How to collect kube-api audit logs with rancher-logging for an RKE/RKE2/K3S cluster
Article Number: 000021022
Environment
RKE/RKE2/K3S
Situation
The kube-api server audit logs are usually written to a directory other than the one rancher-logging is configured to collect from.
Cause
rancher-logging does not collect the kube-api server audit logs because they are written outside the directory that the logging operator parses by default.
Resolution
Collection of the kube-api server audit logs is disabled by default in the rancher-logging Helm chart. To enable it, configure the following in the chart values:
RKE:
additionalLoggingSources:  # parent key of kubeAudit in the rancher-logging chart values
  kubeAudit:
    auditFilename: 'audit-log.json'
    enabled: true
    fluentbit:
      logTag: kube-audit
      tolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/controlplane
          value: 'true'
        - effect: NoExecute
          key: node-role.kubernetes.io/etcd
          value: 'true'
    pathPrefix: '/var/log/kube-audit'
RKE2:
additionalLoggingSources:  # parent key of kubeAudit in the rancher-logging chart values
  kubeAudit:
    auditFilename: 'audit.log'
    enabled: true
    fluentbit:
      logTag: kube-audit
      tolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/controlplane
          value: 'true'
        - effect: NoExecute
          key: node-role.kubernetes.io/etcd
          value: 'true'
    pathPrefix: '/var/lib/rancher/rke2/server/logs'
k3s:
additionalLoggingSources:  # parent key of kubeAudit in the rancher-logging chart values
  kubeAudit:
    auditFilename: 'audit.log'
    enabled: true
    fluentbit:
      logTag: kube-audit
      tolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/controlplane
          value: 'true'
        - effect: NoExecute
          key: node-role.kubernetes.io/etcd
          value: 'true'
    pathPrefix: '/var/lib/rancher/k3s/server/logs'
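
A preflight check for the values above, added here as an example and not part of the original article or the rancher-logging project: run on a control-plane node, it confirms that the API server is actually writing audit events to the pathPrefix/auditFilename the chart will tail. It assumes the default JSON audit log format (one audit.k8s.io Event per line); the function names and the root parameter are illustrative.

```python
import json
import sys
from itertools import islice
from pathlib import Path

# pathPrefix and auditFilename per distribution, copied from the values on this page.
AUDIT_SOURCES = {
    "rke": ("/var/log/kube-audit", "audit-log.json"),
    "rke2": ("/var/lib/rancher/rke2/server/logs", "audit.log"),
    "k3s": ("/var/lib/rancher/k3s/server/logs", "audit.log"),
}

# Constructed sample lines: one audit event, one line that is not an audit record.
SAMPLE = [
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"get","stage":"ResponseComplete"}',
    "plain text line, not JSON",
]

def audit_log_path(distro, root="/"):
    """Join pathPrefix and auditFilename; root can point at a mounted node filesystem."""
    prefix, filename = AUDIT_SOURCES[distro.lower()]
    return Path(root) / prefix.lstrip("/") / filename

def is_audit_event(line):
    """True if the line is a JSON object shaped like a Kubernetes audit Event."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return False
    return (isinstance(rec, dict) and rec.get("kind") == "Event"
            and str(rec.get("apiVersion", "")).startswith("audit.k8s.io/"))

def count_events(lines, sample=200):
    """Return (audit_events, other_lines) over the first `sample` non-empty lines."""
    head = list(islice((l for l in lines if l.strip()), sample))
    events = sum(is_audit_event(l) for l in head)
    return events, len(head) - events

def check_audit_log(distro, root="/"):
    """Return (ok, events, other); ok is False if the file is missing or has no events."""
    path = audit_log_path(distro, root)
    if not path.is_file():
        return False, 0, 0  # nothing for fluent-bit to tail at this path
    with path.open(errors="replace") as fh:
        events, other = count_events(fh)
    return events > 0, events, other

if __name__ == "__main__":
    print("constructed sample:", count_events(SAMPLE))
    print([(d, check_audit_log(d)) for d in sys.argv[1:] or AUDIT_SOURCES])
```

A result of (False, 0, 0) means no file exists at the expected path, so enabling kubeAudit in the chart would collect nothing from that node.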