audit logging is disabled by default. Configure it with the audit_log Kong Gateway configuration in kong.conf:

audit_log = on

Or via environment variables:

export KONG_AUDIT_LOG=on

As with other Kong configurations, changes take effect on kong reload or kong restart.

Disable audit logging for certain methods, paths, or database entities

You may want to ignore audit log generation for certain Admin API requests, such as requests to the /status endpoint for health checking, or to ignore requests to a specific path prefix, for example, a given Workspace. You can use the following configuration options in kong.conf:

Parameter Description
audit_log_ignore_methods

Comma-separated list of HTTP methods that will not generate audit log entries. By default, all HTTP requests will be logged.
audit_log_ignore_paths

Comma-separated list of request paths that will not generate audit log entries. By default, all HTTP requests will be logged.

For example, if you set audit_log_ignore_methods = GET,OPTIONS, you won’t get any audit log entries for GET or OPTIONS requests.

The values of audit_log_ignore_paths are matched via a Perl-compatible regular expression.

For example, when you configure audit_log_ignore_paths = /foo,/status,^/services,/routes$,/one/.+/two,/upstreams/, the following request paths don’t generate an audit log entry in the database:

  • /status
  • /status/
  • /foo
  • /foo/
  • /services
  • /services/example/
  • /one/services/two
  • /one/test/two
  • /routes
  • /plugins/routes
  • /one/routes/two
  • /upstreams/
  • bad400request

The following request paths generate an audit log entry in the database:

  • /example/services
  • /routes/plugins
  • /one/two
  • /routes/
  • /upstreams

As with request audit logs, you may want to skip generation of audit logs for certain database tables:

Parameter Description
audit_log_ignore_tables

Comma-separated list of database tables that will not generate audit log entries. By default, updates to all database tables will be logged (the term “updates” refers to the creation, update, or deletion of a row).

For example, audit_log_ignore_tables = consumers would skip generating audit logs for changes to the Consumers table.

Audit log retention

Audit log records are kept in the database for a duration defined by the audit_log_record_ttl Kong Gateway configuration property. Records in the database older than the seconds configured in audit_log_record_ttl are automatically purged.

PostgreSQL purges records via the stored procedure that is executed on insert into the record database. Therefore, request audit records may exist in the database longer than the configured TTL if no new records are inserted to the audit table following the expiration timestamp.

Sign audit logs with a private RSA key

To provide non-repudiation, audit logs may be signed with a private RSA key by using audit_log_signing_key. When enabled, a lexically sorted representation of each audit log entry is signed by the defined private key, and the signature is stored in an additional field within the record itself. The public key should be stored elsewhere and can be used later to validate the signature of the record. For more information, see Sign Kong Gateway audit logs with an RSA key.

Something wrong?
Report an Issue | Edit this Page

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!
Contribute

Still need help

Ask in our Forum
Contact Support