Kubernetes Audit Logs
Send Kubernetes audit logs to Last9 using OpenTelemetry
Introduction
This guide will help you ingest audit logs from a Kubernetes cluster to Last9. It is useful when you have set up a Kubernetes cluster using tools like kOps and enabled audit logs. If you use EKS and want to ingest audit logs to Last9, please use the AWS Cloudwatch integration.
Pre-requisites
- You have a Kubernetes Cluster and workload running in it.
- You have enabled audit logs for your Kubernetes cluster to be written to a file.
- You have signed up for Last9, created a cluster, and obtained the following OTLP credentials from the Integrations page:
  - endpoint
  - auth_header
- You have an Otel Collector agent daemonset running as per the Last9 Kubernetes logs integration.
Enable the volume mounts for Audit Logs
Add the following volumes to the values.yaml to enable the Collector Agent daemonset installed in step 4 above to read the audit logs.
extraVolumes:
  - name: audit-logs
    hostPath:
      path: /var/log
      type: Directory
extraVolumeMounts:
  - name: audit-logs
    mountPath: /var/log
    readOnly: true
Update the Otel Pipeline to read audit logs
Update the receivers section with the following configuration.
receivers:
  filelog:
    include:
      # Read logs from all pods on the node
      - /var/log/pods/*/*/*.log
      # Update this to match the path you configured for the audit log file.
      - /var/log/kube-apiserver-audit.log
    include_file_name: false
    include_file_path: true
    operators:
      - id: container-parser
        max_log_size: 102400
        type: container
    retry_on_failure:
      enabled: true
    start_at: end
Keep all the other settings in values.yaml the same. These two changes enable the Otel Collector Agent to read the audit logs along with the logs from all pods on the node and send them to Last9.
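The audit log file the filelog receiver tails above holds one audit.k8s.io/v1 Event as JSON per line. The following is an added example (not part of the Last9 integration) that parses constructed sample lines, keeps only the ResponseComplete stage, and flags secret reads and denied requests, the kind of triage you would later build as a query over these logs.

```python
"""Parse kube-apiserver audit events (audit.k8s.io/v1, one JSON object per
line) and pull out the fields worth alerting on. Added example, not Last9 code."""
import json
from collections import Counter

# Constructed sample audit log: three completed requests, one RequestReceived
# stage entry for the same request, and one non-JSON line the parser must skip.
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/secrets/db-creds","verb":"get","user":{"username":"system:serviceaccount:prod:web","groups":["system:serviceaccounts"]},"sourceIPs":["10.0.0.12"],"objectRef":{"resource":"secrets","namespace":"prod","name":"db-creds"},"responseStatus":{"code":200},"stageTimestamp":"2024-01-01T10:00:00Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a2","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/pods","verb":"list","user":{"username":"alice","groups":["dev"]},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"pods","namespace":"prod"},"responseStatus":{"code":200},"stageTimestamp":"2024-01-01T10:00:01Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a3","stage":"ResponseComplete","requestURI":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings","verb":"create","user":{"username":"alice","groups":["dev"]},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"clusterrolebindings","apiGroup":"rbac.authorization.k8s.io","name":"alice-admin"},"responseStatus":{"code":403},"stageTimestamp":"2024-01-01T10:00:02Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a3","stage":"RequestReceived","requestURI":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings","verb":"create","user":{"username":"alice","groups":["dev"]},"stageTimestamp":"2024-01-01T10:00:02Z"}
not-json garbage line that a parser must tolerate
"""

def parse_audit_events(text):
    """Return the ResponseComplete events, skipping other stages and junk lines."""
    events = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # truncated or rotated-file fragment: skip, do not abort the batch
        if ev.get("kind") != "Event" or ev.get("stage") != "ResponseComplete":
            continue  # only the final stage carries responseStatus
        events.append(ev)
    return events

def triage(events):
    """Summarise who did what, and flag successful secret reads and denied requests."""
    summary = {"by_actor": Counter(), "secret_access": [], "denied": []}
    for ev in events:
        ref = ev.get("objectRef", {})
        user = ev.get("user", {}).get("username", "<anonymous>")
        resource = ref.get("resource", "<none>")
        summary["by_actor"][(user, ev.get("verb"), resource)] += 1
        code = ev.get("responseStatus", {}).get("code", 0)
        if resource == "secrets" and code < 400:
            summary["secret_access"].append(ev["auditID"])
        if code in (401, 403):
            summary["denied"].append(ev["auditID"])
    return summary

if __name__ == "__main__":
    s = triage(parse_audit_events(SAMPLE_AUDIT_LOG))
    for key, n in s["by_actor"].items():
        print(f"{key}: {n}")
    print("secret reads:", s["secret_access"], "denied:", s["denied"])
```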
Verification
Log in to Last9 and visit the Logs panel.
Troubleshooting
Please get in touch with us on Discord or Email if you have any questions.