A Kubernetes cluster must be running on your system.
Create a copy of the Kubernetes audit policy file.
If you are using the Container or the Kubernetes content extensions, you need the JSA audit policy file.
Make sure that rsyslog is installed and running on your system.
To collect all events from Kubernetes Auditing, you must specify JSA as the syslog server.
- Use SSH to log in to your Kubernetes Auditing console.
- In the /etc/kubernetes/manifests/kube-apiserver.yaml file, define the audit-policy-file and audit-log-path parameters.

```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    ...
    - --audit-policy-file=/etc/kubernetes/audit-policy.yaml
    - --audit-log-path=/var/log/apiserver/audit.log
    ...
```
- Configure the rsyslog /etc/rsyslog.conf file to forward events that are logged in the audit.log file to JSA.

```
#### MODULES ####
…
$ModLoad imfile
# ### begin forwarding rule ###
$InputFileName /var/log/apiserver/audit.log
$InputFileSeverity notice
$InputFileFacility local0
$InputRunFileMonitor
local0.* @@QRADAR_EVENT_COLLECTOR_IP:514
```
- Restart rsyslog by typing the following command:
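The two edits above only work together when the path in `--audit-log-path` is the same file that rsyslog monitors and the `QRADAR_EVENT_COLLECTOR_IP` placeholder has been replaced with the real collector address. The following shell script is an added example, not part of the JSA documentation, that checks both files for these mistakes; the file paths are arguments and the sample files written by `write_samples` are constructed here.

```shell
#!/bin/sh
# Added example, not part of the JSA documentation: check that the kube-apiserver manifest
# and rsyslog.conf edits above agree. Paths are passed as arguments; write_samples creates
# constructed sample files so the check can be run offline.

# Print the --audit-log-path value from the kube-apiserver manifest (empty if absent).
audit_log_path_from_manifest() {
  sed -n 's/.*--audit-log-path=\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Print the file that the imfile rule monitors.
input_file_from_rsyslog() {
  awk '$1 == "$InputFileName" { print $2; exit }' "$1"
}

# Print the local0.* forwarding target without its @@ (TCP) or @ (UDP) prefix.
forward_target_from_rsyslog() {
  awk '$1 == "local0.*" { sub(/^@@?/, "", $2); print $2; exit }' "$1"
}

# Return 0 when the two files are consistent; otherwise report the first problem and return 1.
check_audit_forwarding() {
  manifest="$1"; conf="$2"
  grep -q -- '--audit-policy-file=' "$manifest" || { echo "manifest: --audit-policy-file missing"; return 1; }
  log_path=$(audit_log_path_from_manifest "$manifest")
  [ -n "$log_path" ] || { echo "manifest: --audit-log-path missing"; return 1; }
  grep -q '^\$ModLoad imfile' "$conf" || { echo "rsyslog: imfile module not loaded"; return 1; }
  monitored=$(input_file_from_rsyslog "$conf")
  [ "$monitored" = "$log_path" ] || { echo "rsyslog: monitors '$monitored' but the API server writes '$log_path'"; return 1; }
  grep -q '^\$InputRunFileMonitor' "$conf" || { echo "rsyslog: \$InputRunFileMonitor missing"; return 1; }
  case "$(forward_target_from_rsyslog "$conf")" in
    ''|*QRADAR_EVENT_COLLECTOR_IP*) echo "rsyslog: local0.* target is unset or still the placeholder"; return 1 ;;
  esac
  echo "ok: $log_path is monitored and forwarded"
}

# Write constructed samples into "$1": the manifest from the procedure above and an
# rsyslog.conf in which the QRADAR_EVENT_COLLECTOR_IP placeholder was never replaced.
write_samples() {
  printf '%s\n' 'spec:' '  containers:' '  - command:' '    - kube-apiserver' \
    '    - --audit-policy-file=/etc/kubernetes/audit-policy.yaml' \
    '    - --audit-log-path=/var/log/apiserver/audit.log' > "$1/kube-apiserver.yaml"
  printf '%s\n' '$ModLoad imfile' '$InputFileName /var/log/apiserver/audit.log' \
    '$InputFileSeverity notice' '$InputFileFacility local0' '$InputRunFileMonitor' \
    'local0.* @@QRADAR_EVENT_COLLECTOR_IP:514' > "$1/rsyslog.conf"
}
```

The script does not verify that the audit log directory is mounted from the node into the static kube-apiserver Pod, which it must be for rsyslog running on the node to see the file.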