Audit Logging

This topic describes audit logging in Tanzu Kubernetes Grid 2.

Overview

In Tanzu Kubernetes Grid, you can access the following audit logs:

Kubernetes Audit Logs

Kubernetes audit logs record requests to the Kubernetes API server. Audit logs are enabled by default for the Supervisor and the workload clusters that it deploys.

By default, audit log entries for a cluster are written to the following locations on its control plane nodes:

  • Supervisor: /var/log/vmware/audit/kube-apiserver.log
  • Workload cluster: /var/log/kubernetes/kube-apiserver.log

You can see the complete audit log configuration, including the --audit-log-path setting above, in the /etc/kubernetes/manifest/kube-apiserver.yaml file on each control plane node, which holds that node's kube-apiserver settings. For example:

  • Supervisor:

    - kube-apiserver
    [...]
    - --audit-log-maxage=30
    - --audit-log-maxbackup=10
    - --audit-log-maxsize=100
    - --audit-log-path=/var/log/vmware/audit/kube-apiserver.log
    - --audit-policy-file=/etc/vmware/wcp/audit-policy.yaml
    
  • Workload cluster:

    - kube-apiserver
    [...]
    - --audit-log-maxage=30
    - --audit-log-maxbackup=10
    - --audit-log-maxsize=100
    - --audit-log-path=/var/log/kubernetes/kube-apiserver.log
    - --audit-policy-file=/etc/kubernetes/extra-config/audit-policy.yaml
    

If you deploy Fluent Bit on the cluster, it will forward the logs to your log destination. For instructions, see Install Fluent Bit for Log Forwarding.
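Whether the entries are read from the paths above or from the log destination that Fluent Bit forwards to, each line is one JSON object in the Kubernetes audit.k8s.io/v1 Event format. The following script is an added example, not code from the Tanzu Kubernetes Grid documentation: it parses constructed sample lines in that format, skips the partial lines that can appear during rotation, and applies three simple triage rules (secret reads by non-system identities, denied requests, and cluster-scoped RBAC changes). The rule thresholds and the sample users and resource names are assumptions for illustration.

```python
"""Triage Kubernetes API server audit log lines.

Added example, not part of the Tanzu Kubernetes Grid documentation. Each
line kube-apiserver writes to --audit-log-path is one JSON object in the
audit.k8s.io/v1 Event format; the sample lines below are constructed."""
import json


def _event(user, verb, resource, code, namespace=None, name=None, groups=None):
    """Build one constructed audit Event line carrying the fields this script reads."""
    ev = {
        "kind": "Event",
        "apiVersion": "audit.k8s.io/v1",
        "level": "Metadata",
        "stage": "ResponseComplete",
        "verb": verb,
        "user": {"username": user, "groups": groups or ["system:authenticated"]},
        "objectRef": {"resource": resource, "namespace": namespace, "name": name},
        "responseStatus": {"code": code},
        "requestReceivedTimestamp": "2024-01-01T10:00:00.000000Z",
    }
    return json.dumps(ev)


# Constructed sample lines: one benign control-plane read, a secret listing by
# a human user, a denied anonymous write, an RBAC change, and a truncated line.
SAMPLE_LINES = [
    _event("system:kube-controller-manager", "get", "configmaps", 200,
           "kube-system", "kube-controller-manager"),
    _event("alice@example.com", "list", "secrets", 200, "kube-system"),
    _event("system:anonymous", "create", "pods", 403, "default",
           groups=["system:unauthenticated"]),
    _event("alice@example.com", "create", "clusterrolebindings", 201,
           name="grant-cluster-admin"),
    "{ truncated line that was cut off during log rotation",
]


def parse_events(lines):
    """Return the audit Event objects found in lines, skipping anything that is not one."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial or foreign line: not an audit event
        if isinstance(ev, dict) and ev.get("kind") == "Event":
            events.append(ev)
    return events


def flag_event(ev):
    """Return the triage reasons that apply to one event (empty list if none)."""
    reasons = []
    user = (ev.get("user") or {}).get("username", "")
    ref = ev.get("objectRef") or {}
    resource = ref.get("resource", "")
    verb = ev.get("verb", "")
    code = (ev.get("responseStatus") or {}).get("code", 0)
    # Secret reads by identities outside the system:* namespace.
    if resource == "secrets" and verb in ("get", "list", "watch") and not user.startswith("system:"):
        reasons.append("secret-read-by-non-system-user")
    # Requests the API server rejected for authentication or authorization.
    if code in (401, 403):
        reasons.append(f"denied-{code}")
    # Writes to cluster-scoped RBAC objects.
    if resource in ("clusterroles", "clusterrolebindings") and verb in ("create", "update", "patch", "delete"):
        reasons.append("cluster-rbac-change")
    return reasons


def triage(lines):
    """Parse the lines and return a summary of every event that triggers a rule."""
    findings = []
    for ev in parse_events(lines):
        reasons = flag_event(ev)
        if reasons:
            ref = ev.get("objectRef") or {}
            findings.append({
                "time": ev.get("requestReceivedTimestamp"),
                "user": (ev.get("user") or {}).get("username"),
                "verb": ev.get("verb"),
                "resource": ref.get("resource"),
                "namespace": ref.get("namespace"),
                "name": ref.get("name"),
                "code": (ev.get("responseStatus") or {}).get("code"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding)
```

To run it against a real file, replace SAMPLE_LINES with the lines of the path listed above for the cluster type (for example /var/log/kubernetes/kube-apiserver.log on a workload cluster control plane node). Which fields are present depends on the level the audit policy assigns to a request; the rules above only need Metadata-level fields, so they work regardless of whether request or response bodies are logged.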

System Audit Logs for Nodes

When you deploy a workload cluster, auditd is enabled by default on its nodes. The system audit log for each node is at /var/log/audit/audit.log on that node.

If you deploy Fluent Bit on the cluster, it will forward these audit logs to your log destination. For instructions, see Install Fluent Bit for Log Forwarding.
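The auditd log is line-oriented but not JSON: each line is one record of the form `type=<TYPE> msg=audit(<time>:<serial>): key=value ...`, and the records that describe a single event share the same serial. The following script is an added example, not code from the Tanzu Kubernetes Grid documentation: it parses constructed sample records, joins them by serial, reconstructs the argv of execve events and decodes the hex form auditd uses for values with special characters, and lists events whose syscall failed. The audit rule keys (exec, k8s-pki) and the file paths in the sample records are assumptions for illustration, not rules shipped with the cluster.

```python
"""Parse Linux auditd records and join the records of one event by serial.

Added example, not part of the Tanzu Kubernetes Grid documentation. The
sample records are constructed; record types, field names and the hex
encoding of proctitle follow the standard auditd log format."""
import re
from collections import OrderedDict

# Constructed sample: an execve of cat on a kubeconfig, and a denied openat on a key file.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=59 success=yes exit=0 a0=55d3c0a1b2c0 a1=55d3c0a1b3e0 a2=55d3c0a1c000 a3=8 items=2 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 comm="cat" exe="/usr/bin/cat" key="exec"
type=EXECVE msg=audit(1700000000.123:456): argc=2 a0="cat" a1="/etc/kubernetes/admin.conf"
type=PROCTITLE msg=audit(1700000000.123:456): proctitle=636174002F6574632F6B756265726E657465732F61646D696E2E636F6E66
type=SYSCALL msg=audit(1700000000.900:457): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd1c2e3a40 a2=0 a3=0 items=1 ppid=1200 pid=1240 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 comm="vi" exe="/usr/bin/vi" key="k8s-pki"
type=PATH msg=audit(1700000000.900:457): item=0 name="/etc/kubernetes/pki/ca.key" inode=1234 dev=fd:01 mode=0100600 ouid=0 ogid=0
"""

RECORD_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def _hex_encoded_field(rtype, key):
    """Fields auditd hex-encodes instead of quoting when the value has special characters."""
    if key in ("proctitle", "name", "comm", "exe"):
        return True
    # In EXECVE records a0..aN are argument strings; in SYSCALL records they are raw registers.
    return rtype == "EXECVE" and key.startswith("a") and key[1:].isdigit()


def decode_value(rtype, key, raw):
    """Strip surrounding quotes, or decode the hex form (NUL separators become spaces)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if _hex_encoded_field(rtype, key) and HEX_RE.match(raw) and len(raw) % 2 == 0:
        return bytes.fromhex(raw).replace(b"\x00", b" ").decode("utf-8", "replace")
    return raw


def parse_records(text):
    """Yield (type, timestamp, serial, fields) for every well-formed record line."""
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # not an auditd record line
        rtype = m.group("type")
        fields = {k: decode_value(rtype, k, v) for k, v in FIELD_RE.findall(m.group("rest"))}
        yield rtype, float(m.group("ts")), int(m.group("serial")), fields


def group_events(text):
    """Join records that share a serial into one event, keeping all PATH items."""
    events = OrderedDict()
    for rtype, ts, serial, fields in parse_records(text):
        ev = events.setdefault(serial, {"serial": serial, "time": ts, "records": {}, "paths": []})
        if rtype == "PATH":
            ev["paths"].append(fields.get("name"))
        else:
            ev["records"][rtype] = fields
    return list(events.values())


def summarize(text):
    """Flatten each event into the fields an analyst usually wants first."""
    out = []
    for ev in group_events(text):
        sc = ev["records"].get("SYSCALL", {})
        ex = ev["records"].get("EXECVE")
        argv = None
        if ex is not None:
            argv = [ex[f"a{i}"] for i in range(int(ex.get("argc", 0))) if f"a{i}" in ex]
        out.append({
            "serial": ev["serial"],
            "time": ev["time"],
            "auid": sc.get("auid"),
            "uid": sc.get("uid"),
            "exe": sc.get("exe"),
            "key": sc.get("key"),
            "success": sc.get("success") == "yes",
            "argv": argv,
            "proctitle": ev["records"].get("PROCTITLE", {}).get("proctitle"),
            "paths": ev["paths"],
        })
    return out


def denied(text):
    """Events whose syscall failed (for example EACCES on a protected file)."""
    return [s for s in summarize(text) if not s["success"]]


if __name__ == "__main__":
    for summary in summarize(SAMPLE_AUDIT_LOG):
        print(summary)
```

Joining by serial matters because the useful context is split across record types: the SYSCALL record carries the user and outcome, EXECVE carries the arguments, and PATH carries the file names. A pipeline reading the node's /var/log/audit/audit.log, or the copy Fluent Bit forwards, can feed its lines to summarize() in the same way.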
