A Kubernetes cluster must be running on your system.
Create a copy of the Kubernetes audit policy file.
If you are using the Container or the Kubernetes content extensions,
you need the JSA audit policy file.
Make sure that rsyslog is installed and running on your system.
To collect all events from Kubernetes Auditing, you must specify JSA as the syslog server.
- Use SSH to log in to your Kubernetes Auditing console.
- In the /etc/kubernetes/manifests/kube-apiserver.yaml file, define the audit-policy-file and audit-log-path parameters.
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    ...
    - --audit-policy-file=/etc/kubernetes/audit-policy.yaml
    - --audit-log-path=/var/log/apiserver/audit.log
    ...
- Configure the rsyslog /etc/rsyslog.conf file to forward events that are logged in the audit.log file to JSA.

#### MODULES ####
…
# load the file-input module that reads the audit log
$ModLoad imfile
# ### begin forwarding rule ###
# file written by kube-apiserver (must match --audit-log-path)
$InputFileName /var/log/apiserver/audit.log
$InputFileSeverity notice
$InputFileFacility local0
$InputRunFileMonitor
# @@ forwards over TCP; replace QRADAR_EVENT_COLLECTOR_IP with the address of the JSA event collector
local0.* @@QRADAR_EVENT_COLLECTOR_IP:514
- Restart rsyslog by typing the following command:
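The most common failure in this procedure is that the two edits disagree with each other: kube-apiserver writes to one path while rsyslog's imfile rule watches another, or the forwarding rule uses a facility the imfile rule never tags. The following pre-flight check is an added example, not part of the JSA documentation or of any Kubernetes or rsyslog tooling. It reads a kube-apiserver manifest and an rsyslog.conf, extracts the audit flags and the legacy imfile directives, and reports any mismatch before rsyslog is restarted. The two sample files it builds in a temporary directory are constructed here to mirror the fragments above; the function and helper names are mine.

```shell
#!/bin/sh
# Added example: consistency check between the kube-apiserver audit flags and
# the rsyslog forwarding rule. Not from the JSA documentation.

# Print the value of "--<flag>=<value>" from a kube-apiserver manifest.
# $1 = manifest path, $2 = flag name without the leading dashes
manifest_flag() {
  sed -n 's/^[[:space:]]*-[[:space:]]*--'"$2"'=\(.*\)$/\1/p' "$1" | head -n 1
}

# Print the argument of a legacy rsyslog directive such as $InputFileName.
# $1 = rsyslog.conf path, $2 = directive name without the leading $
rsyslog_directive() {
  sed -n 's/^[[:space:]]*[$]'"$2"'[[:space:]]\{1,\}\(.*\)$/\1/p' "$1" | head -n 1
}

# Return 0 when manifest and rsyslog.conf agree, 1 otherwise (problems are printed).
# $1 = manifest path, $2 = rsyslog.conf path
check_audit_forwarding() {
  manifest="$1"
  rsyslogconf="$2"
  ok=0

  policy=$(manifest_flag "$manifest" audit-policy-file)
  logpath=$(manifest_flag "$manifest" audit-log-path)
  monitored=$(rsyslog_directive "$rsyslogconf" InputFileName)
  facility=$(rsyslog_directive "$rsyslogconf" InputFileFacility)
  # imfile tags messages as local0 when no facility is given
  [ -n "$facility" ] || facility=local0

  [ -n "$policy" ]  || { echo "manifest: --audit-policy-file is missing"; ok=1; }
  [ -n "$logpath" ] || { echo "manifest: --audit-log-path is missing"; ok=1; }
  grep -q '^[[:space:]]*[$]ModLoad[[:space:]]\{1,\}imfile' "$rsyslogconf" \
    || { echo "rsyslog: imfile module is not loaded"; ok=1; }
  [ "$monitored" = "$logpath" ] \
    || { echo "rsyslog: InputFileName ($monitored) differs from --audit-log-path ($logpath)"; ok=1; }
  grep -q "^[[:space:]]*$facility\.\*[[:space:]]\{1,\}@@" "$rsyslogconf" \
    || { echo "rsyslog: no TCP (@@) forwarding rule for facility $facility"; ok=1; }
  return $ok
}

# Constructed sample files (not real cluster files) so the check runs offline.
demo_dir=$(mktemp -d)
cat > "$demo_dir/kube-apiserver.yaml" <<'EOF'
apiVersion: v1
kind: Pod
spec:
  containers:
  - command:
    - kube-apiserver
    - --audit-policy-file=/etc/kubernetes/audit-policy.yaml
    - --audit-log-path=/var/log/apiserver/audit.log
EOF
cat > "$demo_dir/rsyslog.conf" <<'EOF'
$ModLoad imfile
$InputFileName /var/log/apiserver/audit.log
$InputFileSeverity notice
$InputFileFacility local0
$InputRunFileMonitor
local0.* @@QRADAR_EVENT_COLLECTOR_IP:514
EOF
# A broken variant: rsyslog watches a different file than kube-apiserver writes.
sed 's#/var/log/apiserver/audit.log#/var/log/audit.log#' \
  "$demo_dir/rsyslog.conf" > "$demo_dir/rsyslog-wrong.conf"

check_audit_forwarding "$demo_dir/kube-apiserver.yaml" "$demo_dir/rsyslog.conf" \
  && echo "consistent: $demo_dir/rsyslog.conf"
check_audit_forwarding "$demo_dir/kube-apiserver.yaml" "$demo_dir/rsyslog-wrong.conf" \
  || echo "mismatch detected: $demo_dir/rsyslog-wrong.conf"
```

Run it against the real files with `check_audit_forwarding /etc/kubernetes/manifests/kube-apiserver.yaml /etc/rsyslog.conf` before restarting rsyslog. The check only compares the two text files; on a kubeadm cluster, where kube-apiserver runs as a static pod, the policy file and the audit log directory must additionally be mounted into the container as hostPath volumes, which this script does not verify.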