Cloud Audit Logs
Anthos clusters on Azure supports audit logging at both the Cloud API and Kubernetes cluster level. This document provides information about Kubernetes cluster audit logging. For information about Cloud API audit logging, see Cloud API audit logging information.
Anthos clusters on Azure makes use of Kubernetes Audit Logging, which keeps a chronological record of calls made to a cluster's Kubernetes API server. Audit logs are useful for investigating suspicious API requests and for collecting statistics.
In cluster versions 1.23 and higher, Anthos clusters on Azure writes Cloud Audit Logs in a Google Cloud project by default. Writing to Cloud Audit Logs has the following benefits:
- Audit logs for all Anthos clusters can be centralized.
- Log entries written to Cloud Audit Logs are immutable.
- Cloud Audit Logs entries are retained for 400 days.
- Cloud Audit Logs is included in the price of Anthos.
The current version of Cloud Audit Logs for Anthos clusters on Azure has several limitations:
Data access (get, list, watch requests) logging is not supported.
Modifying the Kubernetes audit policy is not supported.
Cloud Audit Logs is not resilient to extended network outages. If the log entries cannot be exported to Google Cloud, they are cached in a 10G disk buffer. If that buffer fills, then subsequent entries are dropped.
Cloud Audit Logs behavior is determined by a statically-configured Kubernetes audit logging policy. Changing this policy is currently not supported, but will be available in a future release.
Access Cloud Audit Logs
You can access Cloud Audit Logs in the Google Cloud console or with the Google Cloud CLI.
In the Google Cloud console, go to the Logs Explorer page in the Logging menu.
Click the toggle_off Show query toggle.
Fill the text box with the following filter:
The screen looks like the following:
Click Run query to display all audit logs from Anthos clusters on Azure clusters that were configured to log in to this project.
List the first two log entries in your project's Admin Activity log that
apply to the
k8s_cluster resource type:
gcloud logging read \ 'logName="projects/PROJECT_ID/logs/externalaudit.googleapis.com%2Factivity" AND resource.type="k8s_cluster" ' \ --limit 2 \ --freshness 300d
where PROJECT_ID is your project ID.
The output shows two log entries. Notice that for each log entry, the
logName field has the value
protoPayload.serviceName is equal to