Audit prerequisites

Auditing can be enabled once the supported services it depends on are available in the cluster:

Fluentd configuration

Add HTTP input plugin

You first have to add the HTTP input plugin to the fluent.conf file so that Fluentd can receive records sent by HTTP POST.

  • Add HTTP plugin to Fluentd

    <source>
      @type http
      bind 0.0.0.0
      body_size_limit 32m
      keepalive_timeout 10s
      <transport tls>
        ca_path /etc/pki/ca.pem
        cert_path /etc/pki/cert.pem
        private_key_path /etc/pki/key.pem
        private_key_passphrase PASSPHRASE
      </transport>
    </source>
  • An API binding secret named k5-auditlog-settings needs to be created in the namespace, containing the URL of this HTTP input service.

  • The path component of that URL becomes the tag of the log event and can be used to filter logs.

Add ElasticSearch plugin

You also need to add the Elasticsearch output plugin to fluent.conf to forward the log data to Elasticsearch.

  • Add ElasticSearch plugin to Fluentd

    <match tag.here>
      @type elasticsearch
      logstash_format true
      host <hostname> #(optional; default="localhost")
      port <port> #(optional; default=9200)
      index_name <index name> #(optional; default=fluentd)
      type_name <type name> #(optional; default=fluentd)
    </match>

Adding the above block to fluent.conf makes Fluentd send all log events tagged tag.here to the configured Elasticsearch instance.
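The two blocks above only form a usable audit path when the HTTP input is TLS-protected and a matching Elasticsearch output exists. The following is an added example (not code from the original page or its project): a small parser for the Fluentd v1 config subset shown here, and a check that reports the gaps a reviewer would look for. SAMPLE_CONF and the check names are my own constructions.

```python
# Added example, not from the original page: a minimal parser for the Fluentd v1
# config subset shown above (nested <directive arg> blocks, "key value" lines,
# "#" comments) and a check of the audit pipeline it describes. SAMPLE_CONF is
# constructed here and keeps the page's PASSPHRASE placeholder on purpose.
SAMPLE_CONF = """
<source>
  @type http
  <transport tls>
    private_key_passphrase PASSPHRASE
  </transport>
</source>
<match tag.here>
  @type elasticsearch
  host es.internal #(optional; default="localhost")
</match>
"""

def parse_fluent_conf(text):
    root = {"name": "ROOT", "arg": None, "params": {}, "children": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # "#" starts a comment in v1 syntax
        if line.startswith("</"):
            stack.pop()
        elif line.startswith("<"):
            name, _, arg = line[1:-1].partition(" ")
            node = {"name": name, "arg": arg.strip() or None, "params": {}, "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
        elif line:
            key, _, value = line.partition(" ")
            stack[-1]["params"][key] = value.strip()
    assert len(stack) == 1, f"unclosed <{stack[-1]['name']}>"
    return root

def children(node, name):
    return [c for c in node["children"] if c["name"] == name]

def audit_sink_findings(conf):
    findings = []  # each entry is a reason the in_http -> elasticsearch path is weak or broken
    http_sources = [s for s in children(conf, "source") if s["params"].get("@type") == "http"]
    for src in http_sources:
        tls = [t for t in children(src, "transport") if t["arg"] == "tls"]
        if not tls:
            findings.append("http source lacks <transport tls>: records travel in cleartext")
        elif tls[0]["params"].get("private_key_passphrase") == "PASSPHRASE":
            findings.append("private_key_passphrase is still the PASSPHRASE placeholder")
    if not any(m["params"].get("@type") == "elasticsearch" for m in children(conf, "match")):
        findings.append("no <match> with @type elasticsearch: records will be dropped")
    return findings
```

Run `audit_sink_findings(parse_fluent_conf(open("fluent.conf").read()))` against the real file; an empty list means the two prerequisites above are present.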

Note:

Make sure that a Fluentd service is available in the cluster before enabling audit.