Ship Rancher API Audit Logs from AKS clusters
Posted in kubernetes on October 24, 2024 by Adrian Wyssmann ‐ 3 min read
As readers of my blog know, we use the Rancher logging app. Since we migrated the Rancher (upstream) cluster from RKE to AKS, we can no longer use the built-in log collection and shipping for audit logs.
The guide Enabling the API Audit Log to Record System Events explains how to enable audit logs, but as of today we find its information a bit misleading. We enabled audit logging in the Helm chart as follows.
According to the documentation we should see a sidecar, which is not the case:
Enabling the API Audit Log with the Helm chart install will create a rancher-audit-log sidecar container in the Rancher pod
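To make the two options explicit, here is a values fragment for the rancher Helm chart. This is an added example, not the values from the original post; it uses the chart values auditLog.level, auditLog.destination, auditLog.hostPath and the rotation settings as documented for the chart, and the concrete numbers are assumptions. The sidecar the documentation mentions is only created for destination sidecar; with hostPath the log is written to the node's filesystem instead, which is what the rest of this post relies on.

```yaml
# values.yaml fragment for the rancher Helm chart (added example, not the post's own values).
auditLog:
  # 0 = off, 1 = event metadata, 2 = metadata + request body, 3 = + response body.
  # Levels 2 and 3 record request/response contents, which can include credentials,
  # so keep the level as low as the requirement allows and restrict who can read
  # the shipped logs (assumed value: 1).
  level: 1
  # "sidecar" adds a rancher-audit-log container that tails the file to stdout;
  # "hostPath" writes the file to the node instead and creates no sidecar.
  destination: hostPath
  # Directory on the node; the file inside it is named rancher-api-audit.log.
  hostPath: /var/log/rancher/audit/
  # Rotation of the file on the node (assumed values): days to keep, number of
  # rotated files, size in MB before rotation.
  maxAge: 1
  maxBackup: 1
  maxSize: 100
```

With destination hostPath nothing in the Rancher pod itself ships the file, so a separate collector on the node is needed, which is the HostTailer described below.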
Important
This is not about the kube-apiserver audit logs but about the ones generated by Rancher.
With a managed cluster there is no visibility into the control plane and hence no access to the kube-apiserver audit logs.
You can achieve this with a HostTailer, which tails logs from the node's host filesystem. Since we have hostPath: /var/log/rancher/audit/, we only need the name of the log file, which is rancher-api-audit.log. Hence our HostTailer looks like this:
Then we only need a ClusterFlow which picks up the logs from the HostTailer:
Finally we use a ClusterOutput, which takes care of the shipping:
That's it; now we can also see the API audit logs in our external logging system. There is one more thing, though: you might already forward the other logs, but you may not want to send the audit logs to the same place. With the current setup the audit logs are now visible and are also picked up by the other ClusterFlow. We added the following excludes to the main ClusterFlow in order to keep the audit logs out of it:
Here the complete ClusterFlow:
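The following manifests are an added example that covers the whole chain described above (HostTailer, ClusterFlow, ClusterOutput) together with the exclusion in the main ClusterFlow; they are not the manifests from the original post. Assumptions: the namespaces cattle-system and cattle-logging-system, the pod label logs.example.com/stream that I attach to the tailer pods, an Elasticsearch destination with an es-credentials Secret, and a main ClusterFlow named main with an output named main-output.

```yaml
# Added example, not the post's own manifests. Assumed names: namespaces cattle-system and
# cattle-logging-system, the label logs.example.com/stream, the Elasticsearch host,
# the es-credentials Secret, and the main ClusterFlow/output names.
---
apiVersion: logging-extensions.banzaicloud.io/v1alpha1
kind: HostTailer
metadata:
  name: rancher-audit
  namespace: cattle-system
spec:
  fileTailers:
    # The container in the tailer DaemonSet is named after the file tailer,
    # so this name is what the ClusterFlow can match on.
    - name: rancher-api-audit
      path: /var/log/rancher/audit/rancher-api-audit.log
  # A label of our own on the tailer pods, so flows can select (or exclude)
  # exactly this stream without depending on operator-generated labels.
  workloadMetaOverrides:
    labels:
      logs.example.com/stream: rancher-audit
---
apiVersion: logging.banzaicloud.io/v1beta1
kind: ClusterFlow
metadata:
  name: rancher-audit
  namespace: cattle-logging-system
spec:
  match:
    - select:
        namespaces:
          - cattle-system
        labels:
          logs.example.com/stream: rancher-audit
        container_names:
          - rancher-api-audit
  filters:
    # Each audit record is one JSON line; parse it so the fields are searchable downstream.
    - parser:
        remove_key_name_field: true
        reserve_data: true
        parse:
          type: json
  globalOutputRefs:
    - rancher-audit
---
apiVersion: logging.banzaicloud.io/v1beta1
kind: ClusterOutput
metadata:
  name: rancher-audit
  namespace: cattle-logging-system
spec:
  # Assumed destination: a dedicated, access-restricted index rather than the
  # general application log index.
  elasticsearch:
    host: es.example.internal
    port: 9200
    scheme: https
    ssl_verify: true
    user: rancher-audit
    password:
      valueFrom:
        secretKeyRef:
          name: es-credentials
          key: password
    index_name: rancher-audit
    buffer:
      flush_interval: 10s
---
# The pre-existing main ClusterFlow: the exclude rule comes first, because match
# rules are evaluated in order and the first rule that matches a pod wins.
apiVersion: logging.banzaicloud.io/v1beta1
kind: ClusterFlow
metadata:
  name: main
  namespace: cattle-logging-system
spec:
  match:
    - exclude:
        labels:
          logs.example.com/stream: rancher-audit
    - select: {}
  globalOutputRefs:
    - main-output
```

Two things to check after applying this. The HostTailer runs as a DaemonSet on every node, but the audit file only exists on the node(s) where a Rancher replica runs, so with several replicas each node contributes its own file and the tailer pods on other nodes simply find nothing to read. And because the tailer mounts a hostPath, any Pod Security admission or policy that forbids hostPath volumes in cattle-system has to allow it for these pods, otherwise the DaemonSet never starts and no audit record is shipped.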