Home / How-to Guides
Edit
Report

Collect Konnect audit logs

Uses: Kong Gateway AI Gateway Konnect API
Incompatible with
on-prem
Related Documentation
Gateway Documentation
Tags
#security #logging #audit-logging
Related Resources
Konnect audit logs
Recover Konnect audit logs
Configure an HTTPS data collection endpoint in SumoLogic
Collect Dev Portal audit logs
Minimum Version
Kong Gateway - 3.4
TL;DR

Create an HTTPS data collection endpoint and access key in your SIEM provider and save their values. Configure the audit log webhook endpoint (/audit-log-webhook) in Konnect with the provider endpoint (endpoint), the access key (authorization), and set log_format: cef and enabled: true.

This tutorial uses SumoLogic, but you can apply the same steps to your provider.

Prerequisites

Kong Konnect

This is a Konnect tutorial and requires a Konnect personal access token.

  1. Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.

  2. Export your token to an environment variable:

     export KONNECT_TOKEN='YOUR_KONNECT_PAT'

  3. Run the quickstart script to automatically provision a Control Plane and Data Plane, and configure your environment:

     curl -Ls https://get.konghq.com/quickstart | bash -s -- -k $KONNECT_TOKEN --deck-output

    This sets up a Konnect Control Plane named quickstart, provisions a local Data Plane, and prints out the following environment variable exports:

     export DECK_KONNECT_TOKEN=$KONNECT_TOKEN
 export DECK_KONNECT_CONTROL_PLANE_NAME=quickstart
 export KONNECT_CONTROL_PLANE_URL=https://us.api.konghq.com
 export KONNECT_PROXY_URL='http://localhost:8000'

    Copy and paste these into your terminal to configure your session.

SumoLogic SIEM provider

To use the audit log webhook, you need a configured SIEM provider. In this tutorial, we’ll use SumoLogic, but you can use any SIEM provider that supports the ArcSight CEF Format or raw JSON. Konnect supports any HTTP authorization header type.

Before you can push audit logs to your SIEM provider, configure the service to receive logs. This configuration is specific to your vendor.

In this tutorial, we’ll configure an HTTPS data collector and source in SumoLogic.

  1. In the SumoLogic sidebar, click Data Management > Collection.
  2. Click Add Collector.
  3. Click Hosted Collector.
  4. In the Name field, enter Konnect.
  5. When prompted to add a new data source to the collector, click OK.
  6. Select HTTP Logs & Metrics.
  7. In the Name field, enter Konnect.
  8. Click OK.
  9. Copy and export the SumoLogic endpoint URL in terminal: 
    export SIEM_ENDPOINT='YOUR-SIEM-HTTP-ENDPOINT'
  10. In the SumoLogic sidebar, click Administration > Account Security Settings > Access Keys to create an access key.
  11. Click Add Access Key.
  12. In the Name field, enter Konnect.
  13. Click Save.
  14. Export the access key as an environment variable in your terminal: 
    export SIEM_TOKEN='YOUR-ACCESS-KEY'
  15. Click Done.

If needed, configure your network’s firewall settings to allow traffic through the 8071 TCP or UDP port that Konnect uses for audit logging. See the Konnect ports and network requirements.

Set up the audit log destination

Now that you have an external endpoint and authorization credentials, you can set up a webhook in Konnect.

Create an audit log destination by sending a POST request to the /audit-log-destinations endpoint with the connection details for your SIEM vendor:

 curl  -X POST "https://global.api.konghq.com/v3/audit-log-destinations" \
     --no-progress-meter --fail-with-body  \
     -H "Authorization: Bearer $KONNECT_TOKEN"\
     -H "Authorization: Bearer $KONNECT_TOKEN"\
     -H "Content-Type: application/json" \
     --json '{
       "endpoint": "'$SIEM_ENDPOINT'",
       "authorization": "'$SIEM_TOKEN'",
       "log_format": "cef",
       "name": "Example destination"
     }'

Export the ID of the new destination to your environment:

export DESTINATION_ID='YOUR DESTINATION ID'

Enable the webhook on Konnect

Create a webhook by sending a PATCH request to the /audit-log-webhook endpoint with the audit log destination:

 curl  -X PATCH "https://us.api.konghq.com/v3/audit-log-webhook" \
     --no-progress-meter --fail-with-body  \
     -H "Authorization: Bearer $KONNECT_TOKEN" \
     --json '{
       "audit_log_destination_id": "'$DESTINATION_ID'",
       "enabled": true
     }'

Webhooks are triggered via an HTTPS request using the following retry rules:

  • Minimum retry wait time: 1 second
  • Maximum retry wait time: 30 seconds
  • Maximum number of retries: 4

A retry is performed on a connection error, server error (500 HTTP status code), or too many requests (429 HTTP status code).

Validate

To validate that the webhook is configured correctly, send an API request using the Konnect API:

 curl  -X GET "https://us.api.konghq.com/v2/control-planes" \
     --no-progress-meter --fail-with-body  \
     -H "Authorization: Bearer $KONNECT_TOKEN"

This should trigger a log in SumoLogic. Sometimes it can take a minute to populate the logs.

In the SumoLogic UI, navigate to the log search and search for _source=Konnect.

You should see logs like the following:

2025-06-18T21:02:36Z konghq.com CEF:0|KongInc|Konnect|1.0|konnect|Authz.control-planes|1|rt=1750280466889 src=127.0.0.6 action=list granted=true org_id=777db3e4-5cb7-4dd5-b51c-9878096a6999 principal_id=eb999f01-5976-4f4b-9fbc-dd5d514bd675 trace_id=3959872677347089807 user_agent=grpc-node-js/1.12.4 sig=KbLaBhQFnggT_8CyC95b777R1_fGvvLVDn7awjZK8eZLdGPrSvnS-sxJw63j930eKr-VTsQv8-TQTD_GVmAPAQ

Cleanup

Clean up Konnect environment

If you created a new control plane and want to conserve your free trial credits or avoid unnecessary charges, delete the new control plane used in this tutorial.

Something wrong?
Report an Issue | Edit this Page

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!
Contribute

Still need help

Ask in our Forum
Contact Support