Kubernetes integration.

Bakotech

Hi here,
There are a few Kubernetes hosts in infrastructure.
What the best cases to integrate it with Energy Logserver?
Audit Log? Syslog? Agent for vulnerability monitoring? etc.

Thanks in advance.

SzymonC

Hi,
As with any complex solution we have several approaches here that we can choose from (or use all of them):

Metricbeat as an agent installed on server can be powerful source of information regarding environment performance, issues and how stable it is. If possible, it is a good idea to use it whenever we can use such data as disk, cpu, memory monitoring and much more.
Filebeat is useful for logs collection. Obviously this will be the same data as you can see on Kubernetes (for example pods logs), but having it in Energy Logserver gives you advantage to correlate it with other data that might be helpful to identify root cause of some problems.
APM monitoring launching apm server in Energy Logserver is also possibility to monitor Kubernetes. This gives great insight into parameters like Transaction duration, Requests per minute or more.
Syslog this is always great source of information. You can try to configure what types and levels of log data you want to send to Energy Logserver through syslog. As with any agentless approach, syslog also has a problem of reaching historic data during network problems. When communication with Energy Logserver is disturbed, agent can mark logs that hasn't been delivered and send them once communication is back. Syslog however rarely can go back and send historic data (in such cases we use buffers in the middle). This is something to consider when choosing between syslog vs agent approach.
SIEM agent is always great idea to have. If host is relevant to key operations or if users are interacting with it, SIEM agent can always bring huge value to the security perspective, where vulnerability scanning is only one of them.

Which tools you'll use is up to you. Energy Logserver is made for loading huge volumes of data, so there isn't really "to much" data. 😉
Great way to start is to answer question to yourself - "why do I need this data?", "will I use this data or will I just store it?", "can I loose that data?", and so on. This should help you evaluate priority and importance of this source and in result - help you choose correct tools for monitoring.