Amazon AWS Elastic Kubernetes Service sample event messages
Use these sample event messages to verify a successful integration with QRadar®.
Important: Due to formatting issues, paste the message format into a text editor and
then remove any carriage return or line feed characters.
Amazon AWS Elastic Kubernetes Service sample message when you use the Amazon Web Services protocol
Sample 1: The following sample event message shows a watch request on Role objects in the rbac.authorization.k8s.io API group, issued by the kube-controller-manager and allowed by RBAC.
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Request","auditID":"8716c01c-7a52-4100-8e97-1b9640c72a2f","stage":"ResponseComplete","requestURI":"/apis/rbac.authorization.k8s.io/v1/roles?allowWatchBookmarks=true&resourceVersion=1575982&timeout=6m33s&timeoutSeconds=393&watch=true","verb":"watch","user":{"username":"system:kube-controller-manager","groups":["system:authenticated"]},"sourceIPs":["10.0.46.47"],"userAgent":"kube-controller-manager/v1.18.9 (linux/amd64) kubernetes/d1db3c4/shared-informers","objectRef":{"resource":"roles","apiGroup":"rbac.authorization.k8s.io","apiVersion":"v1"},"responseStatus":{"metadata":{},"status":"Success","message":"Connection closed early","code":200},"requestReceivedTimestamp":"2021-03-29T19:15:03.945243Z","stageTimestamp":"2021-03-29T19:21:36.945705Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:kube-controller-manager\" of ClusterRole \"system:kube-controller-manager\" to User \"system:kube-controller-manager\""}}
| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | watch |
| Event Category | roles |
| Source IP | 10.0.46.47 |
| Username | system:kube-controller-manager |
| Device Time | 2021-03-29T19:21:36.945705Z |
Sample 2: The following sample event message, delivered inside the CloudWatch Logs record wrapper (LogStreamName, Timestamp, Message, IngestionTime, EventId), shows an update to the kube-controller-manager Lease in the kube-system namespace; the leader-election user agent identifies it as the controller manager renewing its leader lease.
{LogStreamName: kube-apiserver-audit-e5c612db6e0f317f383ed50f22c28423,Timestamp: 1616696002054,Message: {"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"e4b88806-2ebf-45b7-8e92-998a33fb0689","stage":"ResponseComplete","requestURI":"/apis/coordination.k8s.io/v1/namespaces/kube-system/leases/kube-controller-manager?timeout=10s","verb":"update","user":{"username":"system:kube-controller-manager","groups":["system:authenticated"]},"sourceIPs":["10.0.184.90"],"userAgent":"kube-controller-manager/v1.18.9 (linux/amd64) kubernetes/d1db3c4/leader-election","objectRef":{"resource":"leases","namespace":"kube-system","name":"kube-controller-manager","uid":"a047cca1-2cda-4e10-9f5c-205de4effe90","apiGroup":"coordination.k8s.io","apiVersion":"v1","resourceVersion":"36409"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2021-03-25T18:13:21.066654Z","stageTimestamp":"2021-03-25T18:13:21.071075Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:kube-controller-manager\" of ClusterRole \"system:kube-controller-manager\" to User \"system:kube-controller-manager\""}},IngestionTime: 1616696007143,EventId: 36053525605289394950164595066735255382191488289159053312}
| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | update |
| Event Category | leases |
| Source IP | 10.0.184.90 |
| Username | system:kube-controller-manager |
| Device Time | 2021-03-25T18:13:21.071075Z |
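The two samples above arrive in different shapes: Sample 1 is a bare audit.k8s.io/v1 Event, while Sample 2 is the same kind of event embedded in a CloudWatch Logs record whose outer wrapper is not JSON (unquoted keys, bare numeric values). The following added example, which is not QRadar code or part of the IBM documentation, parses both shapes and applies the field mapping from the tables above (Event ID from verb, Event Category from objectRef.resource, Source IP from the first sourceIPs entry, Username from user.username, Device Time from stageTimestamp). It also pulls out the authorization.k8s.io/decision annotation, which is not one of the QRadar table fields but is the first thing an analyst checks in an audit event. The sample inputs are constructed, shortened versions of the two events on this page.

```python
"""Map EKS control-plane audit events onto the QRadar field names used on this page.

Added example, not QRadar or IBM code. Handles a bare audit.k8s.io/v1 Event and
the CloudWatch log-record wrapper (LogStreamName/Timestamp/Message/IngestionTime/EventId)
that the Amazon Web Services protocol delivers.
"""
import json
from typing import Any, Dict, Optional

_WRAPPER_MARKER = "Message: "

# Constructed, shortened versions of the page's two samples (not the originals).
SAMPLE_BARE = (
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Request",'
    '"auditID":"8716c01c-7a52-4100-8e97-1b9640c72a2f","stage":"ResponseComplete",'
    '"requestURI":"/apis/rbac.authorization.k8s.io/v1/roles?watch=true","verb":"watch",'
    '"user":{"username":"system:kube-controller-manager","groups":["system:authenticated"]},'
    '"sourceIPs":["10.0.46.47"],'
    '"objectRef":{"resource":"roles","apiGroup":"rbac.authorization.k8s.io","apiVersion":"v1"},'
    '"responseStatus":{"metadata":{},"status":"Success","code":200},'
    '"requestReceivedTimestamp":"2021-03-29T19:15:03.945243Z",'
    '"stageTimestamp":"2021-03-29T19:21:36.945705Z",'
    '"annotations":{"authorization.k8s.io/decision":"allow",'
    '"authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \\"system:kube-controller-manager\\""}}'
)

SAMPLE_WRAPPED = (
    '{LogStreamName: kube-apiserver-audit-e5c612db6e0f317f383ed50f22c28423,'
    'Timestamp: 1616696002054,Message: '
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata",'
    '"auditID":"e4b88806-2ebf-45b7-8e92-998a33fb0689","stage":"ResponseComplete",'
    '"requestURI":"/apis/coordination.k8s.io/v1/namespaces/kube-system/leases/kube-controller-manager?timeout=10s",'
    '"verb":"update","user":{"username":"system:kube-controller-manager","groups":["system:authenticated"]},'
    '"sourceIPs":["10.0.184.90"],'
    '"objectRef":{"resource":"leases","namespace":"kube-system","name":"kube-controller-manager",'
    '"apiGroup":"coordination.k8s.io","apiVersion":"v1"},'
    '"responseStatus":{"metadata":{},"code":200},'
    '"requestReceivedTimestamp":"2021-03-25T18:13:21.066654Z",'
    '"stageTimestamp":"2021-03-25T18:13:21.071075Z",'
    '"annotations":{"authorization.k8s.io/decision":"allow"}},'
    'IngestionTime: 1616696007143,'
    'EventId: 36053525605289394950164595066735255382191488289159053312}'
)


def unwrap_message(raw: str) -> Dict[str, Any]:
    """Return the audit Event dict from either payload shape.

    The CloudWatch wrapper cannot be fed to json.loads, so the inner event is
    located by the 'Message: ' marker and decoded with raw_decode, which stops
    at the closing brace of the first complete JSON object. Brace-matching by
    hand would break on braces inside the event's own strings; raw_decode does not.
    """
    text = raw.strip()
    if text.startswith('{"'):
        return json.loads(text)
    idx = text.find(_WRAPPER_MARKER)
    if idx < 0:
        raise ValueError("neither a bare audit event nor a CloudWatch log record")
    start = text.index("{", idx)
    event, _end = json.JSONDecoder().raw_decode(text, start)
    return event


def qradar_fields(raw: str) -> Dict[str, Optional[str]]:
    """Apply the field mapping shown in the tables on this page."""
    ev = unwrap_message(raw)
    if ev.get("kind") != "Event" or not str(ev.get("apiVersion", "")).startswith("audit.k8s.io/"):
        raise ValueError("not a Kubernetes audit event")
    source_ips = ev.get("sourceIPs") or []
    return {
        "Event ID": ev.get("verb"),
        "Event Category": (ev.get("objectRef") or {}).get("resource"),
        "Source IP": source_ips[0] if source_ips else None,
        "Username": (ev.get("user") or {}).get("username"),
        "Device Time": ev.get("stageTimestamp"),
        # Extra, not in the QRadar table: the RBAC decision for the request.
        "Authz Decision": (ev.get("annotations") or {}).get("authorization.k8s.io/decision"),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_BARE, SAMPLE_WRAPPED):
        print(qradar_fields(sample))
```

Run it against a real CloudWatch export by pasting one record per call; the parser does not care whether carriage returns or line feeds remain inside the record, since both json.loads and raw_decode tolerate whitespace between tokens, so the Important note above applies to QRadar's own test tooling rather than to this script.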