RuiChang
Staff
March 5, 2025

Technical Tip: Kubernetes log forwarding to FortiSIEM

Description


This article provides a method to monitor Kubernetes logs via log forwarding to FortiSIEM.


Scope


FortiSIEM.


Solution


FortiSIEM does not currently support Kubernetes as a native log source, so cluster logs cannot be pulled directly. However, if the Kubernetes nodes run Linux or Windows, FortiSIEM agents can be installed on those nodes to collect the node logs:


Windows Agent Installation:

FortiSIEM Windows Agent


Linux Agent Installation:

FortiSIEM Linux Agent


Note:

The FortiSIEM Agent only collects the Windows or Linux logs of the node itself. Logs from the containers running on that node are not forwarded/pulled.


If the logs of a container deployed in the Kubernetes cluster need to be forwarded, this has to be configured manually. In this example, the configuration on a Linux Kubernetes node is completed as below:


  1. Configure the Kubernetes logging system (see Logging Architecture).


Example YAML configuration for a test pod whose container tails a log file:


apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: kubernetes-fsm-test
  # Pod, container and volume names must be lowercase (RFC 1123), otherwise the API server rejects the object
  name: kubernetes-fsm-test
spec:
  containers:
  - image: busybox:1.31.1
    name: fsm-container
    command:
    - "sh"
    - "-c"
    # Create the file first: busybox tail exits (and the pod crash-loops) if the file does not exist yet
    - "touch /data/date.log && tail -f /data/date.log"
    volumeMounts:
    - mountPath: /data
      name: fsm-log
  volumes:
  - name: fsm-log
    emptyDir: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}


To apply the above configuration and run it as a pod, use the command below:


kubectl apply -f PATH_OF_YAML


  2. Configure /etc/rsyslog.conf on the node as below:


# Load the file-input module (required before any imfile input is defined)
module(load="imfile")

# Log path
# Replace <pod name> & <container name> with the actual path under /var/log/pods
# (the kubelet names the pod directory <namespace>_<pod name>_<pod uid>).
# Wildcards in the file name require the input() syntax below (rsyslog 8.25 or later);
# the legacy $InputFileName directive does not support them. State files are managed automatically.
# Replace <Level> with the desired severity, reference: https://wiki.gentoo.org/wiki/Rsyslog#Severity
# Replace <Linux facility> with the desired facility, reference: https://wiki.gentoo.org/wiki/Rsyslog#Facility
input(type="imfile"
      File="/var/log/pods/<pod name>/<container name>/*.log"
      Tag="<Tag>"
      Severity="<Level>"
      Facility="<Linux facility>")

# Syslog destination (UDP 514)
# Replace <FSM IP> with the FortiSIEM IP/FQDN
*.* @<FSM IP>:514


  3. Restart the rsyslog service on the Linux node:


systemctl restart rsyslog.service


FortiSIEM should receive the logs in Analytics:


[Screenshot: FortiSIEM Analytics showing the received Kubernetes container log events]


Note:

Kubernetes logs are not fully supported yet, because the containers may run products for which FortiSIEM has no parser.

If events arrive in FortiSIEM as Unknown_EventType, a custom parser has to be configured for the user's environment:

Creating a Custom Parser
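The files rsyslog tails under /var/log/pods are written by the container runtime in the CRI log format (RFC 3339 timestamp, stream, P/F partial-line flag, message), so the lines FortiSIEM receives carry that prefix and long messages may be split into several fragments. The following Python example is added here and is not part of the article or of FortiSIEM; it assumes a containerd or CRI-O runtime, and the sample lines are constructed to show what a custom parser has to handle.

```python
import re
from dataclasses import dataclass

# CRI container log line as written under /var/log/pods/<...>/<container>/0.log:
#   <RFC3339Nano timestamp> <stdout|stderr> <P|F> <message>
# P = partial fragment (more follow), F = full line / last fragment.
CRI_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})) "
    r"(?P<stream>stdout|stderr) (?P<tag>[PF]) (?P<msg>.*)$"
)

@dataclass
class CriEvent:
    timestamp: str   # empty when the line did not match the CRI layout
    stream: str
    message: str

def parse_cri_lines(lines):
    """Parse CRI log lines and re-join partial (P) fragments into one event.

    Non-matching lines are passed through unchanged with an empty timestamp,
    so they can still be routed instead of becoming Unknown_EventType silently.
    """
    events = []
    pending = {}  # stream -> (timestamp of first fragment, [fragments])
    for raw in lines:
        m = CRI_LINE.match(raw.rstrip("\n"))
        if not m:
            events.append(CriEvent("", "", raw.rstrip("\n")))
            continue
        ts, stream, tag, msg = m.group("ts", "stream", "tag", "msg")
        first_ts, frags = pending.get(stream, (ts, []))
        frags.append(msg)
        if tag == "P":
            pending[stream] = (first_ts, frags)  # wait for the final fragment
            continue
        pending.pop(stream, None)
        events.append(CriEvent(first_ts, stream, "".join(frags)))
    # Flush an unterminated partial line (e.g. the file was rotated mid-write)
    for stream, (ts, frags) in pending.items():
        events.append(CriEvent(ts, stream, "".join(frags)))
    return events

# Constructed sample lines (not real cluster output)
SAMPLE_LINES = [
    "2025-03-05T04:17:26.739Z stdout F 2025-03-05 04:17:26 app started",
    "2025-03-05T04:17:27.001Z stdout P login failed for user ",
    "2025-03-05T04:17:27.002Z stdout F admin from 10.0.0.5",
    "2025-03-05T04:17:28.100Z stderr F warning: disk 91% full",
    "not a cri line",
]

if __name__ == "__main__":
    for ev in parse_cri_lines(SAMPLE_LINES):
        print(f"{ev.timestamp or '-'} {ev.stream or '-'} {ev.message}")
```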


Related documents:

Logging Architecture

Creating a Custom Parser