Author: Swaminathan Ramakrishnan

Changes made by users within Anypoint Platform organizations are logged through an audit logging service. The audit logging service provides a queryable history of actions performed within the Anypoint Platform. It keeps track of all users who have interacted with objects in the system and timestamps those actions. It also provides mechanisms for querying the set of users who have performed actions, the set of objects that had actions performed on them, and other endpoints that enable the querying of log entries.

NOTE: Users belonging to the Organization Administrator role or the Audit Log Viewer role on Anypoint Platform have access to both the UI and the Query API.

We will use the Anypoint Access Management API to log in to Anypoint Platform and the Audit Log Query API v2 to pull the audit logs from Anypoint Platform.

Prerequisites:

  1. Anypoint Platform Trial Account
  2. Splunk Enterprise Trial Account

Retrieve Audit Logs from Anypoint Platform

Below is the Mule flow to retrieve audit logs from Anypoint Platform:

The flow is triggered by a scheduler.

The timestamp of the last activity on the Anypoint Platform is stored in the object store; for the initial run a default date is set. The Audit Log Query API fetches 200 records per request.

The cache key variable is set to cache the login to Anypoint Platform.

To retrieve the audit logs:

  • Login

Method: POST
Endpoint: http://anypoint.mulesoft.com/accounts/login
Payload:
{
    "username": <Anypoint-username>,
    "password": <Anypoint-password>
}

  • Retrieve Logs

The access token received in the response of the previous step is passed as the Authorization header to the Audit Log Query API v2.

Method: POST
Endpoint: http://anypoint.mulesoft.com/audit/v2/organizations/<Org-ID>/query
Payload:
{
    "startDate": <lastFetchedDate>
}

Note: The Org-ID is the Organization ID, which can be found under Access Management -> Organization in Anypoint Platform.

lastFetchedDate is the object store value which is retrieved at the beginning of the flow.

To Push Audit Logs to Splunk:

Go to Settings -> Data Inputs -> HTTP Event Collector -> Add New

Provide the Token Name and click Next.

In the input settings, set the source type by selecting _json from the dropdown.

Add the necessary Splunk indexes and click Review.

Review and Submit.

Navigate to Settings -> Data Inputs -> HTTP Event Collector

Enable the tokens under Global Settings -> All Tokens -> Enabled

Add an HTTP Request in the Mule code and configure it as below:

Method: POST

URL: http://localhost:8088/services/collector/raw

Headers:

Authorization: "Splunk <Splunk-token>"

Content-Type: application/json

Run the Mule application and log in to Splunk at http://localhost:8000/

Note: The data above does not represent the actual audit log format or data. It is a sample json.
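The whole pipeline described above (watermark from the store, cached login, audit query with startDate, push to HEC, watermark advanced only after Splunk accepted the batch), written here as an added Python example rather than the author's Mule flow. It talks to anypoint.mulesoft.com over HTTPS, since the login call carries a password and the query call carries a bearer token. The field names `access_token`, `data` and `time`, the sample records and the fake transport are assumptions constructed for the example; adjust the three names to what your responses actually contain.

```python
"""Added example, not the post's Mule flow: Anypoint audit logs -> Splunk HEC in Python."""
import json
import urllib.request
from typing import Callable, Dict, List

ANYPOINT = "https://anypoint.mulesoft.com"          # TLS: credentials and tokens travel here
LOGIN_URL = f"{ANYPOINT}/accounts/login"
HEC_URL = "https://localhost:8088/services/collector/raw"
DEFAULT_START = "1970-01-01T00:00:00.000Z"           # first-run default, like the object store default

# Assumed response field names (not taken from the page): token key, record list key, timestamp key.
TOKEN_KEY, DATA_KEY, TIME_KEY = "access_token", "data", "time"

Transport = Callable[[str, Dict[str, str], str], dict]


def post_json(url: str, headers: Dict[str, str], body: str) -> dict:
    """Real transport: POST a body and parse the JSON reply. TLS verification is urllib's default."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def login(post: Transport, username: str, password: str) -> str:
    """Step 1: exchange username/password for an access token (never log the body of this call)."""
    reply = post(LOGIN_URL, {"Content-Type": "application/json"},
                 json.dumps({"username": username, "password": password}))
    return reply[TOKEN_KEY]


def query_audit_logs(post: Transport, token: str, org_id: str, start_date: str) -> List[dict]:
    """Step 2: Audit Log Query API v2 with the token as the Authorization header."""
    url = f"{ANYPOINT}/audit/v2/organizations/{org_id}/query"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    reply = post(url, headers, json.dumps({"startDate": start_date}))
    return list(reply.get(DATA_KEY, []))


def newest_timestamp(records: List[dict], fallback: str) -> str:
    """Next watermark: the latest record time. Assumes one fixed ISO 8601 layout, so lexical max works."""
    return max((r[TIME_KEY] for r in records if TIME_KEY in r), default=fallback)


def to_hec_payload(records: List[dict]) -> str:
    """One JSON object per line so the raw endpoint can break the batch into one event per record."""
    return "\n".join(json.dumps(r, separators=(",", ":")) for r in records)


def push_to_splunk(post: Transport, hec_token: str, records: List[dict]) -> dict:
    """Step 3: HEC raw endpoint with the 'Splunk <token>' authorization scheme from the post."""
    headers = {"Authorization": f"Splunk {hec_token}", "Content-Type": "application/json"}
    return post(HEC_URL, headers, to_hec_payload(records))


def run_once(state: dict, creds: dict, org_id: str, hec_token: str, post: Transport = post_json) -> dict:
    """One scheduler tick. `state` plays the role of the Mule object store (watermark + cached login).
    The watermark advances only after Splunk accepted the batch, so a failed push is retried next tick."""
    start = state.get("lastFetchedDate", DEFAULT_START)
    token = state.get("token") or login(post, creds["username"], creds["password"])
    state["token"] = token
    records = query_audit_logs(post, token, org_id, start)
    if records:
        push_to_splunk(post, hec_token, records)
        state["lastFetchedDate"] = newest_timestamp(records, start)
    return {"fetched": len(records), "lastFetchedDate": state.get("lastFetchedDate", start)}


def fake_transport(calls: list) -> Transport:
    """Constructed stand-in for post_json so the example runs offline: records calls, returns canned replies."""
    sample = [  # constructed records; real entries have their own schema
        {"time": "2024-05-01T10:00:00.000Z", "action": "Create", "objectType": "API"},
        {"time": "2024-05-01T11:30:00.000Z", "action": "Delete", "objectType": "Application"},
    ]

    def post(url: str, headers: Dict[str, str], body: str) -> dict:
        calls.append((url, headers, body))
        if url == LOGIN_URL:
            return {TOKEN_KEY: "constructed-token"}
        if "/audit/v2/" in url:
            return {DATA_KEY: sample, "total": len(sample)}
        return {"text": "Success", "code": 0}

    return post


if __name__ == "__main__":
    calls: list = []
    store: dict = {}
    creds = {"username": "<Anypoint-username>", "password": "<Anypoint-password>"}
    print(run_once(store, creds, "<Org-ID>", "<Splunk-token>", post=fake_transport(calls)))
    print(run_once(store, creds, "<Org-ID>", "<Splunk-token>", post=fake_transport(calls)))  # login cached
```

Swap `fake_transport(calls)` for the default `post_json` to run it for real. Two things worth keeping in mind: if the API treats `startDate` inclusively, the newest record is fetched again on the next tick, so dedupe in Splunk on a record identifier; and the credentials and tokens belong in a secrets store, not in the flow's configuration in clear text.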
