To enable audit log collection in your Kubernetes clusters, complete the following
steps.
1. Select Kubernetes audit log collection when you create a cluster in TrendAI Vision One™ (see Protect Amazon EKS clusters (with and without Fargate), Protect Microsoft AKS clusters, Protect Google GKE clusters, etc.).
2. Deploy the Helm chart and the overrides.yaml file that is generated when you complete step 1.
3. Manually enable the Kubernetes audit log feature at the cluster level (see Enable audit log collection for self-managed clusters and Enable audit log collection for managed clusters). This allows the Container Security pod to receive and process logs from Kubernetes.

Note
The method for enabling audit logging varies depending on your specific Kubernetes distribution. Refer to the individual log collection steps to enable audit logging in your environment.
Audit collector endpoint
The following table describes the available connection methods for the TrendAI Vision One™ audit log collector endpoint.
| Connection Method | Endpoint |
| --- | --- |
| Via Service | http://trendmicro-audit-log-collector.trendmicro-system.svc:8030/k8s-audit |
| Via Host Network | http://127.0.0.1:8030/k8s-audit |

Note
Use the Host Network endpoint if the kube-apiserver cannot reach cluster services (common in k3s, k0s, RKE1, RKE2).
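
The following is an added example, not taken from the TrendAI documentation: a kube-apiserver audit webhook kubeconfig that points at the Host Network endpoint from the table, together with a minimal audit policy. The file paths, the cluster and context names, and the policy rules are assumptions; where the per-distribution steps prescribe their own files, follow those instead.

```yaml
# File 1 (hypothetical path): /etc/kubernetes/audit/audit-webhook.yaml
# Passed to kube-apiserver with --audit-webhook-config-file.
# The audit webhook backend reads its target from a kubeconfig-format file.
apiVersion: v1
kind: Config
clusters:
  - name: audit-collector            # assumed name, any label works
    cluster:
      # Host Network endpoint from the table above. Use the Via Service
      # URL instead when the kube-apiserver can resolve and reach
      # cluster services.
      server: http://127.0.0.1:8030/k8s-audit
contexts:
  - name: default
    context:
      cluster: audit-collector
      user: ""
current-context: default
preferences: {}
users: []
---
# File 2 (hypothetical path): /etc/kubernetes/audit/audit-policy.yaml
# Passed to kube-apiserver with --audit-policy-file. Without a policy
# the API server emits no audit events, so the webhook receives nothing.
# This policy is constructed for illustration.
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
  - RequestReceived                  # skip the duplicate pre-processing stage
rules:
  # Metadata level records who did what to which resource without
  # request or response bodies, so Secret and ConfigMap contents are
  # not copied into the audit stream.
  - level: Metadata
```

On self-managed clusters both files must be readable by the kube-apiserver process, which for a static-pod API server means mounting their directory into the pod.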
