Configuring and deploying the connector

This page describes how to configure the connector for log retrieval.

Obtain the SCM Audit API key

  1. Log in to SCM at https://cert-manager.com/customer/<customer_uri> with the MRAO administrator credentials provided to your organization.

    Sectigo runs multiple instances of SCM. The main instance of SCM is accessible at https://cert-manager.com. If your account is on a different instance, adjust the URL accordingly.

  2. Select Integrations > Audit API Keys.

  3. Click Add to create an Audit API key.

  4. Give a name to your key, then click Save.

  5. Make a note of the URL, Client ID, and Client Secret values.

    You will need them to configure the connector: they go into the SECTIGO_AUDIT_API_* parameters of the .env file described below.

    (Screenshot: Audit API credentials)

Package contents

The exact process for deploying the connector depends on your infrastructure and deployment workflow.

The package contains the following files:

  • sectigo-audit-datadog - the connector, an executable binary that performs audit log synchronization.

  • .env - The configuration template file for you to customize.

  • Dockerfile - An optional Dockerfile to build the image that can run the connector.

  • docker-compose.yaml - An example docker-compose file to run the connector with a redis storage backend.

  • README.md - useful instructions regarding the configuration and running.

  • integration EULA v1.0.pdf - the end-user license agreement.

Configure the connector

Configure the connector by customizing the .env file, referring to the following tables of parameters. The file holds the Datadog API key and the SCM client secret, so keep it out of version control and restrict its file permissions to the account that runs the connector.

Sample .env file (the key, client ID and client secret shown are illustrative values; replace them with your own)
DD_SITE=datadoghq.eu
DD_API_KEY=75f3fbe2a8e20cb3e8ae8b188bcb5077

SECTIGO_AUDIT_API_URL=https://audit.enterprise.sectigo.com
SECTIGO_AUDIT_API_CLIENT_ID=a40854c0-279c-4187-90ff-bd9fb9939892
SECTIGO_AUDIT_API_CLIENT_SECRET==m0sfj!RQZNp]d2C8DIf1qM8V6jjnAEy

SECTIGO_AUDIT_STORAGE_BACKEND=localfs
SECTIGO_AUDIT_LOCAL_STORAGE_PATH=/state/

Datadog configuration

Parameter | Description | Default | Required
DD_SITE | Datadog site to send logs to (datadoghq.com, datadoghq.eu, etc.) | datadoghq.com | No
DD_API_KEY | API key for authenticating with Datadog | none | Yes
DD_TAGS | Tags to associate with logs (format: key:value,key2:value2) | none | No
DD_HOSTNAME | Hostname to associate with logs | Local machine hostname | No

Sectigo audit API configuration

Parameter | Description | Default | Required
SECTIGO_AUDIT_API_URL | Sectigo Audit API endpoint URL (the URL shown when the Audit API key is created in SCM) | none | Yes
SECTIGO_AUDIT_API_CLIENT_ID | Client ID for API authentication | none | Yes
SECTIGO_AUDIT_API_CLIENT_SECRET | Client secret for API authentication | none | Yes

Sync configuration

Parameter | Description | Default | Required
SECTIGO_AUDIT_LOG_FORMAT | Log output format (json or text) | text | No
SECTIGO_AUDIT_LOG_LEVEL | Minimum log level (debug, info, warn, error) | info | No
SECTIGO_AUDIT_SYNC_LOOP | Whether to run continuously (true) or once (false) | true | No
SECTIGO_AUDIT_SYNC_INTERVAL | Interval between sync operations (e.g., 5s, 10m, 1h); allowed range 5s to 18h | 5s | No
SECTIGO_AUDIT_INIT_HISTORY_DURATION | How far back to fetch logs on first sync (max: 18h) | none | No
SECTIGO_AUDIT_STORAGE_BACKEND | Backend for storing sync state (inmemory, localfs, redis, s3, gcs) | localfs | No

When the connector is run on a schedule rather than as a long-lived process, for example from AWS Lambda triggered by a cron schedule, set SECTIGO_AUDIT_SYNC_LOOP=false so that each invocation performs a single sync and exits. The sync interval accepts values from 5s to 18h. Values close to 18h increase the risk of losing logs, because Datadog drops logs whose timestamp is older than 18 hours; a scheduled run that is delayed past that window loses logs the same way. With SECTIGO_AUDIT_SYNC_LOOP=false, use a storage backend that persists between invocations (localfs on a persistent volume, redis, s3 or gcs), since inmemory state is lost when the process exits and the next run would not know where the previous one stopped.
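As an added example, not part of the connector package, the following Python script lints a .env file before deployment against the rules on this page: the parameters the Datadog and Sectigo tables mark as required, the storage backend value and the backend-specific parameters listed in the storage backend sections below, the 5s to 18h bounds on the sync interval and initial history, and the allowed values of the log and loop settings. It splits each line on the first '=' only, so a client secret that itself begins with '=' survives intact. The embedded SAMPLE_ENV is constructed with placeholder credentials, the problem messages are this example's own wording, and the check that an inmemory backend cannot persist state across single-shot runs is the example's inference from what in-memory storage means, not a rule stated by the connector.

```python
"""Pre-deployment lint for the connector's .env file (added example, not part of the package)."""
import re
import sys

# Required regardless of backend, per the Datadog and Sectigo audit API tables.
ALWAYS_REQUIRED = (
    "DD_API_KEY",
    "SECTIGO_AUDIT_API_URL",
    "SECTIGO_AUDIT_API_CLIENT_ID",
    "SECTIGO_AUDIT_API_CLIENT_SECRET",
)
# Extra parameters each storage backend requires, per the storage backend tables.
BACKEND_REQUIRED = {
    "inmemory": (),
    "localfs": (),
    "redis": ("SECTIGO_AUDIT_REDIS_ADDRESS",),
    "s3": ("SECTIGO_AUDIT_S3_BUCKET_NAME",),
    "gcs": ("SECTIGO_AUDIT_GCS_BUCKET_NAME",),
}
MIN_INTERVAL_S = 5
MAX_WINDOW_S = 18 * 3600  # Datadog drops logs older than 18 hours
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600}


def parse_duration(text):
    """Convert 5s, 10m, 1h or a compound like 1h30m to seconds; None if malformed."""
    parts = re.findall(r"(\d+)([smh])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        return None
    return sum(int(n) * UNIT_SECONDS[u] for n, u in parts)


def parse_dotenv(text):
    """Parse KEY=VALUE lines, splitting on the FIRST '=' only, so a secret that itself
    begins with '=' (written as SECRET==abc) is kept as '=abc' rather than truncated."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip()
    return env


def validate_env(text):
    """Return the list of problems found in the .env content; an empty list means usable."""
    env = parse_dotenv(text)
    problems = []
    for key in ALWAYS_REQUIRED:
        if not env.get(key):
            problems.append(f"{key} is required")
    backend = env.get("SECTIGO_AUDIT_STORAGE_BACKEND", "localfs")
    if backend not in BACKEND_REQUIRED:
        problems.append(f"unknown SECTIGO_AUDIT_STORAGE_BACKEND {backend!r}")
    for key in BACKEND_REQUIRED.get(backend, ()):
        if not env.get(key):
            problems.append(f"{key} is required for the {backend} backend")
    loop = env.get("SECTIGO_AUDIT_SYNC_LOOP", "true")
    if loop not in ("true", "false"):
        problems.append(f"SECTIGO_AUDIT_SYNC_LOOP must be true or false, got {loop!r}")
    if loop == "false" and backend == "inmemory":
        # Example's own inference: in-memory state dies with the process, so every
        # single-shot run would start without knowing where the previous one stopped.
        problems.append("inmemory backend with SECTIGO_AUDIT_SYNC_LOOP=false cannot keep sync state between runs")
    interval = env.get("SECTIGO_AUDIT_SYNC_INTERVAL", "5s")
    seconds = parse_duration(interval)
    if seconds is None:
        problems.append(f"SECTIGO_AUDIT_SYNC_INTERVAL {interval!r} is not a duration like 5s, 10m or 1h")
    elif not MIN_INTERVAL_S <= seconds <= MAX_WINDOW_S:
        problems.append(f"SECTIGO_AUDIT_SYNC_INTERVAL {interval} is outside the allowed range 5s..18h")
    history = env.get("SECTIGO_AUDIT_INIT_HISTORY_DURATION")
    if history:
        seconds = parse_duration(history)
        if seconds is None or seconds > MAX_WINDOW_S:
            problems.append(f"SECTIGO_AUDIT_INIT_HISTORY_DURATION {history!r} must be a duration of at most 18h")
    if env.get("SECTIGO_AUDIT_LOG_FORMAT", "text") not in ("json", "text"):
        problems.append("SECTIGO_AUDIT_LOG_FORMAT must be json or text")
    if env.get("SECTIGO_AUDIT_LOG_LEVEL", "info") not in ("debug", "info", "warn", "error"):
        problems.append("SECTIGO_AUDIT_LOG_LEVEL must be debug, info, warn or error")
    return problems


# Constructed sample with placeholder credentials; nothing here is a real key or secret.
SAMPLE_ENV = """\
DD_SITE=datadoghq.eu
DD_API_KEY=00000000000000000000000000000000
SECTIGO_AUDIT_API_URL=https://audit.enterprise.sectigo.com
SECTIGO_AUDIT_API_CLIENT_ID=00000000-0000-0000-0000-000000000000
SECTIGO_AUDIT_API_CLIENT_SECRET==placeholder-secret-starting-with-equals
SECTIGO_AUDIT_STORAGE_BACKEND=localfs
SECTIGO_AUDIT_LOCAL_STORAGE_PATH=/state/
SECTIGO_AUDIT_SYNC_INTERVAL=10m
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else ".env"
    with open(path, encoding="utf-8") as fh:
        found = validate_env(fh.read())
    for problem in found:
        print("PROBLEM:", problem)
    sys.exit(1 if found else 0)
```

Run it as `python lint_env.py .env` in the deployment pipeline; a non-zero exit blocks the deploy. The script never prints the values it reads, so its output is safe to keep in CI logs.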

Storage backend: local file system

Parameter | Description | Default | Required
SECTIGO_AUDIT_LOCAL_STORAGE_PATH | Path for storing state | Current working directory | No

Storage backend: Redis

Parameter | Description | Default | Required
SECTIGO_AUDIT_REDIS_ADDRESS | Redis server address (host:port) | none | Yes (for Redis)
SECTIGO_AUDIT_REDIS_PASSWORD | Redis server password | none | No

Storage backend: AWS S3

Parameter | Description | Default | Required
SECTIGO_AUDIT_S3_BUCKET_NAME | S3 bucket name | none | Yes (for S3)
SECTIGO_AUDIT_S3_KEY_PREFIX | Path prefix within bucket | none | No

Make sure the IAM role used by the connector allows the following operations on the S3 bucket, and nothing more:

  • HeadBucket (there is no separate s3:HeadBucket action; the HeadBucket call is authorized by s3:ListBucket on the bucket ARN)

  • s3:GetObject

  • s3:PutObject

Scope s3:GetObject and s3:PutObject to the key prefix configured in SECTIGO_AUDIT_S3_KEY_PREFIX rather than to the whole bucket, so a compromised connector cannot read or overwrite unrelated objects.

If the connector is running in an AWS environment, it will automatically use the IAM role attached to that environment (an EC2 instance profile, an ECS task role or a Lambda execution role) for authentication. No additional configuration is needed.

If the connector is running outside AWS but you still want to use S3 as a storage backend, make sure the environment provides credentials through the standard AWS SDK credential chain (environment variables, the shared credentials file, or an assumed role).

For more information, see Authentication and access using AWS SDK.
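The following Python function, added here as an example and not taken from the connector package or from AWS documentation, builds the least-privilege inline policy described above: s3:ListBucket on the bucket ARN to satisfy HeadBucket, and s3:GetObject plus s3:PutObject restricted to the configured key prefix. The bucket name, prefix and statement IDs are placeholders you supply.

```python
"""Least-privilege IAM policy for the connector's S3 state bucket (added example, not from the package)."""
import json
import sys


def s3_state_policy(bucket, prefix=""):
    """Return an IAM policy document granting only what the connector needs on one bucket.

    HeadBucket is an API call, not an IAM action; it is authorized by s3:ListBucket on the
    bucket ARN. That statement is left unconditional on purpose: a Condition on s3:prefix
    is evaluated for HeadBucket too, and since that request carries no prefix key the
    condition would be false and the call denied. GetObject/PutObject are scoped to the
    configured key prefix so the role cannot read or overwrite anything else in the bucket.
    """
    prefix = prefix.strip("/")
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/{prefix}/*" if prefix else f"{bucket_arn}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ConnectorHeadBucket",  # placeholder statement ID
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": bucket_arn,
            },
            {
                "Sid": "ConnectorStateObjects",  # placeholder statement ID
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": object_arn,
            },
        ],
    }


def policy_json(bucket, prefix=""):
    """Serialize the policy for `aws iam put-role-policy --policy-document file://...`."""
    return json.dumps(s3_state_policy(bucket, prefix), indent=2)


if __name__ == "__main__":
    # Usage: python s3_state_policy.py <bucket> [prefix]; both names are yours to supply.
    if len(sys.argv) < 2:
        sys.exit("usage: s3_state_policy.py <bucket> [prefix]")
    print(policy_json(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else ""))
```

Write the output to a file and attach it with `aws iam put-role-policy --role-name <role> --policy-name <name> --policy-document file://policy.json`, using the same bucket and prefix values you put in SECTIGO_AUDIT_S3_BUCKET_NAME and SECTIGO_AUDIT_S3_KEY_PREFIX.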

Storage backend: Google Cloud Storage

Parameter | Description | Default | Required
SECTIGO_AUDIT_GCS_BUCKET_NAME | GCS bucket name | none | Yes (for GCS)
SECTIGO_AUDIT_GCS_KEY_PREFIX | Path prefix within bucket | none | No

Make sure the service account used by the connector has the following permissions on the GCS bucket (the predefined Storage Object Admin role covers all of them, but a custom role with only these three permissions is the least-privilege choice):

  • storage.buckets.get

  • storage.objects.create

  • storage.objects.get

If the connector is running in a GCP environment, it will automatically use the service account attached to the instance or workload for authentication. No additional configuration is needed.

If the connector is running outside GCP but you still want to use GCS as a storage backend, make sure the environment has GCP Application Default Credentials.

For more information, see Set up application default credentials.