Architecture for Audit logging versions 3.4.x-3.6.x
AA - Audit Agent
Following are the key components of the audit logging architecture:
- Audit container
- Journald (systemd journal)
- Fluentd
- Audit log events
- Audit logging format
- Deployment file modification
- Authentication and authorization audit logs
- Audit logging in your cluster
- Audit logging data statistics
- Audit logging integration with enterprise SIEM tools
Audit container
The audit container is a sidecar container. It tails the audit.log file and pipes it through the systemd-cat command, which sends the audit logs to the systemd journal.
Every service that generates audit logs writes the logs to the /var/log/audit/<service_name>-audit.log file. A service container must share /var/log/audit with the audit container.
An emptyDir volume is used to share the directory /var/log/audit between the service containers and the audit sidecar container in a pod.
Because the audit container must write to the systemd journal, it also needs to mount the host file system where the system journal exists.
Note: Audit logging sidecar containers use a UID. Only the following UIDs are supported:
- 1000
- 21000
- 55555
- 65534
- 65535
The Logrotate tool monitors the logs in the /var/log/audit directory for size, rotation period, and other parameters, and recycles the audit logs as specified in the configuration.
Adopters need to indicate to their customers that data in the sidecar container might include Sensitive Private Information (SPI) in the audit logs.
The audit container sidecar is used by audit logging adopters in their service offerings. The audit container sidecar is not included in the audit logging service. For more information about audit sidecar container deployment, see Deployment file modification.
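The following pod definition is an added example, not a deployment file from the page or from the audit logging service, that puts the pieces described above together: a service container writing to a shared emptyDir at /var/log/audit, and the audit sidecar tailing the file into systemd-cat, running as one of the supported UIDs and mounting the host journal. The image names, the sidecar command line, the container names and the host path /run/systemd/journal are assumptions or placeholders, not values from the page.

```yaml
# Added example: service container plus audit sidecar (not the product's own file).
# Placeholders/assumptions: image names, the sidecar command, and the host
# journal path /run/systemd/journal (where systemd-cat's journal socket lives).
apiVersion: v1
kind: Pod
metadata:
  name: my-service
spec:
  volumes:
    # Pod-local scratch directory shared by the service and the sidecar;
    # the service writes /var/log/audit/<service_name>-audit.log here.
    - name: audit-logs
      emptyDir: {}
    # Host file system where the systemd journal socket exists, so that
    # systemd-cat inside the sidecar can reach the node's journald.
    - name: journal
      hostPath:
        path: /run/systemd/journal
  containers:
    - name: my-service
      image: registry.example.com/my-service:1.0        # placeholder image
      volumeMounts:
        - name: audit-logs
          mountPath: /var/log/audit
    - name: audit-sidecar
      image: registry.example.com/audit-sidecar:1.0     # placeholder image
      securityContext:
        runAsUser: 65534          # one of the supported UIDs listed on the page
        runAsNonRoot: true
      command: ["/bin/sh", "-c"]
      # Tail the service's audit log and feed it to the journal, tagged with a
      # syslog identifier so that the collector can pick out audit entries.
      args:
        - tail -F /var/log/audit/my-service-audit.log | systemd-cat -t my-service-audit
      volumeMounts:
        - name: audit-logs
          mountPath: /var/log/audit    # not read-only: logrotate needs write access here
        - name: journal
          mountPath: /run/systemd/journal
```

Two things worth checking in a real deployment: the hostPath mount gives the sidecar write access to the node's journal, so admission policy should allow that mount only for the audit sidecar image and not for arbitrary workloads; and the emptyDir is lost when the pod is rescheduled, so the only durable copy of an audit event is the one that reached journald, which is why a stuck tail or a missing journal mount should be alerted on rather than tolerated.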
Journald (systemd journal)
systemd is a service that runs on each node. Audit logs that are generated by your product services, which run in pods that have an audit sidecar container, are sent to the systemd journal. The systemd journal stores the data in binary format, and data can only be appended. After the systemd journal receives the audit data, it is picked up by fluentd and then sent to Elasticsearch or a SIEM.
Fluentd for Audit logging versions 3.4.0-3.6.0
Fluentd is a log collector that uses input and output plug-ins to collect data from multiple sources and to distribute or send data to multiple destinations.
With Audit logging, fluentd collects audit logs by using the following sources:
- Journald, by using the fluent-plugin-systemd input plug-in (deprecated)
- HTTP requests, by using the in_http plug-in
Fluentd containers mount a host file system where the journal log data is stored. The default location is /run/log/journal.
Fluentd can be configured to send logs to an enterprise SIEM tool such as IBM QRadar.
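As an added example, not configuration shipped with the audit logging service, the ConfigMap below carries a fluent.conf that wires up both sources named above (the journal via fluent-plugin-systemd, and HTTP via in_http), keeps only journal entries whose syslog identifier marks them as audit logs, and forwards them to Elasticsearch. The tag names, the HTTP port, the cursor file path, the identifier pattern, the Elasticsearch host and the presence of the fluent-plugin-elasticsearch output plug-in are assumptions.

```yaml
# Added example: fluentd configuration for the two audit sources (not the product's own).
# Assumptions: tags, port 9880, the cursor-file path, the "-audit" identifier
# convention, and an installed fluent-plugin-elasticsearch output plug-in.
apiVersion: v1
kind: ConfigMap
metadata:
  name: audit-fluentd-config
data:
  fluent.conf: |
    # Source 1: host journal, read with fluent-plugin-systemd (deprecated path).
    # /run/log/journal is the default host journal location named on the page.
    <source>
      @type systemd
      tag audit.journal
      path /run/log/journal
      read_from_head true
      <storage>
        @type local
        persistent true
        path /var/log/fluentd-journald-audit.pos   # assumed cursor file, survives restarts
      </storage>
      <entry>
        fields_strip_underscores true              # _SYSTEMD_UNIT -> SYSTEMD_UNIT etc.
      </entry>
    </source>

    # Source 2: audit events posted directly to fluentd over HTTP (in_http).
    <source>
      @type http
      tag audit.http
      port 9880        # assumed port
      bind 0.0.0.0
    </source>

    # Keep only journal records emitted by an audit sidecar; the sidecar is
    # assumed to tag its output with an identifier ending in "-audit".
    <filter audit.journal>
      @type grep
      <regexp>
        key SYSLOG_IDENTIFIER
        pattern /-audit$/
      </regexp>
    </filter>

    # Deliver every audit record to the store or SIEM; Elasticsearch here,
    # replace with the output plug-in for your SIEM (for example QRadar).
    <match audit.**>
      @type elasticsearch
      host elasticsearch.example.com   # placeholder host
      port 9200
      logstash_format true
      logstash_prefix audit
    </match>
```

The persistent cursor in the storage block is the part that matters for audit completeness: without it a restarted collector re-reads the journal from the head (duplicates) or from the tail (gaps). The grep filter is the other check worth keeping, because the host journal carries every unit's output, so without a filter on the identifier the audit index would fill with unrelated node logs.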