From 1704f10405c67d04a3161aaeb9cba5a83e32dde8 Mon Sep 17 00:00:00 2001 From: Fernando Ripoll Date: Thu, 30 Nov 2023 23:07:49 +0100 Subject: [PATCH] Update audit-logs-troubleshooting.md with Loki example (#136) * Update audit-logs-troubleshooting.md with Lokie example * Update content/docs/support-and-ops/ops-recipes/audit-logs-troubleshooting.md --- .../ops-recipes/audit-logs-troubleshooting.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/content/docs/support-and-ops/ops-recipes/audit-logs-troubleshooting.md b/content/docs/support-and-ops/ops-recipes/audit-logs-troubleshooting.md index c48000e..0a41bd9 100644 --- a/content/docs/support-and-ops/ops-recipes/audit-logs-troubleshooting.md +++ b/content/docs/support-and-ops/ops-recipes/audit-logs-troubleshooting.md @@ -47,3 +47,13 @@ cat /tmp/audit.log | jq '. | select(.user.username|test("joe."))' ```bash cat /tmp/audit.log | jq '. | select(.objectRef.name=="prometheus-prometheus-exporters-tls-assets")' ``` + +## Using Loki + +Today all AWS (vintage and CAPA) Management Clusters have Loki instance deployed with audit logs included. So we can leverage on Loki to get the logs. Future weeks we will extend Loki to vintage Workload Clusters too. Example of query: + +``` +{cluster_id="myCluster",scrape_job="audit-logs"} |= `` | json | user_username=`johndoe@example.com` +``` + +__Note__: Use `_` in json filters to access properties. In the example query above `user.username` is specified as `user_username`.
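Review bot: The example query's `|= ``` line filter in the added "Using Loki" section is a no-op (an empty-string line filter matches every line) and should be dropped so readers do not copy it as if it did something, leaving `{cluster_id="myCluster",scrape_job="audit-logs"} | json | user_username=`johndoe@example.com``. Two further points on the same hunk: the sentence "Future weeks we will extend Loki to vintage Workload Clusters too" is a time-relative promise that will go stale in an ops recipe, so either state the current scope only ("Loki is deployed on all AWS (vintage and CAPA) Management Clusters and ingests their audit logs") or move the plan to a tracking issue; and the new code fence has no language tag while the existing fences in this file use ```bash, so tag it (```logql) for consistency. The trailing `__Note__` is correct as far as it goes, but it reads clearer if it says why: the `| json` parser flattens nested keys, replacing `.` with `_`, which is what turns `user.username` into `user_username`. Minor: "have Loki instance deployed" is missing an article ("a Loki instance"), and "leverage on Loki" should be "use Loki".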