Audit logs are collected from different sources, including k8s clusters and other servers in the Global Controller. For activities collected from k8s clusters, only those that are conducted via CloudNatix's session-manager and that modify the cluster status (e.g. POST/PUT/PATCH) are collected. In other words, read-only activities are ignored.
Audit logs can be helpful for security, compliance, and troubleshooting.
Each audit log has several attributes, including who executed the activity, when and where the activity was executed, the type of activity, and the associated k8s workloads of the activity if applicable.
| | The action type of the activity. For HTTP requests, it is the method type, e.g. POST, PUT, DELETE, etc. |
| Client IP Address | The IP address of the subject |
| | The name of the cluster where the activity was executed |
| Event Type Name | The event type is named based on the action of the activity, such as create, delete, scale, portforward, etc. |
| Event Type Result | Whether the activity was executed successfully or failed |
| | The response code from the HTTP response |
| | The agent that recorded the activity |
| | Who executed the activity, i.e. user ID |
| | The namespace and resource name of the k8s target |
| | The target type can be "Kubernetes Resource", "User", "Cluster", etc. |
| | When the activity was executed |
| | The unique identifier of the activity |
Depending on the type of activities, there are some additional attributes. For example, additional attributes for the activities of Kubernetes Resources are:
| | The cluster name where the activity is executed |
| | The cluster UUID where the activity is executed |
| | The domain name of the HTTP request |
| | The URL of the HTTP request |
| | The type of operation for applicable k8s activities, e.g. exec, scale, portforwarding |
| K8S Resource Kind | The Kind of k8s resources, e.g. Pod, Deployment |
| K8S Resource UID | The UID of the k8s resource |
| K8S Resource Name | The name of the k8s resource |
| Top-level workload name | The name of the associated top-level workload |
| Top-level workload UID | The UID of the associated top-level workload |
| | The UUID of the org who owns the k8s resource or the cluster |
| | The name of the org who owns the k8s resource or the cluster |
| | The namespace the k8s resource belongs to |
| | The API group of the HTTP request |
| | The API version of the HTTP request |
The audit logs can be searched by certain attributes, including Subject, Action, Client IP, Data Source, Event Type, Org UUID, Response Code, Source, Target, Target Type, and Timestamp.
The audit logs can be sorted by certain attributes, including Subject, Timestamp, Data Source, and Target, in either ascending or descending order.
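The search and sort behaviour described above, applied to a routine review of audit records, as an added example that is not CloudNatix code. It assumes the records have been obtained as dictionaries; the key names, the `exec` event type value, the result strings and all sample values are hypothetical stand-ins for the attributes listed on this page.

```python
from collections import Counter
from datetime import datetime

# Constructed sample records. Key names are hypothetical stand-ins for the
# attributes listed above, not a documented export format.
RECORDS = [
    {"subject": "alice", "action": "POST", "client_ip": "203.0.113.10",
     "event_type": "exec", "result": "success", "response_code": 200,
     "target": "prod/api-7d9f", "timestamp": "2024-05-01T10:02:00+00:00"},
    {"subject": "bob", "action": "PATCH", "client_ip": "198.51.100.7",
     "event_type": "scale", "result": "failed", "response_code": 403,
     "target": "prod/api", "timestamp": "2024-05-01T10:05:00+00:00"},
    {"subject": "bob", "action": "DELETE", "client_ip": "198.51.100.7",
     "event_type": "delete", "result": "failed", "response_code": 403,
     "target": "prod/db", "timestamp": "2024-05-01T10:06:00+00:00"},
    {"subject": "carol", "action": "POST", "client_ip": "203.0.113.44",
     "event_type": "create", "result": "success", "response_code": 201,
     "target": "dev/job-1", "timestamp": "2024-05-01T09:00:00+00:00"},
]

INTERACTIVE = {"exec", "portforward"}  # event types that open a session into a workload
DENIED = {401, 403}                    # response codes for rejected requests

def search(records, **criteria):
    """Exact-match filter on any combination of attributes."""
    return [r for r in records
            if all(r.get(k) == v for k, v in criteria.items())]

def sort_by(records, key, descending=False):
    """Sort by one attribute; timestamps are compared as datetimes."""
    def sort_key(r):
        return datetime.fromisoformat(r[key]) if key == "timestamp" else r[key]
    return sorted(records, key=sort_key, reverse=descending)

def review(records, denied_threshold=2):
    """Return (interactive sessions, newest first; subjects with repeated denials)."""
    sessions = sort_by([r for r in records if r["event_type"] in INTERACTIVE],
                       "timestamp", descending=True)
    denials = Counter(r["subject"] for r in records
                      if r["response_code"] in DENIED)
    repeat = sorted(s for s, n in denials.items() if n >= denied_threshold)
    return sessions, repeat
```

Because read-only requests are not collected, a review like this sees only changes to cluster state; it cannot show who viewed a resource.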