diff --git a/charts/fluent-bit.yaml b/charts/fluent-bit.yaml
index f1886982db..ae332b3afc 100644
--- a/charts/fluent-bit.yaml
+++ b/charts/fluent-bit.yaml
@@ -38,6 +38,17 @@ daemonSetVolumes:
 - name: runlog
 hostPath:
 path: /run/log
+- name: syslog-cert
+ secret:
+ secretName: syslog-cert
+ optional: true
+ items:
+ - key: ca.crt
+ path: ca.crt
+ - key: client.crt
+ path: client.crt
+ - key: client.key
+ path: client.key
 daemonSetVolumeMounts:
 - name: run
@@ -48,6 +59,8 @@ daemonSetVolumeMounts:
 - name: runlog
 mountPath: /run/log
 readOnly: true
+- name: syslog-cert
+ mountPath: /fluent-bit/etc/tls/
 serviceMonitor:
 enabled: true
diff --git a/salt/_pillar/metalk8s.py b/salt/_pillar/metalk8s.py
index 1ccd54f8b5..7d89209599 100644
--- a/salt/_pillar/metalk8s.py
+++ b/salt/_pillar/metalk8s.py
@@ -168,6 +168,12 @@ def _load_addons(config_data):
 addons_data.setdefault("dex", {}).setdefault("enabled", True)
 addons_data.setdefault("loki", {}).setdefault("enabled", True)
 addons_data.setdefault("fluent-bit", {}).setdefault("enabled", True)
+ addons_data.setdefault("fluent-bit", {}).setdefault("siem", {}).setdefault(
+ "enabled", False
+ )
+ addons_data.setdefault("fluent-bit", {}).setdefault("siem", {}).setdefault(
+ "host", ""
+ )
 return addons_data
diff --git a/salt/metalk8s/addons/logging/fluent-bit/config/fluent-bit.yaml.j2 b/salt/metalk8s/addons/logging/fluent-bit/config/fluent-bit.yaml.j2
index b54ff65ebe..58c5936be8 100644
--- a/salt/metalk8s/addons/logging/fluent-bit/config/fluent-bit.yaml.j2
+++ b/salt/metalk8s/addons/logging/fluent-bit/config/fluent-bit.yaml.j2
@@ -12,8 +12,9 @@ spec:
 limits:
 memory: 1Gi
 config:
- {%- if pillar.addons.loki.enabled %}
+ {%- if pillar.addons.loki.enabled or pillar.addons.fluent-bit.siem.enabled %}
 output:
+ {%- if pillar.addons.loki.enabled %}
 - Name: loki
 Match: kube.*
 Host: loki
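Review bot: The client private key is projected with the Secret volume's default file mode (0644), and `optional: true` means a missing `syslog-cert` Secret yields an empty `/fluent-bit/etc/tls/` instead of a scheduling error. Adding `defaultMode: 0400` next to `secretName` (0440 with an `fsGroup` if fluent-bit does not run as root) limits who can read `client.key` inside the container. The `optional` flag also deserves a one-line comment saying it exists so the DaemonSet still schedules when the SIEM output is disabled; when the output is enabled, a missing Secret will presumably only surface as a TLS startup failure in fluent-bit's own logs, which is easy to miss.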
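Review bot: The added `syslog-cert` mount omits `readOnly: true` while the neighbouring `run`/`runlog` mounts set it explicitly. Kubelet mounts Secret volumes read-only regardless, so this is a consistency point rather than a functional one, but spelling it out keeps the intent visible: `- name: syslog-cert` / `mountPath: /fluent-bit/etc/tls/` / `readOnly: true`. The rendered copy in chart.sls would need the same line.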
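Review bot: The two added statements repeat the full `setdefault("fluent-bit", {}).setdefault("siem", {})` chain, and neither checks that `host` is non-empty when `enabled` is true, so a misconfigured pillar renders a syslog output whose destination is whatever fluent-bit falls back to rather than what the operator intended. Hoisting the lookup reads better and gives a place for that check: `siem = addons_data.setdefault("fluent-bit", {}).setdefault("siem", {})` / `siem.setdefault("enabled", False)` / `siem.setdefault("host", "")`. Whether to log or raise on an enabled SIEM with an empty host depends on how the rest of `_load_addons` treats invalid config; the function starts outside this hunk.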
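Review bot: `pillar.addons.fluent-bit.siem.enabled` on the added `{%- if %}` line is not an attribute lookup in Jinja: `-` is the subtraction operator, so the expression parses as `pillar.addons.fluent - bit.siem.enabled` and rendering will either fail on the undefined names or never evaluate the SIEM flag. A key containing a hyphen has to be subscripted, `{%- if pillar.addons.loki.enabled or pillar.addons['fluent-bit'].siem.enabled %}`. The same spelling is reused for the syslog `host:` line later in this file.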
@@ -45,6 +46,21 @@ spec:
 Line_Format: json
 Log_Level: warn
 Workers: 4
+ {%- else %}
+ - Name: syslog
+ Match: audit.*
+ host: {{ pillar.addons.fluent-bit.siem.host }}
+ port: 6514
+ mode: tcp
+ format: rfc5424
+ tls: on
+ tls.verify: on
+ tls.ca_file: /fluent-bit/etc/tls/ca.crt
+ tls.crt_file: /fluent-bit/etc/tls/client.crt
+ tls.key_file: /fluent-bit/etc/tls/client.key
+ workers: 2
+ log_level: warn
+ {%- endif %}
 {%- else %}
 output: []
 {%- endif %}
diff --git a/salt/metalk8s/addons/logging/fluent-bit/deployed/chart.sls b/salt/metalk8s/addons/logging/fluent-bit/deployed/chart.sls
index 584717ec03..a59413a3ca 100644
--- a/salt/metalk8s/addons/logging/fluent-bit/deployed/chart.sls
+++ b/salt/metalk8s/addons/logging/fluent-bit/deployed/chart.sls
@@ -1735,6 +1735,8 @@ spec:
 - mountPath: /run/log
 name: runlog
 readOnly: true
+ - mountPath: /fluent-bit/etc/tls/
+ name: syslog-cert
 dnsPolicy: ClusterFirst
 hostNetwork: false
 serviceAccountName: fluent-bit
@@ -1764,6 +1766,17 @@ spec:
 - hostPath:
 path: /run/log
 name: runlog
+ - name: syslog-cert
+ secret:
+ items:
+ - key: ca.crt
+ path: ca.crt
+ - key: client.crt
+ path: client.crt
+ - key: client.key
+ path: client.key
+ optional: true
+ secretName: syslog-cert
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
diff --git a/salt/metalk8s/addons/logging/fluent-bit/deployed/configmap.sls b/salt/metalk8s/addons/logging/fluent-bit/deployed/configmap.sls
index 878c244b37..1f4233a2fc 100644
--- a/salt/metalk8s/addons/logging/fluent-bit/deployed/configmap.sls
+++ b/salt/metalk8s/addons/logging/fluent-bit/deployed/configmap.sls
@@ -125,6 +125,13 @@ Create fluent-bit ConfigMap:
 Add namespace unknown
 Add pod unknown
 Add stream unknown
+ [FILTER]
+ Name parser
+ match audit.*
+ key_name log
+ parser extract_audit_log_timestamp
+ preserve_key On
+ reserve_data On
 {%- for output in fluent_bit.spec.config.output %}
 [Output]
 {%- for key, value in output.items() %}
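Review bot: With both `loki.enabled` (default true) and `siem.enabled` set, the new `{%- else %}` drops the syslog output entirely: the inner `{%- if pillar.addons.loki.enabled %}` opened in the previous hunk takes the Loki branch, so audit records never reach the SIEM even though the outer condition was widened to `or`. Make the two outputs independent by replacing `{%- else %}` with `{%- endif %}` followed by `{%- if pillar.addons['fluent-bit'].siem.enabled %}`; the `host:` line needs the same subscript form, since `pillar.addons.fluent-bit.siem.host` parses in Jinja as a subtraction involving `bit.siem.host`. `tls.verify: on` against the mounted CA is the right default; if the fluent-bit version in use supports `tls.verify_hostname`, enabling it too would stop any certificate issued by that CA from being accepted for the SIEM host. The `output:` block this hunk belongs to is opened in the preceding hunk.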
@@ -139,3 +146,9 @@ Create fluent-bit ConfigMap:
 Time_Key time
 Time_Format %Y-%m-%dT%H:%M:%S.%L%z
 Time_Keep Off
+ [PARSER]
+ Name extract_audit_log_timestamp
+ Format regex
+ Regex ^type=\w+\s+msg=audit\((?\d+\.\d+):\d+\):\s*.*$
+ Time_Key timestamp
+ Time_Format %s.%L
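Review bot: The capture group in the added `Regex` line, `(?\d+\.\d+)`, carries no name, so `Time_Key timestamp` refers to a field the parser never produces, and `(?` followed by a digit is not valid group syntax for the Onigmo engine fluent-bit uses, which would make the parser fail to load. The name was most likely lost on the way into this listing; the line should read `Regex ^type=\w+\s+msg=audit\((?<timestamp>\d+\.\d+):\d+\):\s*.*$`, and it is worth re-checking the committed file rather than this rendering. The trailing `\s*.*$` adds nothing to what is captured and can be dropped.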