We are collecting logs from some Kubernetes cluster running on AWS EKS, and since the Kubernetes integration does not support collecting logs from managed services, we were able to collect these logs using CloudWatch. Using a reroute processor, we are able to parse them and store them in the logs-kubernetes.audit_logs-NAMESPACE data stream; this way we can use the correct mapping for the Kubernetes audit log fields.
We just noticed that some audit logs do not have the correct mapping in the Kubernetes template.
The objects kubernetes.audit.requestObject.webhooks and kubernetes.audit.responseObject.webhooks have no mapping in the component template.
Example of the fields for kubernetes.audit.requestObject.webhooks
Example of the fields for kubernetes.audit.responseObject.webhooks
There is also no mapping for kubernetes.audit.responseObject.apiVersion, kubernetes.audit.requestObject.apiVersion, kubernetes.audit.requestObject.kind and kubernetes.audit.responseObject.kind.
It seems that there are other nested fields under kubernetes.audit.responseObject and kubernetes.audit.requestObject that also do not have any mappings in the Kubernetes Integration.
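One way to list every field of an audit event that a template's mappings do not cover, as an added example that is not part of the original report or of the Kubernetes integration. `SAMPLE_PROPERTIES` and `SAMPLE_EVENT` are constructed for illustration (they are not the integration's real template or a real log), and the code assumes the mappings use nested `properties` blocks rather than dotted keys.

```python
def leaf_paths(value, prefix=""):
    """Yield the dotted path of every leaf value; arrays are transparent,
    as they are in Elasticsearch mappings."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from leaf_paths(child, f"{prefix}.{key}" if prefix else key)
    elif isinstance(value, list):
        for item in value:
            yield from leaf_paths(item, prefix)
    else:
        yield prefix

def is_mapped(path, properties):
    """Follow a dotted path through nested `properties` blocks."""
    node = properties
    for part in path.split("."):
        field = node.get(part)
        if field is None:
            return False
        if field.get("type") == "flattened":
            return True  # a flattened field covers everything beneath it
        node = field.get("properties", {})
    return True

def unmapped_fields(event, properties):
    """Sorted, de-duplicated field paths present in the event but not mapped."""
    return sorted({p for p in leaf_paths(event) if not is_mapped(p, properties)})

# Constructed mappings: only a few audit fields are declared.
SAMPLE_PROPERTIES = {"kubernetes": {"properties": {"audit": {"properties": {
    "verb": {"type": "keyword"},
    "requestObject": {"properties": {"metadata": {"type": "flattened"}}},
    "responseObject": {"properties": {"metadata": {"type": "flattened"}}},
}}}}}

# Constructed audit event for a webhook configuration update.
SAMPLE_EVENT = {"kubernetes": {"audit": {
    "verb": "update",
    "requestObject": {
        "apiVersion": "admissionregistration.k8s.io/v1",
        "kind": "ValidatingWebhookConfiguration",
        "metadata": {"name": "example"},
        "webhooks": [{"name": "a.example.com", "failurePolicy": "Ignore"},
                     {"name": "b.example.com", "failurePolicy": "Fail"}],
    },
    "responseObject": {"apiVersion": "admissionregistration.k8s.io/v1",
                       "kind": "ValidatingWebhookConfiguration"},
}}}

if __name__ == "__main__":
    print("\n".join(unmapped_fields(SAMPLE_EVENT, SAMPLE_PROPERTIES)))
```

To check a real data stream, pass the `properties` object from its index mapping and a parsed event in place of the two samples.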