audit-logs
| Version | 1.84.1 (View all) |
| Subscription level What's this? | Basic |
| Ingestion method(s) | API, AWS CloudWatch, Azure Event Hub, File, GCP Pub/Sub |
| Minimum Kibana version(s) | 9.3.0 9.2.4 9.1.10 |
Audit-logs integration collects and parses Kubernetes audit logs.
Audit logs can be collected from managed Kubernetes services in cloud providers:
- Amazon EKS: Configure the aws-cloudwatch input to collect audit logs from a CloudWatch log group where EKS audit logs are published.
- Azure AKS: Use the azure-eventhub input to receive audit logs from an Event Hub configured to stream AKS diagnostic logs.
- Google GKE: Use the gcp-pubsub input to subscribe to a Pub/Sub topic that receives GKE audit logs via Log Router sinks.
To enable these, configure the corresponding input with access credentials and the appropriate log stream or topic.
To collect audit logs from local k8s deployments, it requires access to the log files on each Kubernetes node where the audit logs are stored.This defaults to/var/log/kubernetes/kube-apiserver-audit.log.
Example
{ "kubernetes": { "audit": { "auditID": "bcacfeaa-5ab5-48de-8bac-3a87d1474b6a", "requestReceivedTimestamp": "2022-08-31T08:09:39.660940Z", "level": "RequestResponse", "kind": "Event", "verb": "get", "annotations": { "authorization_k8s_io/decision": "allow", "authorization_k8s_io/reason": "RBAC: allowed by ClusterRoleBinding \"system:public-info-viewer\" of ClusterRole \"system:public-info-viewer\" to Group \"system:unauthenticated\"" }, "userAgent": "kube-probe/1.24", "requestURI": "/readyz", "responseStatus": { "metadata": {}, "code": 200 }, "stageTimestamp": "2022-08-31T08:09:39.662241Z", "sourceIPs": [ "172.18.0.2" ], "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete", "user": { "groups": [ "system:unauthenticated" ], "username": "system:anonymous" } } }, "input": { "type": "filestream" }, "agent": { "name": "kind-control-plane", "id": "6e730a0c-7da5-48ff-b4c9-f6c63844975d", "type": "filebeat", "ephemeral_id": "d27511c8-9cd1-402c-8b1b-234abbd9dcae", "version": "8.4.0" }, "@timestamp": "2022-08-31T08:09:57.520Z", "ecs": { "version": "8.0.0" }, "log": { "file": { "path": "/var/log/kubernetes/kube-apiserver-audit-1.log" }, "offset": 20995 }, "data_stream": { "namespace": "default", "type": "logs", "dataset": "kubernetes.audit_logs" }, "elastic_agent": { "id": "6e730a0c-7da5-48ff-b4c9-f6c63844975d", "version": "8.4.0", "snapshot": false }, "event": { "agent_id_status": "verified", "ingested": "2022-08-31T08:09:58Z", "dataset": "kubernetes.audit_logs" }}Exported fields
| Field | Description | Type |
|---|---|---|
| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
| agent.ephemeral_id | Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, butagent.id does not. | keyword |
| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword |
| agent.name | Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. | keyword |
| agent.type | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword |
| agent.version | Version of the agent. | keyword |
| azure.consumer_group | Consumer group. | keyword |
| azure.enqueued_time | The enqueued time. | keyword |
| azure.eventhub | Event hub name. | keyword |
| azure.offset | Offset. | long |
| azure.partition_id | Partition ID. | keyword |
| azure.sequence_number | Sequence number. | long |
| client.ip | IP address of the client (IPv4 or IPv6). | ip |
| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
| cloud.image.id | Image ID for the cloud instance. | keyword |
| cloud.instance.id | Instance ID of the host machine. | keyword |
| cloud.instance.name | Instance name of the host machine. | keyword |
| cloud.machine.type | Machine type of the host machine. | keyword |
| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
| cloud.region | Region in which this host, resource, or service is located. | keyword |
| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples includenginx.access,prometheus,endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value.event.dataset should have the same value asdata_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, thedataset value has additional restrictions: * Must not contain- * No longer than 100 characters | constant_keyword |
| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field withdefault. If no value is used, it falls back todefault. Beyond the Elasticsearch index naming criteria noted above,namespace value has the additional restrictions: * Must not contain- * No longer than 100 characters | constant_keyword |
| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
| ecs.version | ECS version this event conforms to.ecs.version is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
| error.message | Error message. | match_only_text |
| event.action | The action captured by the event. This describes the information in the event. It is more specific thanevent.category. Examples aregroup-add,process-started,file-created. The value is normally defined by the implementer. | keyword |
| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
| event.ingested | Timestamp when an event arrived in the central data store. This is different from@timestamp, which is when the event originally occurred. It's also different fromevent.created, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this:@timestamp <event.created <event.ingested. | date |
| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.event.kind gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from_source. If users wish to override this and index this field, please seeField data types in theElasticsearch Reference. | keyword |
| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.event.outcome simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values ofevent.outcome, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events withevent.type:info, or any events for which an outcome does not make logical sense. | keyword |
| host.architecture | Operating system architecture. | keyword |
| host.containerized | If the host is a container. | boolean |
| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
| host.hostname | Hostname of the host. It normally contains what thehostname command returns on the host machine. | keyword |
| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage ofbeat.name. | keyword |
| host.ip | Host ip addresses. | ip |
| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
| host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
| host.os.kernel | Operating system kernel version as a raw string. | keyword |
| host.os.name | Operating system name, without the version. | keyword |
| host.os.name.text | Multi-field ofhost.os.name. | match_only_text |
| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
| host.os.version | Operating system version as a raw string. | keyword |
| host.type | Type of host. For Cloud providers this can be the machine type liket2.medium. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
| input.type | Type of input. | keyword |
| kubernetes.audit.aks_metadata.category | The log category of the event being logged. Only for Azure AKS logs. | keyword |
| kubernetes.audit.aks_metadata.container_id | The ID of the container that the event is logging. Only for Azure AKS logs. | keyword |
| kubernetes.audit.aks_metadata.operation_name | The name of the operation that the event is logging. Only for Azure AKS logs. | keyword |
| kubernetes.audit.aks_metadata.pod | The name of the pod that emitted the event. Only for Azure AKS logs. | keyword |
| kubernetes.audit.aks_metadata.resource_id | The resource ID of the resource that emitted the event. Only for Azure AKS logs. | keyword |
| kubernetes.audit.aks_metadata.service_build | The build of the service that the event is logging. Only for Azure AKS logs. | keyword |
| kubernetes.audit.aks_metadata.stream | keyword | |
| kubernetes.audit.aks_metadata.time | The timestamp (UTC) of the event being logged. Only for Azure AKS logs. | date |
| kubernetes.audit.annotations.authorization_k8s_io/decision | keyword | |
| kubernetes.audit.annotations.authorization_k8s_io/reason | text | |
| kubernetes.audit.annotations.pod-security_kubernetes_io/audit-violations | text | |
| kubernetes.audit.apiVersion | Audit event api version | keyword |
| kubernetes.audit.auditID | Unique audit ID, generated for each request | keyword |
| kubernetes.audit.impersonatedUser.extra.* | Any additional information provided by the authenticator | object |
| kubernetes.audit.impersonatedUser.groups | The names of groups this user is a part of | keyword |
| kubernetes.audit.impersonatedUser.uid | A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs | keyword |
| kubernetes.audit.impersonatedUser.username | The name that uniquely identifies this user among all active users | keyword |
| kubernetes.audit.kind | Kind of the audit event | keyword |
| kubernetes.audit.level | AuditLevel at which event was generated | keyword |
| kubernetes.audit.logName | keyword | |
| kubernetes.audit.objectRef.apiGroup | The name of the API group that contains the referred object. The empty string represents the core API group. | keyword |
| kubernetes.audit.objectRef.apiVersion | The version of the API group that contains the referred object | keyword |
| kubernetes.audit.objectRef.name | keyword | |
| kubernetes.audit.objectRef.namespace | keyword | |
| kubernetes.audit.objectRef.resource | keyword | |
| kubernetes.audit.objectRef.resourceVersion | keyword | |
| kubernetes.audit.objectRef.subresource | keyword | |
| kubernetes.audit.objectRef.uid | keyword | |
| kubernetes.audit.operation.first | boolean | |
| kubernetes.audit.operation.id | keyword | |
| kubernetes.audit.operation.last | boolean | |
| kubernetes.audit.operation.producer | keyword | |
| kubernetes.audit.protoPayload.@type | keyword | |
| kubernetes.audit.protoPayload.authenticationInfo.principalEmail | keyword | |
| kubernetes.audit.protoPayload.authorizationInfo.granted | boolean | |
| kubernetes.audit.protoPayload.authorizationInfo.permission | keyword | |
| kubernetes.audit.protoPayload.authorizationInfo.resource | keyword | |
| kubernetes.audit.protoPayload.methodName | keyword | |
| kubernetes.audit.protoPayload.requestMetadata.callerIp | ip | |
| kubernetes.audit.protoPayload.requestMetadata.callerSuppliedUserAgent | keyword | |
| kubernetes.audit.protoPayload.resourceName | keyword | |
| kubernetes.audit.protoPayload.serviceName | keyword | |
| kubernetes.audit.requestObject.roleRef.name | keyword | |
| kubernetes.audit.requestObject.rules | nested | |
| kubernetes.audit.requestObject.spec.containers.command | text | |
| kubernetes.audit.requestObject.spec.containers.image | keyword | |
| kubernetes.audit.requestObject.spec.containers.name | keyword | |
| kubernetes.audit.requestObject.spec.containers.securityContext.allowPrivilegeEscalation | boolean | |
| kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add | keyword | |
| kubernetes.audit.requestObject.spec.containers.securityContext.privileged | boolean | |
| kubernetes.audit.requestObject.spec.containers.securityContext.procMount | keyword | |
| kubernetes.audit.requestObject.spec.containers.securityContext.runAsGroup | integer | |
| kubernetes.audit.requestObject.spec.containers.securityContext.runAsNonRoot | boolean | |
| kubernetes.audit.requestObject.spec.containers.securityContext.runAsUser | integer | |
| kubernetes.audit.requestObject.spec.containers.securityContext.seccompProfile.type | keyword | |
| kubernetes.audit.requestObject.spec.containers.volumeMounts | flattened | |
| kubernetes.audit.requestObject.spec.hostIPC | boolean | |
| kubernetes.audit.requestObject.spec.hostNetwork | boolean | |
| kubernetes.audit.requestObject.spec.hostPID | boolean | |
| kubernetes.audit.requestObject.spec.restartPolicy | keyword | |
| kubernetes.audit.requestObject.spec.securityContext.runAsGroup | integer | |
| kubernetes.audit.requestObject.spec.securityContext.runAsNonRoot | boolean | |
| kubernetes.audit.requestObject.spec.securityContext.runAsUser | integer | |
| kubernetes.audit.requestObject.spec.serviceAccountName | keyword | |
| kubernetes.audit.requestObject.spec.type | keyword | |
| kubernetes.audit.requestObject.spec.volumes.hostPath | flattened | |
| kubernetes.audit.requestReceivedTimestamp | Time the request reached the apiserver | date |
| kubernetes.audit.requestURI | RequestURI is the request URI as sent by the client to a server | keyword |
| kubernetes.audit.resource.labels.cluster_name | keyword | |
| kubernetes.audit.resource.labels.location | keyword | |
| kubernetes.audit.resource.labels.project_id | keyword | |
| kubernetes.audit.resource.type | keyword | |
| kubernetes.audit.responseObject.roleRef.kind | keyword | |
| kubernetes.audit.responseObject.rules | nested | |
| kubernetes.audit.responseObject.spec.containers.securityContext.allowPrivilegeEscalation | boolean | |
| kubernetes.audit.responseObject.spec.containers.securityContext.privileged | boolean | |
| kubernetes.audit.responseObject.spec.containers.securityContext.runAsUser | integer | |
| kubernetes.audit.responseObject.spec.containers.volumeMounts | flattened | |
| kubernetes.audit.responseObject.spec.hostIPC | boolean | |
| kubernetes.audit.responseObject.spec.hostNetwork | boolean | |
| kubernetes.audit.responseObject.spec.hostPID | boolean | |
| kubernetes.audit.responseObject.spec.restartPolicy | keyword | |
| kubernetes.audit.responseObject.spec.volumes.hostPath | flattened | |
| kubernetes.audit.responseStatus.code | Suggested HTTP return code for this status, 0 if not set | integer |
| kubernetes.audit.responseStatus.message | A human-readable description of the status of this operation | text |
| kubernetes.audit.responseStatus.reason | A machine-readable description of why this operation is in the "Failure" status. If this value is empty there is no information available. A Reason clarifies an HTTP status code but does not override it | keyword |
| kubernetes.audit.responseStatus.status | Status of the operation | keyword |
| kubernetes.audit.sourceIPs | Source IPs, from where the request originated and intermediate proxies | text |
| kubernetes.audit.stage | Stage of the request handling when this event instance was generated | keyword |
| kubernetes.audit.stageTimestamp | Time the request reached current audit stage | date |
| kubernetes.audit.user.extra.* | Any additional information provided by the authenticator | object |
| kubernetes.audit.user.groups | The names of groups this user is a part of | keyword |
| kubernetes.audit.user.uid | A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs | keyword |
| kubernetes.audit.user.username | The name that uniquely identifies this user among all active users | keyword |
| kubernetes.audit.userAgent | UserAgent records the user agent string reported by the client. Note that the UserAgent is provided by the client, and must not be trusted | text |
| kubernetes.audit.verb | Verb is the kubernetes verb associated with the request. For non-resource requests, this is the lower-cased HTTP method | keyword |
| log.file.device_id | ID of the device containing the filesystem where the file resides. | keyword |
| log.file.fingerprint | The sha256 fingerprint identity of the file when fingerprinting is enabled. | keyword |
| log.file.idxhi | The high-order part of a unique identifier that is associated with a file. (Windows-only) | keyword |
| log.file.idxlo | The low-order part of a unique identifier that is associated with a file. (Windows-only) | keyword |
| log.file.inode | Inode number of the log file. | keyword |
| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
| log.file.vol | The serial number of the volume that contains a file. (Windows-only) | keyword |
| log.offset | Offset of the entry in the log file. | long |
| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
| orchestrator.api_version | API version being used to carry out the action | keyword |
| orchestrator.cluster.id | Unique ID of the cluster. | keyword |
| orchestrator.cluster.name | Name of the cluster. | keyword |
| orchestrator.namespace | Namespace in which the action is taking place. | keyword |
| orchestrator.resource.name | Name of the resource being acted upon. | keyword |
| orchestrator.resource.type | Type of resource being acted upon. | keyword |
| orchestrator.type | Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). | keyword |
| related.ip | All of the IPs seen on your event. | ip |
| related.user | All the user names or other user identifiers seen on the event. | keyword |
| source.ip | IP address of the source (IPv4 or IPv6). | ip |
| tags | List of keywords used to tag each event. | keyword |
| user.id | Unique identifier of the user. | keyword |
| user.name | Short name or login of the user. | keyword |
| user.name.text | Multi-field ofuser.name. | match_only_text |
| user_agent.original | Unparsed user_agent string. | keyword |
| user_agent.original.text | Multi-field ofuser_agent.original. | match_only_text |
This integration includes one or more Kibana dashboards that visualizes the data collected by the integration. The screenshots below illustrate how the ingested data is displayed.
Changelog
| Version | Details | Minimum Kibana version |
|---|---|---|
| 1.84.1 | Bug fix (View pull request) Add AWS authentication variables for CloudWatch input in audit_logs data stream and fix api_timeout variable name typo. | 9.3.0 9.2.4 9.1.10 |
| 1.84.0 | Enhancement (View pull request) Add kubernetes.container.status.last_terminated_exitcode field to the state_container data stream. | 9.3.0 9.2.4 9.1.10 |
| 1.83.0 | Enhancement (View pull request) Update the container logs documentation on how to ingest rotated logs, including GZIP-compressed logs. | 9.0.0 8.15.0 |
| 1.82.1 | Bug fix (View pull request) Fix field rename error in audit logs ingest pipeline. | 9.0.0 8.15.0 |
| 1.82.0 | Enhancement (View pull request) Allow to configure container_logs input id and update container logs documentation to include how to ingest rotated log files. | 9.0.0 8.15.0 |
| 1.81.1 | Bug fix (View pull request) Fix processing of Azure AKS audit logs. | 9.0.0 8.15.0 |
| 1.81.0 | Enhancement (View pull request) Support for collecting audit logs from cloud providers. | 9.0.0 8.15.0 |
| 1.80.2 | Bug fix (View pull request) Fixed typos in ssl node descriptions in manifest.yml files. | 9.0.0 8.15.0 |
| 1.80.1 | Bug fix (View pull request) Added description to ssl.certificate_authorities and ssl.verification_mode, including links to documentation. | 9.0.0 8.15.0 |
| 1.80.0 | Enhancement (View pull request) Add support for Kibana 9.0.0 | 9.0.0 8.15.0 |
| 1.70.2 | Enhancement (View pull request) Update the container logs documentation | 8.15.0 |
| 1.70.1 | Bug fix (View pull request) Fix kubernetes.pod.cpu.usage.nanocores unit | 8.15.0 |
| 1.70.0 | Enhancement (View pull request) Make fingerprint configurable | 8.15.0 |
| 1.69.0 | Enhancement (View pull request) Added datatype for audit log field annotations.pod-security_kubernetes_io/audit-violation | 8.15.0 |
| 1.68.1 | Bug fix (View pull request) Fix Overview dashboard Kibana id | 8.15.0 |
| 1.68.0 | Enhancement (View pull request) Use filestream fingerprint mode by default for container_logs datastream | 8.15.0 |
| 1.67.0 | Enhancement (View pull request) Add both pod.{cpu,memory}.usage.node.pct and pod.{cpu,memory}.usage.limit.pct metrics to the Overview dashboard | 8.15.0 |
| 1.66.4 | Bug fix (View pull request) Updating Cluster Overview Dashboard to use container.id as filter and replaced median functions from visualisations | 8.15.0 |
| 1.66.3 | Enhancement (View pull request) Updating mapping of the field groups to keyword in kubernetes.audit_logs | 8.15.0 |
| 1.66.2 | Bug fix (View pull request) Fixing missing processor block in kubernetes.audit_logs | 8.15.0 |
| 1.66.1 | Bug fix (View pull request) Fixing Title in Volumes Dashboard | 8.15.0 |
| 1.66.0 | Enhancement (View pull request) Adding Volume Usage per pod in Kubernetes Volume Dashboard | 8.15.0 |
| 1.65.0 | Enhancement (View pull request) Add last_terminated_timestamp metric to the kubernetes.state_container datastream | 8.15.0 |
| 1.64.0 | Enhancement (View pull request) Move namespace filter to the group level configuration | 8.15.0 |
| 1.63.1 | Bug fix (View pull request) Fix typo in kubernetes.audit ingest pipeline | 8.15.0 |
| 1.63.0 | Enhancement (View pull request) Add pod.status_reason and pod.status.ready_time fields to the state_pod datastream | 8.15.0 |
| 1.62.1 | Bug fix (View pull request) Fix kubernetes.audit ingest pipeline | 8.14.0 |
| 1.62.0 | Enhancement (View pull request) Add new mappings to the kubernetes.audit datastream | 8.14.0 |
| 1.61.1 | Bug fix (View pull request) Remove percent unit for pod memory metrics | 8.14.0 |
| 1.61.0 | Enhancement (View pull request) Remove deprecated fields and add missing status.last_terminated_reason metric | 8.14.0 |
| 1.60.0 | Bug fix (View pull request) Updating Memory used vs total memory andCores used vs total cores visualisations in Cluster Overview Dashboard | 8.14.0 |
| 1.59.0 | Enhancement (View pull request) Add metadata fields to state_namespace data stream. | 8.14.0 |
| 1.58.0 | Enhancement (View pull request) Migrate to format_version v3. | 8.12.0 |
| 1.57.0 | Enhancement (View pull request) Container logs preserve original content based on pod annotations. | 8.12.0 |
| 1.56.0 | Enhancement (View pull request) Add new fields to API server, state_node and persistent volume claim data streams. | 8.12.0 |
| 1.55.1 | Enhancement (View pull request) Modify the field definitions to reference ECS. | 8.11.0 |
| 1.55.0 | Enhancement (View pull request) Remove extra base fields from state data streams. | 8.11.0 |
| 1.54.0 | Enhancement (View pull request) Expand condition support to remaining inputs | 8.11.0 |
| 1.53.0 | Enhancement (View pull request) Update size of the metric visualizations | 8.11.0 |
| 1.52.0 | Enhancement (View pull request) Add new data stream state_namespace. | 8.11.0 |
| 1.51.0 | Enhancement (View pull request) Migrate Deployments dashboard visualizations to lens. | 8.10.2 |
| 1.50.0 | Enhancement (View pull request) Migrate Cronjobs dashboard visualizations to lens | 8.10.2 |
| 1.49.0 | Enhancement (View pull request) Migrate DaemonSets dashboard visualizations to lens. | 8.10.2 |
| 1.48.0 | Enhancement (View pull request) Migrate StatefulSets dashboard visualizations to lens. | 8.10.2 |
| 1.47.0 | Enhancement (View pull request) Migrate Jobs dashboard visualizations to lens. | 8.10.2 |
| 1.46.0 | Enhancement (View pull request) Adapt fields for changes in file system info | 8.10.1 |
| 1.45.0 | Enhancement (View pull request) Reroute container logs based on pod annotations. | 8.10.0 |
| 1.44.0 | Enhancement (View pull request) Introducing kubernetes.deployment.status.* metrics | 8.10.0 |
| 1.43.1 | Enhancement (View pull request) Updating index pattern for adHocDataviews for CCS use case | 8.8.0 |
| 1.43.0 | Enhancement (View pull request) Expand index pattern for adHocDataviews for CCS use case | 8.8.0 |
| 1.42.0 | Enhancement (View pull request) Add permissions to reroute events to logs-- for container_logs datastream | 8.8.0 |
| 1.41.0 | Enhancement (View pull request) Enable time series data streams for the metrics datasets. This improves storage usage and query performance. For more details, seehttps://www.elastic.co/guide/en/elasticsearch/reference/current/tsds.html | 8.8.0 |
| 1.40.0 | Bug fix (View pull request) Fix system tests for kubernetes integration for k8s v1.27.0 | 8.8.0 |
| 1.40.0-beta.2 | Bug fix (View pull request) Fix volume dashboard. | — |
| 1.40.0-beta.1 | Bug fix (View pull request) Fix proxy and scheduler visualization with missing sort field. | — |
| 1.40.0-beta | Enhancement (View pull request) Enable TSDS for metrics data_streams, except events for beta testing | — |
| 1.39.0 | Enhancement (View pull request) Remove container.name as a dimension. | 8.6.1 |
| 1.38.1 | Enhancement (View pull request) Switch max to last value on counter formulas and add missing sort field to proxy, controller manager and scheduler dashboard. | 8.6.1 |
| 1.38.0 | Enhancement (View pull request) Fix Pod dashboard and remove some visualisations from Api Server dashboard to support TSDB migration | 8.6.1 |
| 1.37.0 | Enhancement (View pull request) Update proxy, controller manager and scheduler dashboard to support TSDB. | 8.6.1 |
| 1.36.0 | Enhancement (View pull request) Add container.name dimension to container data stream | 8.6.1 |
| 1.35.0 | Enhancement (View pull request) Add NetworkUnavailable condition to state node | 8.6.1 |
| 1.34.1 | Enhancement (View pull request) Add support for TSDB on all metric data streams except the state ones | 8.6.1 |
| 1.34.0 | Enhancement (View pull request) Add support for TSDB on all state metric data streams | 8.6.1 |
| 1.33.0 | Enhancement (View pull request) Add data_stream.dataset setting and custom yaml input. | 8.6.1 |
| 1.32.2 | Enhancement (View pull request) Added link to docs for condition filter | 8.6.1 |
| 1.32.1 | Enhancement (View pull request) Added categories and/or subcategories. | 8.6.1 |
| 1.32.0 | Enhancement (View pull request) Add documentation for how to install alerts | 8.6.1 |
| 1.31.2 | Enhancement (View pull request) Add system testing for state service datastream | 8.6.1 |
| 1.31.1 | Enhancement (View pull request) Update controller manager, proxy and scheduler metrics and dashboards | 8.6.1 |
| 1.31.0 | Enhancement (View pull request) Use datas_tream.dataset as pre filters for dashboards and remove tags | 8.6.0 |
| 1.30.0 | Enhancement (View pull request) Add missing namespace_uid and namespace_labels fields | 8.6.0 |
| 1.29.2 | Bug fix (View pull request) Fix function for memory node usage | 8.5.0 |
| 1.29.1 | Bug fix (View pull request) Fix removed condition setting for container_logs | 8.5.0 |
| 1.29.0 | Bug fix (View pull request) Remove "Control Plane" column from Node Information table | 8.5.0 |
| 1.28.2 | Bug fix (View pull request) Fix Pod Memory usage panel title | 8.5.0 |
| 1.28.1 | Enhancement (View pull request) Delete statefulset, job and cronjob visualizations from Cluster Overview dashboard | 8.5.0 |
| 1.28.0 | Enhancement (View pull request) Adding banner for Kube-state metrics | 8.5.0 |
| 1.27.1 | Enhancement (View pull request) Fix typo in cluster overview dashboard | 8.5.0 |
| 1.27.0 | Enhancement (View pull request) New cluster overview dashboard | 8.5.0 |
| 1.26.0 | Enhancement (View pull request) Add processors configuration option for Kubernetes data_streams | 8.4.0 |
| 1.25.0 | Enhancement (View pull request) Add condition configuration option to container logs data stream | 8.4.0 |
| 1.24.0 | Enhancement (View pull request) Add fields to audit logs data stream | 8.4.0 |
| 1.23.1 | Enhancement (View pull request) Add missing dimension fields | 8.4.0 |
| 1.23.0 | Enhancement (View pull request) Add fields to audit logs data stream | 8.4.0 |
| 1.22.1 | Enhancement (View pull request) Fix overlapping fields in state_job data stream | 8.4.0 |
| 1.22.0 | Enhancement (View pull request) Update apiserver and controllermanaged deprecated fields and dashboards | 8.4.0 |
| 1.21.2 | Bug fix (View pull request) add container ID and pod name as part of Kubernetes Cotainer Logs filestream input | 8.3.0 |
| 1.21.1 | Enhancement (View pull request) improved the wording of the link to Kubernetes documentation | 8.3.0 |
| 1.21.0 | Enhancement (View pull request) Add new dashboards | 8.3.0 |
| 1.20.0 | Enhancement (View pull request) Change fields type for audit_logs data_stream to use requestObject andresponseObject fields of audit events. Disable dynamic mapping for audit_logs data_stream. Dropkubernetes.audit.responseObject.metadata andkubernetes.audit.requestObject.metadata | 8.2.0 |
| 1.19.1 | Enhancement (View pull request) Add documentation for volume field | 8.2.0 |
| 1.19.0 | Enhancement (View pull request) Add missed ecs fields | 8.2.0 |
| 1.18.1 | Enhancement (View pull request) Add documentation for multi-fields | 8.2.0 |
| 1.18.0 | Enhancement (View pull request) Fix k8s overview dashboard | 8.2.0 |
| 1.17.3 | Bug fix (View pull request) Remove incorrectly tagged boolean dimension | 8.0.0 7.16.0 |
| 1.17.2 | Bug fix (View pull request) Add missing metadata fields | 8.0.0 7.16.0 |
| 1.17.1 | Enhancement (View pull request) Improve default ndjson parser configuration | — |
| 1.17.0 | Enhancement (View pull request) Disable audit logs collection by default | — |
| 1.16.0 | Enhancement (View pull request) Documentation improvements | — |
| 1.15.0 | Enhancement (View pull request) Add ssl.certificate_authorities configuration | — |
| 1.14.3 | Bug fix (View pull request) Add missing job.name and cronjob.name fields to state_container datastream | — |
| 1.14.2 | Bug fix (View pull request) Add missing job.name and cronjob.name fields to container related datastreams | — |
| 1.14.1 | Bug fix (View pull request) Add missing job.name and cronjob.name fields added by metadata generators | — |
| 1.14.0 | Enhancement (View pull request) Tune state_metrics settings | — |
| 1.13.0 | Enhancement (View pull request) Update to ECS 8.0 | — |
| 1.12.0 | Enhancement (View pull request) Expose add_recourse_metadata configuration option | — |
| 1.11.0 | Enhancement (View pull request) Add memory.working_set.limit.pct for pod and container data streams | — |
| 1.10.0 | Enhancement (View pull request) Add leader election in state_job data stream | — |
| 1.9.0 | Enhancement (View pull request) Add missing fields | 8.0.0 7.16.0 |
| 1.8.1 | Bug fix (View pull request) Set kubernetes.volume.fs.used.pct to scaled_float | 8.0.0 7.16.0 |
| 1.8.0 | Enhancement (View pull request) Support json logs parsing | 8.0.0 7.16.0 |
| 1.7.0 | Enhancement (View pull request) Add new audit logs data stream in kubernetes integration | 8.0.0 7.16.0 |
| 1.6.0 | Enhancement (View pull request) Add skip_older option for event datastream | 8.0.0 7.16.0 |
| 1.5.0 | Enhancement (View pull request) Revert Kubernetes namespace field breaking change | 8.0.0 7.16.0 |
| 1.4.2 | Enhancement (View pull request) Add dimension fields | — |
| 1.4.1 | Enhancement (View pull request) Remove overriding of index pattern on the Kubernetes overview dashboard | 8.0.0 |
| 1.4.0 | Enhancement (View pull request) Use filestream input for container_logs data stream | — |
| 1.3.3 | Bug fix (View pull request) Fix conditions of data_streams that are based on k8s labels & add condition in pipelines | — |
| 1.3.2 | Enhancement (View pull request) Set default host for proxy to localhost | — |
| 1.3.1 | Enhancement (View pull request) Uniform with guidelines | — |
| 1.3.0 | Enhancement (View pull request) Add container_logs ecs fields | — |
| 1.2.1 | Bug fix (View pull request) Update Kubernetes cluster_ip field type | — |
| 1.2.0 | Enhancement (View pull request) Update Kubernetes namespace field | — |
| 1.1.1 | Bug fix (View pull request) Update Kubernetes integration Readme | — |
| 1.1.0 | Enhancement (View pull request) Update to ECS 1.12.0 | 7.15.0 |
| 1.0.0 | Enhancement (View pull request) Release Kubernetes as GA | — |
| 0.14.1 | Enhancement (View pull request) Update default host in kubernetes proxy data stream in kubernetes integration | — |
| 0.14.0 | Enhancement (View pull request) Add new container logs data stream in kubernetes integration | — |
| 0.13.0 | Enhancement (View pull request) Leverage dynamic kubernetes provider for controller and scheduler datastream | — |
| 0.12.2 | Bug fix (View pull request) Add missing field "kubernetes.daemonset.name" field for pod and container data streams | — |
| 0.12.1 | Bug fix (View pull request) Add missing cluster filter for "orchestrator.cluster.name" field in [Metrics Kubernetes] Overview dashboard and Dashboard section in the integration overview page | — |
| 0.12.0 | Enhancement (View pull request) Update kubernetes package ecs fields with orchestrator.cluster.url and orchestrator.cluster.name | — |
| 0.11.1 | Enhancement (View pull request) Escape special characters in docs | — |
| 0.11.0 | Enhancement (View pull request) Update documentation to fit mdx spec | — |
| 0.10.0 | Enhancement (View pull request) Update integration description | — |
| 0.9.1 | Bug fix (View pull request) Add missing field "kubernetes.daemonset.name" field for state_pod and state_container | — |
| 0.9.0 | Enhancement (View pull request) Enhance kubernetes package with state_job data stream | — |
| 0.8.0 | Enhancement (View pull request) Leverage leader election in kubernetes integration | — |
| 0.7.0 | Enhancement (View pull request) Add _meta information to Kubernetes fields | — |
| 0.6.0 | Enhancement (View pull request) Introduce kubernetes package granularity using input_groups | — |
| 0.5.3 | Enhancement (View pull request) Add missing field "kubernetes.statefulset.replicas.ready" | — |
| 0.5.2 | Bug fix (View pull request) Fix stack compatability | — |
| 0.5.1 | Bug fix (View pull request) Fix references to env variables | — |
| 0.5.0 | Enhancement (View pull request) Add missing field "kubernetes.selectors.*" and extra https settings for controllermanager and scheduler datastreams | — |
| 0.4.5 | Enhancement (View pull request) Add missing field "kubernetes.pod.ip" | — |
| 0.4.4 | Enhancement (View pull request) Updating package owner | — |
| 0.4.3 | Bug fix (View pull request) Correct sample event file. | — |
| 0.4.2 | Bug fix (View pull request) Change kibana.version constraint to be more conservative. | — |
| 0.4.1 | Enhancement (View pull request) Add missing fields | — |
| 0.1.0 | Enhancement (View pull request) initial release | — |