Audit prerequisites
Before auditing can be enabled, the supported services listed below must be available in the cluster:
Fluentd configuration
Add HTTP input plugin
You first have to add the HTTP input plugin to the fluent.conf file so that Fluentd retrieves records from HTTP POST requests.
<source>
  @type http
  bind 0.0.0.0
  body_size_limit 32m
  keepalive_timeout 10s
  <transport tls>
    ca_path /etc/pki/ca.pem
    cert_path /etc/pki/cert.pem
    private_key_path /etc/pki/key.pem
    private_key_passphrase PASSPHRASE
  </transport>
</source>
An API binding secret named k5-auditlog-settings needs to be created in the namespace with this service URL. The path in the above URL is used to create the tag for the log event and can be used to filter logs.
Add ElasticSearch plugin
You also need to add the Elasticsearch output plugin to fluent.conf to transfer log data to Elasticsearch.
Add ElasticSearch plugin to Fluentd
<match tag.here>
  @type elasticsearch
  logstash_format true
  host <hostname>      #(optional; default="localhost")
  port <port>          #(optional; default=9200)
  index_name <index name>  #(optional; default=fluentd)
  type_name <type name>    #(optional; default=fluentd)
</match>
Add the above plugin configuration to fluent.conf so that Fluentd sends all logs carrying the tag tag.here to the configured Elasticsearch instance.
Note: Make sure that a Fluentd service is available in the cluster before enabling audit.