Parsing Kubernetes Event and Audit Logs
Parse Kubernetes event logs and audit log entries in JSON format to extract event types, reasons, involved objects, and messages.
Detailed Explanation
Kubernetes Events and Audit Logs
Beyond pod logs, Kubernetes generates event records and audit logs that are essential for debugging cluster operations.
Kubernetes Events
Events are JSON objects emitted when something notable happens in the cluster. You can view them with kubectl get events or as JSON:
{"timestamp":"2024-01-15T10:30:00Z","level":"warn","logger":"kube-scheduler","message":"Failed to schedule pod: insufficient memory","reason":"FailedScheduling","involvedObject":"default/my-pod","namespace":"default","count":3}
Common Event Reasons
| Reason | Severity | Meaning |
|---|---|---|
| Scheduled | INFO | Pod assigned to a node |
| Pulling | INFO | Container image being pulled |
| Started | INFO | Container started successfully |
| FailedScheduling | WARN | Scheduler could not place pod |
| BackOff | WARN | Container restart backoff |
| Unhealthy | WARN | Health check failed |
| FailedCreate | ERROR | Could not create pod |
| OOMKilled | ERROR | Out of memory kill |
Audit Logs
Kubernetes audit logs record API server requests in JSON format:
{"timestamp":"2024-01-15T10:30:00Z","level":"info","logger":"kube-apiserver","message":"Request received","verb":"create","resource":"pods","namespace":"production","user":"system:serviceaccount:ci:deployer","responseCode":201}
Parsing with the Log Format Parser
Since both event and audit logs use JSON format, the parser handles them through the JSON structured log parser. Key fields like reason, involvedObject, verb, and resource appear in the extra fields section, while standard fields map to the timestamp, severity, source, and message columns.
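The field split described above, as an added Python example (not the parser's own code): it maps the standard keys to the four columns, keeps everything else as extra fields, and then uses those extra fields to total recurring warning events and list successful write requests made by service accounts. The function names, the WRITE_VERBS set and the min_count threshold are assumptions made for this example; the key names are those of the sample records on this page.

```python
import json
from collections import Counter
# Standard columns named on the page, keyed by the sample records' JSON keys.
STANDARD = {"timestamp": "timestamp", "level": "severity", "logger": "source", "message": "message"}
WRITE_VERBS = {"create", "update", "patch", "delete"}  # assumption: verbs treated as mutating

def parse_line(line):
    """Split one JSON log line into standard columns plus extra fields; None if unparseable."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict):
        return None
    row = {col: rec.get(key) for key, col in STANDARD.items()}
    row["extra"] = {k: v for k, v in rec.items() if k not in STANDARD}
    return row

def parse_all(lines):
    return [row for row in map(parse_line, lines) if row is not None]

def recurring_warnings(rows, min_count=2):
    """Sum 'count' per (reason, involvedObject) for warn/error events; keep totals >= min_count."""
    totals = Counter()
    for r in rows:
        x = r["extra"]
        if "reason" in x and str(r["severity"]).lower() in {"warn", "error"}:
            totals[(x["reason"], x.get("involvedObject"))] += int(x.get("count", 1))
    return {k: n for k, n in totals.items() if n >= min_count}

def service_account_writes(rows):
    """Audit rows where a service account issued a mutating verb that returned 2xx."""
    hits = []
    for r in rows:
        x = r["extra"]
        if (x.get("verb") in WRITE_VERBS
                and str(x.get("user", "")).startswith("system:serviceaccount:")
                and 200 <= int(x.get("responseCode", 0)) < 300):
            hits.append((x["user"], x["verb"], x.get("resource"), x.get("namespace")))
    return hits

# Constructed input: the two sample records from this page plus one truncated line.
SAMPLE = [
    '{"timestamp":"2024-01-15T10:30:00Z","level":"warn","logger":"kube-scheduler","message":"Failed to schedule pod: insufficient memory","reason":"FailedScheduling","involvedObject":"default/my-pod","namespace":"default","count":3}',
    '{"timestamp":"2024-01-15T10:30:00Z","level":"info","logger":"kube-apiserver","message":"Request received","verb":"create","resource":"pods","namespace":"production","user":"system:serviceaccount:ci:deployer","responseCode":201}',
    '{"timestamp":"2024-01-15T10:31:',
]
if __name__ == "__main__":
    rows = parse_all(SAMPLE)
    print(recurring_warnings(rows), service_account_writes(rows))
```

Raw audit.k8s.io/v1 events written by the API server nest these values (user.username, objectRef.resource, responseStatus.code), so the key lookups need adapting when reading audit files directly.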
Use Case
Investigating pod scheduling failures and OOMKilled events, auditing cluster API access patterns, monitoring deployment rollout progress through events, identifying recurring warning events that indicate configuration issues, and tracking RBAC-related audit events.