In this we have the information regarding creating a webhook listener, but it does not mention anything about AKS. Also, in the conversation it is mentioned that this integration includes the Wazuh agent, but the provided link does not mention the Wazuh agent.
When I checked about logs from AKS, I came to know that AKS logs need to be enabled through a diagnostic setting, which can forward them to a Log Analytics workspace or storage account. So I would like to know whether this is mandatory, since it incurs additional cost. Is this required for the webhook-based integration suggested in the above conversation?
Wazuh has integration documents for the Log Analytics API and storage account, so is integration through a webhook the best choice, or one of the others?
https://documentation.wazuh.com/current/cloud-security/azure/log-analytics.html
https://documentation.wazuh.com/current/cloud-security/azure/storage.html
Please guide me to finalize the integration method and steps.
Hi Gokul,
For AKS, logs are usually collected by enabling diagnostic settings in Azure, which forward logs to either Log Analytics or a Storage Account. Yes, enabling these diagnostics can lead to extra costs, but it's the standard and supported method in Azure for collecting AKS logs.
To export the logs, you can refer to https://learn.microsoft.com/en-us/answers/questions/1329357/what-are-the-ways-i-can-see-aks-logs-which-is-expo
The webhook method may still require enabling diagnostic logs, so the cost might still apply. Also, webhook setups are more manual, and you need to configure them very carefully to collect all the AKS events.
Since Wazuh already provides integrations for both Log Analytics and Storage Accounts (see links below), it's a better and more reliable approach compared to using custom webhooks. You can send AKS logs to a storage account or Log Analytics workspace, and then collect them using the Azure module in Wazuh.
Wazuh Log Analytics integration:
https://documentation.wazuh.com/current/cloud-security/azure/log-analytics.html
Wazuh Storage integration:
https://documentation.wazuh.com/current/cloud-security/azure/storage.html
Using one of these methods is usually recommended for monitoring AKS with Wazuh.
Hi Gokul, when monitoring AKS with Wazuh, the most important logs to look at are the ones that give you visibility into security and system activity.
Start with the audit logs, which show who accessed what and when, which is critical for spotting any suspicious behavior.
Then, keep an eye on control plane logs like those from the scheduler, controller manager, and cloud controller, as they help you understand how the cluster is behaving internally.
Refer to https://www.apptio.com/topics/kubernetes/monitoring/aks/
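As an added example (not from the Wazuh documentation or either reply above), this ossec.conf fragment configures the Wazuh Azure module's Log Analytics collector recommended in the first reply to pull only the AKS audit and control plane categories named in the second one. The workspace ID, tenant domain and credentials path are placeholders, and it assumes the cluster's diagnostic setting already sends those categories to the workspace in the AzureDiagnostics table.

```xml
<!-- Added example: Wazuh manager ossec.conf, Azure module, Log Analytics source.
     Assumes an AKS diagnostic setting forwards kube-audit, kube-scheduler,
     kube-controller-manager and cloud-controller-manager to the workspace. -->
<wodle name="azure-logs">
  <disabled>no</disabled>
  <interval>10m</interval>          <!-- how often the module polls the workspace -->
  <run_on_start>yes</run_on_start>

  <log_analytics>
    <!-- Placeholder: file holding application_id / application_key of the
         service principal granted Log Analytics Reader on the workspace -->
    <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
    <tenantdomain>EXAMPLE_TENANT.onmicrosoft.com</tenantdomain>   <!-- placeholder -->

    <!-- Request 1: Kubernetes API audit events (who did what, and when) -->
    <request>
      <query>AzureDiagnostics | where Category == "kube-audit"</query>
      <workspace>WORKSPACE_ID_PLACEHOLDER</workspace>
      <tag>aks-kube-audit</tag>
      <time_offset>1d</time_offset>  <!-- look-back window on first run -->
    </request>

    <!-- Request 2: control plane components, tagged separately so rules can
         treat cluster-internal behaviour differently from user actions -->
    <request>
      <query>AzureDiagnostics | where Category in ("kube-scheduler", "kube-controller-manager", "cloud-controller-manager")</query>
      <workspace>WORKSPACE_ID_PLACEHOLDER</workspace>
      <tag>aks-control-plane</tag>
      <time_offset>1d</time_offset>
    </request>
  </log_analytics>
</wodle>
```

Narrowing each query to specific Category values keeps the Log Analytics query cost and the Wazuh ingestion volume limited to the categories that matter, rather than pulling the whole AzureDiagnostics table on every poll.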