
Logagent input plugin for Kubernetes Audit logs

Input Plugin: Kubernetes Audit Logs

Input plugin to receive Kubernetes Audit logs via HTTP.

Features:

  • parse bulk messages

Applications:

  • centralize Kubernetes Audit logs
  • act as webhook to receive Kubernetes Audit logs
  • index Kubernetes Audit logs in Elasticsearch or Sematext Cloud
  • create alerts on Kubernetes Audit logs

Requirements:

  • configure Kubernetes to send Audit logs via webhook

Configuration

# Receive Kubernetes Audit logs via HTTP server
input:
  kubernetesAudit:
    module: input-kubernetes-audit
    # TCP port the HTTP server listens on
    port: 9091
    # set the index dynamically: Audit logs posted to /indexName/ are stored in indexName
    useIndexFromUrlPath: true
    # number of extra processes to fork as web server workers
    worker: 0
    tags:
      receiver: logagent_kubernetes_audit

output:
  # view events on console during test setups
  stdout: yaml
  # ship Audit logs to Sematext Cloud
  elasticsearch:
    module: elasticsearch
    url: https://logsene-receiver.sematext.com
    index: YOUR_LOGS_TOKEN

Start Logagent

logagent --config kubernetes-audit.yml

Note: You can also activate the plugin from the logagent command line with the argument --k8sAudit portNumber. The following command listens on TCP port 9091 for Kubernetes Audit logs and prints them to the console in YAML format.

logagent --k8sAudit 9091 --yaml
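
For the requirement listed above (configure Kubernetes to send Audit logs via webhook), the following is an added example of the kube-apiserver side, not taken from the Logagent project. The file paths and the host name logagent.example.internal are placeholders; port 9091 and the index path segment follow the plugin configuration on this page. Because the plugin receives logs over plain HTTP, the example assumes Logagent is reachable only on a trusted cluster-internal network and keeps Secret and ConfigMap payloads out of the audit stream.

```yaml
# kube-apiserver flags that load the two files below (paths are placeholders):
#   --audit-policy-file=/etc/kubernetes/audit/policy.yaml
#   --audit-webhook-config-file=/etc/kubernetes/audit/webhook.yaml
#   --audit-webhook-batch-max-size=100   # events per POST; each POST is one bulk message
#
# --- /etc/kubernetes/audit/policy.yaml ---
# Audit policy: which requests are recorded and at what level.
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
  - RequestReceived            # drop the early stage that duplicates each request
rules:
  # Secrets and ConfigMaps: metadata only, so their contents are never shipped
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
  # Everything else: metadata plus the request body
  - level: Request
---
# --- /etc/kubernetes/audit/webhook.yaml ---
# Webhook backend definition, written in kubeconfig format.
apiVersion: v1
kind: Config
clusters:
  - name: logagent
    cluster:
      # Port 9091 matches "port" in the plugin config. The path segment is used
      # as the index because useIndexFromUrlPath is true.
      server: http://logagent.example.internal:9091/YOUR_LOGS_TOKEN/
contexts:
  - name: default
    context:
      cluster: logagent
      user: ""
current-context: default
preferences: {}
users: []
```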