Configuring Kubernetes Auditing to communicate with QRadar
To collect all events from Kubernetes Auditing, you must specify IBM QRadar as the syslog server.
Before you begin
A Kubernetes cluster must be running on your system. For more information, see Kubernetes documentation about Creating a single control-plane cluster with kubeadm (https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/).
Create a copy of the Kubernetes audit policy file. For more information, see Kubernetes documentation about Audit Policy (https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#audit-policy).
If you are using the Container or the Kubernetes content extensions, you need the QRadar audit policy file. For more information about the Container content extension, see Container (https://www.ibm.com/docs/en/qradar-common?topic=extensions-container). For more information about the Kubernetes content extension, see Kubernetes (https://www.ibm.com/docs/en/qradar-common?topic=extensions-kubernetes).
Make sure that rsyslog is installed and running on your system. For more information, see the rsyslog documentation (https://www.rsyslog.com).
About this task
Procedure
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    ...
    - --audit-policy-file=/etc/kubernetes/audit-policy.yaml
    - --audit-log-path=/var/log/apiserver/audit.log
    ...
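The rsyslog side of this setup, as an added example that is not part of the IBM documentation: it tails the audit log written by the kube-apiserver flags above and forwards each JSON event to QRadar over TCP syslog. The QRadar address is a placeholder, the local6 facility and 64k message size are assumptions (Kubernetes audit events at the RequestResponse level routinely exceed rsyslog's default 8k limit and would otherwise be truncated).

```rsyslog
# /etc/rsyslog.d/10-kube-audit-qradar.conf (added example, not IBM's file)

# Audit events are single-line JSON and can be large; raise the limit so
# events are not truncated before they reach QRadar.
global(maxMessageSize="64k" workDirectory="/var/lib/rsyslog")

# Read the file produced by --audit-log-path on the kube-apiserver.
module(load="imfile")
input(type="imfile"
      File="/var/log/apiserver/audit.log"
      Tag="kube-apiserver-audit"
      Facility="local6"
      Severity="info"
      ruleset="qradar-kube-audit")

# Forward only these events to the QRadar event collector and stop, so
# they are not also written to local syslog files twice.
ruleset(name="qradar-kube-audit") {
    action(type="omfwd"
           target="QRADAR_EVENT_COLLECTOR_IP"   # placeholder, replace
           port="514"
           protocol="tcp"
           queue.type="LinkedList"
           queue.filename="qradar-kube-audit-q"
           action.resumeRetryCount="-1")
    stop
}
```

Restart rsyslog after placing the file and confirm with `kubectl get pods -n kube-system` that the API server still starts, since a typo in the audit flags leaves the control plane down rather than the forwarder.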