KubeArmor's relay server collects all messages, alerts, and system logs generated by KubeArmor on each node, and then lets other logging systems collect them through the relay server's Kubernetes service ('kubearmor.kube-system.svc').
By default, the relay server is deployed together with KubeArmor.
KubeArmor emits the following types of events:
- Alert: emitted when a policy is violated
- Log: emitted when a pod executes a syscall or any other action (such as file access, process creation, network socket create/connect/accept, etc.)
- Message: internal KubeArmor daemon messages
There are two approaches one can take to stream KubeArmor events:
- Using the kubearmor-relay stdout: This is the easiest way. If the SIEM tool connects to the Kubernetes pod logging interface, all KubeArmor events (across all nodes) are available on the kubearmor-relay stdout. Fluentd and Microsoft Sentinel support this mode, where the stdout of the pod is streamed to the SIEM tool.
- Creating an adapter for the SIEM tool: kubearmor-relay events can be accessed using its gRPC server (ref code) and then streamed to the SIEM tool (Splunk/ELK/MS Sentinel ...).
(Figure: Microsoft Sentinel is used as the example SIEM in the accompanying diagram.)
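As an added example (not part of the KubeArmor project or this page), the core of the adapter approach above: parse the JSON lines the relay writes per event, sort each into the three event kinds listed above (Alert, Log, Message), and flatten it into a record a SIEM forwarder can ship. The sample lines are constructed, and the field names (PolicyName, Type, Severity, Message, ...) are assumptions modelled on KubeArmor's event format; check them against a real relay's output before relying on them.

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed sample of relay stdout: one JSON event per line, plus a noise line
# that a robust adapter must skip rather than crash on. Field names are assumed.
SAMPLE_STDOUT = """\
{"Timestamp":1700000000,"ClusterName":"default","HostName":"node-1","NamespaceName":"demo","PodName":"web-0","ContainerName":"nginx","PolicyName":"block-shell","Severity":"5","Type":"MatchedPolicy","Source":"/bin/bash","Operation":"Process","Resource":"/bin/bash","Action":"Block","Result":"Permission denied"}
{"Timestamp":1700000001,"ClusterName":"default","HostName":"node-1","NamespaceName":"demo","PodName":"web-0","ContainerName":"nginx","Type":"ContainerLog","Source":"/usr/sbin/nginx","Operation":"File","Resource":"/etc/nginx/nginx.conf","Result":"Passed"}
{"Timestamp":1700000002,"ClusterName":"default","HostName":"node-1","Type":"Message","Level":"Info","Message":"Started to monitor system events"}
not json at all
"""


def classify(event: Dict[str, Any]) -> str:
    """Map one relay event to the three kinds the relay emits: Alert, Log, Message."""
    if "PolicyName" in event or event.get("Type") in ("MatchedPolicy", "MatchedHostPolicy"):
        return "Alert"          # a policy matched: this is what the SIEM should alert on
    if "Message" in event:
        return "Message"        # internal daemon message, useful for health dashboards
    return "Log"                # plain telemetry (syscall / file / process / network)


def to_siem_record(event: Dict[str, Any]) -> Dict[str, Any]:
    """Flatten an event into namespaced key/value pairs a SIEM adapter can forward."""
    record: Dict[str, Any] = {"kubearmor.kind": classify(event)}
    for key, value in event.items():
        record["kubearmor." + key.lower()] = value
    # Severity arrives as a string on alerts and is absent on logs/messages;
    # normalise to an integer so SIEM rules can compare it numerically.
    try:
        record["kubearmor.severity_num"] = int(event.get("Severity", 0))
    except (TypeError, ValueError):
        record["kubearmor.severity_num"] = 0
    return record


def adapt_stdout(text: str) -> Tuple[List[Dict[str, Any]], int]:
    """Parse relay stdout; returns (records, number of unparsable lines skipped)."""
    records: List[Dict[str, Any]] = []
    skipped = 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1        # non-JSON noise must not break the stream
            continue
        records.append(to_siem_record(event))
    return records, skipped
```

In a real deployment the same functions would be fed from the pod log stream or from the gRPC client instead of the constructed string.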