Kubernetes Auditing

The IBM® QRadar® DSM for Kubernetes collects auditing events from the Kube-apiserver on a Kubernetes master node.

To integrate Kubernetes with QRadar, complete the following steps:
  1. If automatic updates are not enabled, RPMs are available for download from the IBM support website (http://www.ibm.com/support). Download and install the most recent version of the following RPMs on your QRadar Console:
    • DSM Common RPM
    • Kubernetes Auditing DSM RPM
  2. Configure the Kube-apiserver on your Kubernetes master node to send audit events to QRadar.
  3. Create a copy of the audit policy file. For more information, see Kubernetes documentation about Audit Policy (https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#audit-policy).
  4. Configure rsyslog on the Linux® system that hosts your Kubernetes master node. For more information about configuring rsyslog, see Configuring rsyslog on a logging server (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-viewing_and_managing_log_files#s1-configuring_rsyslog_on_a_logging_server).
  5. If QRadar does not automatically detect the log source, add a Kubernetes Auditing log source on the QRadar Console.
Note: The Kubernetes auditing event payload can be over 32,000 bytes. The default QRadar syslog payload length is 4,096 bytes. You can increase the QRadar syslog payload size to 32,000 bytes. For more information about increasing the QRadar maximum payload size, see QRadar: TCP Syslog Maximum Payload Message Length for QRadar Appliances (https://www.ibm.com/support/pages/qradar-tcp-syslog-maximum-payload-message-length-qradar-appliances).

If Kubernetes audit events are larger than 32,000 bytes, QRadar truncates the events. To keep the events from being truncated, tune your Kubernetes audit policy to return less data.
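As an added example (not part of the IBM documentation or the Kubernetes project), the following Python script measures kube-apiserver audit events against the two QRadar payload limits named above and, for each oversized event, reports the least restrictive audit policy level (Request or Metadata) that would bring it under the limit. The sample events are constructed data in the audit.k8s.io/v1 Event shape with most fields omitted; the 32,000 and 4,096 byte limits are the ones stated on this page.

```python
import json

# QRadar syslog payload limits named on this page, in bytes.
DEFAULT_PAYLOAD_LIMIT, MAX_PAYLOAD_LIMIT = 4096, 32000

# Fields each audit level omits: Metadata drops both bodies, Request drops only the response.
LEVEL_DROPS = {"RequestResponse": (), "Request": ("responseObject",),
               "Metadata": ("requestObject", "responseObject")}

def payload_size(event):
    """Bytes of the event as the apiserver JSON log backend writes it; rsyslog adds a short header on top."""
    return len(json.dumps(event, separators=(",", ":")).encode("utf-8"))

def size_at_level(event, level):
    """Size of the same event had the audit policy recorded it at `level`."""
    return payload_size({k: v for k, v in event.items() if k not in LEVEL_DROPS[level]})

def triage(audit_lines, limit=MAX_PAYLOAD_LIMIT):
    """Return (verb, resource, size, level) for each event over `limit`; `level` is the least
    restrictive policy level that brings it under the limit, or None if even Metadata does not."""
    findings = []
    for line in audit_lines:
        event = json.loads(line)
        size = payload_size(event)
        if size <= limit:
            continue
        fit = next((lvl for lvl in ("Request", "Metadata") if size_at_level(event, lvl) <= limit), None)
        findings.append((event["verb"], event.get("objectRef", {}).get("resource", "?"), size, fit))
    return findings

def _event(verb, resource, level, req=None, resp=None):
    """Constructed sample event in the audit.k8s.io/v1 Event shape (not a real capture; fields omitted)."""
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": level, "stage": "ResponseComplete",
          "verb": verb, "objectRef": {"resource": resource, "namespace": "default"},
          "user": {"username": "system:serviceaccount:default:app"}, "responseStatus": {"code": 200}}
    if req is not None:
        ev["requestObject"] = req
    if resp is not None:
        ev["responseObject"] = resp
    return ev

# Constructed audit log: two small events and a `list pods` recorded at RequestResponse whose
# 800-item response body is the classic oversized case this page warns about.
SAMPLE_AUDIT_LOG = [json.dumps(e, separators=(",", ":")) for e in (
    _event("get", "pods", "Metadata"),
    _event("create", "configmaps", "RequestResponse", req={"data": {"k": "v"}}, resp={"data": {"k": "v"}}),
    _event("list", "pods", "RequestResponse", resp={"kind": "PodList", "items": [
        {"metadata": {"name": f"pod-{i}", "labels": {"app": "web"}}} for i in range(800)]}),
)]
```

Run `triage(...)` over lines from the apiserver's `--audit-log-path` file to see which verb/resource pairs need a lower level in the policy before they reach rsyslog.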