Physical servers (SERV)

Workload location

Organization only workloads
Audit log source

  • Physical servers
  • Server custom resources
Audited operations

Machine events

Fields in the log entry that contain audit information
Audit metadata Audit field name Value
User or service identity gdch_service_name

For example,

"_gdch_service_name": "bm_nodes"

Target

(Fields and values that call the API)

 description

"description": "The overall security state of the system is at \"Risk\"

Action

(Fields containing the performed operation)

 description

"description": "The overall security state of the system is at \"Risk\"

Event timestamp time

For example,

"time": "2022-12-02T16:06:29Z"

Source of action resource

For example,

"resource": "zb-ab-bm07"

Outcome Not applicable Not applicable
Other fields Not applicable Not applicable

Example log


{
  "description": "The overall security state of the system is at \"Risk\".",
  "_gdch_service_name": "bm_nodes",
  "resource": "zb-ab-bm07",
  "auditID": "IEL#32321",
  "user": {},
  "time": "2022-12-02T16:06:29Z",
  "_gdch_cluster": "root-admin",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-5k8l2"
}

Data changes (CRUD operations)

Fields in the log entry that contain audit information
Audit metadata Audit field name Value
User or service identity username

For example,

"user":{
 "username":"system:serviceaccount:
 gpc-system:root-admin-controller-sa"
  }

Target

(Fields and values that call the API)

 requestURI

"requestURI":"/apis/system.private.gdc.goog/v1alpha1/ namespaces/gpc-system/servers/zb-aa-bm07/status"

Action

(Fields containing the performed operation)

 verb

"verb":"patch"

Event timestamp requestReceivedTimestamp

For example,

"requestReceivedTimestamp":"2022-12-02T23:52:22.509246Z"

Source of action sourceIPs

For example,

"sourceIPs":["10.251.127.4"]
Outcome responseStatus

For example,

"responseStatus":{"metadata":{},"code":200}
Other fields
  • annotations
  • objectRef

For example,

 "objectRef":{
"resource":"servers",
"apiGroup":
"system.private.gdc.goog",
"name":"zb-aa-bm07",
"apiVersion":"v1alpha1",
"namespace":"gpc-system",
"subresource":"status"
    }

Example log

{
"user":{
"groups":["system:serviceaccounts","system:serviceaccounts:gpc-system"
"system:authenticated"]
"extra":{"authentication.kubernetes.io/pod-uid":["8a33590d-bbf2-4a23-b5de-851a451fac32"],
"authentication.kubernetes.io/pod-name":["root-admin-controller-5c5d44f45-2r5d4"]
},
"username":"system:serviceaccount:gpc-system:root-admin-controller-sa",
"uid":"ecaee5a1-f7e0-47e7-ae46-1cbd42fb2e99"
},
"requestURI":"/apis/system.private.gdc.goog/v1alpha1/namespaces/gpc-system/servers/zb-aa-bm07/status",
"sourceIPs":["10.251.127.4"],
"verb":"patch",
"userAgent":"root-admin-cm/v0.0.0 (linux/amd64) kubernetes/$Format",
"requestReceivedTimestamp":"2022-12-02T23:52:22.509246Z",
"stageTimestamp":"2022-12-02T23:52:22.527613Z",
"_gdch_cluster":"root-admin",
"responseStatus":{"metadata":{},"code":200},
"annotations":{
"authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \
"root-admin-rootadmin-controllers-rolebinding\" of ClusterRole \
"root-admin-rootadmin-controllers-role\" to ServiceAccount \
"root-admin-controller-sa/gpc-system\"","authorization.k8s.io/decision":"allow"
},
"objectRef":{
"resource":"servers",
"apiGroup":
"system.private.gdc.goog",
"name":"zb-aa-bm07",
"apiVersion":"v1alpha1",
"namespace":"gpc-system",
"subresource":"status"
},
"gdch_fluentbit_pod":"anthos-audit-logs-forwarder-kp68x",
"kind":"Event",
"apiVersion":"audit.k8s.io/v1",
"stage":"ResponseComplete",
"level":"Metadata",
"auditID":"2b2b0ec8-627b-4f69-aa19-b6ba2c3e20cb",
"_gdch_service_name":"apiserver"
}