Recover Dev Portal audit logs

TL;DR

You can use replay jobs in Konnect to recover audit logs. These are useful when you’ve missed audit log entries due to an error or a misconfigured audit log webhook.

Configure an audit log webhook in Konnect with the SIEM endpoint, the access key, and the log format. Then, configure audit logs for your Dev Portal by adding the audit log webhook that you just configured. You can then navigate to your Dev Portal audit log configuration and click the Replay tab to recover audit logs from a specified time frame.

This tutorial uses SumoLogic, but you can apply the same steps to your SIEM provider.

Prerequisites

This tutorial requires a Konnect Plus account. If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.

To recover audit logs, you need the Admin role for audit logs.

For this tutorial, you’ll need a pre-configured Dev Portal. If you don’t have one, follow these steps to set it up:

  1. In the Konnect sidebar, click Dev Portal.
  2. Click New portal to create a Dev Portal.
  3. Click your Dev Portal URL at the top of the Dev Portal overview.
  4. Click Sign up to register a test developer account with your Dev Portal.
  5. If your settings require developer or application approval, you can manage approvals by navigating to Access and approvals in the Konnect sidebar.

To use the audit log webhook, you need a configured SIEM provider. In this tutorial, we’ll use SumoLogic, but you can use any SIEM provider that supports the ArcSight CEF Format or raw JSON. Konnect supports any HTTP authorization header type.

Before you can push audit logs to your SIEM provider, configure the service to receive logs. This configuration is specific to your vendor.

In this tutorial, we’ll configure an HTTPS data collector and source in SumoLogic.

  1. In the SumoLogic sidebar, click Data Management > Collection.
  2. Click Add Collector.
  3. Click Hosted Collector.
  4. In the Name field, enter Konnect.
  5. When prompted to add a new data source to the collector, click OK.
  6. Select HTTP Logs & Metrics.
  7. In the Name field, enter Konnect.
  8. Click OK.
  9. Copy and save the SumoLogic endpoint URL.
  10. In the SumoLogic sidebar, click Administration > Account Security Settings > Access Keys to create an access key.
  11. Click Add Access Key.
  12. In the Name field, enter Konnect.
  13. Click Save.
  14. Copy and save the SumoLogic access key.

If needed, configure your network’s firewall settings to allow traffic on TCP or UDP port 8071, which Konnect uses for audit logging. See the Konnect ports and network requirements.

To complete this tutorial, you’ll need an audit log destination and webhook configured. If you don’t already have one configured, follow these steps:

  1. In the Konnect sidebar, click Organization.
  2. From the sidebar, click Audit Logs Setup.
  3. On the Webhook Destination tab, click New Webhook.
  4. In the Name field, enter SumoLogic.
  5. In the Endpoint field, enter your external endpoint that will receive audit log messages. For example: https://endpoint4.collection.sumologic.com/receiver/v1/http/1234abcd.
  6. In the Authorization Header field, enter the access token from your SIEM. Konnect will send this string in the Authorization header of requests to that endpoint.
  7. From the Log Format dropdown menu, select “cef”.
  8. (Optional) Click Disable SSL Verification to disable SSL verification of the host endpoint when delivering payloads.

    We only recommend disabling SSL verification when using self-signed SSL certificates in a non-production environment as this can subject you to man-in-the-middle and other attacks.

  9. Click the Dev Portal tab.
  10. Click New Dev Portal Audit Log.
  11. From the View region dropdown menu, select the region.
  12. From the Dev Portal dropdown menu, select your Dev Portal.
  13. Click Enabled.
  14. From the Endpoint dropdown menu, select your SIEM endpoint.
  15. Click Save.

To validate that the webhook is configured correctly, you can log in to your Dev Portal with the account you created in the prerequisites. This should trigger a log in SumoLogic. Sometimes it can take a minute to populate the logs.

Configure a replay job

You can recover Dev Portal audit logs by configuring a replay job.

  1. In the Konnect sidebar, click Organization.
  2. From the sidebar, click Audit Logs Setup.
  3. Click the Dev Portal tab.
  4. Click the Dev Portal that you want to configure the replay job for.
  5. Click the Replay tab.
  6. From the Replay Time Range dropdown menu, select Last 6 hours.
  7. Click Send Replay.

The replay job will now display one of the following statuses:

Status: Description

Unconfigured: The job has not been set up. This is the job’s initial state.
Accepted: The job has been accepted for scheduling.
Pending: The job has been scheduled.
Running: The job is in progress. When a replay job is running, a request to update the job will return a 409 response code until it has completed or failed.
Completed: The job has finished with no errors.
Failed: The job has failed.

Validate

Once the replay job is marked as Completed, you can view the recovered audit logs in your SIEM provider. If you’re using SumoLogic, navigate to the log search and search for _source=Konnect. You should see logs like the following:

2025-06-23T14:28:47Z konghq.com CEF:0|KongInc|Dev-Portal|1.0|AUTHENTICATION_TYPE_BASIC|AUTHENTICATION_OUTCOME_SUCCESS|0|rt=1750688927556 src=172.71.232.22 request=/api/v2/developer/authenticate success=true org_id=998db3e4-5cb7-4dd5-b51c-9878096a6999 portal_id=3e551b39-227d-4297-b911-e68fd5d77c17 principal_id=a3d2699a-0ed3-4417-bb10-d8e74a1513a4 trace_id=3360194145499877252 user_agent= sig=XQC3OSFxLbi5dy2-o4xAXHT-x8oW5Df-zVsACWQLMU9Q-sPnEyk5CVs4JHwuRcwO0QNLsNaP1wsyrXYPeneXDQ
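
To check what a replay actually recovered, you can parse the CEF lines and drop the entries your SIEM already held. The following is an added example, not code from Kong or this tutorial: `parse_cef`, `recovered_by_replay` and `sample` are names introduced here, the field names come from the sample line above, and it assumes a replay can resend already-delivered entries with the same `portal_id`, `trace_id` and `rt`.

```python
import re
from datetime import datetime, timezone

HEADER = ("cef_version", "vendor", "product", "product_version",
          "event_class", "name", "severity")
EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")  # value runs up to the next key=

def parse_cef(line):
    """Split one audit log line into CEF header fields and extension pairs."""
    body = line[line.index("CEF:") + 4:]          # drop the timestamp/host prefix
    parts = re.split(r"(?<!\\)\|", body, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("incomplete CEF record")
    event = dict(zip(HEADER, parts[:7]))
    event.update(EXT_PAIR.findall(parts[7]))
    # rt is epoch milliseconds in the tutorial's sample line
    event["time"] = datetime.fromtimestamp(int(event["rt"]) / 1000, tz=timezone.utc)
    return event

def event_key(event):
    # Assumption: a replayed copy repeats the portal_id, trace_id and rt of the original.
    return (event["portal_id"], event["trace_id"], event["rt"])

def recovered_by_replay(delivered_lines, replayed_lines):
    """Return replayed events the SIEM did not already hold, oldest first."""
    seen = {event_key(parse_cef(line)) for line in delivered_lines}
    fresh = {}
    for line in replayed_lines:
        event = parse_cef(line)
        if event_key(event) not in seen:
            fresh.setdefault(event_key(event), event)  # also drops repeats within the replay
    return sorted(fresh.values(), key=lambda e: e["time"])

def sample(rt, trace_id):
    """Constructed line in the shape of the tutorial's sample (values are made up)."""
    return ("2025-06-23T14:28:47Z konghq.com CEF:0|KongInc|Dev-Portal|1.0|"
            "AUTHENTICATION_TYPE_BASIC|AUTHENTICATION_OUTCOME_SUCCESS|0|"
            f"rt={rt} src=192.0.2.10 request=/api/v2/developer/authenticate success=true "
            f"portal_id=portal-placeholder trace_id={trace_id} user_agent= sig=constructed")

DELIVERED = [sample(1750688927556, "1001")]        # arrived before the outage
REPLAYED = [sample(1750688927556, "1001"),          # duplicate of the line above
            sample(1750690000000, "1002"), sample(1750689000000, "1003")]

if __name__ == "__main__":
    for ev in recovered_by_replay(DELIVERED, REPLAYED):
        print(ev["time"].isoformat(), ev["name"], ev["src"], ev["trace_id"])
```

If the recovered list is empty for a window where you expected missed entries, check the replay job status and the selected time range before assuming nothing happened in that window.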

Cleanup

If you created a new control plane and want to conserve your free trial credits or avoid unnecessary charges, delete the new control plane used in this tutorial.

FAQs

Konnect only collects audit logs from the past seven days, so you can only recover up to seven days of logs from the current date.
