This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 85%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGT%3C/text%3E%3C/svg%3E)
Hi everyone,
currently we're trying out enabling kube-audit-admin diagnostic setting in our dev cluster to better monitor our cluster actions and suspicious activity. Since it's only a dev cluster I enable the diagnostic settings for tests and usually delete the diagnostic settings and after I've tried out what I wanted and it usually works without problems. However since yesterday the logs aren't being ingested anymore by our log analytics workspace, even when the diagnostic setting is enabled with the correct target log-analytics-workspace.
We also get a warning, that the size of the audit log is too large and has been trimmed, however as I can tell, this was always the case, and there doesn't seem a way to adjust the kube-audit-admin logs anyway, since there's no way to change the audit policy of the cluster.
Does anyone have a similar problem as me? Did something change in the behaviour of audit logs in AKS or the Log analytics workspaces?
The only change I can find regarding the kube audit logs is from the AKS Release 2022-08-14 and I don't really understand what exactly changed here.
I hope someone can point me in the right direction :) Thanks for reading
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 50%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
I'm experiencing similar issues, but I cannot seem to get any platform log data ingested. I have tried both event hubs and log analytics targets for the diagnostic settings.
This was working for our AKS instances as recently as two weeks ago, and I am able to ingest logs for other resources, such as Key Vault.
@J Steenbekkers , are you still having an issue with ingestion?
@Ryan Hill
I am seeing logs being ingested now. Was there any outage reported? Where is the best place to determine whether these types of issues exist (I did not receive any sort of notice like OP did)?
The problem has been resolved, like I described in my answer.
Try subscribing to Azure Service Health Service, then you will have alerts like these :)
@J Steenbekkers In addition, you can check https://techcommunity.microsoft.com/t5/azure-monitor-status-archive/bg-p/AzureMonitorStatusBlog for any Azure Monitor related issues.
@J Steenbekkers but to answer your question, I didn't hear of any outages. This may have easily been a regional transient issue.
I guess there was a problem with the Log Analytics service in West Europe...
This morning the kube audit logs are being ingested again by our log-analytics workspace.
