Quick start: Kubernetes API audit logs
Use this guide to quickly set up delivery of Kubernetes API audit logs from LKE Enterprise clusters to your chosen destination. To learn more about this log type, see Kubernetes API audit logs.
This guide focuses on Cloud Manager. For a similar workflow using the API, see Configure audit log delivery.
Before you begin
Before creating a Kubernetes API audit log stream, make sure you have the following:
- Access to this feature. To request access, create a support ticket requesting that Kubernetes API audit logs be enabled on your account.
- The required authentication and access permissions for managing streams and destinations.
- The configuration details for your destination (Object Storage or Custom HTTPS endpoint).
- The list of LKE Enterprise clusters you want to include in your audit logs. These clusters must be in a supported region.
Step 1: Prepare your destination
Before creating a stream, make sure your Object Storage or Custom HTTPS destination is set up and ready to receive logs.
Object Storage bucket
To ensure logs stay secure and tamper-resistant, configure your bucket in a way that prevents accidental changes, unauthorized access, or early deletion. This includes:
- Creating a bucket for storing logs with Object Lock enabled to prevent deletion or overwriting before the retention period ends
- Configuring appropriate retention settings
- Generating access keys with permission to write to the bucket
Object Lock requires S3 API: Object Lock must be enabled when the bucket is created; it cannot be added later. To enable it, use the S3 API. Object Lock cannot be enabled through the Linode API or Cloud Manager.
For guidance, see Protect logs in Object Storage.
Custom HTTPS endpoint
To deliver logs to a custom HTTPS destination, ensure your endpoint is set up and ready to receive log data. You'll need to:
- Provide a valid HTTPS endpoint that can accept incoming log data
- Ensure the endpoint is accessible from the log delivery service
- Provide the required connection details
Use Akamai CDN IP address lists for ACL configuration: If your destination is protected by a firewall or IP-based access control list (ACL), configure it using the same IP address lists as origin IP access lists for the Akamai CDN.
Step 2: Enable audit logging on your clusters
Before creating a Kubernetes API audit log stream, you must enable audit logging on each cluster you want to include. Currently, this must be done using the API.
- Run the Update a Kubernetes cluster operation for an existing cluster, or the Create a Kubernetes cluster operation to create a new cluster.
- Set audit_logs_enabled: true in the control_plane object:
    "control_plane": {
      "audit_logs_enabled": true
    },
Step 3: Create a log stream
To start delivering logs, create a log stream. This stream defines where logs should be sent.
To create a stream in Cloud Manager:
- Log in to Cloud Manager, expand Monitor in the main menu, and select Logs.
- On the Streams tab, click Create Stream.
- Enter a name for your stream.
- Select the stream type Kubernetes audit logs.
- Select the clusters to include. Only the clusters you enabled in Step 2 can be selected.
- Select the destination type: Object Storage or Custom HTTPS.
- Type a unique name for your destination.
  Use an existing destination: You can create a destination on the Destinations page before creating a log stream. If you've already created a destination, enter its name and the destination details are automatically populated.
- Enter the destination details.
  - Object Storage bucket:
    - Endpoint associated with your bucket's region
    - Name of the bucket
    - Prefix used to organize log files within the bucket
    - Access key ID used for authentication
    - Secret access key used with the access key ID
  - Custom HTTPS endpoint:
    - Endpoint (HTTPS URL) to receive log data
    - Authentication type used for requests: None, which requires no authentication, or Basic, which requires a username and password
    - (optional) Content type that defines the format and character encoding of the delivered log data
    - (optional) Custom HTTPS headers included with each request, each with a name and value
    - (optional) TLS certificate information
  See Log destinations for more information about these fields.
- Review your configuration details to ensure everything is correct. You can also test your connection by clicking Test Connection in the right pane.
- Click Create Stream.
Step 4: Verify log delivery
After creating your stream, confirm that logs are being delivered to your destination.
- Check your stream's status on the Streams tab of the Logs page in Cloud Manager. A stream's status changes from Provisioning to Active once provisioning is complete.
- Allow up to 45 minutes for logs to begin arriving at the destination.
- Once logs are being delivered, confirm the log format and data are correct.
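One way to do the format check in the last step, as an added example that is not part of the original guide. It assumes the destination receives newline-delimited JSON in the standard Kubernetes audit.k8s.io/v1 Event schema, which this guide does not specify; the function name and the sample lines are constructed for illustration.

```python
import json

# Fields present on every audit.k8s.io/v1 Event regardless of audit level.
REQUIRED = ("auditID", "level", "stage", "verb", "requestURI")
STAGES = {"RequestReceived", "ResponseStarted", "ResponseComplete", "Panic"}

def check_audit_lines(lines):
    """Validate newline-delimited audit events; return (summary, problems)."""
    summary = {"events": 0, "verbs": {}, "denied": 0}
    problems = []
    for n, raw in enumerate(lines, 1):
        if not raw.strip():
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError as exc:
            problems.append(f"line {n}: invalid JSON ({exc.msg})")
            continue
        if not isinstance(ev, dict) or ev.get("kind") != "Event" \
                or not str(ev.get("apiVersion", "")).startswith("audit.k8s.io/"):
            problems.append(f"line {n}: not an audit.k8s.io Event")
            continue
        missing = [f for f in REQUIRED if f not in ev]
        if missing:
            problems.append(f"line {n}: missing {', '.join(missing)}")
            continue
        if ev["stage"] not in STAGES:
            problems.append(f"line {n}: unknown stage {ev['stage']!r}")
            continue
        summary["events"] += 1
        summary["verbs"][ev["verb"]] = summary["verbs"].get(ev["verb"], 0) + 1
        # 401/403 responses are worth a look when reviewing a new stream.
        if (ev.get("responseStatus") or {}).get("code") in (401, 403):
            summary["denied"] += 1
    return summary, problems

# Constructed sample lines (assumed delivery format, not real cluster output).
SAMPLE = [
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1","stage":"ResponseComplete","verb":"get","requestURI":"/api/v1/namespaces/default/pods","user":{"username":"example-user"},"responseStatus":{"code":200}}',
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a2","stage":"ResponseComplete","verb":"delete","requestURI":"/api/v1/namespaces/default/secrets/example","user":{"username":"example-user"},"responseStatus":{"code":403}}',
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a3"',
    '{"kind":"Pod","apiVersion":"v1"}',
]

if __name__ == "__main__":
    summary, problems = check_audit_lines(SAMPLE)
    print(summary)
    for p in problems:
        print("PROBLEM:", p)
```

To check real data, pass the lines of a delivered log object (decompressed first if your destination stores it compressed) to check_audit_lines in place of SAMPLE.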
