audit-logs
editaudit-logs
editVersion |
1.68.1 (View all) |
Compatible Kibana version(s) |
8.15.0 or higher |
Supported Serverless project types |
Security |
Subscription level |
Basic |
audit-logs integration collects and parses Kubernetes audit logs.
It requires access to the log files on each Kubernetes node where the audit logs are stored.
This defaults to /var/log/kubernetes/kube-apiserver-audit.log
.
Example
An example event for audit
looks as following:
{ "kubernetes": { "audit": { "auditID": "bcacfeaa-5ab5-48de-8bac-3a87d1474b6a", "requestReceivedTimestamp": "2022-08-31T08:09:39.660940Z", "level": "RequestResponse", "kind": "Event", "verb": "get", "annotations": { "authorization_k8s_io/decision": "allow", "authorization_k8s_io/reason": "RBAC: allowed by ClusterRoleBinding \"system:public-info-viewer\" of ClusterRole \"system:public-info-viewer\" to Group \"system:unauthenticated\"" }, "userAgent": "kube-probe/1.24", "requestURI": "/readyz", "responseStatus": { "metadata": {}, "code": 200 }, "stageTimestamp": "2022-08-31T08:09:39.662241Z", "sourceIPs": [ "172.18.0.2" ], "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete", "user": { "groups": [ "system:unauthenticated" ], "username": "system:anonymous" } } }, "input": { "type": "filestream" }, "agent": { "name": "kind-control-plane", "id": "6e730a0c-7da5-48ff-b4c9-f6c63844975d", "type": "filebeat", "ephemeral_id": "d27511c8-9cd1-402c-8b1b-234abbd9dcae", "version": "8.4.0" }, "@timestamp": "2022-08-31T08:09:57.520Z", "ecs": { "version": "8.0.0" }, "log": { "file": { "path": "/var/log/kubernetes/kube-apiserver-audit-1.log" }, "offset": 20995 }, "data_stream": { "namespace": "default", "type": "logs", "dataset": "kubernetes.audit_logs" }, "elastic_agent": { "id": "6e730a0c-7da5-48ff-b4c9-f6c63844975d", "version": "8.4.0", "snapshot": false }, "event": { "agent_id_status": "verified", "ingested": "2022-08-31T08:09:58Z", "dataset": "kubernetes.audit_logs" } }
Exported fields
Field | Description | Type |
---|---|---|
@timestamp |
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. |
date |
agent.ephemeral_id |
Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but |
keyword |
agent.id |
Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. |
keyword |
agent.name |
Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. |
keyword |
agent.type |
Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. |
keyword |
agent.version |
Version of the agent. |
keyword |
client.ip |
IP address of the client (IPv4 or IPv6). |
ip |
cloud.account.id |
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. |
keyword |
cloud.availability_zone |
Availability zone in which this host, resource, or service is located. |
keyword |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
cloud.instance.id |
Instance ID of the host machine. |
keyword |
cloud.instance.name |
Instance name of the host machine. |
keyword |
cloud.machine.type |
Machine type of the host machine. |
keyword |
cloud.project.id |
The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. |
keyword |
cloud.provider |
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
keyword |
cloud.region |
Region in which this host, resource, or service is located. |
keyword |
data_stream.dataset |
The field can contain anything that makes sense to signify the source of the data. Examples include |
constant_keyword |
data_stream.namespace |
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with |
constant_keyword |
data_stream.type |
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. |
constant_keyword |
ecs.version |
ECS version this event conforms to. |
keyword |
error.message |
Error message. |
match_only_text |
event.action |
The action captured by the event. This describes the information in the event. It is more specific than |
keyword |
event.dataset |
Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It’s recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. |
keyword |
event.ingested |
Timestamp when an event arrived in the central data store. This is different from |
date |
event.kind |
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. |
keyword |
event.outcome |
This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. |
keyword |
host.architecture |
Operating system architecture. |
keyword |
host.containerized |
If the host is a container. |
boolean |
host.domain |
Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. |
keyword |
host.hostname |
Hostname of the host. It normally contains what the |
keyword |
host.id |
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of |
keyword |
host.ip |
Host ip addresses. |
ip |
host.mac |
Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
host.name |
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. |
keyword |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
host.os.family |
OS family (such as redhat, debian, freebsd, windows). |
keyword |
host.os.kernel |
Operating system kernel version as a raw string. |
keyword |
host.os.name |
Operating system name, without the version. |
keyword |
host.os.name.text |
Multi-field of |
match_only_text |
host.os.platform |
Operating system platform (such centos, ubuntu, windows). |
keyword |
host.os.version |
Operating system version as a raw string. |
keyword |
host.type |
Type of host. For Cloud providers this can be the machine type like |
keyword |
input.type |
Type of input. |
keyword |
kubernetes.audit.annotations.authorization_k8s_io/decision |
keyword |
|
kubernetes.audit.annotations.authorization_k8s_io/reason |
text |
|
kubernetes.audit.apiVersion |
Audit event api version |
keyword |
kubernetes.audit.auditID |
Unique audit ID, generated for each request |
keyword |
kubernetes.audit.impersonatedUser.extra.* |
Any additional information provided by the authenticator |
object |
kubernetes.audit.impersonatedUser.groups |
The names of groups this user is a part of |
keyword |
kubernetes.audit.impersonatedUser.uid |
A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs |
keyword |
kubernetes.audit.impersonatedUser.username |
The name that uniquely identifies this user among all active users |
keyword |
kubernetes.audit.kind |
Kind of the audit event |
keyword |
kubernetes.audit.level |
AuditLevel at which event was generated |
keyword |
kubernetes.audit.objectRef.apiGroup |
The name of the API group that contains the referred object. The empty string represents the core API group. |
keyword |
kubernetes.audit.objectRef.apiVersion |
The version of the API group that contains the referred object |
keyword |
kubernetes.audit.objectRef.name |
keyword |
|
kubernetes.audit.objectRef.namespace |
keyword |
|
kubernetes.audit.objectRef.resource |
keyword |
|
kubernetes.audit.objectRef.resourceVersion |
keyword |
|
kubernetes.audit.objectRef.subresource |
keyword |
|
kubernetes.audit.objectRef.uid |
keyword |
|
kubernetes.audit.requestObject.roleRef.name |
keyword |
|
kubernetes.audit.requestObject.rules |
nested |
|
kubernetes.audit.requestObject.spec.containers.command |
text |
|
kubernetes.audit.requestObject.spec.containers.image |
keyword |
|
kubernetes.audit.requestObject.spec.containers.name |
keyword |
|
kubernetes.audit.requestObject.spec.containers.securityContext.allowPrivilegeEscalation |
boolean |
|
kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add |
keyword |
|
kubernetes.audit.requestObject.spec.containers.securityContext.privileged |
boolean |
|
kubernetes.audit.requestObject.spec.containers.securityContext.procMount |
keyword |
|
kubernetes.audit.requestObject.spec.containers.securityContext.runAsGroup |
integer |
|
kubernetes.audit.requestObject.spec.containers.securityContext.runAsNonRoot |
boolean |
|
kubernetes.audit.requestObject.spec.containers.securityContext.runAsUser |
integer |
|
kubernetes.audit.requestObject.spec.containers.securityContext.seccompProfile.type |
keyword |
|
kubernetes.audit.requestObject.spec.containers.volumeMounts |
flattened |
|
kubernetes.audit.requestObject.spec.hostIPC |
boolean |
|
kubernetes.audit.requestObject.spec.hostNetwork |
boolean |
|
kubernetes.audit.requestObject.spec.hostPID |
boolean |
|
kubernetes.audit.requestObject.spec.restartPolicy |
keyword |
|
kubernetes.audit.requestObject.spec.securityContext.runAsGroup |
integer |
|
kubernetes.audit.requestObject.spec.securityContext.runAsNonRoot |
boolean |
|
kubernetes.audit.requestObject.spec.securityContext.runAsUser |
integer |
|
kubernetes.audit.requestObject.spec.serviceAccountName |
keyword |
|
kubernetes.audit.requestObject.spec.type |
keyword |
|
kubernetes.audit.requestObject.spec.volumes.hostPath |
flattened |
|
kubernetes.audit.requestReceivedTimestamp |
Time the request reached the apiserver |
date |
kubernetes.audit.requestURI |
RequestURI is the request URI as sent by the client to a server |
keyword |
kubernetes.audit.responseObject.roleRef.kind |
keyword |
|
kubernetes.audit.responseObject.rules |
nested |
|
kubernetes.audit.responseObject.spec.containers.securityContext.allowPrivilegeEscalation |
boolean |
|
kubernetes.audit.responseObject.spec.containers.securityContext.privileged |
boolean |
|
kubernetes.audit.responseObject.spec.containers.securityContext.runAsUser |
integer |
|
kubernetes.audit.responseObject.spec.containers.volumeMounts |
flattened |
|
kubernetes.audit.responseObject.spec.hostIPC |
boolean |
|
kubernetes.audit.responseObject.spec.hostNetwork |
boolean |
|
kubernetes.audit.responseObject.spec.hostPID |
boolean |
|
kubernetes.audit.responseObject.spec.restartPolicy |
keyword |
|
kubernetes.audit.responseObject.spec.volumes.hostPath |
flattened |
|
kubernetes.audit.responseStatus.code |
Suggested HTTP return code for this status, 0 if not set |
integer |
kubernetes.audit.responseStatus.message |
A human-readable description of the status of this operation |
text |
kubernetes.audit.responseStatus.reason |
A machine-readable description of why this operation is in the "Failure" status. If this value is empty there is no information available. A Reason clarifies an HTTP status code but does not override it |
keyword |
kubernetes.audit.responseStatus.status |
Status of the operation |
keyword |
kubernetes.audit.sourceIPs |
Source IPs, from where the request originated and intermediate proxies |
text |
kubernetes.audit.stage |
Stage of the request handling when this event instance was generated |
keyword |
kubernetes.audit.stageTimestamp |
Time the request reached current audit stage |
date |
kubernetes.audit.user.extra.* |
Any additional information provided by the authenticator |
object |
kubernetes.audit.user.groups |
The names of groups this user is a part of |
keyword |
kubernetes.audit.user.uid |
A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs |
keyword |
kubernetes.audit.user.username |
The name that uniquely identifies this user among all active users |
keyword |
kubernetes.audit.userAgent |
UserAgent records the user agent string reported by the client. Note that the UserAgent is provided by the client, and must not be trusted |
text |
kubernetes.audit.verb |
Verb is the kubernetes verb associated with the request. For non-resource requests, this is the lower-cased HTTP method |
keyword |
log.file.device_id |
ID of the device containing the filesystem where the file resides. |
keyword |
log.file.fingerprint |
The sha256 fingerprint identity of the file when fingerprinting is enabled. |
keyword |
log.file.idxhi |
The high-order part of a unique identifier that is associated with a file. (Windows-only) |
keyword |
log.file.idxlo |
The low-order part of a unique identifier that is associated with a file. (Windows-only) |
keyword |
log.file.inode |
Inode number of the log file. |
keyword |
log.file.path |
Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. |
keyword |
log.file.vol |
The serial number of the volume that contains a file. (Windows-only) |
keyword |
log.offset |
Offset of the entry in the log file. |
long |
message |
For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. |
match_only_text |
source.ip |
IP address of the source (IPv4 or IPv6). |
ip |
user.id |
Unique identifier of the user. |
keyword |
user.name |
Short name or login of the user. |
keyword |
user.name.text |
Multi-field of |
match_only_text |
user_agent.original |
Unparsed user_agent string. |
keyword |
user_agent.original.text |
Multi-field of |
match_only_text |
Changelog
editChangelog
Version | Details | Kibana version(s) |
---|---|---|
1.68.1 |
Bug fix (View pull request) |
8.15.0 or higher |
1.68.0 |
Enhancement (View pull request) |
8.15.0 or higher |
1.67.0 |
Enhancement (View pull request) |
8.15.0 or higher |
1.66.4 |
Bug fix (View pull request) |
8.15.0 or higher |
1.66.3 |
Enhancement (View pull request) |
8.15.0 or higher |
1.66.2 |
Bug fix (View pull request) |
8.15.0 or higher |
1.66.1 |
Bug fix (View pull request) |
8.15.0 or higher |
1.66.0 |
Enhancement (View pull request) |
8.15.0 or higher |
1.65.0 |
Enhancement (View pull request) |
8.15.0 or higher |
1.64.0 |
Enhancement (View pull request) |
8.15.0 or higher |
1.63.1 |
Bug fix (View pull request) |
8.15.0 or higher |
1.63.0 |
Enhancement (View pull request) |
8.15.0 or higher |
1.62.1 |
Bug fix (View pull request) |
8.14.0 or higher |
1.62.0 |
Enhancement (View pull request) |
8.14.0 or higher |
1.61.1 |
Bug fix (View pull request) |
8.14.0 or higher |
1.61.0 |
Enhancement (View pull request) |
8.14.0 or higher |
1.60.0 |
Bug fix (View pull request) |
8.14.0 or higher |
1.59.0 |
Enhancement (View pull request) |
8.14.0 or higher |
1.58.0 |
Enhancement (View pull request) |
8.12.0 or higher |
1.57.0 |
Enhancement (View pull request) |
8.12.0 or higher |
1.56.0 |
Enhancement (View pull request) |
8.12.0 or higher |
1.55.1 |
Enhancement (View pull request) |
8.11.0 or higher |
1.55.0 |
Enhancement (View pull request) |
8.11.0 or higher |
1.54.0 |
Enhancement (View pull request) |
8.11.0 or higher |
1.53.0 |
Enhancement (View pull request) |
8.11.0 or higher |
1.52.0 |
Enhancement (View pull request) |
8.11.0 or higher |
1.51.0 |
Enhancement (View pull request) |
8.10.2 or higher |
1.50.0 |
Enhancement (View pull request) |
8.10.2 or higher |
1.49.0 |
Enhancement (View pull request) |
8.10.2 or higher |
1.48.0 |
Enhancement (View pull request) |
8.10.2 or higher |
1.47.0 |
Enhancement (View pull request) |
8.10.2 or higher |
1.46.0 |
Enhancement (View pull request) |
8.10.1 or higher |
1.45.0 |
Enhancement (View pull request) |
8.10.0 or higher |
1.44.0 |
Enhancement (View pull request) |
8.10.0 or higher |
1.43.1 |
Enhancement (View pull request) |
8.8.0 or higher |
1.43.0 |
Enhancement (View pull request) |
8.8.0 or higher |
1.42.0 |
Enhancement (View pull request) |
8.8.0 or higher |
1.41.0 |
Enhancement (View pull request) |
8.8.0 or higher |
1.40.0 |
Bug fix (View pull request) |
8.8.0 or higher |
1.40.0-beta.2 |
Bug fix (View pull request) |
— |
1.40.0-beta.1 |
Bug fix (View pull request) |
— |
1.40.0-beta |
Enhancement (View pull request) |
— |
1.39.0 |
Enhancement (View pull request) |
8.6.1 or higher |
1.38.1 |
Enhancement (View pull request) |
8.6.1 or higher |
1.38.0 |
Enhancement (View pull request) |
8.6.1 or higher |
1.37.0 |
Enhancement (View pull request) |
8.6.1 or higher |
1.36.0 |
Enhancement (View pull request) |
8.6.1 or higher |
1.35.0 |
Enhancement (View pull request) |
8.6.1 or higher |
1.34.1 |
Enhancement (View pull request) |
8.6.1 or higher |
1.34.0 |
Enhancement (View pull request) |
8.6.1 or higher |
1.33.0 |
Enhancement (View pull request) |
8.6.1 or higher |
1.32.2 |
Enhancement (View pull request) |
8.6.1 or higher |
1.32.1 |
Enhancement (View pull request) |
8.6.1 or higher |
1.32.0 |
Enhancement (View pull request) |
8.6.1 or higher |
1.31.2 |
Enhancement (View pull request) |
8.6.1 or higher |
1.31.1 |
Enhancement (View pull request) |
8.6.1 or higher |
1.31.0 |
Enhancement (View pull request) |
8.6.0 or higher |
1.30.0 |
Enhancement (View pull request) |
8.6.0 or higher |
1.29.2 |
Bug fix (View pull request) |
8.5.0 or higher |
1.29.1 |
Bug fix (View pull request) |
8.5.0 or higher |
1.29.0 |
Bug fix (View pull request) |
8.5.0 or higher |
1.28.2 |
Bug fix (View pull request) |
8.5.0 or higher |
1.28.1 |
Enhancement (View pull request) |
8.5.0 or higher |
1.28.0 |
Enhancement (View pull request) |
8.5.0 or higher |
1.27.1 |
Enhancement (View pull request) |
8.5.0 or higher |
1.27.0 |
Enhancement (View pull request) |
8.5.0 or higher |
1.26.0 |
Enhancement (View pull request) |
8.4.0 or higher |
1.25.0 |
Enhancement (View pull request) |
8.4.0 or higher |
1.24.0 |
Enhancement (View pull request) |
8.4.0 or higher |
1.23.1 |
Enhancement (View pull request) |
8.4.0 or higher |
1.23.0 |
Enhancement (View pull request) |
8.4.0 or higher |
1.22.1 |
Enhancement (View pull request) |
8.4.0 or higher |
1.22.0 |
Enhancement (View pull request) |
8.4.0 or higher |
1.21.2 |
Bug fix (View pull request) |
8.3.0 or higher |
1.21.1 |
Enhancement (View pull request) |
8.3.0 or higher |
1.21.0 |
Enhancement (View pull request) |
8.3.0 or higher |
1.20.0 |
Enhancement (View pull request) |
8.2.0 or higher |
1.19.1 |
Enhancement (View pull request) |
8.2.0 or higher |
1.19.0 |
Enhancement (View pull request) |
8.2.0 or higher |
1.18.1 |
Enhancement (View pull request) |
8.2.0 or higher |
1.18.0 |
Enhancement (View pull request) |
8.2.0 or higher |
1.17.3 |
Bug fix (View pull request) |
7.16.0 or higher |
1.17.2 |
Bug fix (View pull request) |
7.16.0 or higher |
1.17.1 |
Enhancement (View pull request) |
— |
1.17.0 |
Enhancement (View pull request) |
— |
1.16.0 |
Enhancement (View pull request) |
— |
1.15.0 |
Enhancement (View pull request) |
— |
1.14.3 |
Bug fix (View pull request) |
— |
1.14.2 |
Bug fix (View pull request) |
— |
1.14.1 |
Bug fix (View pull request) |
— |
1.14.0 |
Enhancement (View pull request) |
— |
1.13.0 |
Enhancement (View pull request) |
— |
1.12.0 |
Enhancement (View pull request) |
— |
1.11.0 |
Enhancement (View pull request) |
— |
1.10.0 |
Enhancement (View pull request) |
— |
1.9.0 |
Enhancement (View pull request) |
7.16.0 or higher |
1.8.1 |
Bug fix (View pull request) |
7.16.0 or higher |
1.8.0 |
Enhancement (View pull request) |
7.16.0 or higher |
1.7.0 |
Enhancement (View pull request) |
7.16.0 or higher |
1.6.0 |
Enhancement (View pull request) |
7.16.0 or higher |
1.5.0 |
Enhancement (View pull request) |
7.16.0 or higher |
1.4.2 |
Enhancement (View pull request) |
— |
1.4.1 |
Enhancement (View pull request) |
8.0.0 or higher |
1.4.0 |
Enhancement (View pull request) |
— |
1.3.3 |
Bug fix (View pull request) |
— |
1.3.2 |
Enhancement (View pull request) |
— |
1.3.1 |
Enhancement (View pull request) |
— |
1.3.0 |
Enhancement (View pull request) |
— |
1.2.1 |
Bug fix (View pull request) |
— |
1.2.0 |
Enhancement (View pull request) |
— |
1.1.1 |
Bug fix (View pull request) |
— |
1.1.0 |
Enhancement (View pull request) |
7.15.0 or higher |
1.0.0 |
Enhancement (View pull request) |
— |
0.14.1 |
Enhancement (View pull request) |
— |
0.14.0 |
Enhancement (View pull request) |
— |
0.13.0 |
Enhancement (View pull request) |
— |
0.12.2 |
Bug fix (View pull request) |
— |
0.12.1 |
Bug fix (View pull request) |
— |
0.12.0 |
Enhancement (View pull request) |
— |
0.11.1 |
Enhancement (View pull request) |
— |
0.11.0 |
Enhancement (View pull request) |
— |
0.10.0 |
Enhancement (View pull request) |
— |
0.9.1 |
Bug fix (View pull request) |
— |
0.9.0 |
Enhancement (View pull request) |
— |
0.8.0 |
Enhancement (View pull request) |
— |
0.7.0 |
Enhancement (View pull request) |
— |
0.6.0 |
Enhancement (View pull request) |
— |
0.5.3 |
Enhancement (View pull request) |
— |
0.5.2 |
Bug fix (View pull request) |
— |
0.5.1 |
Bug fix (View pull request) |
— |
0.5.0 |
Enhancement (View pull request) |
— |
0.4.5 |
Enhancement (View pull request) |
— |
0.4.4 |
Enhancement (View pull request) |
— |
0.4.3 |
Bug fix (View pull request) |
— |
0.4.2 |
Bug fix (View pull request) |
— |
0.4.1 |
Enhancement (View pull request) |
— |
0.1.0 |
Enhancement (View pull request) |
— |