New

The executive guide to generative AI

Read more
About usPartnersSupport|Login
« kube-apiserver container-logs »
Elastic Docs Elastic integrations Kubernetes

audit-logs

edit

audit-logs

edit

Version

1.80.2 (View all)

Compatible Kibana version(s)

8.15.0 or higher
9.0.0 or higher

Supported Serverless project types
What’s this?

Security
Observability

Subscription level
What’s this?

Basic

audit-logs integration collects and parses Kubernetes audit logs.

It requires access to the log files on each Kubernetes node where the audit logs are stored. This defaults to /var/log/kubernetes/kube-apiserver-audit.log.

Example

An example event for audit looks as following:

{
    "kubernetes": {
        "audit": {
            "auditID": "bcacfeaa-5ab5-48de-8bac-3a87d1474b6a",
            "requestReceivedTimestamp": "2022-08-31T08:09:39.660940Z",
            "level": "RequestResponse",
            "kind": "Event",
            "verb": "get",
            "annotations": {
                "authorization_k8s_io/decision": "allow",
                "authorization_k8s_io/reason": "RBAC: allowed by ClusterRoleBinding \"system:public-info-viewer\" of ClusterRole \"system:public-info-viewer\" to Group \"system:unauthenticated\""
            },
            "userAgent": "kube-probe/1.24",
            "requestURI": "/readyz",
            "responseStatus": {
                "metadata": {},
                "code": 200
            },
            "stageTimestamp": "2022-08-31T08:09:39.662241Z",
            "sourceIPs": [
                "172.18.0.2"
            ],
            "apiVersion": "audit.k8s.io/v1",
            "stage": "ResponseComplete",
            "user": {
                "groups": [
                    "system:unauthenticated"
                ],
                "username": "system:anonymous"
            }
        }
    },
    "input": {
        "type": "filestream"
    },
    "agent": {
        "name": "kind-control-plane",
        "id": "6e730a0c-7da5-48ff-b4c9-f6c63844975d",
        "type": "filebeat",
        "ephemeral_id": "d27511c8-9cd1-402c-8b1b-234abbd9dcae",
        "version": "8.4.0"
    },
    "@timestamp": "2022-08-31T08:09:57.520Z",
    "ecs": {
        "version": "8.0.0"
    },
    "log": {
        "file": {
            "path": "/var/log/kubernetes/kube-apiserver-audit-1.log"
        },
        "offset": 20995
    },
    "data_stream": {
        "namespace": "default",
        "type": "logs",
        "dataset": "kubernetes.audit_logs"
    },
    "elastic_agent": {
        "id": "6e730a0c-7da5-48ff-b4c9-f6c63844975d",
        "version": "8.4.0",
        "snapshot": false
    },
    "event": {
        "agent_id_status": "verified",
        "ingested": "2022-08-31T08:09:58Z",
        "dataset": "kubernetes.audit_logs"
    }
}
Exported fields
Field Description Type

@timestamp

Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.

date

agent.ephemeral_id

Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but agent.id does not.

keyword

agent.id

Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.

keyword

agent.name

Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from.

keyword

agent.type

Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.

keyword

agent.version

Version of the agent.

keyword

client.ip

IP address of the client (IPv4 or IPv6).

ip

cloud.account.id

The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.

keyword

cloud.availability_zone

Availability zone in which this host, resource, or service is located.

keyword

cloud.image.id

Image ID for the cloud instance.

keyword

cloud.instance.id

Instance ID of the host machine.

keyword

cloud.instance.name

Instance name of the host machine.

keyword

cloud.machine.type

Machine type of the host machine.

keyword

cloud.project.id

The cloud project identifier. Examples: Google Cloud Project id, Azure Project id.

keyword

cloud.provider

Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.

keyword

cloud.region

Region in which this host, resource, or service is located.

keyword

data_stream.dataset

The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters

constant_keyword

data_stream.namespace

A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters

constant_keyword

data_stream.type

An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.

constant_keyword

ecs.version

ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices — which may conform to slightly different ECS versions — this field lets integrations adjust to the schema version of the events.

keyword

error.message

Error message.

match_only_text

event.action

The action captured by the event. This describes the information in the event. It is more specific than event.category. Examples are group-add, process-started, file-created. The value is normally defined by the implementer.

keyword

event.dataset

Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It’s recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.

keyword

event.ingested

Timestamp when an event arrived in the central data store. This is different from @timestamp, which is when the event originally occurred. It’s also different from event.created, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: @timestamp < event.created < event.ingested.

date

event.kind

This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. event.kind gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not.

keyword

event.outcome

This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. event.outcome simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of event.outcome, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with event.type:info, or any events for which an outcome does not make logical sense.

keyword

host.architecture

Operating system architecture.

keyword

host.containerized

If the host is a container.

boolean

host.domain

Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider.

keyword

host.hostname

Hostname of the host. It normally contains what the hostname command returns on the host machine.

keyword

host.id

Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name.

keyword

host.ip

Host ip addresses.

ip

host.mac

Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.

keyword

host.name

Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host.

keyword

host.os.build

OS build information.

keyword

host.os.codename

OS codename, if any.

keyword

host.os.family

OS family (such as redhat, debian, freebsd, windows).

keyword

host.os.kernel

Operating system kernel version as a raw string.

keyword

host.os.name

Operating system name, without the version.

keyword

host.os.name.text

Multi-field of host.os.name.

match_only_text

host.os.platform

Operating system platform (such centos, ubuntu, windows).

keyword

host.os.version

Operating system version as a raw string.

keyword

host.type

Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment.

keyword

input.type

Type of input.

keyword

kubernetes.audit.annotations.authorization_k8s_io/decision

keyword

kubernetes.audit.annotations.authorization_k8s_io/reason

text

kubernetes.audit.annotations.pod-security_kubernetes_io/audit-violations

text

kubernetes.audit.apiVersion

Audit event api version

keyword

kubernetes.audit.auditID

Unique audit ID, generated for each request

keyword

kubernetes.audit.impersonatedUser.extra.*

Any additional information provided by the authenticator

object

kubernetes.audit.impersonatedUser.groups

The names of groups this user is a part of

keyword

kubernetes.audit.impersonatedUser.uid

A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs

keyword

kubernetes.audit.impersonatedUser.username

The name that uniquely identifies this user among all active users

keyword

kubernetes.audit.kind

Kind of the audit event

keyword

kubernetes.audit.level

AuditLevel at which event was generated

keyword

kubernetes.audit.objectRef.apiGroup

The name of the API group that contains the referred object. The empty string represents the core API group.

keyword

kubernetes.audit.objectRef.apiVersion

The version of the API group that contains the referred object

keyword

kubernetes.audit.objectRef.name

keyword

kubernetes.audit.objectRef.namespace

keyword

kubernetes.audit.objectRef.resource

keyword

kubernetes.audit.objectRef.resourceVersion

keyword

kubernetes.audit.objectRef.subresource

keyword

kubernetes.audit.objectRef.uid

keyword

kubernetes.audit.requestObject.roleRef.name

keyword

kubernetes.audit.requestObject.rules

nested

kubernetes.audit.requestObject.spec.containers.command

text

kubernetes.audit.requestObject.spec.containers.image

keyword

kubernetes.audit.requestObject.spec.containers.name

keyword

kubernetes.audit.requestObject.spec.containers.securityContext.allowPrivilegeEscalation

boolean

kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add

keyword

kubernetes.audit.requestObject.spec.containers.securityContext.privileged

boolean

kubernetes.audit.requestObject.spec.containers.securityContext.procMount

keyword

kubernetes.audit.requestObject.spec.containers.securityContext.runAsGroup

integer

kubernetes.audit.requestObject.spec.containers.securityContext.runAsNonRoot

boolean

kubernetes.audit.requestObject.spec.containers.securityContext.runAsUser

integer

kubernetes.audit.requestObject.spec.containers.securityContext.seccompProfile.type

keyword

kubernetes.audit.requestObject.spec.containers.volumeMounts

flattened

kubernetes.audit.requestObject.spec.hostIPC

boolean

kubernetes.audit.requestObject.spec.hostNetwork

boolean

kubernetes.audit.requestObject.spec.hostPID

boolean

kubernetes.audit.requestObject.spec.restartPolicy

keyword

kubernetes.audit.requestObject.spec.securityContext.runAsGroup

integer

kubernetes.audit.requestObject.spec.securityContext.runAsNonRoot

boolean

kubernetes.audit.requestObject.spec.securityContext.runAsUser

integer

kubernetes.audit.requestObject.spec.serviceAccountName

keyword

kubernetes.audit.requestObject.spec.type

keyword

kubernetes.audit.requestObject.spec.volumes.hostPath

flattened

kubernetes.audit.requestReceivedTimestamp

Time the request reached the apiserver

date

kubernetes.audit.requestURI

RequestURI is the request URI as sent by the client to a server

keyword

kubernetes.audit.responseObject.roleRef.kind

keyword

kubernetes.audit.responseObject.rules

nested

kubernetes.audit.responseObject.spec.containers.securityContext.allowPrivilegeEscalation

boolean

kubernetes.audit.responseObject.spec.containers.securityContext.privileged

boolean

kubernetes.audit.responseObject.spec.containers.securityContext.runAsUser

integer

kubernetes.audit.responseObject.spec.containers.volumeMounts

flattened

kubernetes.audit.responseObject.spec.hostIPC

boolean

kubernetes.audit.responseObject.spec.hostNetwork

boolean

kubernetes.audit.responseObject.spec.hostPID

boolean

kubernetes.audit.responseObject.spec.restartPolicy

keyword

kubernetes.audit.responseObject.spec.volumes.hostPath

flattened

kubernetes.audit.responseStatus.code

Suggested HTTP return code for this status, 0 if not set

integer

kubernetes.audit.responseStatus.message

A human-readable description of the status of this operation

text

kubernetes.audit.responseStatus.reason

A machine-readable description of why this operation is in the "Failure" status. If this value is empty there is no information available. A Reason clarifies an HTTP status code but does not override it

keyword

kubernetes.audit.responseStatus.status

Status of the operation

keyword

kubernetes.audit.sourceIPs

Source IPs, from where the request originated and intermediate proxies

text

kubernetes.audit.stage

Stage of the request handling when this event instance was generated

keyword

kubernetes.audit.stageTimestamp

Time the request reached current audit stage

date

kubernetes.audit.user.extra.*

Any additional information provided by the authenticator

object

kubernetes.audit.user.groups

The names of groups this user is a part of

keyword

kubernetes.audit.user.uid

A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs

keyword

kubernetes.audit.user.username

The name that uniquely identifies this user among all active users

keyword

kubernetes.audit.userAgent

UserAgent records the user agent string reported by the client. Note that the UserAgent is provided by the client, and must not be trusted

text

kubernetes.audit.verb

Verb is the kubernetes verb associated with the request. For non-resource requests, this is the lower-cased HTTP method

keyword

log.file.device_id

ID of the device containing the filesystem where the file resides.

keyword

log.file.fingerprint

The sha256 fingerprint identity of the file when fingerprinting is enabled.

keyword

log.file.idxhi

The high-order part of a unique identifier that is associated with a file. (Windows-only)

keyword

log.file.idxlo

The low-order part of a unique identifier that is associated with a file. (Windows-only)

keyword

log.file.inode

Inode number of the log file.

keyword

log.file.path

Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field.

keyword

log.file.vol

The serial number of the volume that contains a file. (Windows-only)

keyword

log.offset

Offset of the entry in the log file.

long

message

For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.

match_only_text

source.ip

IP address of the source (IPv4 or IPv6).

ip

user.id

Unique identifier of the user.

keyword

user.name

Short name or login of the user.

keyword

user.name.text

Multi-field of user.name.

match_only_text

user_agent.original

Unparsed user_agent string.

keyword

user_agent.original.text

Multi-field of user_agent.original.

match_only_text

Changelog

edit
Changelog
Version Details Kibana version(s)

1.80.2

Bug fix (View pull request)
Fixed typos in ssl node descriptions in manifest.yml files.

8.15.0 or higher
9.0.0 or higher

1.80.1

Bug fix (View pull request)
Added description to ssl.certificate_authorities and ssl.verification_mode, including links to documentation.

8.15.0 or higher
9.0.0 or higher

1.80.0

Enhancement (View pull request)
Add support for Kibana 9.0.0

8.15.0 or higher
9.0.0 or higher

1.70.2

Enhancement (View pull request)
Update the container logs documentation

8.15.0 or higher

1.70.1

Bug fix (View pull request)
Fix kubernetes.pod.cpu.usage.nanocores unit

8.15.0 or higher

1.70.0

Enhancement (View pull request)
Make fingerprint configurable

8.15.0 or higher

1.69.0

Enhancement (View pull request)
Added datatype for audit log field annotations.pod-security_kubernetes_io/audit-violation

8.15.0 or higher

1.68.1

Bug fix (View pull request)
Fix Overview dashboard Kibana id

8.15.0 or higher

1.68.0

Enhancement (View pull request)
Use filestream fingerprint mode by default for container_logs datastream

8.15.0 or higher

1.67.0

Enhancement (View pull request)
Add both pod.{cpu,memory}.usage.node.pct and pod.{cpu,memory}.usage.limit.pct metrics to the Overview dashboard

8.15.0 or higher

1.66.4

Bug fix (View pull request)
Updating Cluster Overview Dashboard to use container.id as filter and replaced median functions from visualisations

8.15.0 or higher

1.66.3

Enhancement (View pull request)
Updating mapping of the field groups to keyword in kubernetes.audit_logs

8.15.0 or higher

1.66.2

Bug fix (View pull request)
Fixing missing processor block in kubernetes.audit_logs

8.15.0 or higher

1.66.1

Bug fix (View pull request)
Fixing Title in Volumes Dashboard

8.15.0 or higher

1.66.0

Enhancement (View pull request)
Adding Volume Usage per pod in Kubernetes Volume Dashboard

8.15.0 or higher

1.65.0

Enhancement (View pull request)
Add last_terminated_timestamp metric to the kubernetes.state_container datastream

8.15.0 or higher

1.64.0

Enhancement (View pull request)
Move namespace filter to the group level configuration

8.15.0 or higher

1.63.1

Bug fix (View pull request)
Fix typo in kubernetes.audit ingest pipeline

8.15.0 or higher

1.63.0

Enhancement (View pull request)
Add pod.status_reason and pod.status.ready_time fields to the state_pod datastream

8.15.0 or higher

1.62.1

Bug fix (View pull request)
Fix kubernetes.audit ingest pipeline

8.14.0 or higher

1.62.0

Enhancement (View pull request)
Add new mappings to the kubernetes.audit datastream

8.14.0 or higher

1.61.1

Bug fix (View pull request)
Remove percent unit for pod memory metrics

8.14.0 or higher

1.61.0

Enhancement (View pull request)
Remove deprecated fields and add missing status.last_terminated_reason metric

8.14.0 or higher

1.60.0

Bug fix (View pull request)
Updating Memory used vs total memory and Cores used vs total cores visualisations in Cluster Overview Dashboard

8.14.0 or higher

1.59.0

Enhancement (View pull request)
Add metadata fields to state_namespace data stream.

8.14.0 or higher

1.58.0

Enhancement (View pull request)
Migrate to format_version v3.

8.12.0 or higher

1.57.0

Enhancement (View pull request)
Container logs preserve original content based on pod annotations.

8.12.0 or higher

1.56.0

Enhancement (View pull request)
Add new fields to API server, state_node and persistent volume claim data streams.

8.12.0 or higher

1.55.1

Enhancement (View pull request)
Modify the field definitions to reference ECS.

8.11.0 or higher

1.55.0

Enhancement (View pull request)
Remove extra base fields from state data streams.

8.11.0 or higher

1.54.0

Enhancement (View pull request)
Expand condition support to remaining inputs

8.11.0 or higher

1.53.0

Enhancement (View pull request)
Update size of the metric visualizations

8.11.0 or higher

1.52.0

Enhancement (View pull request)
Add new data stream state_namespace.

8.11.0 or higher

1.51.0

Enhancement (View pull request)
Migrate Deployments dashboard visualizations to lens.

8.10.2 or higher

1.50.0

Enhancement (View pull request)
Migrate Cronjobs dashboard visualizations to lens

8.10.2 or higher

1.49.0

Enhancement (View pull request)
Migrate DaemonSets dashboard visualizations to lens.

8.10.2 or higher

1.48.0

Enhancement (View pull request)
Migrate StatefulSets dashboard visualizations to lens.

8.10.2 or higher

1.47.0

Enhancement (View pull request)
Migrate Jobs dashboard visualizations to lens.

8.10.2 or higher

1.46.0

Enhancement (View pull request)
Adapt fields for changes in file system info

8.10.1 or higher

1.45.0

Enhancement (View pull request)
Reroute container logs based on pod annotations.

8.10.0 or higher

1.44.0

Enhancement (View pull request)
Introducing kubernetes.deployment.status.* metrics

8.10.0 or higher

1.43.1

Enhancement (View pull request)
Updating index pattern for adHocDataviews for CCS use case

8.8.0 or higher

1.43.0

Enhancement (View pull request)
Expand index pattern for adHocDataviews for CCS use case

8.8.0 or higher

1.42.0

Enhancement (View pull request)
Add permissions to reroute events to logs-- for container_logs datastream

8.8.0 or higher

1.41.0

Enhancement (View pull request)
Enable time series data streams for the metrics datasets. This improves storage usage and query performance. For more details, see https://www.elastic.co/guide/en/elasticsearch/reference/current/tsds.html

8.8.0 or higher

1.40.0

Bug fix (View pull request)
Fix system tests for kubernetes integration for k8s v1.27.0

8.8.0 or higher

1.40.0-beta.2

Bug fix (View pull request)
Fix volume dashboard.

1.40.0-beta.1

Bug fix (View pull request)
Fix proxy and scheduler visualization with missing sort field.

1.40.0-beta

Enhancement (View pull request)
Enable TSDS for metrics data_streams, except events for beta testing

1.39.0

Enhancement (View pull request)
Remove container.name as a dimension.

8.6.1 or higher

1.38.1

Enhancement (View pull request)
Switch max to last value on counter formulas and add missing sort field to proxy, controller manager and scheduler dashboard.

8.6.1 or higher

1.38.0

Enhancement (View pull request)
Fix Pod dashboard and remove some visualisations from Api Server dashboard to support TSDB migration

8.6.1 or higher

1.37.0

Enhancement (View pull request)
Update proxy, controller manager and scheduler dashboard to support TSDB.

8.6.1 or higher

1.36.0

Enhancement (View pull request)
Add container.name dimension to container data stream

8.6.1 or higher

1.35.0

Enhancement (View pull request)
Add NetworkUnavailable condition to state node

8.6.1 or higher

1.34.1

Enhancement (View pull request)
Add support for TSDB on all metric data streams except the state ones

8.6.1 or higher

1.34.0

Enhancement (View pull request)
Add support for TSDB on all state metric data streams

8.6.1 or higher

1.33.0

Enhancement (View pull request)
Add data_stream.dataset setting and custom yaml input.

8.6.1 or higher

1.32.2

Enhancement (View pull request)
Added link to docs for condition filter

8.6.1 or higher

1.32.1

Enhancement (View pull request)
Added categories and/or subcategories.

8.6.1 or higher

1.32.0

Enhancement (View pull request)
Add documentation for how to install alerts

8.6.1 or higher

1.31.2

Enhancement (View pull request)
Add system testing for state service datastream

8.6.1 or higher

1.31.1

Enhancement (View pull request)
Update controller manager, proxy and scheduler metrics and dashboards

8.6.1 or higher

1.31.0

Enhancement (View pull request)
Use datas_tream.dataset as pre filters for dashboards and remove tags

8.6.0 or higher

1.30.0

Enhancement (View pull request)
Add missing namespace_uid and namespace_labels fields

8.6.0 or higher

1.29.2

Bug fix (View pull request)
Fix function for memory node usage

8.5.0 or higher

1.29.1

Bug fix (View pull request)
Fix removed condition setting for container_logs

8.5.0 or higher

1.29.0

Bug fix (View pull request)
Remove "Control Plane" column from Node Information table

8.5.0 or higher

1.28.2

Bug fix (View pull request)
Fix Pod Memory usage panel title

8.5.0 or higher

1.28.1

Enhancement (View pull request)
Delete statefulset, job and cronjob visualizations from Cluster Overview dashboard

8.5.0 or higher

1.28.0

Enhancement (View pull request)
Adding banner for Kube-state metrics

8.5.0 or higher

1.27.1

Enhancement (View pull request)
Fix typo in cluster overview dashboard

8.5.0 or higher

1.27.0

Enhancement (View pull request)
New cluster overview dashboard

8.5.0 or higher

1.26.0

Enhancement (View pull request)
Add processors configuration option for Kubernetes data_streams

8.4.0 or higher

1.25.0

Enhancement (View pull request)
Add condition configuration option to container logs data stream

8.4.0 or higher

1.24.0

Enhancement (View pull request)
Add fields to audit logs data stream

8.4.0 or higher

1.23.1

Enhancement (View pull request)
Add missing dimension fields

8.4.0 or higher

1.23.0

Enhancement (View pull request)
Add fields to audit logs data stream

8.4.0 or higher

1.22.1

Enhancement (View pull request)
Fix overlapping fields in state_job data stream

8.4.0 or higher

1.22.0

Enhancement (View pull request)
Update apiserver and controllermanaged deprecated fields and dashboards

8.4.0 or higher

1.21.2

Bug fix (View pull request)
add container ID and pod name as part of Kubernetes Cotainer Logs filestream input

8.3.0 or higher

1.21.1

Enhancement (View pull request)
improved the wording of the link to Kubernetes documentation

8.3.0 or higher

1.21.0

Enhancement (View pull request)
Add new dashboards

8.3.0 or higher

1.20.0

Enhancement (View pull request)
Change fields type for audit_logs data_stream to use requestObject and responseObject fields of audit events. Disable dynamic mapping for audit_logs data_stream. Drop kubernetes.audit.responseObject.metadata and kubernetes.audit.requestObject.metadata

8.2.0 or higher

1.19.1

Enhancement (View pull request)
Add documentation for volume field

8.2.0 or higher

1.19.0

Enhancement (View pull request)
Add missed ecs fields

8.2.0 or higher

1.18.1

Enhancement (View pull request)
Add documentation for multi-fields

8.2.0 or higher

1.18.0

Enhancement (View pull request)
Fix k8s overview dashboard

8.2.0 or higher

1.17.3

Bug fix (View pull request)
Remove incorrectly tagged boolean dimension

7.16.0 or higher
8.0.0 or higher

1.17.2

Bug fix (View pull request)
Add missing metadata fields

7.16.0 or higher
8.0.0 or higher

1.17.1

Enhancement (View pull request)
Improve default ndjson parser configuration

1.17.0

Enhancement (View pull request)
Disable audit logs collection by default

1.16.0

Enhancement (View pull request)
Documentation improvements

1.15.0

Enhancement (View pull request)
Add ssl.certificate_authorities configuration

1.14.3

Bug fix (View pull request)
Add missing job.name and cronjob.name fields to state_container datastream

1.14.2

Bug fix (View pull request)
Add missing job.name and cronjob.name fields to container related datastreams

1.14.1

Bug fix (View pull request)
Add missing job.name and cronjob.name fields added by metadata generators

1.14.0

Enhancement (View pull request)
Tune state_metrics settings

1.13.0

Enhancement (View pull request)
Update to ECS 8.0

1.12.0

Enhancement (View pull request)
Expose add_recourse_metadata configuration option

1.11.0

Enhancement (View pull request)
Add memory.working_set.limit.pct for pod and container data streams

1.10.0

Enhancement (View pull request)
Add leader election in state_job data stream

1.9.0

Enhancement (View pull request)
Add missing fields

7.16.0 or higher
8.0.0 or higher

1.8.1

Bug fix (View pull request)
Set kubernetes.volume.fs.used.pct to scaled_float

7.16.0 or higher
8.0.0 or higher

1.8.0

Enhancement (View pull request)
Support json logs parsing

7.16.0 or higher
8.0.0 or higher

1.7.0

Enhancement (View pull request)
Add new audit logs data stream in kubernetes integration

7.16.0 or higher
8.0.0 or higher

1.6.0

Enhancement (View pull request)
Add skip_older option for event datastream

7.16.0 or higher
8.0.0 or higher

1.5.0

Enhancement (View pull request)
Revert Kubernetes namespace field breaking change

7.16.0 or higher
8.0.0 or higher

1.4.2

Enhancement (View pull request)
Add dimension fields

1.4.1

Enhancement (View pull request)
Remove overriding of index pattern on the Kubernetes overview dashboard

8.0.0 or higher

1.4.0

Enhancement (View pull request)
Use filestream input for container_logs data stream

1.3.3

Bug fix (View pull request)
Fix conditions of data_streams that are based on k8s labels & add condition in pipelines

1.3.2

Enhancement (View pull request)
Set default host for proxy to localhost

1.3.1

Enhancement (View pull request)
Uniform with guidelines

1.3.0

Enhancement (View pull request)
Add container_logs ecs fields

1.2.1

Bug fix (View pull request)
Update Kubernetes cluster_ip field type

1.2.0

Enhancement (View pull request)
Update Kubernetes namespace field

1.1.1

Bug fix (View pull request)
Update Kubernetes integration Readme

1.1.0

Enhancement (View pull request)
Update to ECS 1.12.0

7.15.0 or higher

1.0.0

Enhancement (View pull request)
Release Kubernetes as GA

0.14.1

Enhancement (View pull request)
Update default host in kubernetes proxy data stream in kubernetes integration

0.14.0

Enhancement (View pull request)
Add new container logs data stream in kubernetes integration

0.13.0

Enhancement (View pull request)
Leverage dynamic kubernetes provider for controller and scheduler datastream

0.12.2

Bug fix (View pull request)
Add missing field "kubernetes.daemonset.name" field for pod and container data streams

0.12.1

Bug fix (View pull request)
Add missing cluster filter for "orchestrator.cluster.name" field in [Metrics Kubernetes] Overview dashboard and Dashboard section in the integration overview page

0.12.0

Enhancement (View pull request)
Update kubernetes package ecs fields with orchestrator.cluster.url and orchestrator.cluster.name

0.11.1

Enhancement (View pull request)
Escape special characters in docs

0.11.0

Enhancement (View pull request)
Update documentation to fit mdx spec

0.10.0

Enhancement (View pull request)
Update integration description

0.9.1

Bug fix (View pull request)
Add missing field "kubernetes.daemonset.name" field for state_pod and state_container

0.9.0

Enhancement (View pull request)
Enhance kubernetes package with state_job data stream

0.8.0

Enhancement (View pull request)
Leverage leader election in kubernetes integration

0.7.0

Enhancement (View pull request)
Add _meta information to Kubernetes fields

0.6.0

Enhancement (View pull request)
Introduce kubernetes package granularity using input_groups

0.5.3

Enhancement (View pull request)
Add missing field "kubernetes.statefulset.replicas.ready"

0.5.2

Bug fix (View pull request)
Fix stack compatability

0.5.1

Bug fix (View pull request)
Fix references to env variables

0.5.0

Enhancement (View pull request)
Add missing field "kubernetes.selectors.*" and extra https settings for controllermanager and scheduler datastreams

0.4.5

Enhancement (View pull request)
Add missing field "kubernetes.pod.ip"

0.4.4

Enhancement (View pull request)
Updating package owner

0.4.3

Bug fix (View pull request)
Correct sample event file.

0.4.2

Bug fix (View pull request)
Change kibana.version constraint to be more conservative.

0.4.1

Enhancement (View pull request)
Add missing fields

0.1.0

Enhancement (View pull request)
initial release

« kube-apiserver container-logs »

On this page

Was this helpful?
Feedback