This documentation is for the most recent version of Anthos clusters on Azure, released on August 4. See the Release notes for more information.

Cloud Audit Logs

Overview

Anthos clusters on Azure supports audit logging at both the Cloud API and Kubernetes cluster level. This document provides information about Kubernetes cluster audit logging. For information about Cloud API audit logging, see Cloud API audit logging information.

Anthos clusters on Azure makes use of Kubernetes Audit Logging, which keeps a chronological record of calls made to a cluster's Kubernetes API server. Audit logs are useful for investigating suspicious API requests and for collecting statistics.

In cluster versions 1.23 and higher, Anthos clusters on Azure writes Cloud Audit Logs in a Google Cloud project by default. Writing to Cloud Audit Logs has the following benefits:

  • Audit logs for all Anthos clusters can be centralized.
  • Log entries written to Cloud Audit Logs are immutable.
  • Cloud Audit Logs entries are retained for 400 days.
  • Cloud Audit Logs is included in the price of Anthos.

Limitations

The current version of Cloud Audit Logs for Anthos clusters on Azure has several limitations:

  • Data access (get, list, watch requests) logging is not supported.

  • Modifying the Kubernetes audit policy is not supported.

  • Cloud Audit Logs is not resilient to extended network outages. If the log entries cannot be exported to Google Cloud, they are cached in a 10G disk buffer. If that buffer fills, then subsequent entries are dropped.

Audit policy

Cloud Audit Logs behavior is determined by a statically configured Kubernetes audit logging policy. Changing this policy is currently not supported, but will be available in a future release.

Access Cloud Audit Logs

You can access Cloud Audit Logs in the Google Cloud console or with the Google Cloud CLI.

Console

  1. In the console, go to the Logs Explorer page in the Logging menu.

  2. Click the Show query toggle.

  3. Fill the text box with the following filter:

    resource.type="k8s_cluster"
    logName="projects/PROJECT_ID/logs/externalaudit.googleapis.com%2Factivity"
    protoPayload.serviceName="gkemulticloud.googleapis.com"
    

    The screen looks like the following:

    [Screenshot: Logs Explorer with "Show query" toggled and the query populated]

  4. Click Run query to display all audit logs from Anthos clusters on Azure that were configured to write their logs to this project.

gcloud

List the first two log entries in your project's Admin Activity log that apply to the k8s_cluster resource type:

# The filter is one single-quoted argument; newlines inside the quotes are
# part of the filter, so no line-continuation backslashes are needed there.
gcloud logging read \
    'logName="projects/PROJECT_ID/logs/externalaudit.googleapis.com%2Factivity"
     AND resource.type="k8s_cluster"
     AND protoPayload.serviceName="gkemulticloud.googleapis.com"' \
    --limit 2 \
    --freshness 300d

where PROJECT_ID is your project ID.

The output shows two log entries. Notice that for each log entry, the logName field has the value projects/PROJECT_ID/logs/externalaudit.googleapis.com%2Factivity and protoPayload.serviceName is equal to gkemulticloud.googleapis.com.
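The console and gcloud steps above both apply the same three-clause filter by hand. The following added example (not Google's code, nor part of this page) applies that filter to the JSON that `gcloud logging read ... --format=json` emits, then does the two things the overview says audit logs are for: collects per-principal statistics and picks out write calls worth reviewing first. The log entries are a constructed sample with made-up project, cluster and principal names, the field names follow the Cloud Audit Logs LogEntry and AuditLog schema, and the short list of "sensitive" Kubernetes kinds is this example's own choice.

```python
import json
from collections import Counter

# The three filter clauses from the page, expressed as constants.
RESOURCE_TYPE = "k8s_cluster"
SERVICE_NAME = "gkemulticloud.googleapis.com"
LOG_SUFFIX = "/logs/externalaudit.googleapis.com%2Factivity"

# Kubernetes kinds whose writes get reviewed first. This short-list is an
# assumption made for the example, not something the page prescribes.
SENSITIVE_KINDS = ("secrets", "roles", "rolebindings", "clusterroles", "clusterrolebindings")

# Constructed sample of `gcloud logging read ... --format=json` output.
# Project, clusters, principals and resource names are made up.
SAMPLE_JSON = json.dumps([
    {
        "logName": "projects/example-project/logs/externalaudit.googleapis.com%2Factivity",
        "resource": {"type": "k8s_cluster", "labels": {"cluster_name": "azure-cluster-1"}},
        "timestamp": "2022-08-05T10:15:00Z",
        "protoPayload": {
            "serviceName": "gkemulticloud.googleapis.com",
            "methodName": "io.k8s.core.v1.secrets.create",
            "resourceName": "core/v1/namespaces/default/secrets/db-creds",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
        },
    },
    {
        "logName": "projects/example-project/logs/externalaudit.googleapis.com%2Factivity",
        "resource": {"type": "k8s_cluster", "labels": {"cluster_name": "azure-cluster-1"}},
        "timestamp": "2022-08-05T10:16:30Z",
        "protoPayload": {
            "serviceName": "gkemulticloud.googleapis.com",
            "methodName": "io.k8s.apps.v1.deployments.patch",
            "resourceName": "apps/v1/namespaces/default/deployments/web",
            "authenticationInfo": {"principalEmail": "system:serviceaccount:ci:deployer"},
        },
    },
    {
        "logName": "projects/example-project/logs/externalaudit.googleapis.com%2Factivity",
        "resource": {"type": "k8s_cluster", "labels": {"cluster_name": "azure-cluster-2"}},
        "timestamp": "2022-08-05T10:20:05Z",
        "protoPayload": {
            "serviceName": "gkemulticloud.googleapis.com",
            "methodName": "io.k8s.authorization.rbac.v1.clusterrolebindings.create",
            "resourceName": "rbac.authorization.k8s.io/v1/clusterrolebindings/debug-admin",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
        },
    },
    {
        # Same project, same resource type, but a different log and service:
        # the filter must exclude it.
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
        "resource": {"type": "k8s_cluster", "labels": {"cluster_name": "other-cluster"}},
        "timestamp": "2022-08-05T10:21:00Z",
        "protoPayload": {
            "serviceName": "k8s.io",
            "methodName": "io.k8s.core.v1.configmaps.update",
            "resourceName": "core/v1/namespaces/default/configmaps/app",
            "authenticationInfo": {"principalEmail": "bob@example.com"},
        },
    },
])


def matches_filter(entry, project_id):
    """Apply the same three clauses as the Logs Explorer / gcloud filter."""
    return (
        entry.get("resource", {}).get("type") == RESOURCE_TYPE
        and entry.get("logName") == f"projects/{project_id}{LOG_SUFFIX}"
        and entry.get("protoPayload", {}).get("serviceName") == SERVICE_NAME
    )


def load_entries(raw_json, project_id):
    """Parse gcloud's JSON output and keep only Anthos clusters on Azure entries."""
    return [e for e in json.loads(raw_json) if matches_filter(e, project_id)]


def writes_per_principal(entries):
    """Statistics: number of write calls per (principal, cluster)."""
    counts = Counter()
    for e in entries:
        principal = e["protoPayload"].get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        cluster = e["resource"].get("labels", {}).get("cluster_name", "<unknown>")
        counts[(principal, cluster)] += 1
    return counts


def sensitive_writes(entries):
    """Triage: (timestamp, principal, cluster, method) for writes to sensitive kinds, oldest first."""
    hits = []
    for e in sorted(entries, key=lambda x: x["timestamp"]):
        method = e["protoPayload"].get("methodName", "")
        parts = method.split(".")
        kind = parts[-2] if len(parts) >= 2 else ""   # e.g. "secrets" in "...v1.secrets.create"
        if kind in SENSITIVE_KINDS:
            principal = e["protoPayload"].get("authenticationInfo", {}).get("principalEmail", "<unknown>")
            cluster = e["resource"].get("labels", {}).get("cluster_name", "<unknown>")
            hits.append((e["timestamp"], principal, cluster, method))
    return hits


if __name__ == "__main__":
    entries = load_entries(SAMPLE_JSON, "example-project")
    print(f"{len(entries)} matching audit entries")
    for (principal, cluster), n in writes_per_principal(entries).most_common():
        print(f"{n:3d}  {principal:40s} {cluster}")
    for ts, principal, cluster, method in sensitive_writes(entries):
        print(f"REVIEW {ts} {principal} {cluster} {method}")
```

To run it against real data, replace `SAMPLE_JSON` with the contents of a file produced by the gcloud command above with `--format=json` added; the filtering is redundant there but guards against accidentally mixing in entries from other logs in the same project. Because data-access (get, list, watch) logging is not supported in this release, every matching entry is a write, which is why the statistics are labelled as write counts.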