diff --git a/plugins/k8saudit-eks/README.md b/plugins/k8saudit-eks/README.md
index adf1d4d4..75e41b83 100644
--- a/plugins/k8saudit-eks/README.md
+++ b/plugins/k8saudit-eks/README.md
@@ -258,8 +258,11 @@ serviceAccount:
   annotations:
     - eks.amazonaws.com/role-arn: arn:aws:iam::${ACCOUNT_ID}:role/${ROLE} #if you use an OIDC provider, you can attach a role to the service account
 ```
+
+> **Note** Note the three placeholders REGION, ACCOUNT_ID, and CLUSTER_NAME which must be replaced with fitting values.
 
 ### Warning
 
+> **Warning**
 AWS Cloudwatch Logs truncates log lines with more than 10,000 characters, as these lines can't be parsed by the plugin they are ignored and some events may be missed.
diff --git a/plugins/k8saudit-eks/pkg/k8sauditeks/k8sauditeks.go b/plugins/k8saudit-eks/pkg/k8sauditeks/k8sauditeks.go
index 5181ac05..3d4c62d8 100644
--- a/plugins/k8saudit-eks/pkg/k8sauditeks/k8sauditeks.go
+++ b/plugins/k8saudit-eks/pkg/k8sauditeks/k8sauditeks.go
@@ -23,6 +23,7 @@ import (
 	"fmt"
 	"log"
 	"os"
+	"regexp"
 	"strings"
 	"time"
 
@@ -37,6 +38,9 @@ import (
 )
 
 const pluginName = "k8saudit-eks"
+const regExpAuditID = `"auditID":[ a-z0-9-"]+`
+
+var regExpCAuditID *regexp.Regexp
 
 type Plugin struct {
 	k8saudit.Plugin
@@ -92,6 +96,11 @@ func (k *Plugin) Init(cfg string) error {
 		return err
 	}
 
+	regExpCAuditID, err = regexp.Compile(regExpAuditID)
+	if err != nil {
+		return err
+	}
+
 	// setup optional async extraction optimization
 	extract.SetAsync(k.Config.UseAsync)
 
@@ -141,6 +150,12 @@ func (p *Plugin) Open(clustername string) (source.Instance, error) {
 		case i := <-eventsC:
 			message := *i.Message
 			if strings.Contains(message, "[Truncated...]") {
+				auditID := regExpCAuditID.FindStringSubmatch(message)
+				if len(auditID) > 0 {
+					p.Logger.Printf("truncated log line, can't be parsed (%v)\n", auditID[0])
+				} else {
+					p.Logger.Println("truncated log line, can't be parsed")
+				}
 				continue
 			}
 			values, err := p.Plugin.ParseAuditEventsPayload([]byte(*i.Message))
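Review bot: `regExpCAuditID` is declared in the `@@ -37,6 +38,9 @@` hunk as a nil `*regexp.Regexp` and is only assigned inside `Init` (the `@@ -92,6 +96,11 @@` hunk), so the `regExpCAuditID.FindStringSubmatch(message)` call added in the `Open` hunk dereferences a nil receiver and panics if a truncated line were ever seen on a plugin whose `Init` had not completed (the SDK's Init-before-Open ordering is not visible here, so this is a robustness point rather than a reproduced failure). The pattern is a compile-time constant, so the idiomatic form builds it once at package scope, `var regExpCAuditID = regexp.MustCompile(regExpAuditID)`, which removes the nil window, lets the five lines added to `Init` be dropped, and keeps `Init` free of an error branch that cannot fail at runtime. The character class `[ a-z0-9-"]` includes the quote and the space, so the match carries the `"auditID":` key and both quotes of the value; if that is intended it deserves a comment on the const such as `// matches the auditID key/value pair of a (possibly truncated) audit event; used only for log context`.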
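Review bot: In the `Open` hunk `FindStringSubmatch` is called on a pattern that has no capture group, so `auditID` is at most a one-element slice and `auditID[0]` is just the whole match; `FindString` says that directly and folds the length test into an empty-string check: `if id := regExpCAuditID.FindString(message); id != "" { p.Logger.Printf("truncated log line, can't be parsed (%q)", id) } else { p.Logger.Println("truncated log line, can't be parsed") }`. `%q` rather than `%v` is preferable because the value is copied verbatim from the incoming CloudWatch line into the plugin's own log, and quoting keeps any unexpected byte visible and escaped (the character class restricts it to `[ a-z0-9-"]`, so this is defensive rather than a present defect). If `p.Logger` is a `*log.Logger`, the trailing `\n` in the `Printf` format is redundant since it appends a newline when one is missing, which is also why the `Println` branch needs none. `Open`'s body starts and continues outside the hunk.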