Auditing Log Query

KubeSphere supports the query of auditing logs among isolated tenants. This tutorial demonstrates how to use the query function, including the interface, search parameters and detail pages.

Prerequisites

You need to enable KubeSphere Auditing Logs.

Enter the Query Interface

  1. The query function is available for all users. Log in to the console with any account, hover over the icon in the lower-right corner and select Auditing Operating.

    Note

    Any account is authorized to query auditing logs, but the logs that each account can see are different.

    • If an account is authorized to view resources in a project, it can see the auditing logs of events that happen in this project, such as workload creation in the project.
    • If an account is authorized to list projects in a workspace, it can see the auditing logs of events that happen in this workspace but not in its projects, such as project creation in the workspace.
    • If an account is authorized to list projects in a cluster, it can see the auditing logs of events that happen in this cluster but not in workspaces and projects, such as workspace creation in the cluster.
  2. In the pop-up window, you can view log trends in the last 12 hours.

  3. The Auditing Operating console supports the following query parameters:

    Parameter          Description
    Cluster            Cluster where the operation happens. It is enabled if the multi-cluster feature is turned on.
    Project            Project where the operation happens. It supports exact query and fuzzy query.
    Workspace          Workspace where the operation happens. It supports exact query and fuzzy query.
    Resource Type      Type of resource associated with the request. It supports fuzzy query.
    Resource Name      Name of the resource associated with the request. It supports fuzzy query.
    Verb               Kubernetes verb associated with the request. For non-resource requests, this is the lower-case HTTP method. It supports exact query.
    Status Code        HTTP response code. It supports exact query.
    Operation Account  User who calls this request. It supports exact and fuzzy query.
    Source IP          IP address from where the request originated and intermediate proxies. It supports fuzzy query.
    Time Range         Time when the request reaches the apiserver.

    Note

    • Fuzzy query is case-insensitive and can retrieve full terms from the first half of a word or phrase, based on Elasticsearch segmentation rules.
    • KubeSphere stores logs for the last seven days by default. You can modify the retention period in the ConfigMap elasticsearch-logging-curator.
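The exact and fuzzy matching described in the table and note above, applied offline to audit events, as an added example that is not KubeSphere's own code. It assumes events in the upstream Kubernetes audit.k8s.io/v1 Event shape, constructed sample data, and a simplified stand-in for Elasticsearch segmentation (split on non-alphanumerics, then prefix match); Cluster and Workspace are left out because the upstream Event has no such fields.

```python
import re
from datetime import datetime

def _ev(ts, verb, user, ip, code, res, ns, name):
    return {"requestReceivedTimestamp": ts, "verb": verb, "user": {"username": user},
            "sourceIPs": [ip], "responseStatus": {"code": code},
            "objectRef": {"resource": res, "namespace": ns, "name": name}}

EVENTS = [  # constructed sample events, not real logs
    _ev("2021-03-01T08:15:00Z", "create", "project-admin", "192.0.2.10", 201, "services", "demo-project", "web-frontend"),
    _ev("2021-03-01T09:30:00Z", "delete", "project-regular", "192.0.2.44", 200, "services", "demo-project", "web-frontend"),
    _ev("2021-03-01T10:05:00Z", "create", "project-admin", "192.0.2.10", 201, "deployments", "demo-project", "web-backend"),
    _ev("2021-03-01T11:40:00Z", "get", "project-regular", "198.51.100.7", 403, "secrets", "kube-system", "db-credentials"),
]

def _terms(value):
    """Lower-case and split into terms (assumed approximation of ES segmentation)."""
    text = " ".join(map(str, value)) if isinstance(value, list) else str(value)
    return [t for t in re.split(r"[^0-9a-z]+", text.lower()) if t]

def fuzzy(value, keyword):
    """Case-insensitive: every keyword term must be a prefix of some value term."""
    have = _terms(value)
    return all(any(h.startswith(k) for h in have) for k in _terms(keyword))

def exact(value, keyword):
    return str(value) == str(keyword)

def _get(event, path):
    for key in path.split("."):
        event = event.get(key, "") if isinstance(event, dict) else ""
    return event

FILTERS = {  # query parameter -> (audit event field, matcher from the table)
    "project": ("objectRef.namespace", fuzzy),
    "resource_type": ("objectRef.resource", fuzzy),
    "resource_name": ("objectRef.name", fuzzy),
    "verb": ("verb", exact),
    "status_code": ("responseStatus.code", exact),
    "account": ("user.username", fuzzy),
    "source_ip": ("sourceIPs", fuzzy),
}

def _ts(stamp):
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def query(events, start=None, end=None, **params):
    """Return events inside the time range that satisfy every given filter."""
    hits = []
    for ev in events:
        when = _ts(ev["requestReceivedTimestamp"])
        if (start and when < _ts(start)) or (end and when > _ts(end)):
            continue
        if all(FILTERS[p][1](_get(ev, FILTERS[p][0]), kw) for p, kw in params.items()):
            hits.append(ev)
    return hits
```

`query(EVENTS, resource_type="SERV", verb="create")` returns the single service-creation event, while `verb="Create"` returns nothing because Verb is an exact-match parameter.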

Enter Query Parameters

  1. Select a filter and enter the keyword you want to search. For example, query auditing logs containing the information of services created.

  2. You can click the results to see the auditing log details.
