Kubernetes Audit Logs
Kubernetes API server audit log events — CRUD operations on cluster resources, health probes, RBAC access checks, watch streams, pod exec/attach, and API discovery across a multi-namespace production cluster.
Quick Start
```shell
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
  --path generators/kubernetes-audit/generator.yml \
  --id kubernetes-audit \
  --live-mode true
```

Event Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| health-probe | Health/readiness/liveness probe checks | ~25% | web |
| get-resource | GET single resource (pods, services, configmaps, secrets) | ~17% | web |
| list-resource | LIST resources across namespaces | ~13% | web |
| watch-resource | Long-running WATCH streams from controllers/operators | ~15% | web |
| api-discovery | API discovery endpoints (/api, /apis, /openapi) | ~10% | web |
| create-resource | CREATE new resources (pods, deployments, services) | ~5% | web |
| update-resource | UPDATE/PATCH existing resources and status subresources | ~5% | web |
| delete-resource | DELETE resources | ~2% | web |
| rbac-access | RBAC operations (clusterroles, roles, bindings) | ~5% | iam |
| exec-attach | Pod exec, attach, port-forward, and log access | ~3% | process |
Realism Features
- Jinja2 base template macro eliminates boilerplate across 10 templates
- Multi-namespace cluster — 8 namespaces with weighted selection
- Error injection (~3%) — 403, 404, 409, 422 status codes
- Realistic user agents — kubectl, kube-probe, controller-manager, operator SDKs
- 5 identity types — human users, service accounts, system components
- Full audit metadata — auditID, request/stage timestamps, annotations
Sample Output
```json
{
  "@timestamp": "2026-03-06T14:30:45.123456+00:00",
  "agent": {
    "ephemeral_id": "d27511c8-9cd1-402c-8b1b-234abbd9dcae",
    "id": "6e730a0c-7da5-48ff-b4c9-f6c63844975d",
    "name": "kind-control-plane",
    "type": "filebeat",
    "version": "8.17.0"
  },
  "ecs": {"version": "8.17.0"},
  "data_stream": {
    "dataset": "kubernetes.audit_logs",
    "namespace": "default",
    "type": "logs"
  },
  "event": {
    "action": "get",
    "category": ["web"],
    "dataset": "kubernetes.audit_logs",
    "kind": "event",
    "module": "kubernetes",
    "outcome": "success",
    "type": ["access"]
  },
  "kubernetes": {
    "audit": {
      "auditID": "bcacfeaa-5ab5-48de-8bac-3a87d1474b6a",
      "apiVersion": "audit.k8s.io/v1",
      "kind": "Event",
      "level": "RequestResponse",
      "stage": "ResponseComplete",
      "verb": "get",
      "requestURI": "/api/v1/namespaces/production/pods/api-server-7b8c9d-x4k2m",
      "user": {
        "username": "alice.chen@acme.io",
        "groups": ["system:authenticated", "developers"]
      },
      "sourceIPs": ["10.0.15.42"],
      "userAgent": "kubectl/v1.29.2 (linux/amd64)",
      "responseStatus": {"metadata": {}, "code": 200},
      "requestReceivedTimestamp": "2026-03-06T14:30:45.123456Z",
      "stageTimestamp": "2026-03-06T14:30:45.124567Z"
    }
  },
  "orchestrator": {
    "cluster": {"name": "production-cluster"},
    "type": "kubernetes"
  },
  "related": {"ip": ["10.0.15.42"], "user": ["alice.chen@acme.io"]},
  "source": {"ip": "10.0.15.42"},
  "tags": ["forwarded", "kubernetes-audit"],
  "user": {"name": "alice.chen@acme.io"},
  "user_agent": {"original": "kubectl/v1.29.2 (linux/amd64)"}
}
```

Parameters
| Parameter | Default | Description |
|---|---|---|
| agent_id | 6e730a0c-... | Filebeat agent UUID |
| agent_version | 8.17.0 | Elastic Agent version |
| agent_name | kind-control-plane | Agent hostname |
| cluster_name | production-cluster | Kubernetes cluster name |
| error_rate | 3 | Error injection rate (percentage, 0-100) |
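The generated events are meant to be fed into a detection pipeline, so it helps to see how the Event Types table and the Sample Output shape map onto consumer-side logic. The script below is an added example, not code from the eventum-generator content pack: it parses `kubernetes.audit.requestURI` into group/version/namespace/resource/name/subresource, classifies each event into the table's type IDs (health-probe, get-resource, exec-attach, rbac-access, and so on) using the same URI and verb rules a SOC rule would, and tags the events a reviewer would look at first (interactive pod access, secret reads, RBAC writes, 403 responses). The `make_event` helper, the eight sample events, the auditIDs `e1`..`e8` and the tag names are all constructed for this example.

```python
"""Classify and triage Kubernetes audit events in the ECS shape shown above.

Added example; not part of the eventum-generator content pack. Only the
kubernetes.audit.* fields from the Sample Output are used. Sample events,
auditIDs and tag names below are constructed for this example.
"""
from collections import Counter
from urllib.parse import urlsplit

HEALTH_PATHS = {"healthz", "readyz", "livez"}
EXEC_SUBRESOURCES = {"exec", "attach", "portforward", "log"}
RBAC_RESOURCES = {"roles", "rolebindings", "clusterroles", "clusterrolebindings"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
VERB_TYPES = {
    "get": "get-resource", "list": "list-resource", "watch": "watch-resource",
    "create": "create-resource", "update": "update-resource", "patch": "update-resource",
    "delete": "delete-resource", "deletecollection": "delete-resource",
}


def parse_request_uri(uri):
    """Split an API server path into group/version/namespace/resource/name/subresource."""
    parts = [p for p in urlsplit(uri).path.split("/") if p]   # query string dropped
    info = dict(group="", version="", namespace="", resource="", name="", subresource="")
    if parts[:1] == ["api"]:                                   # core group: /api/v1/...
        rest = parts[1:]
        if rest:
            info["version"], rest = rest[0], rest[1:]
    elif parts[:1] == ["apis"] and len(parts) >= 3:            # named group: /apis/<group>/<version>/...
        info["group"], info["version"], rest = parts[1], parts[2], parts[3:]
    else:                                                      # /apis, /apis/<group>, /openapi, /healthz, ...
        return info
    if len(rest) >= 3 and rest[0] == "namespaces":             # namespaced resource path
        info["namespace"], rest = rest[1], rest[2:]
    for key, value in zip(("resource", "name", "subresource"), rest):
        info[key] = value
    return info


def classify(event):
    """Map one event to an Event ID from the Event Types table."""
    audit = event["kubernetes"]["audit"]
    head = urlsplit(audit["requestURI"]).path.strip("/").split("/")[0]
    if head in HEALTH_PATHS:
        return "health-probe"
    req = parse_request_uri(audit["requestURI"])
    if not req["resource"]:                  # /api, /apis/<group>/<version>, /openapi/...
        return "api-discovery"
    if req["subresource"] in EXEC_SUBRESOURCES:
        return "exec-attach"
    if req["resource"] in RBAC_RESOURCES:
        return "rbac-access"
    return VERB_TYPES.get(audit["verb"], "unknown")


def triage(event):
    """Return review tags (constructed names) for events a SOC typically looks at first."""
    audit = event["kubernetes"]["audit"]
    req = parse_request_uri(audit["requestURI"])
    user = audit["user"]["username"]
    tags = []
    if req["subresource"] in EXEC_SUBRESOURCES and not user.startswith("system:"):
        tags.append("interactive-pod-access")   # exec/attach/port-forward/logs by a non-system identity
    if req["resource"] == "secrets" and audit["verb"] in ("get", "list", "watch"):
        tags.append("secret-read")
    if req["resource"] in RBAC_RESOURCES and audit["verb"] in WRITE_VERBS:
        tags.append("rbac-change")
    if audit["responseStatus"]["code"] == 403:
        tags.append("forbidden")                # clusters of 403s from one identity are worth a look
    return tags


def run(events):
    """Return (counts per event type, {auditID: tags}) for a batch of events."""
    counts = Counter(classify(e) for e in events)
    findings = {}
    for e in events:
        tags = triage(e)
        if tags:
            findings[e["kubernetes"]["audit"]["auditID"]] = tags
    return dict(counts), findings


def make_event(audit_id, verb, uri, user, code=200,
               agent="kubectl/v1.29.2 (linux/amd64)", ip="10.0.15.42"):
    """Build a minimal event in the documented ECS shape (constructed sample data)."""
    return {
        "event": {"action": verb, "outcome": "success" if code < 400 else "failure"},
        "kubernetes": {"audit": {
            "auditID": audit_id, "apiVersion": "audit.k8s.io/v1", "kind": "Event",
            "stage": "ResponseComplete", "verb": verb, "requestURI": uri,
            "user": {"username": user, "groups": ["system:authenticated"]},
            "sourceIPs": [ip], "userAgent": agent,
            "responseStatus": {"metadata": {}, "code": code},
        }},
        "source": {"ip": ip}, "user": {"name": user},
    }


# Constructed sample batch covering the event types from the table.
SAMPLE_EVENTS = [
    make_event("e1", "get", "/api/v1/namespaces/production/pods/api-server-7b8c9d-x4k2m", "alice.chen@acme.io"),
    make_event("e2", "get", "/readyz", "system:anonymous", agent="kube-probe/1.29", ip="10.0.0.1"),
    make_event("e3", "watch", "/api/v1/pods?watch=true&resourceVersion=0", "system:kube-controller-manager",
               agent="kube-controller-manager/v1.29.2 (linux/amd64)"),
    make_event("e4", "get", "/apis/apps/v1", "alice.chen@acme.io"),
    make_event("e5", "create", "/api/v1/namespaces/production/pods/api-server-7b8c9d-x4k2m/exec", "alice.chen@acme.io"),
    make_event("e6", "list", "/api/v1/namespaces/production/secrets", "system:serviceaccount:production:ci-runner"),
    make_event("e7", "create", "/apis/rbac.authorization.k8s.io/v1/clusterrolebindings", "bob.lee@acme.io"),
    make_event("e8", "get", "/api/v1/namespaces/kube-system/secrets/bootstrap-token",
               "system:serviceaccount:production:ci-runner", code=403),
]

if __name__ == "__main__":
    counts, findings = run(SAMPLE_EVENTS)
    print(counts)
    print(findings)
```

Pointing `run` at events produced by this generator lets you check that the observed type mix matches the Frequency column before wiring the same rules into a real pipeline; the `forbidden` tag is where the `error_rate` parameter shows up, so raising it is a quick way to exercise that path.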
Related Generators
AWS CloudTrail Management Events
AWS CloudTrail audit trail — API calls across EC2, IAM, STS, and S3 from a multi-account organization. Includes console logins, role assumptions, error injection, and 4 identity types.
AWS GuardDuty Findings
AWS GuardDuty threat detection findings across EC2, IAM, and S3 resources. Covers 8 categories — Recon, UnauthorizedAccess, Policy, Trojan, Impact, CryptoCurrency, Stealth, and Backdoor — with 27 finding types, 10 threat actor IPs, and geo/ASN enrichment.
AWS VPC Flow Logs
AWS VPC Flow Logs (v5) — network traffic records across multiple accounts, VPCs, and subnets. TCP/UDP/ICMP flows with ACCEPT/REJECT actions, NAT gateway traffic, and realistic byte/packet distributions.