Kubernetes Audit Logs
Kubernetes Audit Logs provide a detailed record of events and API calls made within a Kubernetes cluster. These logs capture information such as who made a request, the resources accessed or modified, and the outcome of the request. Kubernetes audit logs are essential for tracking cluster activity, monitoring user actions, ensuring security compliance, and investigating potential security incidents or misconfigurations within the cluster.
Ingest Methods
Set up ingestion of this source using one of the following guides.
If using an AWS S3 bucket, use the following SNS topic ARN to send your bucket notifications.
SNS topic and Custom SQS: use the ARN above in the event notification attached to your S3 bucket. The topic name must match the form runreveal_…, where hyphens in the source id become underscores. For Custom SQS, set the queue URL and region in RunReveal; see AWS S3 Bucket with Custom SQS.
Note: BYOC, On-Prem, and BYODB customers must use their AWS account ID in the ARN instead of 253602268883.
Setup
Shipping your logs to a storage bucket can be done with Fluentd or a similar log forwarder. Whatever tool you use, the logs are expected to be line-delimited JSON: one Kubernetes audit event object per line.
Schema
The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.
Table: kubernetes_audit_logs (69 columns)

| Column | Type |
|---|---|
| workspaceID | String |
| sourceID | String |
| sourceType | LowCardinality(String) |
| sourceTTL | UInt32 |
| receivedAt | DateTime |
| id | String |
| eventTime | DateTime |
| eventName | String |
| eventID | String |
| srcIP | String |
| srcASCountryCode | String |
| srcASNumber | UInt32 |
| srcASOrganization | String |
| srcCity | String |
| srcConnectionType | String |
| srcISP | String |
| srcLatitude | Float64 |
| srcLongitude | Float64 |
| srcUserType | String |
| dstIP | String |
| dstASCountryCode | String |
| dstASNumber | UInt32 |
| dstASOrganization | String |
| dstCity | String |
| dstConnectionType | String |
| dstISP | String |
| dstLatitude | Float64 |
| dstLongitude | Float64 |
| dstUserType | String |
| actor | Map(String, String) |
| tags | Map(String, String) |
| resources | Array(String) |
| serviceName | String |
| readOnly | Bool |
| rawLog | String |
| Column | Type |
|---|---|
| date | DateTime |
| stream | String |
| time | DateTime |
| kind | String |
| apiVersion | String |
| level | String |
| auditID | String |
| stage | String |
| requestURI | String |
| verb | String |
| user.username | String |
| user.groups | Array(String) |
| sourceIPs | Array(String) |
| userAgent | String |
| objectRef.resource | String |
| objectRef.namespace | String |
| objectRef.name | String |
| objectRef.apiVersion | String |
| responseStatus.metadata | String |
| responseStatus.code | Int64 |
| requestReceivedTimestamp | String |
| stageTimestamp | String |
| annotations.authorization.k8s.io.decision | String |
| annotations.authorization.k8s.io.reason | String |
| kubernetes.pod_name | String |
| kubernetes.namespace_name | String |
| kubernetes.pod_id | String |
| kubernetes.labels.component | String |
| kubernetes.labels.tier | String |
| kubernetes.host | String |
| kubernetes.container_name | String |
| kubernetes.docker_id | String |
| kubernetes.container_hash | String |
| kubernetes.container_image | String |
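The following Python is an added example, not RunReveal's own ingestion code. It shows how the line-delimited JSON that the Setup section expects maps onto the dotted column names in the schema above, and how two simple detection checks read those columns. The audit events in `SAMPLE_LINES` are constructed for illustration, and the flattening rules are assumptions: nested keys are joined with `.`, the `/` in annotation keys such as `authorization.k8s.io/decision` also becomes `.`, and `responseStatus.metadata` is kept as a JSON string because the schema types it as String.

```python
import json
from typing import Iterable

READ_ONLY_VERBS = {"get", "list", "watch"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}

# Nested objects the schema exposes as one String column instead of sub-columns
# (assumption based on the column types listed on this page).
STRINGIFY_AT = {"responseStatus.metadata"}

# Constructed sample: three audit.k8s.io/v1 events plus one truncated line, as a
# log shipper would hand them over. auditIDs and names are made up.
SAMPLE_LINES = [
    json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
        "auditID": "evt-1", "stage": "ResponseComplete", "verb": "get",
        "requestURI": "/api/v1/namespaces/kube-system/secrets/example-secret",
        "user": {"username": "system:serviceaccount:default:ci-runner",
                 "groups": ["system:serviceaccounts", "system:authenticated"]},
        "sourceIPs": ["10.0.0.12"], "userAgent": "kubectl/v1.29.0",
        "objectRef": {"resource": "secrets", "namespace": "kube-system",
                      "name": "example-secret", "apiVersion": "v1"},
        "responseStatus": {"metadata": {}, "code": 403},
        "requestReceivedTimestamp": "2024-01-01T00:00:00.000000Z",
        "stageTimestamp": "2024-01-01T00:00:00.001000Z",
        "annotations": {"authorization.k8s.io/decision": "forbid",
                        "authorization.k8s.io/reason": ""},
    }),
    json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
        "auditID": "evt-2", "stage": "ResponseComplete", "verb": "delete",
        "requestURI": "/apis/apps/v1/namespaces/apps/deployments/web",
        "user": {"username": "alice", "groups": ["system:authenticated"]},
        "sourceIPs": ["10.0.0.7"], "userAgent": "kubectl/v1.29.0",
        "objectRef": {"resource": "deployments", "namespace": "apps",
                      "name": "web", "apiVersion": "apps/v1"},
        "responseStatus": {"metadata": {}, "code": 200},
        "annotations": {"authorization.k8s.io/decision": "allow",
                        "authorization.k8s.io/reason": "RBAC: allowed by RoleBinding"},
    }),
    '{"kind": "Event", "auditID": "evt-trunc", "verb": "cre',  # truncated line
    json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
        "auditID": "evt-3", "stage": "ResponseComplete", "verb": "create",
        "requestURI": "/api/v1/namespaces/prod/secrets",
        "user": {"username": "bob", "groups": ["system:authenticated"]},
        "sourceIPs": ["10.0.0.9"], "userAgent": "kubectl/v1.29.0",
        "objectRef": {"resource": "secrets", "namespace": "prod",
                      "name": "db-creds", "apiVersion": "v1"},
        "responseStatus": {"metadata": {}, "code": 201},
        "annotations": {"authorization.k8s.io/decision": "allow",
                        "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding"},
    }),
]


def flatten(obj: dict, prefix: str = "") -> dict:
    """Flatten a nested audit event into the dotted column names of the schema."""
    row: dict = {}
    for key, value in obj.items():
        col = f"{prefix}{key}".replace("/", ".")
        if isinstance(value, dict) and col not in STRINGIFY_AT:
            row.update(flatten(value, col + "."))
        elif isinstance(value, dict):
            row[col] = json.dumps(value, sort_keys=True)
        else:
            row[col] = value  # scalars and arrays (e.g. user.groups) are kept as-is
    return row


def parse_lines(lines: Iterable[str]) -> list[dict]:
    """Parse line-delimited JSON; a blank or truncated line is skipped rather
    than aborting the batch, and readOnly is derived from the verb."""
    rows = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(event, dict) or event.get("kind") != "Event":
            continue
        row = flatten(event)
        row["readOnly"] = row.get("verb") in READ_ONLY_VERBS
        rows.append(row)
    return rows


def flag_events(rows: list[dict]) -> list[tuple[str, str]]:
    """Two reusable checks over the flattened columns: requests the API server
    denied, and any write verb against Secret objects."""
    findings = []
    for row in rows:
        audit_id = row.get("auditID", "")
        if row.get("annotations.authorization.k8s.io.decision") == "forbid":
            findings.append((audit_id, "authorization denied"))
        if row.get("objectRef.resource") == "secrets" and row.get("verb") in WRITE_VERBS:
            findings.append((audit_id, "write to secret"))
    return findings


if __name__ == "__main__":
    parsed = parse_lines(SAMPLE_LINES)
    for r in parsed:
        print(r["auditID"], r["verb"], r["objectRef.resource"], r["responseStatus.code"])
    print(flag_events(parsed))
```

Running the block parses the three well-formed events, drops the truncated one, and reports `evt-1` (denied read of a Secret) and `evt-3` (Secret created), while the allowed Deployment deletion in `evt-2` is left alone; the same column names would be used in a query against the `kubernetes_audit_logs` table.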