Publish audit logs to HTTP webhook

AIStor supports publishing audit logs to one or more configured remote webhook receivers. AIStor send an event for each API operation to the receiver for processing and storage.

The receiver is responsible for correctly processing events, including returning 200OK or similar success messages upon receipt of the event. AIStor cannot recover events that were successfully sent but not correctly stored on the receiver.

You can configure a new HTTP audit webhook endpoint using either environment variables or runtime configuration settings:

Environment Variable

You can use environment variables to configure one or more webhook receivers.

The following example code block displays all environment variables related to publishing audit logs to a webhook. Commented variables (lines starting with a #) are optional. Add these environment variables to the /etc/default/minio environment file on all AIStor nodes.

MINIO_AUDIT_WEBHOOK_ENABLE="on"
MINIO_AUDIT_WEBHOOK_ENDPOINT="https://webhook-1.example.net"
#MINIO_AUDIT_WEBHOOK_AUTH_TOKEN="TOKEN"
#MINIO_AUDIT_WEBHOOK_BATCH_SIZE=10
#MINIO_AUDIT_WEBHOOK_CLIENT_CERT="/opt/minio/webhook/public.cert"
#MINIO_AUDIT_WEBHOOK_CLIENT_KEY="/opt/minio/webhook/private.key"
#MINIO_AUDIT_WEBHOOK_MAX_RETRY=5
#MINIO_AUDIT_WEBHOOK_RETRY_INTERVAL=10
#MINIO_AUDIT_WEBHOOK_PROXY="https://proxy.example.net"
#MINIO_AUDIT_WEBHOOK_TLS_SKIP_VERIFICATION=false
#MINIO_AUDIT_WEBHOOK_HTTP_TIMEOUT=10
#MINIO_AUDIT_WEBHOOK_HTTP_ENCODING="json"

Configuration Setting

You can use the mc admin config set command and the logger_webhook configuration key to configure one or more webhook logging targets.

The following example code displays all configuration settings related to publishing server logs to a webhook. Commented settings (lines starting with a #) are optional.

mc admin config set ALIAS audit_webhook         \
   endpoint="https://webhook-1.example.net"     \
#  auth_token="TOKEN"                           \
#  batch_size=10                                \
#  max_retry=5                                  \
#  retry_interval=10                            \
#  client_cert="/opt/minio/webhook/public.crt"  \
#  client_key="/opt/minio/webhook/private.key"  \
#  proxy="https://proxy.example.net"            \
#  tls_skip_verification=false                  \
#  http_timeout=10                              \
#  http_encoding="json"                         \

For options that require specifying a directory path, ensure the minio-user user and group have read, write, and list access to those resources. Where possible use chown and chmod to limit access and ownership to only the minio-user.

Restart the Object Store to apply the new settings.

You can specify multiple webhook loggers by appending a unique identifier to each group of environment variables or settings. For example, MINIO_LOGGER_WEBHOOK_ENDPOINT_PRIMARY or mc admin config set alias logger_webhook:primary.