
A way to ingest audit logs from kubernetes apiserver

Open jorotg opened this issue 4 years ago • 2 comments

Hi guys,

We use the fluentd-elasticsearch helm chart in our environment. I tried to add a filter to collect audit logs from kube apiserver, but for some reason I can't see them in Kibana. My configuration in templates/configmaps.yaml is:

<source>
  @id kube-apiserver-audit.log
  @type tail
  format json
  path /var/log/apiserver/audit.log
  pos_file /var/log/apiserver/audit.log.pos
  time_key timestamp
  time_format %Y-%m-%dT%H:%M:%SZ
  tag kube-apiserver-audit
</source>

which doesn't seem to work.

jorotg avatar Feb 15 '21 13:02 jorotg

@jorotg Maybe not what you're looking for, but what I did was output audit logs to stdout from apiserver. Then fluentd pulls them in just like any other pod logs.

As configured with kops:

  kubeAPIServer:
    # Log audit log to stdout for fluentd
    auditLogPath: "-"

NelsonJeppesen avatar Feb 23 '21 19:02 NelsonJeppesen

Thank you Nelson! Most likely I'm going to use your approach too.

jorotg avatar Feb 23 '21 19:02 jorotg
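
Added example, not part of the thread or of the chart: with `auditLogPath: "-"` the audit events arrive in the apiserver container log mixed with its other output, so a downstream step has to pick them out before they can go to a dedicated index. The sketch below assumes CRI-format container log lines, the hypothetical function name `extract_audit_events`, and `@timestamp` as the target time field; all sample lines are constructed.

```python
import json
from datetime import datetime, timezone

# Constructed CRI-format log lines (timestamp, stream, P/F flag, message) from
# an apiserver container with auditLogPath "-"; every value here is made up.
SAMPLE_LINES = [
    '2021-02-23T19:02:10.100000000Z stderr F I0223 19:02:10.099 1 httplog.go:89] "HTTP" verb="GET"',
    '2021-02-23T19:02:11.200000000Z stdout F {"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"00000000-0000-0000-0000-000000000001","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/secrets","verb":"list","user":{"username":"system:serviceaccount:default:demo"},"responseStatus":{"code":403},"stageTimestamp":"2021-02-23T19:02:11.150000Z"}',
    # One event split by the runtime: P = partial piece, F = final piece.
    '2021-02-23T19:02:12.300000000Z stdout P {"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"00000000-0000-0000-0000-000000000002","stage":"ResponseComplete","verb":"get",',
    '2021-02-23T19:02:12.300000001Z stdout F "requestURI":"/healthz","user":{"username":"system:anonymous"},"responseStatus":{"code":200},"stageTimestamp":"2021-02-23T19:02:12.250000Z"}',
    '2021-02-23T19:02:13.400000000Z stdout F {"msg":"not an audit event"}',
]


def extract_audit_events(lines):
    """Return audit.k8s.io events from stdout, reassembling partial lines."""
    events, pending = [], {}
    for line in lines:
        parts = line.rstrip("\n").split(" ", 3)
        if len(parts) < 4:
            continue  # not a CRI log line
        _ts, stream, flag, msg = parts
        pending[stream] = pending.get(stream, "") + msg
        if flag != "F":
            continue  # keep buffering until the final piece arrives
        full = pending.pop(stream)
        if stream != "stdout":
            continue  # with auditLogPath "-" audit events go to stdout
        try:
            rec = json.loads(full)
        except ValueError:
            continue  # plain-text line, not JSON
        if not isinstance(rec, dict) or rec.get("kind") != "Event":
            continue
        if not str(rec.get("apiVersion", "")).startswith("audit.k8s.io/"):
            continue
        try:  # index by the apiserver's own time, not the collector's read time
            ts = datetime.strptime(rec["stageTimestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
            rec["@timestamp"] = ts.replace(tzinfo=timezone.utc).isoformat()
        except (KeyError, ValueError, TypeError):
            pass  # leave the record without @timestamp
        events.append(rec)
    return events


if __name__ == "__main__":
    for ev in extract_audit_events(SAMPLE_LINES):
        print(ev["@timestamp"], ev["verb"], ev["requestURI"], ev["responseStatus"]["code"])
```

Events in the `audit.k8s.io/v1` format carry `requestReceivedTimestamp` and `stageTimestamp` with microsecond precision, which is why the parse pattern includes `%f`.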