Auditing Log Query

KubeSphere supports auditing log queries that are isolated between tenants. This tutorial demonstrates how to use the query function, including the interface, search parameters and detail pages.

Prerequisites

You need to enable KubeSphere Auditing Logs.

Enter the Query Interface

  1. The query function is available for all users. Log in to the console as any user, hover over the icon in the lower-right corner and select Audit Log Search.

    Note

    Any user has the permission to query auditing logs, but the logs that each user is able to see are different.

    • If a user has the permission to view resources in a project, the user can see the auditing logs of events that happen in this project, such as workload creation in the project.
    • If a user has the permission to list projects in a workspace, the user can see the auditing logs of events that happen in this workspace but not in its projects, such as project creation in the workspace.
    • If a user has the permission to list projects in a cluster, the user can see the auditing logs of events that happen in this cluster but not in its workspaces and projects, such as workspace creation in the cluster.
  2. In the pop-up window, you can view log trends in the last 12 hours.

  3. The Audit Log Search console supports the following query parameters:

    | Parameter | Description |
    | --- | --- |
    | Cluster | Cluster where the operation happens. It is enabled if the multi-cluster feature is turned on. |
    | Project | Project where the operation happens. It supports exact query and fuzzy query. |
    | Workspace | Workspace where the operation happens. It supports exact query and fuzzy query. |
    | Resource Type | Type of resource associated with the request. It supports fuzzy query. |
    | Resource Name | Name of the resource associated with the request. It supports fuzzy query. |
    | Verb | Kubernetes verb associated with the request. For non-resource requests, this is the lower-case HTTP method. It supports exact query. |
    | Status Code | HTTP response code. It supports exact query. |
    | Operation Account | User who calls this request. It supports exact and fuzzy query. |
    | Source IP | IP address from where the request originated and intermediate proxies. It supports fuzzy query. |
    | Time Range | Time when the request reaches the apiserver. |

    Note

    • Fuzzy query is case-insensitive and can retrieve full terms from the first half of a word or phrase, based on Elasticsearch segmentation rules.
    • KubeSphere stores logs for the last seven days by default. You can modify the retention period in the ConfigMap elasticsearch-logging-curator.
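
The visibility rules in the note under step 1, modelled as a filter over constructed events (an added example, not KubeSphere code; the class names, grant sets and sample events are assumptions made for illustration). It shows that each permission exposes only events at its own scope and does not extend to the scopes beneath it.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class AuditEvent:
    summary: str
    cluster: str
    workspace: Optional[str] = None  # None: event did not happen inside a workspace
    project: Optional[str] = None    # None: event did not happen inside a project

@dataclass
class Grants:
    # Hypothetical permission sets, one per rule in the note.
    view_project: set = field(default_factory=set)       # projects whose resources the user can view
    list_in_workspace: set = field(default_factory=set)  # workspaces whose projects the user can list
    list_in_cluster: set = field(default_factory=set)    # clusters whose projects the user can list

def is_visible(event: AuditEvent, grants: Grants) -> bool:
    """Judge an event at its narrowest scope; grants do not cascade downward."""
    if event.project is not None:
        return event.project in grants.view_project
    if event.workspace is not None:
        return event.workspace in grants.list_in_workspace
    return event.cluster in grants.list_in_cluster

def visible_events(events, grants):
    return [e.summary for e in events if is_visible(e, grants)]

# Constructed sample events, one per scope named in the note.
EVENTS = [
    AuditEvent("create deployment web", "host", "demo-ws", "demo-project"),
    AuditEvent("create project demo-project", "host", "demo-ws"),
    AuditEvent("create workspace demo-ws", "host"),
]

PROJECT_VIEWER = Grants(view_project={"demo-project"})
WORKSPACE_MEMBER = Grants(list_in_workspace={"demo-ws"})
CLUSTER_VIEWER = Grants(list_in_cluster={"host"})

if __name__ == "__main__":
    for label, grants in [("project viewer", PROJECT_VIEWER),
                          ("workspace member", WORKSPACE_MEMBER),
                          ("cluster viewer", CLUSTER_VIEWER)]:
        print(f"{label}: {visible_events(EVENTS, grants)}")
```

When an expected event is missing from a search, check first whether the account holds the permission for the scope at which that event occurred.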

Enter Query Parameters

  1. Select a filter and enter the keyword you want to search for. For example, query the auditing logs that record the creation of services.

  2. You can click the results to see the auditing log details.
