falcosecurity / plugins

Falco plugins registry
Apache License 2.0

Add a plugin for Azure AKS k8_audit #123

Open NissesSenap opened 2 years ago

NissesSenap commented 2 years ago

Motivation

Just like in AWS I want to be able to monitor my k8s audit logs in Azure.

Feature

An implementation of reading k8s_audit logs in AKS through Log Analytics Workspace.

Alternatives

AKS also supports sending logs directly to a storage account and an event hub.

But to make the initial offering as similar to AWS as possible, I think starting with Log Analytics Workspace is a good idea.

Additional context

How to manage the Azure Diagnostic resources through terraform: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting

NissesSenap commented 2 years ago

I have started working on this feature.

jasondellaluce commented 2 years ago

While developing the current k8saudit plugin, I tried to design it so that it could be easy to develop integrations like this to fetch audit logs from managed k8s platforms. I'm excited to see the first one coming! 😄

Note that the whole k8saudit plugin is an importable Go struct. In your case, you probably just need to re-implement the open method and reuse all the extraction-related code: https://github.com/falcosecurity/plugins/blob/52e46f7e876381f1cf666c505d386cdaa48ab2cb/plugins/k8saudit/pkg/k8saudit/source.go#L56

Let me know if you'd like some help or want to work together on this!
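The embed-and-override pattern described in this comment, as an added illustration that is neither the k8saudit plugin's code nor the Falco plugin SDK: the `BasePlugin` and `Instance` types below are stand-ins for the SDK's plugin struct and `source.Instance`, `Query` is a hypothetical injectable function standing in for a Log Analytics client, the `AzureDiagnostics` / `kube-audit` / `log_s` table layout and the workspace id are assumptions, and the sample rows are constructed. The derived `AKSPlugin` replaces only `Open`, and the field extraction it inherits is applied unchanged to the events pulled from the workspace.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// AuditEvent models the subset of a Kubernetes audit event the extractor reads.
type AuditEvent struct {
	Kind string `json:"kind"`
	Verb string `json:"verb"`
	User struct {
		Username string `json:"username"`
	} `json:"user"`
	ObjectRef struct {
		Resource  string `json:"resource"`
		Namespace string `json:"namespace"`
		Name      string `json:"name"`
	} `json:"objectRef"`
}

// Instance is an opened event stream, a stand-in for the SDK's source.Instance.
type Instance interface {
	Next() (raw []byte, ok bool)
}

// sliceInstance replays a fixed batch of raw audit events.
type sliceInstance struct {
	events [][]byte
	pos    int
}

func (s *sliceInstance) Next() ([]byte, bool) {
	if s.pos >= len(s.events) {
		return nil, false
	}
	e := s.events[s.pos]
	s.pos++
	return e, true
}

// BasePlugin stands in for the importable k8saudit plugin: it owns the
// field extraction, which a derived plugin reuses without changes.
type BasePlugin struct{}

// Extract returns one ka.* field (real k8saudit field names) from a raw event.
func (BasePlugin) Extract(field string, raw []byte) (string, error) {
	var ev AuditEvent
	if err := json.Unmarshal(raw, &ev); err != nil {
		return "", fmt.Errorf("not a JSON audit event: %w", err)
	}
	switch field {
	case "ka.verb":
		return ev.Verb, nil
	case "ka.user.name":
		return ev.User.Username, nil
	case "ka.target.resource":
		return ev.ObjectRef.Resource, nil
	case "ka.target.namespace":
		return ev.ObjectRef.Namespace, nil
	case "ka.target.name":
		return ev.ObjectRef.Name, nil
	}
	return "", fmt.Errorf("unknown field %q", field)
}

// Open in the base plugin takes raw events directly (webhook-style);
// the derived plugin replaces this method and nothing else.
func (BasePlugin) Open(events [][]byte) (Instance, error) {
	return &sliceInstance{events: events}, nil
}

// Row is one Log Analytics result row, column name -> value (assumed shape).
type Row map[string]string

// AKSPlugin embeds BasePlugin and overrides only Open.
type AKSPlugin struct {
	BasePlugin
	Query func(kql string) ([]Row, error) // hypothetical Log Analytics client
}

// Open pulls kube-audit rows for the workspace and unwraps the audit event
// carried in log_s; rows that are not a JSON audit Event are skipped rather
// than aborting the whole stream.
func (p *AKSPlugin) Open(workspaceID string) (Instance, error) {
	if p.Query == nil {
		return nil, errors.New("no Log Analytics query function configured")
	}
	rows, err := p.Query(`AzureDiagnostics | where Category == "kube-audit" | project log_s`)
	if err != nil {
		return nil, fmt.Errorf("query workspace %s: %w", workspaceID, err)
	}
	var events [][]byte
	for _, r := range rows {
		raw, ok := r["log_s"]
		var ev AuditEvent
		if !ok || json.Unmarshal([]byte(raw), &ev) != nil || ev.Kind != "Event" {
			continue
		}
		events = append(events, []byte(raw))
	}
	return p.BasePlugin.Open(events)
}

// fakeQuery returns constructed sample rows: two audit events and one
// malformed row that Open must drop.
func fakeQuery(kql string) ([]Row, error) {
	return []Row{
		{"log_s": `{"kind":"Event","verb":"create","user":{"username":"system:serviceaccount:kube-system:deployer"},"objectRef":{"resource":"pods","namespace":"prod","name":"api-7d9f"}}`},
		{"log_s": `{"kind":"Event","verb":"delete","user":{"username":"alice@example.com"},"objectRef":{"resource":"secrets","namespace":"prod","name":"db-creds"}}`},
		{"log_s": `not json at all`},
	}, nil
}

// collectEvents opens the AKS plugin and returns "verb resource" per event,
// exercising the inherited extractor on Azure-sourced events.
func collectEvents(p *AKSPlugin) ([]string, error) {
	inst, err := p.Open("workspace-id-placeholder")
	if err != nil {
		return nil, err
	}
	var out []string
	for raw, ok := inst.Next(); ok; raw, ok = inst.Next() {
		verb, _ := p.Extract("ka.verb", raw)
		res, _ := p.Extract("ka.target.resource", raw)
		out = append(out, verb+" "+res)
	}
	return out, nil
}

func main() {
	got, err := collectEvents(&AKSPlugin{Query: fakeQuery})
	if err != nil {
		panic(err)
	}
	for _, s := range got {
		fmt.Println(s)
	}
}
```

In a real port, `Query` would wrap the Azure Monitor query API and the instance would page through results on each `Next` instead of materialising a batch, but the division of labour is the point: the Azure-specific code touches only `Open`.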

jasondellaluce commented 2 years ago

@NissesSenap any news? There's a WIP EKS porting that you could use as inspiration: https://github.com/falcosecurity/plugins/pull/134. It took a few lines of code to adapt the k8saudit plugin to the new integration.

NissesSenap commented 2 years ago

@jasondellaluce sadly I haven't had time to look into this. My guess is I can take a look in a month or something similar; if anyone else has time, please go for it.

poiana commented 1 year ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana commented 1 year ago

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

jasondellaluce commented 1 year ago

/remove-lifecycle rotten

poiana commented 1 year ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana commented 1 year ago

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

poiana commented 1 year ago

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.

/close

poiana commented 1 year ago

@poiana: Closing this issue.

In response to [this](https://github.com/falcosecurity/plugins/issues/123#issuecomment-1574954637):

> Rotten issues close after 30d of inactivity.
>
> Reopen the issue with `/reopen`.
>
> Mark the issue as fresh with `/remove-lifecycle rotten`.
>
> Provide feedback via https://github.com/falcosecurity/community.
> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

jasondellaluce commented 1 year ago

/remove-lifecycle rotten

/reopen

poiana commented 1 year ago

@jasondellaluce: Reopened this issue.

In response to [this](https://github.com/falcosecurity/plugins/issues/123#issuecomment-1576240315):

> /remove-lifecycle rotten
>
> /reopen

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

poiana commented 12 months ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

jasondellaluce commented 12 months ago

/remove-lifecycle stale

andreyolv commented 11 months ago

interesting feature

poiana commented 8 months ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

Andreagit97 commented 7 months ago

/remove-lifecycle stale

poiana commented 4 months ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana commented 3 months ago

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

poiana commented 2 months ago

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.

/close

poiana commented 2 months ago

@poiana: Closing this issue.

In response to [this](https://github.com/falcosecurity/plugins/issues/123#issuecomment-2143494890):

> Rotten issues close after 30d of inactivity.
>
> Reopen the issue with `/reopen`.
>
> Mark the issue as fresh with `/remove-lifecycle rotten`.
>
> Provide feedback via https://github.com/falcosecurity/community.
> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

Andreagit97 commented 2 months ago

/remove-lifecycle rotten

/reopen

poiana commented 2 months ago

@Andreagit97: Reopened this issue.

In response to [this](https://github.com/falcosecurity/plugins/issues/123#issuecomment-2144532856):

> /remove-lifecycle rotten
>
> /reopen

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.