
Connector audit output destinations

Overview

This guide explains how to choose where Privacera connector audits go after Audit Server processes them (the policysync_audit stream).

You configure routing in Privacera Manager, in custom-vars/vars.auditserver.yml, using two main settings:

  • AUDITSERVER_POLICYSYNC_AUDIT_HANDLER_V2_ENABLED — Set to true so Privacera Manager generates the multi-output configuration for connector audits on the policysync_audit stream. With V2 off, the legacy handler is used instead and the destination list on this page does not apply in the same way.
  • AUDITSERVER_POLICYSYNC_AUDIT_DESTINATIONS_NAMES — A comma-separated list of destination names, with no spaces (for example solr, fluentd, sqs). Each name selects one output path. With V2 on, those names line up with the Solr, Audit Fluentd, and Amazon SQS paths you configure elsewhere.

Most deployments include solr and fluentd so connector audits are indexed in Apache Solr and can be forwarded to Audit Fluentd when that component is deployed and running. Add sqs only when you send the same stream to Amazon SQS; that path must be turned on explicitly (see Send Audits to Amazon SQS).

The Destinations you can use table summarizes each destination name. Use Setup when you are ready to edit the file on the Manager host and apply the change. Optional shared spool overrides are described in Setup as well.

Setup

Follow these steps on the host where Privacera Manager is installed.

  1. Sign in to that host.
  2. Open the Manager configuration directory:
    Bash
    cd ~/privacera/privacera-manager/config
    
  3. Copy the Audit Server sample variables into custom-vars if you have not already. The -n flag avoids overwriting an existing file.
    Bash
    cp -n sample-vars/vars.auditserver.yml custom-vars/
    
  4. Edit the Audit Server custom variables file:
    Bash
    vi custom-vars/vars.auditserver.yml
    
  5. Set AUDITSERVER_POLICYSYNC_AUDIT_HANDLER_V2_ENABLED to true (see Overview).
  6. Set AUDITSERVER_POLICYSYNC_AUDIT_DESTINATIONS_NAMES to your comma-separated list, with no spaces. Include sqs only when Amazon SQS is enabled for this stream (Send Audits to Amazon SQS); Privacera Manager does not add sqs for you.
  7. Optional — shared spool for connector destinations: when spooling is enabled for individual destinations (Solr, Amazon SQS, or Audit Fluentd), they share one base directory on the Audit Server host and one drain interval for the whole connector destination group. Skip this step if the defaults are fine. To override them, add or change these keys in the same custom-vars/vars.auditserver.yml file.

    Property: AUDITSERVER_POLICYSYNC_AUDIT_DESTINATIONS_SPOOL_BASE_DIR
      Purpose: Root directory where spooled connector audit data is stored for destinations that have spooling turned on.
      Privacera Manager default: /workdir/privacera-audit-server/spool/policysync-audit-dest

    Property: AUDITSERVER_POLICYSYNC_AUDIT_DESTINATIONS_SPOOL_DRAIN_INTERVAL_SECONDS
      Purpose: How often spooled data is retried, in seconds, for this shared connector destination spool.
      Privacera Manager default: 30

    Per-destination spool switches and intervals use separate keys in the same file. Amazon SQS–specific spool keys are listed in Send Audits to Amazon SQS. Solr and Fluentd use AUDITSERVER_POLICYSYNC_AUDIT_DESTINATION_SOLR_SPOOL_* and AUDITSERVER_POLICYSYNC_AUDIT_DESTINATION_FLUENTD_SPOOL_* in Privacera Manager Audit Server defaults and sample variables.

  8. Apply the configuration with Privacera Manager, then restart Audit Server.
    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh setup
    ./pm_with_helm.sh upgrade
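Before running the setup command, it is worth checking that the two routing keys and the optional spool overrides are consistent with the rules above (V2 enabled, a comma-separated list with no spaces, only the names solr, fluentd and sqs, a positive drain interval). The POSIX shell check below is an added example and not part of Privacera Manager; it assumes the values in custom-vars/vars.auditserver.yml are plain `KEY: value` scalars, as in the sample variables file, and the file it builds for the demonstration is constructed here rather than taken from a real deployment.

```shell
#!/bin/sh
# Added example (not Privacera's own tooling): sanity-check the connector audit
# routing keys in custom-vars/vars.auditserver.yml before running
# ./privacera-manager.sh setup. Only key names from this page are used.

# get_var FILE KEY: print the first "KEY: value" scalar in FILE with surrounding
# quotes removed (assumes simple one-line YAML scalars, no inline comments).
get_var() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d "\"'" | sed 's/[[:space:]]*$//'
}

# check_destinations LIST: 0 when LIST is a non-empty, comma-separated set of
# known names with no spaces and no duplicates; otherwise 1 with a reason on stderr.
check_destinations() {
  list=$1
  case "$list" in
    "")    echo "destinations list is empty" >&2; return 1 ;;
    *" "*) echo "destinations list must not contain spaces: '$list'" >&2; return 1 ;;
  esac
  seen=""
  old_ifs=$IFS
  IFS=,
  for name in $list; do
    case "$name" in
      solr|fluentd|sqs) ;;
      *) IFS=$old_ifs; echo "unknown destination name: '$name'" >&2; return 1 ;;
    esac
    case ",$seen," in
      *",$name,"*) IFS=$old_ifs; echo "duplicate destination name: '$name'" >&2; return 1 ;;
    esac
    seen="$seen,$name"
  done
  IFS=$old_ifs
  return 0
}

# check_audit_vars FILE: 0 when the file is consistent with the rules on this
# page (V2 on, valid destination list, sane optional spool overrides), else 1.
check_audit_vars() {
  file=$1
  v2=$(get_var "$file" AUDITSERVER_POLICYSYNC_AUDIT_HANDLER_V2_ENABLED)
  [ "$v2" = "true" ] || {
    echo "AUDITSERVER_POLICYSYNC_AUDIT_HANDLER_V2_ENABLED must be true (got '${v2:-unset}')" >&2
    return 1
  }
  check_destinations "$(get_var "$file" AUDITSERVER_POLICYSYNC_AUDIT_DESTINATIONS_NAMES)" || return 1
  # Optional overrides: only validated when present, since Manager supplies defaults.
  interval=$(get_var "$file" AUDITSERVER_POLICYSYNC_AUDIT_DESTINATIONS_SPOOL_DRAIN_INTERVAL_SECONDS)
  if [ -n "$interval" ]; then
    case "$interval" in
      *[!0-9]*) echo "drain interval must be a positive integer: '$interval'" >&2; return 1 ;;
    esac
    [ "$interval" -gt 0 ] || { echo "drain interval must be greater than 0" >&2; return 1; }
  fi
  base=$(get_var "$file" AUDITSERVER_POLICYSYNC_AUDIT_DESTINATIONS_SPOOL_BASE_DIR)
  if [ -n "$base" ]; then
    case "$base" in
      /*) ;;
      *) echo "spool base dir must be an absolute path: '$base'" >&2; return 1 ;;
    esac
  fi
  return 0
}

# Constructed sample file for the demonstration (a temp file, not the real
# custom-vars file); point check_audit_vars at custom-vars/vars.auditserver.yml instead.
SAMPLE_VARS=$(mktemp)
trap 'rm -f "$SAMPLE_VARS"' EXIT
cat > "$SAMPLE_VARS" <<'EOF'
AUDITSERVER_POLICYSYNC_AUDIT_HANDLER_V2_ENABLED: "true"
AUDITSERVER_POLICYSYNC_AUDIT_DESTINATIONS_NAMES: "solr,fluentd"
AUDITSERVER_POLICYSYNC_AUDIT_DESTINATIONS_SPOOL_DRAIN_INTERVAL_SECONDS: 30
EOF

if check_audit_vars "$SAMPLE_VARS"; then
  echo "vars.auditserver.yml looks consistent"
fi
```

Run it from the Manager config directory after step 7; a non-zero exit with a reason on stderr means the file needs another pass before step 8. The check deliberately refuses `solr, fluentd` (the space after the comma is the most common mistake with this key) and rejects any name outside the three destinations this page defines.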

Destinations you can use

Name: solr
  What it does: Stores connector audits in Apache Solr.
  Notes: Solr for this stream is enabled by default. Keep solr in the list when you want indexing (typical).

Name: fluentd
  What it does: Sends connector audits to Audit Fluentd over HTTP (for example, toward object storage).
  Notes: When Audit Fluentd is deployed and available, include fluentd here; no extra connector-only Audit Server settings are required for forwarding. Configure buckets and related options in vars.audit-fluentd.yml when you export to S3 or another store (Send Audits to S3). Once audits are in S3, you can query them with Amazon Athena; see Query PolicySync Audits in Amazon Athena.

Name: sqs
  What it does: Sends connector audits to Amazon SQS.
  Notes: Not on by default. Enable the SQS destination, set the queue URL and region, and add sqs to this list. Privacera Manager does not add sqs for you. Follow Send Audits to Amazon SQS.

Validate SQS delivery

Use the built-in test script inside the Audit Server diagnostics container to confirm that policysync_audit records are arriving in your Amazon SQS queue.

Warning

Setting DELETE_AFTER_PROCESSING to true permanently removes messages from the queue after the script reads them. Use false to inspect messages without consuming them.

  1. Open a shell inside the Audit Server diagnostics container.

  2. Navigate to the SQS test directory:

    Bash
    cd /workdir/manual_test/read_sqs
    

  3. Set the required environment variables. Replace <account-id> and <queue-name> with your AWS account ID and queue name.

    Variable: SQS_QUEUE_URL
      Description: The full URL of your SQS queue.

    Variable: DELETE_AFTER_PROCESSING
      Description: Set to true to remove messages from the queue after reading, or false to read without consuming them.

    Bash
    export SQS_QUEUE_URL=https://sqs.us-east-1.amazonaws.com/<account-id>/<queue-name>
    export DELETE_AFTER_PROCESSING="false"

  4. Run the script:
    Bash
    ./run_read_sqs.sh
    

The script reads messages from the queue and prints them to the terminal. If records appear, connector audits are flowing to Amazon SQS as expected.

Guidelines

  • Keep AUDITSERVER_POLICYSYNC_AUDIT_HANDLER_V2_ENABLED at true when using the destination list you set in Setup.
  • Keep solr and fluentd in the list when your deployment uses Solr indexing and Audit Fluentd export; add sqs only when you use Amazon SQS.
  • The order of names in the list does not change behavior.

Applies to

Self-managed Privacera only. PrivaceraCloud customers should contact their Privacera representative. This configuration applies to connector audits on the policysync_audit collection only.