jetstack/kube-oidc-proxy

Audit logs and keeping the user's identity

Smana opened this issue · 4 comments

Smana commented

Hey everyone,

I've seen that it was possible to configure the proxy to store the audit logs locally. That's great, because I just noticed that my audit logs in the cloud provider were not relevant, as we see the serviceaccount as the user.
Well, I know how to stream the logs from a file to Datadog, but I have a question:
From my understanding, the file will never be rotated. That means that we'll have an ever-growing file stored locally, am I right?
What would be the best way to stream the logs, according to you, please?

Note that I already configured all our EKS and GKE clusters with a kube-oidc-proxy in front of the API servers.

Smana commented

By the way, I was wondering if it was possible to keep the user identity by forwarding headers?

Smana commented

Forget about my question regarding the file rotation, all the necessary flags are there :)

Smana commented

I'm gonna try writing the logs to stdout and sending only relevant logs using pattern matching (only JSON of kind events)

Smana commented

I managed to get the logs sent to Datadog and filtered properly.
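The stdout filtering approach described in this thread, as an added example that is not part of the original issue or the project's code: it keeps only audit records from a mixed log stream and extracts the authenticated user. It assumes audit records are single-line JSON in the Kubernetes `audit.k8s.io` Event format; the function names and sample lines are constructed for illustration.

```python
import json

# Constructed sample of proxy stdout: ordinary log lines mixed with audit records.
SAMPLE_STDOUT = [
    'I0101 10:00:00.000000       1 serving.go:1] constructed non-JSON log line',
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete",'
    '"verb":"list","requestURI":"/api/v1/namespaces/default/pods",'
    '"user":{"username":"alice@example.com","groups":["dev"]},'
    '"responseStatus":{"code":200}}',
    '{"level":"info","msg":"constructed JSON line that is not an audit event"}',
    '{"kind":"Event","apiVersion":"v1","reason":"Scheduled"}',
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete",'
    '"verb":"delete","requestURI":"/api/v1/namespaces/default/secrets/db",'
    '"user":{"username":"bob@example.com"},"responseStatus":{"code":403}}',
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1", truncated',
]


def parse_audit_event(line):
    """Return the audit event as a dict, or None if the line is anything else."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return None  # plain-text or truncated line
    if not isinstance(record, dict) or record.get("kind") != "Event":
        return None
    # A core/v1 Event object also has kind "Event"; the API group disambiguates.
    if not str(record.get("apiVersion", "")).startswith("audit.k8s.io/"):
        return None
    return record


def summarize(event):
    """Flatten the fields that tie a request to the authenticated user."""
    user = event.get("user") or {}
    status = event.get("responseStatus") or {}
    return {
        "user": user.get("username", "<unknown>"),
        "verb": event.get("verb"),
        "uri": event.get("requestURI"),
        "code": status.get("code"),
    }


def filter_audit(lines):
    events = (parse_audit_event(line) for line in lines)
    return [summarize(e) for e in events if e is not None]
```

Matching on `kind` alone would also forward core/v1 `Event` objects, which is why the filter checks the API group as well.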