Easily log API requests and responses to your own security data lake.
- Kong Gateway >2.x
- LuaRocks 3.9.1
- unzip package
- A container runtime such as docker is required to run the Resurface container.
The kong-plugin-usagelogger rock is available for download from the LuaRocks site.
luarocks install kong-plugin-usagelogger
Unfortunately, Kong does not provide a straightforward way to inject third-party plugins into its official container images. To overcome this, you must build a new image based on the latest Kong image, with an additional layer that installs the plugin (and its dependencies).
Fortunately, we already have a Dockerfile for that image here. All you need to do is run the following command:
curl "https://raw.githubusercontent.com/resurfaceio/kong-plugin/logger-lua/Dockerfile" | docker build -t kong:3.2.2.0-resurface -
The usagelogger plugin must be added to the Kong configuration. In DB-less mode, this means editing your kong.conf file in all nodes to modify the following line:
plugins = bundled
Such that the usagelogger plugin is listed like so:
plugins = bundled, usagelogger
In DB mode, it may only be necessary to set the KONG_PLUGINS environment variable like so:
export KONG_PLUGINS="bundled,usagelogger"
To finish this step, you need to restart Kong. For the non-containerized versions of Kong, this can be done with the following command:
kong restart
For the containerized version, this means stopping the old container and starting a new container based on your new custom Kong image, together with a bind mount for the new configuration file. In DB mode, it may only be necessary to pass the latest KONG_PLUGINS env var as a parameter to docker run.
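The kong.conf edit described above has to be repeated on every node, so it helps to make it idempotent. The following is an added example, not code from the Resurface plugin or from Kong; the function name `enable_usagelogger` and the file path argument are hypothetical, and it assumes that a missing or commented-out `plugins` line means the default `bundled`.

```shell
#!/bin/sh
# Added example: idempotently list usagelogger on the active `plugins` line
# of a kong.conf file. The helper name is hypothetical; $1 is the file path.

enable_usagelogger() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    active='^[[:space:]]*plugins[[:space:]]*='

    # Case 1: already listed on an active plugins line -> leave the file alone.
    if grep -Eq "${active}(.*[,[:space:]])?usagelogger([,[:space:]]|\$)" "$conf"; then
        return 0
    fi

    tmp=$(mktemp) || return 2
    if grep -Eq "$active" "$conf"; then
        # Case 2: active line without the plugin -> append to the existing list.
        sed -E "s/(${active}.*[^[:space:]])[[:space:]]*\$/\1, usagelogger/" "$conf" > "$tmp"
    else
        # Case 3: line absent or commented out -> add an explicit one
        # (assumes the implicit default is `bundled`).
        { cat "$conf"; echo 'plugins = bundled, usagelogger'; } > "$tmp"
    fi
    # Overwrite in place so the file keeps its owner and permissions.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Demo on a constructed kong.conf excerpt (not a real deployment file).
demo=$(mktemp)
printf '%s\n' '#proxy_listen = 0.0.0.0:8000' 'plugins = bundled' > "$demo"
enable_usagelogger "$demo" && grep -E '^plugins' "$demo"
rm -f "$demo"
```

Kong still has to be restarted after the file changes, as described above.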
This plugin is compatible with DB-less mode.
In DB-less mode, you configure Kong Gateway declaratively. Therefore, the Admin API is mostly read-only. The only tasks it can perform are all related to handling the declarative config, including:
- Setting a target's health status in the load balancer
- Validating configurations against schemas
- Uploading the declarative configuration using the /config endpoint
This plugin can be enabled globally, as follows:
curl -X POST http://localhost:8001/plugins/ \
--data "name=usagelogger" \
--data "config.url=http://host.docker.internal:7701/message" \
--data "config.rules=include debug"
Add a plugins entry in the declarative configuration file:
plugins:
- name: usagelogger
  config:
    url: http://host.docker.internal:7701/message
    rules: include debug
Make sure to replace host.docker.internal with the hostname or IP address used to reach your Resurface instance.
Loggers always have an active set of rules that control what data is logged and how sensitive data is masked. All of the examples above apply a predefined set of rules (include debug), but logging rules are easily customized to meet the needs of any application.
© 2016-2024 Graylog, Inc.