How many days of Konnect org audit logs can I recover?
Konnect only collects audit logs from the past seven days, so you can only recover up to seven days of logs from the current date.
Recover Konnect audit logs
Uses:
Konnect Platform
Incompatible with
on-prem
Related Documentation
TL;DR
Use replay jobs in Konnect to recover audit logs. These are useful when you’ve missed audit log entries due to an error or a misconfigured audit log webhook.
Configure an audit log webhook in Konnect with the SIEM endpoint, the access key, and the log format. Then, configure audit logs for your Konnect org by adding the audit log webhook that you just configured. You can then navigate to your Konnect org audit log configuration and click the Replay tab to recover audit logs from a specified time frame.
This tutorial uses SumoLogic, but you can apply the same steps to your SIEM provider.
Prerequisites
Kong Konnect
If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.
- The following Konnect items are required to complete this tutorial:
- Personal access token (PAT): Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
-
Set the personal access token as an environment variable:
export KONNECT_TOKEN='YOUR KONNECT TOKEN'Copied!
Konnect roles
To recover audit logs, you need the Admin role for audit logs.
SumoLogic SIEM provider
To use the audit log webhook, you need a configured SIEM provider. In this tutorial, we’ll use SumoLogic, but you can use any SIEM provider that supports the ArcSight CEF Format or raw JSON. Konnect supports any HTTP authorization header type.
Before you can push audit logs to your SIEM provider, configure the service to receive logs. This configuration is specific to your vendor.
In this tutorial, we’ll configure an HTTPS data collector and source in SumoLogic.
- In the SumoLogic sidebar, click Data Management > Collection.
- Click Add Collector.
- Click Hosted Collector.
- In the Name field, enter
Konnect. - When prompted to add a new data source to the collector, click OK.
- Select HTTP Logs & Metrics.
- In the Name field, enter
Konnect. - Click OK.
- Copy and save the SumoLogic endpoint URL.
- In the SumoLogic sidebar, click Administration > Account Security Settings > Access Keys to create an access key.
- Click Add Access Key.
- In the Name field, enter
Konnect. - Click Save.
- Copy and save the SumoLogic access key.
If needed, configure your network’s firewall settings to allow traffic through the 8071 TCP or UDP port that Konnect uses for audit logging. See the Konnect ports and network requirements.
Audit log destination and webhook
To complete this tutorial, you’ll need an audit log destination and webhook configured. If you don’t already have one configured, follow these steps:
- In the Konnect sidebar, click Organization.
- From the sidebar, click Audit Logs Setup.
- On the Webhook Destination tab, click New Webhook.
- In the Name field, enter
SumoLogic. - In the Endpoint field, enter your external endpoint that will receive audit log messages. For example:
https://endpoint4.collection.sumologic.com/receiver/v1/http/1234abcd. - In the Authorization Header field, enter the access token from you SIEM.
Konnect will send this string in the
Authorizationheader of requests to that endpoint. - From the Log Format dropdown menu, select “cef”.
-
(Optional) Click Disable SSL Verification to disable SSL verification of the host endpoint when delivering payloads.
We only recommend disabling SSL verification when using self-signed SSL certificates in a non-production environment as this can subject you to man-in-the-middle and other attacks.
- Click the Konnect tab.
- Navigate to the region you want to configure the webhook for.
- Click Disabled.
- From the Endpoint dropdown menu, select your SIEM endpoint.
- Click Save.
To validate that the webhook is configured correctly, send an API request using the Konnect API:
curl -X GET "https://us.api.konghq.com/v2/control-planes" \
-H "Authorization: Bearer $KONNECT_TOKEN"
Copied!
This triggers a log in SumoLogic. Sometimes it can take a minute to populate the logs.
Configure a replay job
In Konnect, you can restore audit logs by configuring a replay job:
- In the Konnect sidebar, click Organization.
- From the sidebar, click Audit Logs Setup.
- Click the Konnect tab.
- Navigate to the region you want to configure the replay job for.
- Click the Replay tab.
- From the Replay Time Range dropdown menu, select
Last 6 hours. - Click Send Replay.
The replay job will now display one of the following statuses:
|
Status |
Description |
|---|---|
| Unconfigured | The job has not been set up. This is the job’s initial state. |
| Accepted | The job has been accepted for scheduling. |
| Pending | The job has been scheduled. |
| Running |
The job is in progress. When a replay job is running, a request to update the job will return a 409 response code until it has completed or failed.
|
| Completed | The job has finished with no errors. |
| Failed | The job has failed. |
Validate
Once the replay job is marked as Complete, you can view the recovered audit logs in your SIEM provider. If you’re using SumoLogic, navigate to the log search and search for _source=Konnect. You will see logs like the following:
2025-06-18T21:02:36Z konghq.com CEF:0|KongInc|Konnect|1.0|konnect|Authz.control-planes|1|rt=1750280466889 src=127.0.0.6 action=list granted=true org_id=777db3e4-5cb7-4dd5-b51c-9878096a6999 principal_id=eb999f01-5976-4f4b-9fbc-dd5d514bd675 trace_id=3959872677347089807 user_agent=grpc-node-js/1.12.4 sig=KbLaBhQFnggT_8CyC95b777R1_fGvvLVDn7awjZK8eZLdGPrSvnS-sxJw63j930eKr-VTsQv8-TQTD_GVmAPAQ
Copied!
Cleanup
Clean up Konnect environment
If you created a new control plane and want to conserve your free trial credits or avoid unnecessary charges, delete the new control plane used in this tutorial.