add a log line with the auditID of the truncated line
Signed-off-by: Thomas Labarussias <[email protected]>
Issif authored and poiana committed Jan 16, 2024
1 parent 21cd9b9 commit 0fb4ee3
Showing 2 changed files with 18 additions and 0 deletions.
3 changes: 3 additions & 0 deletions plugins/k8saudit-eks/README.md
Expand Up @@ -258,8 +258,11 @@ serviceAccount:
annotations:
- eks.amazonaws.com/role-arn: arn:aws:iam::${ACCOUNT_ID}:role/${ROLE} #if you use an OIDC provider, you can attach a role to the service account
```

> **Note**
Note the three placeholders REGION, ACCOUNT_ID, and CLUSTER_NAME which must be replaced with fitting values.

### Warning

> **Warning**
AWS Cloudwatch Logs truncates log lines with more than 10,000 characters, as these lines can't be parsed by the plugin they are ignored and some events may be missed.
15 changes: 15 additions & 0 deletions plugins/k8saudit-eks/pkg/k8sauditeks/k8sauditeks.go
Expand Up @@ -23,6 +23,7 @@ import (
"fmt"
"log"
"os"
"regexp"
"strings"
"time"

Expand All @@ -37,6 +38,9 @@ import (
)

const pluginName = "k8saudit-eks"
const regExpAuditID = `"auditID":[ a-z0-9-"]+`

var regExpCAuditID *regexp.Regexp

type Plugin struct {
k8saudit.Plugin
Expand Down Expand Up @@ -92,6 +96,11 @@ func (k *Plugin) Init(cfg string) error {
return err
}

regExpCAuditID, err = regexp.Compile(regExpAuditID)
if err != nil {
return err
}

// setup optional async extraction optimization
extract.SetAsync(k.Config.UseAsync)

Expand Down Expand Up @@ -141,6 +150,12 @@ func (p *Plugin) Open(clustername string) (source.Instance, error) {
case i := <-eventsC:
message := *i.Message
if strings.Contains(message, "[Truncated...]") {
auditID := regExpCAuditID.FindStringSubmatch(message)
if len(auditID) > 0 {
p.Logger.Printf("truncated log line, can't be parsed (%v)\n", auditID[0])
} else {
p.Logger.Println("truncated log line, can't be parsed")
}
continue
}
values, err := p.Plugin.ParseAuditEventsPayload([]byte(*i.Message))
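Review bot: `regExpCAuditID` is a package-level variable assigned only inside `Init`, so the `regExpCAuditID.FindStringSubmatch(message)` call in `Open` would be made on a nil `*regexp.Regexp` if `Init` has not completed first. It is also rewritten on every `Init`, which makes it shared mutable state if more than one plugin instance is initialised. Because the pattern is a constant, compiling it once at package scope removes both concerns and the new error branch in `Init`: `var regExpCAuditID = regexp.MustCompile(regExpAuditID)`. The pattern has no capture group, so `FindString` returns the same text as `FindStringSubmatch(...)[0]` with less ceremony. A skipped line is an audit event that never reaches parsing, so a short comment above the `continue` saying that this log entry is the only record of the dropped event would help operators; the bodies of `Init` and `Open` continue outside the visible hunks.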
