cscli parsers install crowdsecurity/k8s-audit

A parser for Kubernetes audit logs.
The log can be read from a file or sent to crowdsec through the webhook backend (when using the k8s-audit datasource).
# Parser for Kubernetes API server audit events, fed either by the k8s-audit
# (webhook) datasource or by a file/syslog acquisition of the audit log.
name: crowdsecurity/k8s-audit
description: "Parse Kubernetes audit logs"
# Only events that the acquisition tagged with program 'k8s-audit' are handled.
filter: "evt.Parsed.program == 'k8s-audit'"
onsuccess: next_stage

# The same audit event arrives with two key spellings: the webhook backend
# capitalises the first letter of each key (User, SourceIPs, ObjectRef, ...),
# whereas a file-based audit log keeps lower camel case (user, sourceIPs, ...).
# The first node handles the webhook datasource explicitly; the second assumes
# the file layout for every other datasource (plain file, syslog, ...).
#
# Both nodes extract the same meta fields: user, source_ip, namespace,
# resource_name, kind, a fixed log_type, and the event time (evt.StrTime)
# taken from the request-received timestamp.
#
# NOTE(review): sourceIPs[0] is read without nil-safe access, unlike the
# objectRef/requestObject lookups; an event carrying no sourceIPs presumably
# makes that static fail — confirm how the engine treats it. Whether that first
# entry is the real client or an intermediate proxy/load balancer depends on
# the API server's proxy configuration — verify in your deployment before
# acting on source_ip.
nodes:
  # Webhook datasource: capitalised keys.
  - filter: evt.Meta.datasource_type == "k8s-audit"
    statics:
      # Decode the JSON payload once under evt.Unmarshaled.k8s_audit.
      - parsed: k8s_parsed
        expression: UnmarshalJSON(evt.Parsed.message, evt.Unmarshaled, "k8s_audit")
      - meta: user
        expression: evt.Unmarshaled.k8s_audit.User.username
      - meta: source_ip
        expression: evt.Unmarshaled.k8s_audit.SourceIPs[0]
      # ObjectRef and RequestObject are not present on every event, hence `?.`.
      - meta: namespace
        expression: evt.Unmarshaled.k8s_audit.ObjectRef?.Namespace
      - meta: resource_name
        expression: evt.Unmarshaled.k8s_audit.ObjectRef?.Name
      - meta: kind
        expression: evt.Unmarshaled.k8s_audit.RequestObject?.kind
      - meta: log_type
        value: 'k8s-audit'
      - target: evt.StrTime
        expression: evt.Unmarshaled.k8s_audit.RequestReceivedTimestamp

  # Any other datasource (file, syslog, ...): lower camel case keys.
  - filter: evt.Meta.datasource_type != "k8s-audit"
    statics:
      # Decode the JSON payload once under evt.Unmarshaled.k8s_audit.
      - parsed: k8s_parsed
        expression: UnmarshalJSON(evt.Parsed.message, evt.Unmarshaled, "k8s_audit")
      - meta: user
        expression: evt.Unmarshaled.k8s_audit.user.username
      - meta: source_ip
        expression: evt.Unmarshaled.k8s_audit.sourceIPs[0]
      # objectRef and requestObject are not present on every event, hence `?.`.
      - meta: namespace
        expression: evt.Unmarshaled.k8s_audit.objectRef?.namespace
      - meta: resource_name
        expression: evt.Unmarshaled.k8s_audit.objectRef?.name
      - meta: kind
        expression: evt.Unmarshaled.k8s_audit.requestObject?.kind
      - meta: log_type
        value: 'k8s-audit'
      - target: evt.StrTime
        expression: evt.Unmarshaled.k8s_audit.requestReceivedTimestamp