fluent / fluentd-kubernetes-daemonset

Fluentd daemonset for Kubernetes and its Docker image
Apache License 2.0

Support for Kubernetes audit logs json format #519

Open hmalinov opened 3 years ago

hmalinov commented 3 years ago

The Kubernetes audit logs support two formats:

--audit-log-format string     Default: "json"
    Format of saved audits. "legacy" indicates 1-line text format for each event. "json" indicates structured json format. Known formats are legacy,json.

The default format these days is json. However, the parsing defined in kubernetes.conf is for the legacy format. Could you please add a json one like the one below, or replace the current parsing with it?

<source>
  @type tail
  @id in_tail_kube_apiserver_audit
  multiline_flush_interval 5s
  path /var/log/kubernetes/kube-apiserver-audit.log
  pos_file /var/log/kube-apiserver-audit.log.pos
  tag kube-apiserver-audit
  <parse>
    @type json
    keep_time_key true
    time_key timestamp
    time_format %Y-%m-%dT%T.%L%Z
  </parse>
</source>
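
A triage check for the mismatch described above, added here as an example and not part of the issue or the project's code: it classifies each audit log line as JSON or legacy and reports which time fields the JSON events carry, so the `<parse>` type and `time_key` can be matched to what the API server actually writes. The sample lines are constructed, and the event fields assume the audit.k8s.io/v1 Event schema.

```python
import json
import re
from collections import Counter

# Legacy lines start with an RFC 3339 timestamp followed by "AUDIT:".
LEGACY_RE = re.compile(r'^\d{4}-\d{2}-\d{2}T\S+ AUDIT: ')
# The key used in the config above, plus the audit.k8s.io/v1 time fields (assumed schema).
TIME_KEYS = ("timestamp", "requestReceivedTimestamp", "stageTimestamp")

def classify(line):
    """Return ('json', event), ('legacy', None) or ('unknown', None)."""
    line = line.strip()
    if line.startswith("{"):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            return "unknown", None  # e.g. a partially written or truncated line
        if isinstance(event, dict) and event.get("kind") == "Event":
            return "json", event
        return "unknown", None
    if LEGACY_RE.match(line):
        return "legacy", None
    return "unknown", None

def survey(lines):
    """Count line formats and which candidate time keys the JSON events carry."""
    formats, time_keys = Counter(), Counter()
    for line in lines:
        if not line.strip():
            continue
        fmt, event = classify(line)
        formats[fmt] += 1
        if event is not None:
            time_keys.update(k for k in TIME_KEYS if k in event)
    return formats, time_keys

def _event(verb):
    # Constructed audit event, not taken from a real cluster.
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1",
                       "level": "Metadata", "stage": "ResponseComplete",
                       "verb": verb, "requestURI": "/api/v1/pods",
                       "requestReceivedTimestamp": "2021-03-01T10:15:00.000000Z",
                       "stageTimestamp": "2021-03-01T10:15:00.004000Z"})

# Constructed sample: two JSON events, one legacy line, one truncated JSON line.
SAMPLE = [_event("list"),
          '2021-03-01T10:15:01.123456789Z AUDIT: id="0001" ip="127.0.0.1" '
          'method="GET" user="admin" uri="/api/v1/pods"',
          _event("get"), _event("watch")[:40]]

if __name__ == "__main__":
    formats, time_keys = survey(SAMPLE)
    print(dict(formats), dict(time_keys))
```

To check a real file, pass `open(path)` to `survey()`. A time key with a zero count is one Fluentd will not find in the parsed record.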

GerkinDev commented 3 years ago

Bump. It's quite boring to have to edit kube-apiserver flags from manifests.

github-actions[bot] commented 3 years ago

This issue has been automatically marked as stale because it has been open 90 days with no activity. Remove stale label or comment or this issue will be closed in 30 days.

GerkinDev commented 3 years ago

Bump. Could something be done about #534 addressing this need?

willianmga commented 5 months ago

Just checking if a solution for this has been released?

Still getting [in_tail_kube_apiserver_audit] got incomplete line before first line from /var/log/kubernetes/kube-apiserver-audit.log when fluentd reads audit logs.