I’m using the TYK OSS version with the TYK operator. I have done my installation through Helm. I’m looking to track the audit logs of the TYK gateway so that I can check the security-related events and important actions and changes to the API. I have to separate these audit logs from regular logs. I need help understanding the necessary configuration changes.
@santosh_verma Hello and welcome to the community
I am not aware we have audit logs for the gateway component. Our docs talk about audit logs in relation to the Dashboard or Developer Portal.
Let us know if this is what you are looking for
Thanks @Olu for your reply,
Basically, we want to track the full audit trail of important actions and changes to the API, including authorization and access control changes. Do you mean we cannot track this on the gateway component?
Well … As a next step I have installed TYK pump and am now trying to integrate it with Splunk, so that we can push all logs (will add filters later) to Splunk. But as of now I am getting the below error in Splunk:
time="Aug 11 03:57:07" level=warning msg="Error Writing to: Splunk Pump - Error:got status code 400 and response '{"text":"Data channel is missing","code":10}'" prefix=main
Note: I have installed TYK on a GKE cluster with the below env variables:
- name: TYK_PMP_PUMPS_SPLUNK_TYPE
  value: "splunk"
- name: TYK_PMP_PUMPS_SPLUNK_META_COLLECTORTOKEN
  value: "xxxxxxxxxxxxxxxxxxxx"
- name: TYK_PMP_PUMPS_SPLUNK_META_COLLECTORURL
  value: "xxxxxxxxxx:8088"
- name: TYK_PMP_PUMPS_SPLUNK_META_SSLINSECURESKIPVERIFY
  value: "true"
Can you please help me understand and resolve this issue?
Hi @Olu, you may ignore the above 400 error. That was resolved when I unchecked “Enable indexer acknowledgement” on the Splunk HEC side.
Sorry for the late reply. I was on holiday.
The gateway doesn’t have an audit log feature. You may be able to retrieve some of the details you are looking for in a debug/verbose log of the interactions on the gateway, but I’m afraid that’s about it, unless you are interested in modifying the gateway source yourself and implementing this.
Is this still an issue or was the only blocker and error the 400 error?