Audit logging integration with enterprise SIEM tools

Learn how to configure your cluster to generate audit logs and route them to SIEM tools.

A Kubernetes-based private cloud is available to be deployed and managed by a client within their enterprise. Application developers can transform their enterprise applications to use cloud capabilities such as elasticity and microservices architecture. Enterprise security, compliance, and risk teams can implement various security controls to comply with enterprise security and compliance policies to meet internal and external audit and regulatory requirements.

One of the security controls that needs to meet such requirements is audit logging. Specifically, configured to generate audit logs. These audit logs must be routed to the client’s existing enterprise SIEM tool where the client security operations center can handle security incident management and data retention controls. This information outlines the configuration that is needed to generate various audit logs and how these logs can be routed to a client's SIEM by using IBM QRadar as an example.

Sample audit log

    "typeURI": "",
    "eventType": "activity",
    "id": "icp:f14704b0-a9dd-11e8-817b-89bcae80625c",
    "action": "read",
    "requestPath": "/identity/api/v1/directory/ldap/56027bb0-a9dd-11e8-9573-0b442b44e932/fetchUsergroups?searchString=%2Ac%2A",
    "initiator": {
        "typeURI": "service/security/account/user",
        "name": "admin",
        "credential": {
            "type": "token"
        "host": {
            "address": "icp-management-ingress:8443"
    "target": {
        "id": "6917371c373f3eb2098a9d7bcd5026052a1c665721a80596c74295ddd9f39ee9\n",
        "name": "platform-identity-management",
        "typeURI": "service/storage/directory"
    "observer": {
        "id": "target"
    "severity": "normal",
    "outcome": "success",
    "reason": {
        "reasonType": "HTTP",
        "reasonCode": 200
    "eventTime": "2018-08-27T09:45:33.563Z",
    "kubernetes.container_id": "6917371c373f3eb2098a9d7bcd5026052a1c665721a80596c74295ddd9f39ee9\n",
    "kubernetes.container_name": "platform-identity-management",
    "kubernetes.pod": "auth-idp-vfmzh",
    "kubernetes.namespace": "kube-system",
    "origination": "cli",
    "version": "v1.0"