Kubernetes Auditing Sample Event Message

Use this sample event message as a way of verifying a successful integration with JSA.

The following table provides a sample event message when you use the Syslog protocol for the Kubernetes Auditing DSM.

Note: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Table 1: Kubernetes Auditing Sample Message Supported by the Kubernetes Auditing DSM

Event name: Read the specified endpoints

Low level category: Read Activity Succeeded

Sample log message:

<133>Oct 21 10:37:55 test.example.com k8s-audit:
{"kind":"Event","apiVersion":
"audit.k8s.io/
v1","level":"RequestResponse","auditID":"d30b40b8-4f6a-4219-9828-
a7f732518541",
"stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/
endpoints/kubernetes",
"verb":"get","user":{"username":"system:apiserver","uid":"0f440c21-
a1c6-4ec3-84a4-50cd5dee2eb7",
"groups":["system:masters"]},"sourceIPs":["::1"],"userAgent":"kubeapiserver/
v1.15.2 (linux/amd64)
kubernetes/f627830","objectRef":
{"resource":"endpoints","namespace":"default","name":"kubernetes",
"apiVersion":"v1"},"responseStatus":{"metadata":
{},"code":200},"responseObject":{"kind":"Endpoints",
"apiVersion":"v1","metadata":
{"name":"kubernetes","namespace":"default","selfLink":"/api/v1/
namespaces
/default/endpoints/
kubernetes","uid":"1104e39a-46d2-4c35-92d2-5206dc6be4d2","resource
Version":"156","creationTimestamp":"2019-10-21T13:18:48Z"},"subsets":
[{"addresses":[{"ip":"192.0.2.0/24"}],
"ports":
[{"name":"https","port":6443,"protocol":"TCP"}]}]},"requestReceived
Timestamp":"2019-10-21T14:37:53.788926Z","stageTimestamp":
"2019-10-21T14:37:53.789945Z","annotations":{"authorization.k8s.io/
decision":"allow",
"authorization.k8s.io/reason":""}}
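
The following Python sketch is an added example, not part of the JSA documentation or the DSM itself. It applies the note's cleanup step (removing carriage returns and line feeds) to an abbreviated copy of the sample above, then splits the syslog header from the JSON audit event so the fields can be checked before the message is replayed to JSA. The names parse_audit_syslog, HEADER and WRAPPED_SAMPLE are hypothetical.

```python
import json
import re

# Abbreviated copy of the page's sample, wrapped the way the page wraps it
# (line breaks inside keys and values). Constructed by shortening the sample.
WRAPPED_SAMPLE = """<133>Oct 21 10:37:55 test.example.com k8s-audit:
{"kind":"Event","apiVersion":
"audit.k8s.io/
v1","level":"RequestResponse","auditID":"d30b40b8-4f6a-4219-9828-
a7f732518541",
"stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/
endpoints/kubernetes",
"verb":"get","user":{"username":"system:apiserver",
"groups":["system:masters"]},"sourceIPs":["::1"],"objectRef":
{"resource":"endpoints","namespace":"default","name":"kubernetes",
"apiVersion":"v1"},"responseStatus":{"metadata":
{},"code":200},"annotations":{"authorization.k8s.io/
decision":"allow",
"authorization.k8s.io/reason":""}}
"""

# <PRI>Mmm dd hh:mm:ss host tag:  (BSD-style syslog header, as in the sample)
HEADER = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\s]+):\s*")


def parse_audit_syslog(raw: str) -> dict:
    """Strip CR/LF, split the syslog header from the JSON body, decode both."""
    line = raw.replace("\r", "").replace("\n", "")
    m = HEADER.match(line)
    if not m:
        raise ValueError("syslog header not found")
    pri = int(m.group(1))
    event = json.loads(line[m.end():])  # raises ValueError if the JSON is still broken
    return {
        "facility": pri // 8,   # PRI = facility * 8 + severity
        "severity": pri % 8,
        "host": m.group(3),
        "tag": m.group(4),
        "audit_id": event["auditID"],
        "verb": event["verb"],
        "user": event["user"]["username"],
        "groups": event["user"].get("groups", []),
        "resource": event["objectRef"]["resource"],
        "status": event["responseStatus"]["code"],
        "decision": event["annotations"].get("authorization.k8s.io/decision"),
    }

if __name__ == "__main__":
    print(json.dumps(parse_audit_syslog(WRAPPED_SAMPLE), indent=2))
```

Removing line breaks also removes any space that originally sat at a wrap point, so compare free-text fields such as userAgent against a known-good event rather than trusting the joined value.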