User Guide
Audit Log Guide
Overview
Audit logs are collected from different sources including k8s clusters and other servers in the Global Controller. For the activities that are collected from k8s clusters, only the activities that are conducted via CloudNatix's session-manager and that modify the cluster status (e.g POST/PUT/PATCH) are collected. In other words, read-only activities are ignored.
Audit logs can be helpful for security, compliance, and troubleshooting.
Attributes
Each audit log has several attributes, including who executed the activity, when and where the activity was executed, the type of activity, and the associated k8s workloads of the activity if applicable.
| Action | String | The action type of the activity. For HTTP requests, it is method type, e.g. POST, PUT, DELETE, etc. |
|---|---|---|
| Client IP Address | String | The IP address of the subject |
| Data Source | String | The cluster name of the that activity was executed |
| Event Type Name | String | The event type is named based on the action of the activity, such as create, delete, scale, portforward, etc. |
| Event Type Result | Bool | Whether the activity was executed successfully or failed |
| Response Code | Int32 | The response code from HTTP response |
| Source | Enumeration | The agent that recorded the activity |
| Subject | String | Who executed the activity, i.e. user ID. |
| Target | String | The namespace and resource name of the k8s target |
| Target Type | Enumeration | The target type can be "Kubernetes Resource", "User", "Cluster", etc. |
| Timestamp | Timestamp | When the activity was executed |
| UUID | String | The unique identifier of the activity |
Depending on the type of activities, there are some additional attributes. For example, additional attributes for the activities of Kubernetes Resources are:
| Cluster Name | String | The cluster name where the activity is executed |
|---|---|---|
| Cluster UUID | String | The cluster UUID where the activity is executed |
| Host | String | The domain name of the HTTP request |
| URL | String | The URL of the HTTP request |
| Operation | String | The type of operation for applicable k8s activities, e.g. exec, scale, portforwarding. |
| K8S Resource Kind | String | The Kind of k8s resources, e.g. Pod, Deployment |
| K8S Resource UID | String | The UID of the k8s resource |
| K8S Resource Name | String | The name of the k8s resource |
| Top-level workload name | String | The name of the associated top-level workload |
| Top-level workload UID | String | The UID of the associated top-level workload |
| Org UUID | String | The UUID of the org who owns the k8s resource or the cluster |
| Org Name | String | The name of the org who owns the k8s resource or the cluster |
| Namespace | String | The namespace the k8s resource belongs to |
| API Group | String | The API group of the HTTP request |
| API Version | String | The API version of the HTTP request |
Functions
- Search
The audit logs can be searched by certain attributes, including Subject, Action, Client IP, Data Source, Event Type, Org UUID, Response Code, Source, Target, Target Type, and Timestamp.
- Sort
The audit logs can be sorted by certain attributes, including Subject, Timestamp, Data Source, and Target, and in either ascending or descending order.