Alcide kAudit is a security service for monitoring Kubernetes audit logs, and easily identifying abnormal administrative activity and compromised Kubernetes resources.
You can review Alcide kAudit findings in your Logz.io security account, including a pre-configured Alcide dashboard in Logz.io to get you started.
Configuration
You can configure an Alcide kAudit integration that uses the Logz.io HTTPS API. The integration can be configured from the kAudit app or kAudit Kubernetes ConfigMap.
Each finding type requires a separate configuration. If you plan to send all kAudit data to Logz.io, you will need to configure 3 HTTPS API integrations, one per finding type.
For more information on exporting kAudit findings, see the official Alcide docs.
Before you begin, you’ll need:
- Access to Alcide kAudit platform
- A shipping token and listener host information for your Logz.io Operations account
Configure an Alcide kAudit integration for detections
First, log into your Alcide kAudit console.
- Select Integrations from the left menu.
- Select Add New Integration and select the HTTPS API integration from the dropdown menu.
- Fill in the new integration form:
  - Name - Provide a name for the new HTTPS API integration. For example: Logz.io.
  - URL - Paste the Logz.io webhook URL, https://<<LISTENER-HOST>>:8071. Replace <<LISTENER-HOST>> with the host for your region. For example, listener.logz.io if your account is hosted on AWS US East, or listener-nl.logz.io if hosted on Azure West Europe. The required port depends on whether HTTP or HTTPS is used: HTTP = 8070, HTTPS = 8071.
  - Token - Paste in the log shipping token of the account you want to ship to.
  - Alert type - Select Detections from the dropdown list.
- Select all available sub-selections:
  - Entity Type - select all types: Cluster, User, Resource
  - Category - select all categories: Incident and Anomaly
Configure an Alcide kAudit integration for audit violations
Repeat the above steps, only this time select Alert type - Audit Violations.
In the field Report, select the Details option. Leave all other default configurations.
Configure an Alcide kAudit integration for audit activity
Repeat the above steps, only this time select Alert type - Audit Activity.
Leave the default configurations. No sub-selections are required.
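The three forms above are easy to get subtly wrong (placeholder host left in, HTTP port paired with an HTTPS URL, a sub-selection missed). The following Python script is an added preflight check written for this page; it is not Alcide's or Logz.io's code. The listener hosts, ports, alert types and sub-selections are those stated above; the IntegrationConfig layout, the function names and the sample token are assumptions made for illustration. It also flags the plaintext HTTP option, since that would send the shipping token and the audit records unencrypted.

```python
"""Preflight check for the three Alcide kAudit -> Logz.io HTTPS API integrations.

Added example; not Alcide's or Logz.io's own code. Listener hosts, ports and
required sub-selections come from the page above. The IntegrationConfig layout
and the function names are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

# Port per scheme, as stated on the page.
PORT_FOR_SCHEME = {"http": 8070, "https": 8071}

# Alert types and the sub-selections the page asks for per type.
ALERT_TYPES = {"Detections", "Audit Violations", "Audit Activity"}
REQUIRED_ENTITY_TYPES = {"Cluster", "User", "Resource"}
REQUIRED_CATEGORIES = {"Incident", "Anomaly"}


@dataclass
class IntegrationConfig:
    """One HTTPS API integration form as filled in the kAudit console (assumed layout)."""
    name: str
    url: str
    token: str
    alert_type: str
    entity_types: set = field(default_factory=set)   # Detections only
    categories: set = field(default_factory=set)     # Detections only
    report: Optional[str] = None                     # Audit Violations only


def build_listener_url(listener_host: str, scheme: str = "https") -> str:
    """Return the webhook URL with the port that matches the chosen scheme."""
    if scheme not in PORT_FOR_SCHEME:
        raise ValueError(f"unsupported scheme {scheme!r}; use http or https")
    return f"{scheme}://{listener_host}:{PORT_FOR_SCHEME[scheme]}"


def validate_integration(cfg: IntegrationConfig) -> List[str]:
    """Return the problems found in one form; an empty list means it is consistent."""
    problems: List[str] = []

    if "<<" in cfg.url or ">>" in cfg.url:
        problems.append("URL still contains the <<LISTENER-HOST>> placeholder")

    parts = urlsplit(cfg.url)
    _host, _, port_text = parts.netloc.rpartition(":")
    expected_port = PORT_FOR_SCHEME.get(parts.scheme)
    if expected_port is None:
        problems.append(f"unsupported scheme {parts.scheme!r}; expected http or https")
    else:
        if parts.scheme == "http":
            # Plaintext shipping exposes the token and the audit records in transit.
            problems.append("HTTP selected; prefer https on port 8071 so the token and audit data are encrypted")
        if not port_text.isdigit() or int(port_text) != expected_port:
            problems.append(f"port {port_text!r} does not match {parts.scheme} (expected {expected_port})")

    if not cfg.token.strip():
        problems.append("log shipping token is empty")

    if cfg.alert_type not in ALERT_TYPES:
        problems.append(f"unknown alert type {cfg.alert_type!r}")
    elif cfg.alert_type == "Detections":
        missing = REQUIRED_ENTITY_TYPES - cfg.entity_types
        if missing:
            problems.append(f"Detections: entity types not selected: {sorted(missing)}")
        missing = REQUIRED_CATEGORIES - cfg.categories
        if missing:
            problems.append(f"Detections: categories not selected: {sorted(missing)}")
    elif cfg.alert_type == "Audit Violations" and cfg.report != "Details":
        problems.append("Audit Violations: Report must be set to Details")

    return problems


def kaudit_integration_set(listener_host: str, token: str) -> List[IntegrationConfig]:
    """Build the three integrations the page says are needed to ship all kAudit data."""
    url = build_listener_url(listener_host)
    return [
        IntegrationConfig("Logz.io detections", url, token, "Detections",
                          entity_types=set(REQUIRED_ENTITY_TYPES),
                          categories=set(REQUIRED_CATEGORIES)),
        IntegrationConfig("Logz.io audit violations", url, token, "Audit Violations",
                          report="Details"),
        IntegrationConfig("Logz.io audit activity", url, token, "Audit Activity"),
    ]


if __name__ == "__main__":
    # Constructed sample values; replace with your own listener host and token.
    for cfg in kaudit_integration_set("listener.logz.io", "EXAMPLE-SHIPPING-TOKEN"):
        print(cfg.alert_type, validate_integration(cfg) or "ok")
```

Run it before filling in the console: any non-empty list printed for an alert type is a field to correct in that form. The HTTP warning is a deliberate defender's choice; the page permits port 8070, but audit logs and the shipping token should not leave the cluster in cleartext.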
Check Logz.io for your logs
Give your logs some time to get from your system to ours, and then open OpenSearch Dashboards. You can search or filter for Alcide logs under type:alcide-kaudit.
If you still don’t see your logs, see log shipping troubleshooting.