
I followed these instructions in order to get AKS audit logs.

https://docs.microsoft.com/en-us/azure/aks/view-master-logs

I can't find some basic fields such as stage, level, username...

How can I see the "k8s audit" with the full log?

AKS audit logs


1 Answer


Here is an example query to get started. It expands the log_s field and removes some of the noise to try and give just logs for when a user has modified a resource in Kubernetes. The requestURI and requestObject fields will give you the most info about what the user was doing.

// The audit event itself is a JSON string in log_s; expand it first
AzureDiagnostics
| where Category == "kube-audit"
| extend log_j = parse_json(log_s)
| extend requestURI = tostring(log_j.requestURI)
| extend verb = tostring(log_j.verb)
| extend username = tostring(log_j.user.username)
| extend requestObject = parse_json(log_j.requestObject)
// Drop read-only verbs
| where verb !in ("get", "list", "watch", "")
// Drop noisy accounts and kube-system service accounts
| where username !in ("aksService", "masterclient", "nodeclient")
| where username !startswith "system:serviceaccount:kube-system"
// Keep requests under /api/, minus node and system-namespace noise
| where requestURI startswith "/api/"
| where requestURI !startswith "/api/v1/nodes/"
| where requestURI !startswith "/api/v1/namespaces/kube-system/"
| where requestURI !startswith "/api/v1/namespaces/ingress-basic/"
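
An added example, not part of the original answer: the same expansion and noise filters applied offline in Python to log_s values, showing that stage, level and user.username sit inside the JSON in log_s. The sample events, user names and the helper names (expand, is_user_change, user_changes, _event) are constructed for illustration.

```python
import json

READ_VERBS = {"get", "list", "watch", ""}
NOISY_USERS = {"aksService", "masterclient", "nodeclient"}
NOISY_URI_PREFIXES = ("/api/v1/nodes/", "/api/v1/namespaces/kube-system/",
                      "/api/v1/namespaces/ingress-basic/")

def expand(log_s):
    """Flatten one log_s JSON string into the fields the query works with."""
    event = json.loads(log_s)
    obj = event.get("requestObject")
    if isinstance(obj, str) and obj:  # tolerate a JSON-encoded string
        obj = json.loads(obj)
    fields = {k: event.get(k, "") for k in ("stage", "level", "verb", "requestURI")}
    fields["username"] = (event.get("user") or {}).get("username", "")
    fields["requestObject"] = obj
    return fields

def is_user_change(e):
    """Same exclusions as the query: reads, noisy accounts, noisy paths."""
    user, uri = e["username"].lower(), e["requestURI"].lower()  # KQL startswith ignores case
    return (e["verb"] not in READ_VERBS
            and e["username"] not in NOISY_USERS
            and not user.startswith("system:serviceaccount:kube-system")
            and uri.startswith("/api/")  # "/apis/<group>/..." paths do not match this
            and not uri.startswith(NOISY_URI_PREFIXES))

def user_changes(log_lines):
    return [e for e in map(expand, log_lines) if is_user_change(e)]

def _event(username, verb, uri, request_object=None):
    # Builds a constructed audit.k8s.io/v1 Event serialized the way log_s carries it.
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1",
                       "level": "RequestResponse", "stage": "ResponseComplete",
                       "verb": verb, "requestURI": uri,
                       "user": {"username": username}, "requestObject": request_object})

# Constructed sample input, not real cluster logs.
SAMPLE_LOG_S = [
    _event("alice@example.com", "create", "/api/v1/namespaces/default/pods", {"kind": "Pod"}),
    _event("alice@example.com", "get", "/api/v1/namespaces/default/pods/demo"),
    _event("nodeclient", "patch", "/api/v1/nodes/aks-node-0/status"),
    _event("system:serviceaccount:kube-system:job-controller", "update",
           "/api/v1/namespaces/default/pods/demo"),
    _event("alice@example.com", "create", "/apis/apps/v1/namespaces/default/deployments"),
    _event("bob@example.com", "delete", "/api/v1/namespaces/default/secrets/db",
           '{"kind": "DeleteOptions"}'),
]

if __name__ == "__main__":
    print(*user_changes(SAMPLE_LOG_S), sep="\n")
```

Only the pod create and the secret delete pass the filters; the Deployment create is dropped because its URI starts with /apis/ rather than /api/.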