Contact UsGet started

Uploading audit logs to SIEM KUMA

Written by
Updated at December 16, 2024

In this tutorial, you will create an Audit Trails trail that will provide audit logs to the KUMA collector.

The solution described in the tutorial works as follows:

  1. A trail uploads logs to an Yandex Object Storage bucket with encryption enabled.
  2. The bucket is mounted as a part of the file system on the server with the KUMA collector installed.
  3. The KUMA collector receives event data from the mounted bucket and forwards it for processing.

To configure delivery of audit log files to KUMA:

  1. Prepare your cloud.
  2. Prepare the environment.
  3. Create a bucket.
  4. Create a trail.
  5. Mount the bucket on a server.
  6. Configure the KUMA collector.

If you no longer need the resources you created, delete them.

Prepare your cloud

Sign up for Yandex Cloud and create a billing account:

  1. Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.

If you have an active billing account, you can go to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

The cost of support for a new Yandex Cloud infrastructure includes:

In addition, to complete the tutorial you will need a KUMA user license (not supplied by Yandex Cloud).

Prepare the environment

Create service accounts

The infrastructure you are creating will require two service accounts: one for the Object Storage bucket, the second for the trail in Audit Trails.

To create the service accounts:

  1. In the management console, go to the folder you want to create an infrastructure in.
  2. In the list of services, select Identity and Access Management.
  3. Click Create service account.
  4. Enter a name of the service account for the bucket: kuma-bucket-sa.
  5. Click Create.
  6. Repeat steps 3-5 to create the kuma-trail-sa service account for the trail.

Create a static access key

To mount the bucket on a server with a KUMA collector installed, create a static access key for the kuma-bucket-sa service account:

  1. In the management console, go to the folder you want to create an infrastructure in.

  2. In the list of services, select Identity and Access Management.

  3. In the left-hand panel, select Service accounts.

  4. Select the kuma-bucket-sa service account.

  5. In the top panel, click Create new key and select Create static access key.

  6. Specify the key description and click Create.

  7. Save the ID and secret key: you will need them later when mounting the bucket on the server.

    Alert

    After you close the dialog, the key value will become unavailable.

Create an encryption key

To create a new symmetric encryption key:

  1. In the management console, go to the folder you want to create an infrastructure in.

  2. In the list of services, select Key Management Service.

  3. In the left-hand panel, select Symmetric keys.

  4. Click Create key and set the key attributes:

    • Name: kuma-key.
    • Encryption algorithm, e.g. AES-256.

  5. Click Create.

Assign roles to the service accounts

  1. To assign roles for a folder to service accounts:

    1. In the management console, go to the folder you want to create an infrastructure in.

    2. Go to the Access bindings tab.

    3. Click Configure access.

    4. In the window that opens, select Service accounts.

    5. Select the kuma-trail-sa service account from the list, use the search if required.

    6. Click Add role; in the window that opens, select the audit-trails.viewer role.

      Repeat this step and add the storage.uploader role.

    7. Click Save.

    8. Repeat steps 3-7 to assign the storage.viewer role for the folder to the kuma-bucket-sa service account.

  2. To assign the kms.keys.encrypterDecrypter role for the encryption key created earlier to the service accounts:

    1. In the management console, go to the folder you want to create an infrastructure in.
    2. In the list of services, select Key Management Service.
    3. In the left-hand panel, select Symmetric keys and click on the line with kuma-key.
    4. Go to Access bindings and click Assign bindings.
    5. Select the kuma-trail-sa service account.
    6. Click Add role and select the kms.keys.encrypterDecrypter role.
    7. Click Save.
    8. Repeat steps 3-7 to assign the kms.keys.encrypterDecrypter role for the encryption key to the kuma-bucket-sa service account.

Create a bucket

To create a bucket for the trail to save audit logs to:

  1. In the management console, go to the folder you want to create an infrastructure in.

  2. In the list of services, select Object Storage.

  3. At the top right, click Create bucket.

  4. In the ** Name** field, enter a name for the bucket, e.g., my-audit-logs-for-kuma.

    Note

    Bucket names must be unique throughout Object Storage, which means you cannot create two buckets with the same name even in different folders belonging to different clouds.

  5. In the Max size field, set the size of the bucket you are creating or enable No limit.

  6. Leave all other parameters as they are and click Create bucket.

  7. On the page with a list of buckets that opens, select the new bucket.

  8. In the left-hand menu, select Securityand go to the Encryption tab.

  9. In the KMS Key field, select the previously created kuma-key.

  10. Click Save.

Create a trail

To create a trail:

  1. In the management console, go to the folder you want to create an infrastructure in.

  2. Select Audit Trails.

  3. In the window that opens, click Create trail:

    1. In the Name field, enter a name for the trail: kuma-trail.

    2. Under Destination, configure the destination object:

      • Destination: Object Storage.
      • Bucket: Bucket you created earlier, e.g., my-audit-logs-for-kuma.
      • Object prefix: Optional parameter used in the full name of the audit log file.

      Note

      Use a prefix to store audit logs and third-party data in the same bucket. Do not use the same prefix for logs and other bucket objects because that may cause logs and third-party objects to overwrite each other.

    3. Make sure the Encryption key field contains the encryption key named kuma-key. If the encryption key is not set, click Add and select this key.

    4. Under Collecting management events, configure the collection of management event audit logs:

      • Collecting events: Select Enabled.
      • Resource: Select Folder.
      • Folder: Automatically populated field containing the name of the current folder.

    5. Under Service account above, select the kuma-trail-sa service account.

    6. Under Collecting data events, keep the Disabled value.

    7. Click Create.

Mount the bucket on a server

Perform this action on the server you are going to install the KUMA collector on. As a server, you can use a Yandex Compute Cloud VM or your own hardware. In this tutorial, we will use a Compute Cloud VM.

To mount the bucket on a server:

  1. Create a virtual machine from the Ubuntu 22.04 LTS public image.

  2. Connect to the VM via SSH or OS Login.

  3. Create a new user named kuma:

    sudo useradd kuma

  4. Create the kuma user's home directory:

    sudo mkdir /home/kuma

  5. Create a file with a static access key and grant permissions for it to the kuma user:

    sudo bash -c 'echo <access_key_ID>:<secret_access_key> > /home/kuma/.passwd-s3fs'
sudo chmod 600 /home/kuma/.passwd-s3fs
sudo chown -R kuma:kuma /home/kuma

    Where <access_key_ID> and <secret_access_key> are the previously saved values ​​of the static access key of the kuma-bucket-sa service account.

  6. Install the s3fs package:

    sudo apt install s3fs

  7. Create a directory that will serve as a mount point for the bucket and grant permissions for it to the kuma user:

    sudo mkdir /var/log/yandex-cloud/
sudo chown kuma:kuma /var/log/yandex-cloud/

  8. Mount the bucket you created earlier by specifying its name:

    sudo s3fs <bucket_name> /var/log/yandex-cloud \
  -o passwd_file=/home/kuma/.passwd-s3fs \
  -o url=https://storage.yandexcloud.net \
  -o use_path_request_style \
  -o uid=$(id -u kuma) \
  -o gid=$(id -g kuma)

    You can configure automatic mounting of the bucket at operating system start-up by opening the /etc/fstab file (sudo nano /etc/fstab command) and adding the following line to it:

    s3fs#<bucket_name> /var/log/yandex-cloud fuse _netdev,uid=<kuma_uid>,gid=<kuma_gid>,use_path_request_style,url=https://storage.yandexcloud.net,passwd_file=/home/kuma/.passwd-s3fs 0 0

    Where:

    • <bucket_name>: Name of the bucket you created earlier, e.g., my-audit-logs-for-kuma.

    • <kuma_uid>: kuma user ID in the VM operating system.

    • <kuma_gid>: kuma user group ID in the VM operating system.

      To learn <kuma_uid> and <kuma_gid>, run the id kuma command in the terminal.

  9. Make certain that the bucket is mounted:

    sudo ls /var/log/yandex-cloud/

    If everything is configured correctly, the command will return the current contents of the audit event bucket.

The Yandex Cloud event transfer setup is complete. The events will reside in JSON files located at:

/var/log/yandex-cloud/{audit_trail_id}/{year}/{month}/{day}/*.json

Configure the KUMA collector

For this step, you will need the distribution and license files included with KUMA. Use them to install and configure the collector in the KUMA network infrastructure. For more information, see this guide.

Once the setup is successfully completed, audit events will start being delivered to KUMA. The KUMA web interface allows you to search for related events.

How to delete the resources you created

To stop paying for the resources you created:

  • Delete the trail.
  • Delete all objects in the bucket, then delete the bucket itself.
  • Delete the KMS encryption key.
  • Delete the service accounts.
  • Delete the VM if you had created one.
Previous
Uploading audit logs to ArcSight SIEM
Next
Overview