Kubernetes Audit Logs

This guide will help you ingest audit logs from a Kubernetes cluster to Last9. It is useful when you have set up a Kubernetes cluster using tools like kOps and enabled audit logs. If you use EKS and want to ingest audit logs to Last9, please use the AWS Cloudwatch integration.

Pre-requisites

1. You have a Kubernetes Cluster and workload running in it.
2. You have enabled audit logs for your Kubernetes cluster to be written to a file.
3. You have signed up for Last9, created a cluster, and obtained the following OTLP credentials from the Integrations page:
   • endpoint
   • auth_header
4. You have an Otel collector agent dameonset running as per the Last9 Kubernetes logs integration

Enable the volume mounts for Audit Logs

Add the following volumes to the values.yaml to enable the Collector Agent dameonset installed in step 4 above to read the audit logs.

extraVolumes:
  - name: audit-logs
    hostPath:
      path: /var/log
      type: Directory

extraVolumeMounts:
  - name: audit-logs
    mountPath: /var/log
    readOnly: true

Update the Otel Pipeline to read audit logs

Update the receiver section with the following configuration.

receivers:
  filelog:
    include:
      # Read logs from all pods on the node
      - /var/log/pods/*/*/*.log
      # Update this according to the path you have set for the audit log path.
      - /var/log/kube-apiserver-audit.log
    include_file_name: false
    include_file_path: true
    operators:
      - id: container-parser
        max_log_size: 102400
        type: container
    retry_on_failure:
      enabled: true
    start_at: end

Keep all the other settings in values.yaml the same. These two changes will enable the Otel Collector Agent to read audit logs and the logs from all the pods and send them to Last9.

Verification

Login to Last9 and visit the Logs panel.

Troubleshooting

Please get in touch with us on Discord or Email if you have any questions.