Architecture for Audit logging versions 3.4.x-3.6.x

Audit logging components

(Figure: audit logging components. Legend: AA - Audit Agent; Audit container.)

Following are the key components of the audit logging architecture:

Audit container

The audit container is a sidecar container. It tails the audit.log file and pipes the output to the systemd-cat command, which writes the audit log records to the systemd journal.

Every service that generates audit logs writes them to the /var/log/audit/<service_name>-audit.log file. The service container must share the /var/log/audit directory with the audit container.

An emptyDir volume is used to share the /var/log/audit directory between the service containers and the audit sidecar container in a pod.

Because the audit container must write to the systemd journal, it also mounts the host file system where the system journal exists.

Note: Audit logging sidecar containers use a UID. Only the following UIDs are supported:

The Logrotate tool is used to monitor the logs in the /var/log/audit directory for size, rotate period, and other parameters, and to recycle the audit logs as specified in the configuration.

Adopters must inform their customers that the audit logs held in the sidecar container might include Sensitive Private Information (SPI).

The audit container sidecar is used by audit logging adopters in their service offerings; it is not part of the audit logging service itself. For more information about deploying the audit sidecar container, see Deployment file modification.
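The sidecar arrangement described above, as an added example pod manifest that is not part of the original documentation or of the audit logging service. The pod name, image names, container names and the host journal path (/run/systemd/journal) are assumptions; the page only states that the host journal file system is mounted. The supported UIDs are not listed on the page, so no runAsUser is set here.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: example-service-with-audit-sidecar   # hypothetical name
spec:
  volumes:
    # Pod-local scratch volume shared by both containers: the service
    # writes its audit log here and the sidecar reads it. The volume is
    # discarded with the pod, so the systemd journal is the durable copy.
    - name: audit-log
      emptyDir: {}
    # Host journal directory so systemd-cat inside the sidecar can reach
    # journald. The exact path is an assumption (see lead-in).
    - name: host-journal
      hostPath:
        path: /run/systemd/journal
        type: Directory
  containers:
    - name: example-service                     # hypothetical service container
      image: example.com/example-service:1.0    # placeholder image
      volumeMounts:
        - name: audit-log
          mountPath: /var/log/audit
    - name: audit-sidecar
      image: example.com/audit-sidecar:1.0      # placeholder image
      command: ["/bin/sh", "-c"]
      args:
        # -F re-opens the file after logrotate recycles it, so rotation does
        # not silently stop the stream; -t tags journal entries per service.
        - >-
          tail -n0 -F /var/log/audit/example-service-audit.log
          | systemd-cat -t example-service-audit -p info
      volumeMounts:
        - name: audit-log
          mountPath: /var/log/audit
        - name: host-journal
          mountPath: /run/systemd/journal
```

Mounting a hostPath requires a pod security policy or security context constraint that permits it; the sidecar should be granted no more host access than this single directory.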

Journald (systemd journal)

The systemd journal is a service that runs on each node. Audit logs that are generated by your product services, running in pods that include the audit sidecar container, are sent to the systemd journal. The journal stores the data in a binary, append-only format. After the systemd journal receives the audit data, fluentd picks it up and sends it to Elasticsearch or to a SIEM.

Fluentd for Audit logging versions 3.4.0-3.6.0

Fluentd is a log collector that uses input and output plug-ins to collect data from multiple sources and to distribute or send data to multiple destinations.

With Audit logging, fluentd collects audit logs by using the following sources:

Fluentd containers mount the host file system where the journal log data is stored. The default location is /run/log/journal.

Fluentd can be configured to send logs to an enterprise SIEM tool such as IBM QRadar.