AKS logs monitoring


Gokul Suresh

Jul 29, 2025, 7:47:16 AM
to Wazuh | Mailing List
Hi team,
I need to integrate AKS with Wazuh.
So which is the best way to get this done?

Nicolas Zapata

Jul 29, 2025, 10:28:42 AM
to Wazuh | Mailing List
Hi Gokul!


One viable approach for integrating AKS with Wazuh is to deploy a container within their Kubernetes cluster that includes both the Wazuh agent and the webhook listener script. This container can be deployed as a pod, and the Wazuh agent inside it can be registered with their existing Wazuh environment.

This setup allows you to centralize functionality—running the agent and the custom webhook logic together—while maintaining control over the deployment via Kubernetes. It’s particularly useful when the webhook listener is used to capture events or external alerts and forward them to the Wazuh agent for processing.


https://advishnuprasad.medium.com/setting-up-kubernetes-webhooks-in-production-b5b3a8c7990c

Gokul Suresh

Aug 5, 2025, 3:55:24 AM
to Wazuh | Mailing List

Hi Nicolas,
Sorry for the late reply.
I have gone through the link you have provided.
https://advishnuprasad.medium.com/setting-up-kubernetes-webhooks-in-production-b5b3a8c7990c
In this we have the information regarding creating a webhook listener, but it does not have anything mentioned about AKS. Also, you have mentioned that this integration includes the Wazuh agent, but in the provided link they have not mentioned the Wazuh agent.

When I checked about logs from AKS, I came to know that the logs from AKS need to be enabled through a diagnostic setting, which can be forwarded to a Log Analytics workspace/storage account. So I would like to know whether it is a mandatory thing to be done, since it incurs additional cost. Is this required for the webhook-based integration which you have suggested? If so,

Wazuh has integration documents for the Log Analytics API and storage account, so is integration through a webhook the best choice, or others?

https://documentation.wazuh.com/current/cloud-security/azure/log-analytics.html

https://documentation.wazuh.com/current/cloud-security/azure/storage.html

Please guide me to finalize the integration method and steps.

Nicolas Zapata

Aug 6, 2025, 10:38:17 AM
to Wazuh | Mailing List

Thanks for your patience and for sharing your concerns.

For AKS, logs are generally collected by enabling diagnostic settings in Azure. These logs can be forwarded to either a Log Analytics workspace or a Storage Account. You can find more information about AKS log collection in the following Microsoft thread:
https://learn.microsoft.com/en-us/answers/questions/1329357/what-are-the-ways-i-can-see-aks-logs-which-is-expo

Wazuh provides official integrations for both Log Analytics and Storage Accounts, which makes these methods more reliable and easier to maintain than using a custom webhook listener. Logs forwarded to these services can then be collected and analyzed by Wazuh using the Azure module.

Considering the cost and complexity of a custom webhook approach, we recommend using the official integrations unless there is a specific use case that requires otherwise.


Let us know if you need further guidance.

Best regards
