fluentd-kubernetes-daemonset

Support for Kubernetes audit logs json format

Open hmalinov opened this issue 4 years ago • 4 comments

The Kubernetes audit logs support two formats:

--audit-log-format string     Default: "json"
    Format of saved audits. "legacy" indicates 1-line text format for each event. "json" indicates structured json format. Known formats are legacy,json.

The default format these days is json. However, the parsing defined in kubernetes.conf is for the legacy format. Could you please add or replace the current parsing with a json one like below?

<source>
  @type tail
  @id in_tail_kube_apiserver_audit
  multiline_flush_interval 5s
  path /var/log/kubernetes/kube-apiserver-audit.log
  pos_file /var/log/kube-apiserver-audit.log.pos
  tag kube-apiserver-audit
  <parse>
    @type json
    keep_time_key true
    time_key timestamp
    time_format %Y-%m-%dT%T.%L%Z
  </parse>
</source>

hmalinov, Dec 11 '20 13:12
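An added example, not part of the issue or of the project's code: a Python check that classifies audit log lines as the json or legacy format named in the flag description, and reports which timestamp keys the JSON events carry (the key a `time_key` setting has to match). The sample lines are constructed; the JSON field names assume the audit.k8s.io/v1 Event schema, and the legacy line layout (`<timestamp> AUDIT: key="value" ...`) is likewise an assumption.

```python
import json
import re
from collections import Counter

# Assumed legacy 1-line layout: <RFC 3339 timestamp> AUDIT: key="value" ...
LEGACY_RE = re.compile(r'^(\S+) AUDIT: (.*)$')
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
TIME_KEYS = ("timestamp", "requestReceivedTimestamp", "stageTimestamp")

def classify_line(line):
    """Return (format, fields); format is 'json', 'legacy' or 'unknown'."""
    line = line.strip()
    if line.startswith("{"):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            return "unknown", {}  # e.g. a line cut off mid-write
        if isinstance(event, dict) and event.get("kind") == "Event":
            return "json", event
        return "unknown", {}
    m = LEGACY_RE.match(line)
    if m:
        fields = dict(KV_RE.findall(m.group(2)))
        fields["timestamp"] = m.group(1)
        return "legacy", fields
    return "unknown", {}

def summarize(lines):
    """Count lines per format and the timestamp keys present in JSON events."""
    formats, time_keys = Counter(), Counter()
    for line in lines:
        if not line.strip():
            continue
        fmt, fields = classify_line(line)
        formats[fmt] += 1
        if fmt == "json":
            time_keys.update(k for k in TIME_KEYS if k in fields)
    return dict(formats), dict(time_keys)

# Constructed sample lines, not taken from a real cluster.
JSON_EVENT = ('{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata",'
              '"auditID":"00000000-0000-0000-0000-000000000001","stage":"ResponseComplete",'
              '"requestURI":"/api/v1/namespaces/default/pods","verb":"list",'
              '"user":{"username":"admin"},"requestReceivedTimestamp":"2020-12-11T13:12:00.000000Z",'
              '"stageTimestamp":"2020-12-11T13:12:00.004000Z"}')
LEGACY_EVENT = ('2020-12-11T13:12:00.106841886Z AUDIT: id="00000000-0000-0000-0000-000000000002" '
                'ip="127.0.0.1" method="GET" user="admin" namespace="default" '
                'uri="/api/v1/namespaces/default/pods"')
SAMPLE = [JSON_EVENT, JSON_EVENT, LEGACY_EVENT, JSON_EVENT[:60]]
```

Calling `summarize()` on the lines of a real audit log file shows whether it is all json, all legacy, or mixed after a flag change, before a parser is chosen for it.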

Bump. It's quite boring to have to edit kube-apiserver flags from manifests.

GerkinDev, Feb 04 '21 03:02

This issue has been automatically marked as stale because it has been open 90 days with no activity. Remove stale label or comment or this issue will be closed in 30 days

github-actions[bot], May 05 '21 10:05

Bump. Could something be done about #534 addressing this need?

GerkinDev, May 06 '21 09:05

Just checking if a solution for this has been released?

Still getting [in_tail_kube_apiserver_audit] got incomplete line before first line from /var/log/kubernetes/kube-apiserver-audit.log when fluentd reads audit logs.

willianmga, Apr 11 '24 12:04