Kubernetes audit logs in Loki


peter schulten

Oct 15, 2021, 5:39:37 AM
to lokip...@googlegroups.com
Hi all,

Thanks for Loki!
I'd like to read my kube-audit logs in Loki, but I didn't find an example anywhere. Has this already been done by someone?
The problem is that an audit log line consists of nested JSON (https://jsonlines.org/).

I think the parser (https://github.com/jmespath/go-jmespath) could handle it, but I'm too stupid to find the proper config :)

Having the Kubernetes audits in Loki would be awesome and I guess a lot of people would benefit.

Is it possible? Could anyone provide an example?

Thanks,
Peter

--
Laws - the good people don't need them and the bad people don't obey them, so what good are they?

peter schulten

Oct 15, 2021, 7:31:41 AM
to lokiproject
Sorry, figured it out. Maybe this is helpful for anyone:

  - job_name: audit
    pipeline_stages:
      # Send these entries under the "system" tenant
      - tenant:
          value: system
      # Pull fields out of the nested audit event with JMESPath expressions
      - json:
          expressions:
            user: user.username
            verb: verb
            uri: requestURI
            ip: sourceIPs[0]
            agent: userAgent
            resource: objectRef.resource
            namespace: objectRef.namespace
            name: objectRef.name
            code: responseStatus.code
            annotations: annotations
      # Render a flat key=value line into the extracted key "template"
      - template:
          source: template
          template: 'verb={{ .verb }} resource={{ .resource }} response_code={{ .code }} user={{ .user }} ip={{ .ip }} namespace={{ .namespace }} name={{ .name }} uri={{ .uri }} agent={{ .agent }} decision={{ .annotations }}'
      # Replace the original log line with the rendered template
      - output:
          source: template
    static_configs:
      - targets:
          - localhost
        labels:
          job: audit
          __path__: /var/log/kube-audit*
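An added example, not part of the thread: a standard-library Python preview of the flattened line that the json and template stages in the config above are meant to produce, useful for checking the field paths against a sample audit event before deploying. Assumptions: `resolve` handles only dotted keys and `[n]` indexes (a small subset of JMESPath), rendering missing fields as empty is this example's choice and not a statement about Promtail's behaviour, and both sample events are constructed.

```python
import json
import re

# Field paths copied from the json stage in the config above.
EXPRESSIONS = {
    "user": "user.username", "verb": "verb", "uri": "requestURI",
    "ip": "sourceIPs[0]", "agent": "userAgent", "resource": "objectRef.resource",
    "namespace": "objectRef.namespace", "name": "objectRef.name",
    "code": "responseStatus.code", "annotations": "annotations",
}
# (output key, extracted field) pairs in the order used by the template stage.
LINE_KEYS = [("verb", "verb"), ("resource", "resource"), ("response_code", "code"),
             ("user", "user"), ("ip", "ip"), ("namespace", "namespace"), ("name", "name"),
             ("uri", "uri"), ("agent", "agent"), ("decision", "annotations")]
TOKEN = re.compile(r"([^.\[\]]+)|\[(\d+)\]")

def resolve(doc, path):
    """Walk a dotted path with optional [n] indexes; None if any step is missing."""
    cur = doc
    for key, idx in TOKEN.findall(path):
        if key:
            cur = cur.get(key) if isinstance(cur, dict) else None
        else:
            cur = cur[int(idx)] if isinstance(cur, list) and int(idx) < len(cur) else None
        if cur is None:
            return None
    return cur

def render(raw_line):
    """Return the flattened key=value line for one JSON audit event."""
    event = json.loads(raw_line)
    parts = []
    for label, field in LINE_KEYS:
        value = resolve(event, EXPRESSIONS[field])
        if isinstance(value, (dict, list)):  # nested values are kept as compact JSON
            value = json.dumps(value, separators=(",", ":"), sort_keys=True)
        parts.append(f"{label}={'' if value is None else value}")
    return " ".join(parts)

# Constructed sample events (not real cluster data).
SAMPLE_SECRET_GET = json.dumps({
    "verb": "get", "requestURI": "/api/v1/namespaces/prod/secrets/db-creds",
    "user": {"username": "system:serviceaccount:dev:ci"}, "sourceIPs": ["10.0.0.7"],
    "userAgent": "kubectl/v1.22.2", "responseStatus": {"code": 403},
    "objectRef": {"resource": "secrets", "namespace": "prod", "name": "db-creds"},
    "annotations": {"authorization.k8s.io/decision": "forbid"}})
# Non-resource request: no objectRef and no annotations in the event.
SAMPLE_HEALTHZ = json.dumps({
    "verb": "get", "requestURI": "/healthz", "user": {"username": "system:anonymous"},
    "sourceIPs": ["10.0.0.9"], "userAgent": "kube-probe/1.22", "responseStatus": {"code": 200}})

if __name__ == "__main__":
    print(render(SAMPLE_SECRET_GET))
    print(render(SAMPLE_HEALTHZ))
```

The second sample shows why the paths are worth testing on non-resource requests: events without `objectRef` leave `resource`, `namespace` and `name` empty, so queries filtering on those keys will not match them.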