Configuring Kubernetes Auditing to communicate with QRadar

To collect audit events from the Kubernetes API server, configure the kube-apiserver to write an audit log on the control-plane node and configure rsyslog on that node to forward the log to IBM QRadar, that is, specify QRadar as the syslog server.

Before you begin

A Kubernetes cluster must be running on your system. For more information, see Kubernetes documentation about Creating a single control-plane cluster with kubeadm (https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/).

Create a copy of the Kubernetes audit policy file. For more information, see Kubernetes documentation about Audit Policy (https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#audit-policy).

If you are using the Container or the Kubernetes content extensions, you need the QRadar audit policy file. For more information about the Container content extension, see Container (https://www.ibm.com/docs/en/qradar-common?topic=extensions-container). For more information about the Kubernetes content extension, see Kubernetes (https://www.ibm.com/docs/en/qradar-common?topic=extensions-kubernetes).

Make sure that rsyslog is installed and running on your system. For more information, see the rsyslog documentation (https://www.rsyslog.com).

Procedure

  1. Use SSH to log in to the Kubernetes control-plane node that runs kube-apiserver.
  2. Copy your audit policy file to /etc/kubernetes/audit-policy.yaml on that node, then define the audit-policy-file and audit-log-path parameters in the /etc/kubernetes/manifests/kube-apiserver.yaml file. Because kubeadm runs kube-apiserver as a static pod in a container, the policy file and the /var/log/apiserver directory must also be mounted into the container as hostPath volumes; otherwise the API server cannot read the policy and fails to start. The kubelet restarts the API server automatically when the manifest changes.

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        component: kube-apiserver
        tier: control-plane
      name: kube-apiserver
      namespace: kube-system
    spec:
      containers:
      - command:
        - kube-apiserver
        ...
        - --audit-policy-file=/etc/kubernetes/audit-policy.yaml
        - --audit-log-path=/var/log/apiserver/audit.log
        ...

  3. Configure the rsyslog /etc/rsyslog.conf file to forward events that are logged in the audit.log file to QRadar. Replace QRADAR_EVENT_COLLECTOR_IP with the IP address of your QRadar Event Collector; the double @@ sends over TCP, a single @ would send over UDP. Each audit event is one JSON line; events recorded at the RequestResponse level can exceed the rsyslog default message size of 8k and are then truncated, so raise $MaxMessageSize at the top of the file if you use that level.

    #### MODULES ####
    …
    $ModLoad imfile
    # ### begin forwarding rule ###
    $InputFileName /var/log/apiserver/audit.log
    $InputFileSeverity notice
    $InputFileFacility local0
    $InputRunFileMonitor
    local0.* @@QRADAR_EVENT_COLLECTOR_IP:514

  4. Restart rsyslog by typing the following command: systemctl restart rsyslog (or service rsyslog restart on systems without systemd).
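The procedure above as an added example that is not part of the IBM or Kubernetes documentation: a POSIX shell script that renders the rsyslog forwarding rule for a given collector address and checks a kube-apiserver static-pod manifest for the two audit flags and the hostPath mounts they depend on, which is the usual reason the API server fails to come back after this change. The sample manifest is constructed here; the collector address 192.0.2.10, the k8s-audit tag and state file name, and the 64k message size are assumptions.

```shell
#!/bin/sh
# Added example, not from the IBM or Kubernetes docs. Assumes the paths used in the
# procedure above; the QRadar collector address is supplied by the caller.

# Print an rsyslog config that tails the audit log and forwards it over TCP (@@) to QRadar.
# Legacy directive style as on the page, plus a tag, a state file (so rsyslog resumes
# where it stopped after a restart) and a larger MaxMessageSize, because audit events at
# RequestResponse level are often longer than rsyslog's 8k default and would be truncated.
# MaxMessageSize must come before any input module is loaded.
render_rsyslog_conf() {
    qradar_ip="$1"
    cat <<EOF
# Forward Kubernetes API server audit events to QRadar
\$MaxMessageSize 64k
\$ModLoad imfile
\$InputFileName /var/log/apiserver/audit.log
\$InputFileTag k8s-audit:
\$InputFileStateFile k8s-audit
\$InputFileSeverity notice
\$InputFileFacility local0
\$InputRunFileMonitor
local0.* @@${qradar_ip}:514
EOF
}

# Check that a kube-apiserver static-pod manifest passes both audit flags AND mounts the
# policy file and the log directory from the host. kube-apiserver runs in a container, so
# without the hostPath volumes it cannot read the policy (and exits), and an unmounted
# log path would never appear under /var/log on the node for rsyslog to read.
# Returns 0 when everything is present, 1 otherwise (missing items go to stderr).
check_apiserver_manifest() {
    manifest="$1"
    rc=0
    for needle in \
        '--audit-policy-file=/etc/kubernetes/audit-policy.yaml' \
        '--audit-log-path=/var/log/apiserver/audit.log' \
        'mountPath: /etc/kubernetes/audit-policy.yaml' \
        'mountPath: /var/log/apiserver' \
        'path: /etc/kubernetes/audit-policy.yaml' \
        'path: /var/log/apiserver'; do
        if ! grep -Fq -- "$needle" "$manifest"; then
            echo "missing in $manifest: $needle" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample manifest (not copied from a real cluster) with the flags and the
# hostPath volumes the check looks for, so the script can be run stand-alone.
write_sample_manifest() {
    cat >"$1" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --audit-policy-file=/etc/kubernetes/audit-policy.yaml
    - --audit-log-path=/var/log/apiserver/audit.log
    name: kube-apiserver
    volumeMounts:
    - mountPath: /etc/kubernetes/audit-policy.yaml
      name: audit-policy
      readOnly: true
    - mountPath: /var/log/apiserver
      name: audit-log
  volumes:
  - hostPath:
      path: /etc/kubernetes/audit-policy.yaml
      type: File
    name: audit-policy
  - hostPath:
      path: /var/log/apiserver
      type: DirectoryOrCreate
    name: audit-log
EOF
}

# Stand-alone run: check the sample manifest, then print the rsyslog config to paste
# into /etc/rsyslog.conf before restarting rsyslog.
sample="${TMPDIR:-/tmp}/kube-apiserver-sample.$$.yaml"
write_sample_manifest "$sample"
check_apiserver_manifest "$sample" && echo "manifest OK: $sample" >&2
render_rsyslog_conf 192.0.2.10
rm -f "$sample"
```

On a real node, run check_apiserver_manifest against /etc/kubernetes/manifests/kube-apiserver.yaml after editing it; if it reports missing mountPath or path lines, add the volumeMounts and volumes shown in the sample before relying on the kubelet restart.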