
QueryK8sAuditLogs

Query Kubernetes API server audit logs with filtering and pagination

GET /api/v1/logging/k8s-audit

Operation ID

QueryK8sAuditLogs

Since

1.0

Execution Mode

Synchronous

Auth Context

Auth Required

Auth Context

Send these values as request headers when calling this API.

Authorization string Required

Bearer Token

X-Tenant-ID string

X-Tenant-ID

Request Inputs

Query Parameters

  • user
    String

    Filter by Kubernetes username in audit records

  • verb
    String

    Filter by HTTP verb (get, create, update, delete, patch, etc.)

  • resource
    String

    Filter by Kubernetes resource type (pods, services, deployments, etc.)

  • namespace
    String

    Filter by Kubernetes namespace

  • startTime
    String

    RFC3339 start time for the audit log query window

Responses

200 OK

On success, this API returns the following response structure.

  • items
    List

    Collection of result items

    Example: (nested array)

    • auditId
      String

      Unique identifier of this audit log entry

      Example: audit-abc-001

    • level
      String

      Audit log level as defined by the Kubernetes audit policy

      Example: RequestResponse

    • timestamp
      String

      Timestamp for this resource

      Example: 2026-01-15T08:00:00Z

    • user
      Object

      The user value

      • username
        String

        Kubernetes username from the audit log record

        Example: system:admin

      • groups
        List

        Groups for this resource

        Example: item1,item2

    • sourceIps
      List

      Source IPs

      Example: item1,item2

    • verb
      String

      HTTP verb of the API request (get, create, delete, patch, etc.)

      Example: delete

    • resource
      String

      Kubernetes resource type that was operated on

      Example: pods

    • namespace
      String

      Kubernetes namespace in which the resource resides

      Example: production

    • name
      String

      Name of the specific resource instance operated on

      Example: payment-pod-001

    • responseCode
      Integer

      HTTP response code returned by the API server

      Example: 200

    • userAgent
      String

      User-Agent header value from the API request

      Example: kubectl/v1.28.0

    • sensitive
      Boolean

      Whether this audit entry is flagged as a sensitive or high-risk operation

      Example: true

    • component
      String

      Control-plane component that produced this audit entry

      Example: kube-apiserver

    • id
      String

      Secondary identifier for this audit log entry

      Example: entry-0001

  • total
    Integer

    Total number of audit log entries matching the query filters

    Example: 200
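
The request and response described above, as an added example that is not part of the original API reference: it builds a query from the documented filters and headers, then triages a response in the documented shape for sensitive operations the API server accepted. The host name, the function names and the sample entries are assumptions constructed for illustration; the page lists no pagination parameters, so the example only compares total with the number of items returned.

```python
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlencode

BASE_URL = "https://api.example.invalid"  # assumption: placeholder host, not from the page
ENDPOINT = "/api/v1/logging/k8s-audit"    # path documented on the page
ALLOWED = ("user", "verb", "resource", "namespace", "startTime")  # documented filters

def build_request(token, tenant_id=None, **filters):
    """Return (url, headers); reject filters the page does not document."""
    unknown = set(filters) - set(ALLOWED)
    if unknown:
        raise ValueError(f"undocumented query parameter(s): {sorted(unknown)}")
    start = filters.get("startTime")
    if isinstance(start, datetime):
        if start.tzinfo is None:
            raise ValueError("startTime must be timezone-aware to be valid RFC3339")
        filters["startTime"] = start.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    query = urlencode({k: filters[k] for k in ALLOWED if filters.get(k)})
    headers = {"Authorization": f"Bearer {token}"}
    if tenant_id:
        headers["X-Tenant-ID"] = tenant_id
    return BASE_URL + ENDPOINT + ("?" + query if query else ""), headers

def triage(response):
    """Group sensitive entries the API server accepted (2xx) by username."""
    items = response.get("items", [])
    by_user = defaultdict(list)
    for e in items:
        if e.get("sensitive") and 200 <= e.get("responseCode", 0) < 300:
            target = f'{e["namespace"]}/{e["resource"]}/{e["name"]}'
            by_user[e["user"]["username"]].append((e["timestamp"], e["verb"], target))
    # total > len(items) means this is a partial result set, not the full window.
    return dict(by_user), response.get("total", 0) > len(items)

def _entry(audit_id, user, verb, code, sensitive):
    # Constructed sample entry using the documented field names (not real data).
    return {"auditId": audit_id, "timestamp": "2026-01-15T08:00:00Z",
            "user": {"username": user, "groups": ["system:masters"]},
            "verb": verb, "resource": "pods", "namespace": "production",
            "name": "payment-pod-001", "responseCode": code, "sensitive": sensitive}

SAMPLE = {"total": 200, "items": [
    _entry("audit-abc-001", "system:admin", "delete", 200, True),
    _entry("audit-abc-002", "dev-user", "get", 200, False),      # not flagged
    _entry("audit-abc-003", "dev-user", "delete", 403, True),    # denied by API server
]}
```
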

Change History

This API has no change history records yet.
