This article explains how to route audit events for Aqua Enforcers that are not connected to an Aqua Console or Aqua Gateway.
Aqua's logging integrations are performed on the Aqua Console, with audit events collected from the Enforcer by the Aqua Gateway. If the Enforcer is not configured to talk to a Gateway, such as for standalone deployment, then the default configuration will keep all audit events in the Aquasec audit directory (default to /opt/aquasec/audit). This is problematic for hosts with a longer life cycle, as the accumulation of logs may eventually use all of the available disk space on the filesystem Aqua is installed upon.
To route these logs elsewhere, the Aqua enforcer can be configured to talk to syslog or to the System journal instead of routing the audit events to the Aqua gateway. While the Enforcer will not talk directly to the same logging integration as the Aqua Console, most of these log collectors will have some ability to collect other logs from hosts, such as through syslog functionality.
This can be done during the Enforcer installation by adding an environment variable to the Aqua Enforcer installation container. The variable name is AQUA_AUDIT_LOGGER. The value can be either 'syslog' for syslog, or 'journal' for the journal.
If the Enforcer has already been installed, you can modify a running agent's destination by using the 'slk' command (default location is /opt/aquasec/slk) as the root user to reconfigure the logger to either syslog or journal:
sudo /opt/aquasec/slk config --audit-logger syslog
Did you find it helpful?Send feedback