Anypoint Audit Logs to Splunk
Author: Swaminathan Ramakrishnan
Changes made by users within Anypoint Platform organizations are logged through an audit logging service. The audit logging service provides a queryable history of actions performed within the Anypoint Platform. It keeps track of all users who have interacted with objects in the system and timestamps those actions. It also provides mechanisms for querying the set of users who have performed actions, the set of objects that had actions performed on them, and other endpoints that enable the querying of log entries.
NOTE: Users belonging to the Organization Administrator role or the Audit Log Viewer role on Anypoint Platform have access to both the UI and the Query API.
We will use the Anypoint Access Management API to log in to Anypoint Platform and the Audit Log Query API v2 to pull the audit logs from Anypoint Platform.

Prerequisites:
- Anypoint Platform Trial Account
- Splunk Enterprise Trial Account
Retrieve Audit Logs from Anypoint Platform
The Mule flow that retrieves audit logs from Anypoint Platform works as follows:
- The flow is triggered by a scheduler.
- The timestamp of the last activity fetched from Anypoint Platform is stored in the object store; for the initial run a default date is set. The Audit Log Query API returns 200 records per request, so the flow pages through the results until fewer than 200 are returned.
- A cache key variable is set so that the login to Anypoint Platform is cached rather than repeated on every run.

To retrieve the audit logs:
- Log in to Anypoint Platform using the Anypoint Access Management API.
Method: POST
Endpoint: http://anypoint.mulesoft.com/accounts/login
Payload:
{
  "username": "<Anypoint-username>",
  "password": "<Anypoint-password>"
}
Anypoint Platform serves these APIs over HTTPS; use https:// for both endpoints so that the credentials and the returned token are never sent in clear text.
- Retrieve the logs. The access token received in the response to the previous step is passed in the Authorization header to the Audit Log Query API v2.

Method: POST
Endpoint: http://anypoint.mulesoft.com/audit/v2/organizations/<Org-ID>/query
Payload:
{
  "startDate": "<lastFetchedDate>"
}
Note: <Org-ID> is the Organization ID, which is shown under Access Management -> Organization in Anypoint Platform. lastFetchedDate is the object store value retrieved at the beginning of the flow.
To Push Audit Logs to Splunk:
Go to Settings -> Data Inputs -> HTTP Event Collector -> Add New

Provide the token name and click Next.

In Input Settings, set the source type by selecting _json from the dropdown.
Add the required Splunk index(es) and click Review.

Review and submit.

Navigate to Settings -> Data Inputs -> HTTP Event Collector.

Enable the tokens under Global Settings -> All Tokens -> Enabled.

Add an HTTP Request component to the Mule flow and configure it as below:
Method: POST
URL: http://localhost:8088/services/collector/raw
Headers:
Authorization: "Splunk <Splunk-token>"
Content-Type: application/json
If "Enable SSL" is left checked in the HEC Global Settings (the default), the URL must use https:// instead of http://. Treat the HEC token like a password: it is a bearer credential that lets anyone who holds it write events into the index.

Run the Mule application and log in to Splunk at http://localhost:8000/ to search the forwarded events.

Note: The data shown above does not represent the actual audit log format or data; it is sample JSON.
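The three steps of the flow (login, paged audit-log query from the stored watermark, push to HEC) as an added Python example; this is not the page's Mule flow or any MuleSoft or Splunk code. The `limit`/`offset` paging fields, the login response field `access_token`, the query response field `data` and the per-event `time` field are assumptions, and the HTTP transport is injected so the logic can be exercised offline.

```python
import json

PAGE_SIZE = 200  # the page states the Audit Log Query API returns 200 records per request

def login_request(username, password):
    # Step 1: Access Management login. Credentials are in the body, so this
    # request must only travel over TLS (https, not the http shown on the page).
    return {"method": "POST", "url": "https://anypoint.mulesoft.com/accounts/login",
            "headers": {"Content-Type": "application/json"},
            "body": json.dumps({"username": username, "password": password})}

def query_request(token, org_id, start_date, offset):
    # Step 2: Audit Log Query API v2 with the token from step 1 as bearer auth.
    # "limit"/"offset" paging fields are an assumption; the page only shows startDate.
    url = f"https://anypoint.mulesoft.com/audit/v2/organizations/{org_id}/query"
    return {"method": "POST", "url": url,
            "headers": {"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
            "body": json.dumps({"startDate": start_date, "limit": PAGE_SIZE, "offset": offset})}

def hec_request(splunk_token, events):
    # Step 3: Splunk HEC raw endpoint (as on the page); one JSON event per line so the
    # _json sourcetype splits them. Use https if "Enable SSL" is on in HEC settings.
    return {"method": "POST", "url": "http://localhost:8088/services/collector/raw",
            "headers": {"Authorization": f"Splunk {splunk_token}", "Content-Type": "application/json"},
            "body": "\n".join(json.dumps(e) for e in events)}

def sync_audit_logs(post, store, creds, org_id, splunk_token, default_start):
    """One scheduler run. post(request) -> parsed JSON response; store is a dict
    standing in for the Mule object store. Returns the number of events forwarded.
    Assumed response shapes: login -> {"access_token": ...}, query -> {"data": [...]},
    each event carrying an ISO-8601 "time" field."""
    start = store.get("lastFetchedDate", default_start)  # default date on the first run
    token = post(login_request(*creds))["access_token"]
    offset, forwarded, newest = 0, 0, start
    while True:
        page = post(query_request(token, org_id, start, offset))["data"]
        if not page:
            break
        post(hec_request(splunk_token, page))
        newest = max([newest] + [e["time"] for e in page])  # ISO-8601 strings sort lexically
        forwarded += len(page)
        offset += len(page)
        if len(page) < PAGE_SIZE:  # a short page means there are no more records
            break
    store["lastFetchedDate"] = newest  # persist the watermark for the next run
    return forwarded
```

Because the watermark is the newest event time, an inclusive startDate will return that event again on the next run; deduplicate on the event's identifier in Splunk or advance the watermark by one millisecond before storing it.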