title: "Read Kubernetes or Openshift Audit Logs, flag it and send it to ELS"
date: 2020-11-27T08:35:23
slug: read-kubernetes-or-openshift-audir-logs-flag-it-and-send-it-to-els
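# Openshift audit logs
#
# Fluentd pipeline: tail the OpenShift / Kubernetes API-server audit logs, parse
# each line as JSON and ship the events to Elasticsearch ("opendistro") over
# HTTPS with client-certificate authentication.
#
# NOTE(review): the <source>/<parse>/<match>/<store>/<buffer> wrappers and the
# literal "_" in directive names were lost or escaped when the post was
# rendered; they are restored here from the directive grouping. Any <filter>
# that "flags" events (per the post title) is not visible on this page. Confirm
# against the original configuration before deploying.

<source>
  @type tail
  @id openshift-audit-input
  # The OAuth API server and the OpenShift API server each write their own audit log.
  path /var/log/oauth-apiserver/audit.log,/var/log/openshift-apiserver/audit.log
  # The position file records the read offset so a restart resumes instead of
  # re-reading. Under /tmp it is lost on reboot (events are re-sent) and is
  # writable by other local users, who could move the offset and cause audit
  # events to be skipped or replayed. Prefer a persistent directory owned by the
  # fluentd user (placeholder: <FLUENTD-STATE-DIR>/audit.log.pos).
  pos_file /tmp/audit.log.pos
  tag openshift-audit.log
  <parse>
    @type json
    # Use the API server's own receive timestamp as the event time and keep the
    # field in the record so it remains searchable.
    time_key requestReceivedTimestamp
    keep_time_key true
    time_format %Y-%m-%dT%H:%M:%S.%N%z
  </parse>
</source>

<match openshift-audit.log>
  @type copy
  <store>
    @type elasticsearch
    # @id default
    @log_level "info"
    include_tag_key true
    host "opendistro"
    port 9200
    scheme https
    # ssl_verify false disables server-certificate validation: the connection is
    # still encrypted and client-cert authenticated, but a host able to answer
    # as "opendistro" on the network would receive (or swallow) the audit
    # stream. Prefer `ssl_verify true` with `ca_file` pointing at the cluster CA
    # (placeholder path: <PATH-TO-CA-PEM>).
    ssl_verify false
    ssl_version TLSv1_2
    client_cert /etc/fluent/cert/cert_pem
    client_key /etc/fluent/cert/cert_key
    client_cert_auth true
    reload_connections false
    reconnect_on_error true
    reload_on_failure true
    # false hides why Elasticsearch rejected a bulk request (HTTP 400); for an
    # audit pipeline, events that are silently dropped are worth surfacing in
    # the fluentd log.
    log_es_400_reason false
    logstash_prefix "audit-openshift"
    logstash_format true
    index_name "audit-openshift"
    type_name "fluentd"
    <buffer>
      flush_thread_count 1
      flush_interval 5s
      chunk_limit_size 2M
      # 4 chunks x 2M is a small buffer; if Elasticsearch stays unreachable
      # long enough to fill it, ingestion stalls or events are discarded
      # (which one depends on overflow_action). Size it for the expected outage
      # window — audit events are not reproducible.
      queue_limit_length 4
      retry_max_interval 30
      retry_forever true
    </buffer>
  </store>
</match>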
