openshift-docs/modules/microshift-viewing-audit-logs.adoc

// Module included in the following assemblies:
//
//microshift_troubleshooting/microshift-audit-logs.adoc

:_mod-docs-content-type: PROCEDURE
[id="microshift-security-context-constraints-alert-eval_{context}"]
= Identifying pod security violations through audit logs

You can identify pod security admission violations on a workload by viewing the server audit logs. The following procedure shows you how to access the audit logs and parse them to find pod security admission violations in a workload.

.Prerequisites

* You have installed `jq`.
* You have root access to the node.

.Procedure

. To retrieve the node name, run the following command:
+
[source,terminal]
----
$ <node_name>=$(oc get node -ojsonpath='{.items[0].metadata.name}')
----
//output example?

. To view the audit logs, run the following command:
+
[source,terminal]
----
$ oc adm node-logs <node_name> --path=kube-apiserver/ <1>
----
<1> Replace _<node_name>_ with the name of the node retrieved from the previous step.
+
.Example output
[source,terminal]
----
rhel-94.lab.local audit-2024-10-18T18-25-41.663.log
rhel-94.lab.local audit-2024-10-19T11-21-29.225.log
rhel-94.lab.local audit-2024-10-20T04-16-09.622.log
rhel-94.lab.local audit-2024-10-20T21-11-41.163.log
rhel-94.lab.local audit-2024-10-21T14-06-10.402.log
rhel-94.lab.local audit-2024-10-22T06-35-10.392.log
rhel-94.lab.local audit-2024-10-22T23-26-27.667.log
rhel-94.lab.local audit-2024-10-23T16-52-15.456.log
rhel-94.lab.local audit-2024-10-24T07-31-55.238.log
----

. To parse the affected audit logs, enter the following command:
+
[source,terminal]
----
$ oc adm node-logs <node_name> --path=kube-apiserver/audit.log \
  | jq -r 'select((.annotations["pod-security.kubernetes.io/audit-violations"] != null) and (.objectRef.resource=="pods")) | .objectRef.namespace + " " + .objectRef.name + " " + .objectRef.resource' \
  | sort | uniq -c <1>
----
<1> Replace _<node_name>_ with the name of the node retrieved from the previous step.