AKS kube-audit-admin diagnostic setting logs aren't ingested by log-analytics-workspace since yesterday

Gessel, Thomas 36 Reputation points

Hi everyone,
Currently we're trying out enabling the kube-audit-admin diagnostic setting in our dev cluster to better monitor our cluster actions and suspicious activity. Since it's only a dev cluster, I enable the diagnostic settings for tests and usually delete the diagnostic settings after I've tried out what I wanted, and it usually works without problems. However, since yesterday the logs aren't being ingested anymore by our log analytics workspace, even when the diagnostic setting is enabled with the correct target log-analytics-workspace.

We also get a warning that the size of the audit log is too large and has been trimmed. However, as far as I can tell, this was always the case, and there doesn't seem to be a way to adjust the kube-audit-admin logs anyway, since there's no way to change the audit policy of the cluster.

Does anyone have a similar problem? Did something change in the behaviour of audit logs in AKS or the Log Analytics workspaces?
The only change I can find regarding the kube audit logs is from the AKS Release 2022-08-14 and I don't really understand what exactly changed here.

I hope someone can point me in the right direction :) Thanks for reading


1 answer

  1. Gessel, Thomas 36 Reputation points

    I guess there was a problem with the Log Analytics service in West Europe...
    This morning the kube audit logs are being ingested again by our log-analytics workspace.

