Audit Stream

Audit streaming provides enterprise-tier customers with the ability to stream their audit events to their chosen security information and event management (SIEM) solution.

Audit streaming is only available from Octopus 2022.4 onwards.

Configure Audit Stream

You can configure the audit stream from the Audit page in the Configuration area. Click Stream Audit Log to open the configuration dialog.


Currently we support streaming to OpenTelemetry (OTLP) compatible providers as well as directly to Splunk and Sumo Logic.


Looking to connect to a SIEM solution that is not currently supported? Let us know in our feedback form.

Streaming to OpenTelemetry (OTLP)

OpenTelemetry support is only available from Octopus 2024.4.6705 onwards.

Refer to your SIEM solution's documentation for how to set up collection via OpenTelemetry. Some providers accept OTLP directly, while others recommend hosting your own OpenTelemetry Collector and using one of its exporters to forward the data to the SIEM.

Once you have set up the collector, you will need to provide the connection details in Octopus:

  • OpenTelemetry Endpoint URL - The collection endpoint. For HTTP/protobuf the logs path is /v1/logs, so in most cases you will need to append /v1/logs to the URL; for gRPC the endpoint is the host and port without a path
  • OTLP Protocol - The protocol to use, HTTP/protobuf (also known as OTLP/HTTP) or gRPC
  • Secret - The authentication token to use, see below
  • Header - Any HTTP headers required by the collector

There is no standard authentication mechanism for OpenTelemetry, so authentication has to be configured to suit the collector. If the collector requires no authentication, leave the Secret blank. You can use the #{Secret} replacement token to insert the secret into the URL or the header values; this keeps the token itself in the Secret field rather than in the URL or header text you enter.

Common configurations are:

  • Token in the URL - Remove the token from the URL and replace it with #{Secret}. Place the token into the Secret field.
  • Custom Header - Add a header with the required key and value of #{Secret}
  • Bearer Authentication - Add a header with key Authorization and value Bearer #{Secret} or Bearer #{Secret | ToBase64} if the secret needs to be Base64 encoded
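As an added example (not code from the Octopus documentation or product), the following Python script stands in for an OTLP/HTTP logs collector so the endpoint path and the three header configurations above can be smoke-tested before the audit stream is pointed at a real SIEM. The render_secret function is a simplified re-implementation of the #{Secret} replacement described above, supporting only the ToBase64 filter; the secret value, listen address and hostname in the templates are constructed for the example.

```python
"""Stand-in OTLP/HTTP logs collector for checking an audit stream configuration.

Added example; not part of Octopus or the OpenTelemetry project. It accepts
POSTs to /v1/logs with a bearer token and rejects everything else. The
render_secret() helper mimics the documented #{Secret} replacement so the same
template strings can be checked here before they are entered in Octopus.
"""
import base64
import hmac
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed values for this example; substitute your own.
SECRET = "s3cr3t-token"
LISTEN = ("127.0.0.1", 4318)      # 4318 is the conventional OTLP/HTTP port
ACCEPTED_TYPES = ("application/x-protobuf", "application/json")

# Matches "#{Secret}" and "#{Secret | Filter}"; only ToBase64 is implemented.
_SECRET_RE = re.compile(r"#\{Secret(?:\s*\|\s*(\w+))?\}")


def render_secret(template: str, secret: str) -> str:
    """Expand #{Secret} and #{Secret | ToBase64} in a URL or header value.

    Simplified stand-in for the Octopus replacement token. An unknown filter
    raises rather than silently leaving the token unexpanded.
    """
    def expand(m):
        flt = m.group(1)
        if flt is None:
            return secret
        if flt == "ToBase64":
            return base64.b64encode(secret.encode("utf-8")).decode("ascii")
        raise ValueError(f"unsupported filter in template: {flt}")
    return _SECRET_RE.sub(expand, template)


def check_request(path: str, headers: dict, expected_secret: str) -> int:
    """Return the HTTP status a bearer-authenticated /v1/logs endpoint gives.

    Header names are matched case-insensitively. Authentication is checked
    before the content type, so an unauthenticated client learns nothing
    about what the endpoint accepts, and the token comparison is
    constant-time.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if path != "/v1/logs":
        return 404
    presented = hdrs.get("authorization", "").encode("utf-8")
    expected = f"Bearer {expected_secret}".encode("utf-8")
    if not hmac.compare_digest(presented, expected):
        return 401
    ctype = hdrs.get("content-type", "").split(";")[0].strip()
    if ctype not in ACCEPTED_TYPES:
        return 415
    return 200


class Collector(BaseHTTPRequestHandler):
    """Minimal handler: reads the body, applies check_request, replies."""

    def do_POST(self) -> None:
        length = int(self.headers.get("Content-Length", "0"))
        self.rfile.read(length)  # body is protobuf or JSON; not decoded here
        status = check_request(self.path, dict(self.headers.items()), SECRET)
        if status == 200:
            print(f"accepted {length} bytes of {self.headers.get('Content-Type')}")
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()


if __name__ == "__main__":
    # Templates as they would be entered in Octopus, with the token supplied
    # through the Secret field instead of being pasted into the text.
    for template in ("Bearer #{Secret}",
                     "Bearer #{Secret | ToBase64}",
                     "https://collector.example/v1/logs?token=#{Secret}"):
        print(f"{template!r} -> {render_secret(template, SECRET)!r}")
    print(f"listening on http://{LISTEN[0]}:{LISTEN[1]}/v1/logs")
    HTTPServer(LISTEN, Collector).serve_forever()
```

Run the script, point a test audit stream (HTTP/protobuf, endpoint http://127.0.0.1:4318/v1/logs, header Authorization: Bearer #{Secret}) at it, and trigger an audited action; a 401 or 404 in the console identifies a header or path mistake before any data leaves for the real SIEM. The server here is plain HTTP for local testing only; a real collector should terminate TLS.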

Streaming to Splunk

An HTTP Event Collector (HEC) is required to stream audit events to Splunk. See the Splunk documentation for how to set up an HTTP Event Collector. Once you have set up a collector, you will need to provide two configuration values in Octopus:

  • Splunk Endpoint URL: The base URL of your Splunk instance, including the port the HEC listens on (8088 by default, for example https://splunk.example.com:8088)
  • Token: The Token Value of your HTTP Event Collector

Streaming to Sumo Logic

An HTTP Logs and Metrics Source is required to stream audit events to Sumo Logic. See the Sumo Logic documentation for how to set up an HTTP Logs and Metrics Source. Once you have set up a collector, you will need to provide a single configuration value in Octopus:

  • Sumo Logic Endpoint URL: The URL of your HTTP Source. This is treated as a sensitive value because the token for the collector is included in the URL, so anyone who obtains the URL can post data to the source; handle it as you would a credential

Updating the Audit Stream

Once you have saved an initial configuration of the audit stream, the status on the UI will update to reflect that streaming is now enabled. Any new audit events will also be streamed to your SIEM solution.

You can change the audit stream configuration by clicking Stream Audit Log again. This will open a pop-up menu with the following options:

  • Edit: You can select a different SIEM provider or make changes to the configured endpoint.
  • Pause/Resume: You can pause audit streaming, preventing any new audit events from being streamed to the configured endpoint. This will show as Resume if the audit stream is already paused.
  • Delete: You can delete the audit stream configuration, which will clear any data relating to the audit stream and prevent any new audit events from being streamed.



Page updated on Sunday, January 1, 2023