Collect Dev Portal audit logs with SumoLogic
Create an HTTPS data collection endpoint and access key in SumoLogic and save their values. Configure an audit log destination in Konnect with the SumoLogic endpoint (endpoint), the access key (authorization), and set the log format log_format: cef. Then create the webhook for your Dev Portal with the /portals/{portalId}/audit-log-webhook.
Prerequisites
Kong Konnect
This is a Konnect tutorial and requires a Konnect personal access token.
-
Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
-
Export your token to an environment variable:
export KONNECT_TOKEN='YOUR_KONNECT_PAT' -
Run the quickstart script to automatically provision a Control Plane and Data Plane, and configure your environment:
curl -Ls https://get.konghq.com/quickstart | bash -s -- -k $KONNECT_TOKEN --deck-outputThis sets up a Konnect Control Plane named
quickstart, provisions a local Data Plane, and prints out the following environment variable exports:export DECK_KONNECT_TOKEN=$KONNECT_TOKEN export DECK_KONNECT_CONTROL_PLANE_NAME=quickstart export KONNECT_CONTROL_PLANE_URL=https://us.api.konghq.com export KONNECT_PROXY_URL='http://localhost:8000'Copy and paste these into your terminal to configure your session.
Kong Gateway running
This tutorial requires Kong Gateway Enterprise. If you don’t have Kong Gateway set up yet, you can use the quickstart script with an enterprise license to get an instance of Kong Gateway running almost instantly.
-
Export your license to an environment variable:
export KONG_LICENSE_DATA='LICENSE-CONTENTS-GO-HERE' -
Run the quickstart script:
curl -Ls https://get.konghq.com/quickstart | bash -s -- -e KONG_LICENSE_DATAOnce Kong Gateway is ready, you will see the following message:
Kong Gateway Ready
Dev Portal
For this tutorial, you’ll need a Dev Portal and some Dev Portal settings, like a published API, pre-configured. These settings are essential for Dev Portal to function but configuring them isn’t the focus of this guide. If you don’t have these settings already configured, follow these steps to pre-configure them:
- Create a Dev Portal.
- From the overview of your Dev Portal, get your Dev Portal ID and export it to your environment:
export PORTAL_ID='YOUR DEV PORTAL ID' - Register a test developer account with your Dev Portal. You can do this by navigating to your Dev Portal URL and clicking Sign up.
SumoLogic SIEM provider
To use the audit log webhook, you need a configured SIEM provider. In this tutorial, we’ll use SumoLogic, but you can use any SIEM provider that supports the ArcSight CEF Format or raw JSON.
Before you can push audit logs to your SIEM provider, configure the service to receive logs. This configuration is specific to your vendor.
- In SumoLogic, configure an HTTPS data collection endpoint you can send CEF or raw JSON data logs to. Konnect supports any HTTP authorization header type. In this example, we’ll name the source
Konnect. - Copy and export the endpoint URL:
export SIEM_ENDPOINT='YOUR-SIEM-HTTP-ENDPOINT' -
Create an access key in SumoLogic. Export the access key as an environment variable:
export SIEM_TOKEN='YOUR-ACCESS-KEY' - Configure your network’s firewall settings to allow traffic through the
8071TCP or UDP port that Konnect uses for audit logging. See the Konnect ports and network requirements.
Set up the audit log destination
Create an audit log destination by sending a POST request to the /audit-log-destinations endpoint with the connection details for your SIEM vendor:
curl -i -X POST https://global.api.konghq.com/v2/audit-log-destinations \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--json '{
"endpoint": "'$SIEM_ENDPOINT'",
"authorization": "'$SIEM_TOKEN'",
"log_format": "cef",
"name": "Example destination"
}'
Export the ID of the new destination to your environment:
export DESTINATION_ID='YOUR DESTINATION ID'
Enable the webhook on your Dev Portal
Create a webhook by sending a PATCH request to the /portals/{portalId}/audit-log-webhook endpoint with the audit log destination:
curl -i -X PATCH https://us.api.konghq.com/v3/portals/$PORTAL_ID/audit-log-webhook \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--json '{
"audit_log_destination_id": "'$DESTINATION_ID'",
"enabled": true
}'
Webhooks are triggered via an HTTPS request using the following retry rules:
- Minimum retry wait time: 1 second
- Maximum retry wait time: 30 seconds
- Maximum number of retries: 4
A retry is performed on a connection error, server error (500 HTTP status code), or too many requests (429 HTTP status code).
Validate
To validate that the webhook is configured correctly, you can log in to your Dev Portal with the account you created in the prerequisites. This should trigger a log in SumoLogic. Sometimes it can take a minute to populate the logs.
In the SumoLogic UI, navigate to the log search and search for _source= with the name of the source we created in the prerequisites. In this example, _source=Konnect. You should see logs like the following:
2025-06-23T14:28:47Z konghq.com CEF:0|KongInc|Dev-Portal|1.0|AUTHENTICATION_TYPE_BASIC|AUTHENTICATION_OUTCOME_SUCCESS|0|rt=1750688927556 src=172.71.232.22 request=/api/v2/developer/authenticate success=true org_id=998db3e4-5cb7-4dd5-b51c-9878096a6999 portal_id=3e551b39-227d-4297-b911-e68fd5d77c17 principal_id=a3d2699a-0ed3-4417-bb10-d8e74a1513a4 trace_id=3360194145499877252 user_agent= sig=XQC3OSFxLbi5dy2-o4xAXHT-x8oW5Df-zVsACWQLMU9Q-sPnEyk5CVs4JHwuRcwO0QNLsNaP1wsyrXYPeneXDQ
Cleanup
Clean up Konnect environment
If you created a new control plane and want to conserve your free trial credits or avoid unnecessary charges, delete the new control plane used in this tutorial.