You are viewing docs on Elastic's new documentation system, currently in technical preview. For all other Elastic docs, visit elastic.co/guide.
Last updated: Apr 10th, 2023

Kubernetes Audit Logs

Collect audit logs from Kubernetes nodes with Elastic Agent.

What is an Elastic integration?

This integration is powered by Elastic Agent. Elastic Agent is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to our documentation for a detailed comparison between Beats and Elastic Agent.

Prefer to use Beats for this use case? See Filebeat modules for logs or Metricbeat modules for metrics.

audit-logs integration collects and parses Kubernetes audit logs.

It requires access to the log files on each Kubernetes node where the audit logs are stored. This defaults to /var/log/kubernetes/kube-apiserver-audit.log.

An example event for audit looks as following:

{
    "kubernetes": {
        "audit": {
            "auditID": "bcacfeaa-5ab5-48de-8bac-3a87d1474b6a",
            "requestReceivedTimestamp": "2022-08-31T08:09:39.660940Z",
            "level": "RequestResponse",
            "kind": "Event",
            "verb": "get",
            "annotations": {
                "authorization_k8s_io/decision": "allow",
                "authorization_k8s_io/reason": "RBAC: allowed by ClusterRoleBinding \"system:public-info-viewer\" of ClusterRole \"system:public-info-viewer\" to Group \"system:unauthenticated\""
            },
            "userAgent": "kube-probe/1.24",
            "requestURI": "/readyz",
            "responseStatus": {
                "metadata": {},
                "code": 200
            },
            "stageTimestamp": "2022-08-31T08:09:39.662241Z",
            "sourceIPs": [
                "172.18.0.2"
            ],
            "apiVersion": "audit.k8s.io/v1",
            "stage": "ResponseComplete",
            "user": {
                "groups": [
                    "system:unauthenticated"
                ],
                "username": "system:anonymous"
            }
        }
    },
    "input": {
        "type": "filestream"
    },
    "agent": {
        "name": "kind-control-plane",
        "id": "6e730a0c-7da5-48ff-b4c9-f6c63844975d",
        "type": "filebeat",
        "ephemeral_id": "d27511c8-9cd1-402c-8b1b-234abbd9dcae",
        "version": "8.4.0"
    },
    "@timestamp": "2022-08-31T08:09:57.520Z",
    "ecs": {
        "version": "8.0.0"
    },
    "log": {
        "file": {
            "path": "/var/log/kubernetes/kube-apiserver-audit-1.log"
        },
        "offset": 20995
    },
    "data_stream": {
        "namespace": "default",
        "type": "logs",
        "dataset": "kubernetes.audit_logs"
    },
    "host": {
        "hostname": "kind-control-plane",
        "os": {
            "kernel": "5.10.104-linuxkit",
            "codename": "focal",
            "name": "Ubuntu",
            "type": "linux",
            "family": "debian",
            "version": "20.04.4 LTS (Focal Fossa)",
            "platform": "ubuntu"
        },
        "containerized": false,
        "ip": [
            "10.244.0.1",
            "10.244.0.1",
            "10.244.0.1",
            "172.30.0.3",
            "172.18.0.2",
            "fc00:f853:ccd:e793::2",
            "fe80::42:acff:fe12:2"
        ],
        "name": "kind-control-plane",
        "id": "5016511f0829451ea244f458eebf2212",
        "mac": [
            "02:42:ac:12:00:02",
            "02:42:ac:1e:00:03",
            "3a:ba:49:df:78:35",
            "86:c7:fe:c8:fa:22",
            "d6:48:c1:a2:a4:15"
        ],
        "architecture": "x86_64"
    },
    "elastic_agent": {
        "id": "6e730a0c-7da5-48ff-b4c9-f6c63844975d",
        "version": "8.4.0",
        "snapshot": false
    },
    "event": {
        "agent_id_status": "verified",
        "ingested": "2022-08-31T08:09:58Z",
        "dataset": "kubernetes.audit_logs"
    }
}

Exported fields

FieldDescriptionType
@timestamp
Event timestamp.
date
agent.ephemeral_id
Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but agent.id does not.
keyword
agent.id
Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.
keyword
agent.name
Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty.
keyword
agent.type
Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.
keyword
agent.version
Version of the agent.
keyword
cloud.account.id
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
keyword
cloud.availability_zone
Availability zone in which this host is running.
keyword
cloud.image.id
Image ID for the cloud instance.
keyword
cloud.instance.id
Instance ID of the host machine.
keyword
cloud.instance.name
Instance name of the host machine.
keyword
cloud.machine.type
Machine type of the host machine.
keyword
cloud.project.id
Name of the project in Google Cloud.
keyword
cloud.provider
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
keyword
cloud.region
Region in which this host is running.
keyword
data_stream.dataset
Data stream dataset.
constant_keyword
data_stream.namespace
Data stream namespace.
constant_keyword
data_stream.type
Data stream type.
constant_keyword
ecs.version
ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
keyword
error.message
Error message.
match_only_text
event.dataset
Event Dataset.
constant_keyword
event.ingested
Timestamp when an event arrived in the central data store. This is different from @timestamp, which is when the event originally occurred. It's also different from event.created, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: @timestamp < event.created < event.ingested.
date
host.architecture
Operating system architecture.
keyword
host.containerized
If the host is a container.
boolean
host.domain
Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider.
keyword
host.hostname
Hostname of the host. It normally contains what the hostname command returns on the host machine.
keyword
host.id
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name.
keyword
host.ip
Host ip addresses.
ip
host.mac
Host mac addresses.
keyword
host.name
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
keyword
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
host.os.family
OS family (such as redhat, debian, freebsd, windows).
keyword
host.os.kernel
Operating system kernel version as a raw string.
keyword
host.os.name
Operating system name, without the version.
keyword
host.os.name.text
Multi-field of host.os.name.
text
host.os.platform
Operating system platform (such centos, ubuntu, windows).
keyword
host.os.version
Operating system version as a raw string.
keyword
host.type
Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment.
keyword
input.type
Type of input.
keyword
kubernetes.audit.annotations.authorization_k8s_io/decision
keyword
kubernetes.audit.annotations.authorization_k8s_io/reason
text
kubernetes.audit.apiVersion
Audit event api version
keyword
kubernetes.audit.auditID
Unique audit ID, generated for each request
keyword
kubernetes.audit.impersonatedUser.extra.*
Any additional information provided by the authenticator
object
kubernetes.audit.impersonatedUser.groups
The names of groups this user is a part of
text
kubernetes.audit.impersonatedUser.uid
A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs
keyword
kubernetes.audit.impersonatedUser.username
The name that uniquely identifies this user among all active users
keyword
kubernetes.audit.kind
Kind of the audit event
keyword
kubernetes.audit.level
AuditLevel at which event was generated
keyword
kubernetes.audit.objectRef.apiGroup
The name of the API group that contains the referred object. The empty string represents the core API group.
keyword
kubernetes.audit.objectRef.apiVersion
The version of the API group that contains the referred object
keyword
kubernetes.audit.objectRef.name
keyword
kubernetes.audit.objectRef.namespace
keyword
kubernetes.audit.objectRef.resource
keyword
kubernetes.audit.objectRef.resourceVersion
keyword
kubernetes.audit.objectRef.subresource
keyword
kubernetes.audit.objectRef.uid
keyword
kubernetes.audit.requestObject.rules
nested
kubernetes.audit.requestObject.spec.containers.image
text
kubernetes.audit.requestObject.spec.containers.securityContext.allowPrivilegeEscalation
boolean
kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add
keyword
kubernetes.audit.requestObject.spec.containers.securityContext.privileged
boolean
kubernetes.audit.requestObject.spec.containers.securityContext.procMount
keyword
kubernetes.audit.requestObject.spec.containers.securityContext.runAsGroup
integer
kubernetes.audit.requestObject.spec.containers.securityContext.runAsNonRoot
boolean
kubernetes.audit.requestObject.spec.containers.securityContext.runAsUser
integer
kubernetes.audit.requestObject.spec.containers.volumeMounts
flattened
kubernetes.audit.requestObject.spec.hostIPC
boolean
kubernetes.audit.requestObject.spec.hostNetwork
boolean
kubernetes.audit.requestObject.spec.hostPID
boolean
kubernetes.audit.requestObject.spec.restartPolicy
keyword
kubernetes.audit.requestObject.spec.securityContext.runAsGroup
integer
kubernetes.audit.requestObject.spec.securityContext.runAsNonRoot
boolean
kubernetes.audit.requestObject.spec.securityContext.runAsUser
integer
kubernetes.audit.requestObject.spec.serviceAccountName
keyword
kubernetes.audit.requestObject.spec.type
keyword
kubernetes.audit.requestObject.spec.volumes.hostPath
flattened
kubernetes.audit.requestReceivedTimestamp
Time the request reached the apiserver
date
kubernetes.audit.requestURI
RequestURI is the request URI as sent by the client to a server
keyword
kubernetes.audit.responseObject.roleRef.kind
keyword
kubernetes.audit.responseObject.rules
nested
kubernetes.audit.responseObject.spec.containers.securityContext.allowPrivilegeEscalation
boolean
kubernetes.audit.responseObject.spec.containers.securityContext.privileged
boolean
kubernetes.audit.responseObject.spec.containers.securityContext.runAsUser
integer
kubernetes.audit.responseObject.spec.containers.volumeMounts
flattened
kubernetes.audit.responseObject.spec.hostIPC
boolean
kubernetes.audit.responseObject.spec.hostNetwork
boolean
kubernetes.audit.responseObject.spec.hostPID
boolean
kubernetes.audit.responseObject.spec.restartPolicy
keyword
kubernetes.audit.responseObject.spec.volumes.hostPath
flattened
kubernetes.audit.responseStatus.code
Suggested HTTP return code for this status, 0 if not set
integer
kubernetes.audit.responseStatus.message
A human-readable description of the status of this operation
text
kubernetes.audit.responseStatus.reason
A machine-readable description of why this operation is in the "Failure" status. If this value is empty there is no information available. A Reason clarifies an HTTP status code but does not override it
keyword
kubernetes.audit.responseStatus.status
Status of the operation
keyword
kubernetes.audit.sourceIPs
Source IPs, from where the request originated and intermediate proxies
text
kubernetes.audit.stage
Stage of the request handling when this event instance was generated
keyword
kubernetes.audit.stageTimestamp
Time the request reached current audit stage
date
kubernetes.audit.user.extra.*
Any additional information provided by the authenticator
object
kubernetes.audit.user.groups
The names of groups this user is a part of
text
kubernetes.audit.user.uid
A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs
keyword
kubernetes.audit.user.username
The name that uniquely identifies this user among all active users
keyword
kubernetes.audit.userAgent
UserAgent records the user agent string reported by the client. Note that the UserAgent is provided by the client, and must not be trusted
keyword
kubernetes.audit.verb
Verb is the kubernetes verb associated with the request. For non-resource requests, this is the lower-cased HTTP method
keyword
log.file.path
Path to the log file.
keyword
log.offset
Offset of the entry in the log file.
long
message
For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.
match_only_text

Changelog

VersionDetails
1.35.0
Enhancement View pull request
Add NetworkUnavailable condition to state node
1.34.1
Enhancement View pull request
Add support for TSDB on all metric data streams except the state ones
1.34.0
Enhancement View pull request
Add support for TSDB on all state metric data streams
1.33.0
Enhancement View pull request
Add data_stream.dataset setting and custom yaml input.
1.32.2
Enhancement View pull request
Added link to docs for condition filter
1.32.1
Enhancement View pull request
Added categories and/or subcategories.
1.32.0
Enhancement View pull request
Add documentation for how to install alerts
1.31.2
Enhancement View pull request
Add system testing for state service datastream
1.31.1
Enhancement View pull request
Update controller manager, proxy and scheduler metrics and dashboards
1.31.0
Enhancement View pull request
Use datas_tream.dataset as pre filters for dashboards and remove tags
1.30.0
Enhancement View pull request
Add missing namespace_uid and namespace_labels fields
1.29.2
Bug fix View pull request
Fix function for memory node usage
1.29.1
Bug fix View pull request
Fix removed condition setting for container_logs
1.29.0
Bug fix View pull request
Remove "Control Plane" column from Node Information table
1.28.2
Bug fix View pull request
Fix Pod Memory usage panel title
1.28.1
Enhancement View pull request
Delete statefulset, job and cronjob visualizations from Cluster Overview dashboard
1.28.0
Enhancement View pull request
Adding banner for Kube-state metrics
1.27.1
Enhancement View pull request
Fix typo in cluster overview dashboard
1.27.0
Enhancement View pull request
New cluster overview dashboard
1.26.0
Enhancement View pull request
Add processors configuration option for Kubernetes data_streams
1.25.0
Enhancement View pull request
Add condition configuration option to container logs data stream
1.24.0
Enhancement View pull request
Add fields to audit logs data stream
1.23.1
Enhancement View pull request
Add missing dimension fields
1.23.0
Enhancement View pull request
Add fields to audit logs data stream
1.22.1
Enhancement View pull request
Fix overlapping fields in state_job data stream
1.22.0
Enhancement View pull request
Update apiserver and controllermanaged deprecated fields and dashboards
1.21.2
Bug fix View pull request
add container ID and pod name as part of Kubernetes Cotainer Logs filestream input
1.21.1
Enhancement View pull request
improved the wording of the link to Kubernetes documentation
1.21.0
Enhancement View pull request
Add new dashboards
1.20.0
Enhancement View pull request
Change fields type for audit_logs data_stream to use requestObject and responseObject fields of audit events. Disable dynamic mapping for audit_logs data_stream. Drop kubernetes.audit.responseObject.metadata and kubernetes.audit.requestObject.metadata
1.19.1
Enhancement View pull request
Add documentation for volume field
1.19.0
Enhancement View pull request
Add missed ecs fields
1.18.1
Enhancement View pull request
Add documentation for multi-fields
1.18.0
Enhancement View pull request
Fix k8s overview dashboard
1.17.3
Bug fix View pull request
Remove incorrectly tagged boolean dimension
1.17.2
Bug fix View pull request
Add missing metadata fields
1.17.1
Enhancement View pull request
Improve default ndjson parser configuration
1.17.0
Enhancement View pull request
Disable audit logs collection by default
1.16.0
Enhancement View pull request
Documentation improvements
1.15.0
Enhancement View pull request
Add ssl.certificate_authorities configuration
1.14.3
Bug fix View pull request
Add missing job.name and cronjob.name fields to state_container datastream
1.14.2
Bug fix View pull request
Add missing job.name and cronjob.name fields to container related datastreams
1.14.1
Bug fix View pull request
Add missing job.name and cronjob.name fields added by metadata generators
1.14.0
Enhancement View pull request
Tune state_metrics settings
1.13.0
Enhancement View pull request
Update to ECS 8.0
1.12.0
Enhancement View pull request
Expose add_recourse_metadata configuration option
1.11.0
Enhancement View pull request
Add memory.working_set.limit.pct for pod and container data streams
1.10.0
Enhancement View pull request
Add leader election in state_job data stream
1.9.0
Enhancement View pull request
Add missing fields
1.8.1
Bug fix View pull request
Set kubernetes.volume.fs.used.pct to scaled_float
1.8.0
Enhancement View pull request
Support json logs parsing
1.7.0
Enhancement View pull request
Add new audit logs data stream in kubernetes integration
1.6.0
Enhancement View pull request
Add skip_older option for event datastream
1.5.0
Enhancement View pull request
Revert Kubernetes namespace field breaking change
1.4.2
Enhancement View pull request
Add dimension fields
1.4.1
Enhancement View pull request
Remove overriding of index pattern on the Kubernetes overview dashboard
1.4.0
Enhancement View pull request
Use filestream input for container_logs data stream
1.3.3
Bug fix View pull request
Fix conditions of data_streams that are based on k8s labels & add condition in pipelines
1.3.2
Enhancement View pull request
Set default host for proxy to localhost
1.3.1
Enhancement View pull request
Uniform with guidelines
1.3.0
Enhancement View pull request
Add container_logs ecs fields
1.2.1
Bug fix View pull request
Update Kubernetes cluster_ip field type
1.2.0
Enhancement View pull request
Update Kubernetes namespace field
1.1.1
Bug fix View pull request
Update Kubernetes integration Readme
1.1.0
Enhancement View pull request
Update to ECS 1.12.0
1.0.0
Enhancement View pull request
Release Kubernetes as GA
0.14.1
Enhancement View pull request
Update default host in kubernetes proxy data stream in kubernetes integration
0.14.0
Enhancement View pull request
Add new container logs data stream in kubernetes integration
0.13.0
Enhancement View pull request
Leverage dynamic kubernetes provider for controller and scheduler datastream
0.12.2
Bug fix View pull request
Add missing field "kubernetes.daemonset.name" field for pod and container data streams
0.12.1
Bug fix View pull request
Add missing cluster filter for "orchestrator.cluster.name" field in [Metrics Kubernetes] Overview dashboard and Dashboard section in the integration overview page
0.12.0
Enhancement View pull request
Update kubernetes package ecs fields with orchestrator.cluster.url and orchestrator.cluster.name
0.11.1
Enhancement View pull request
Escape special characters in docs
0.11.0
Enhancement View pull request
Update documentation to fit mdx spec
0.10.0
Enhancement View pull request
Update integration description
0.9.1
Bug fix View pull request
Add missing field "kubernetes.daemonset.name" field for state_pod and state_container
0.9.0
Enhancement View pull request
Enhance kubernetes package with state_job data stream
0.8.0
Enhancement View pull request
Leverage leader election in kubernetes integration
0.7.0
Enhancement View pull request
Add _meta information to Kubernetes fields
0.6.0
Enhancement View pull request
Introduce kubernetes package granularity using input_groups
0.5.3
Enhancement View pull request
Add missing field "kubernetes.statefulset.replicas.ready"
0.5.2
Bug fix View pull request
Fix stack compatability
0.5.1
Bug fix View pull request
Fix references to env variables
0.5.0
Enhancement View pull request
Add missing field "kubernetes.selectors.*" and extra https settings for controllermanager and scheduler datastreams
0.4.5
Enhancement View pull request
Add missing field "kubernetes.pod.ip"
0.4.4
Enhancement View pull request
Updating package owner
0.4.3
Bug fix View pull request
Correct sample event file.
0.4.2
Bug fix View pull request
Change kibana.version constraint to be more conservative.
0.4.1
Enhancement View pull request
Add missing fields
0.1.0
Enhancement View pull request
initial release