GET | Logging | Since 1.0 | Synchronous | Auth Required

QueryK8sAuditLogs

Query Kubernetes API server audit logs with filtering and pagination

Query Parameters

  • user (String)

    Filter by Kubernetes username in audit records

  • verb (String)

    Filter by HTTP verb (get, create, update, delete, patch, etc.)

  • resource (String)

    Filter by Kubernetes resource type (pods, services, deployments, etc.)

  • namespace (String)

    Filter by Kubernetes namespace

  • startTime (String)

    RFC3339 start time for the audit log query window

Responses

200 OK

On success, this API returns the following response structure.

  • items (List)

    Audit log entries returned for the query

    Example: (nested array)

    • auditId (String)

      Unique identifier of this audit log entry

      Example: audit-abc-001

    • level (String)

      Audit log level as defined by the Kubernetes audit policy

      Example: RequestResponse

    • timestamp (String)

      Timestamp of this audit log entry

      Example: 2026-01-15T08:00:00Z

    • user (Object)

      User that made the API request

      • username (String)

        Kubernetes username from the audit log record

        Example: system:admin

      • groups (List)

        Groups the user belongs to

        Example: item1,item2

    • sourceIps (List)

      Source IP addresses of the API request

      Example: item1,item2

    • verb (String)

      HTTP verb of the API request (get, create, delete, patch, etc.)

      Example: delete

    • resource (String)

      Kubernetes resource type that was operated on

      Example: pods

    • namespace (String)

      Kubernetes namespace in which the resource resides

      Example: production

    • name (String)

      Name of the specific resource instance operated on

      Example: payment-pod-001

    • responseCode (Integer)

      HTTP response code returned by the API server

      Example: 200

    • userAgent (String)

      User-Agent header value from the API request

      Example: kubectl/v1.28.0

    • sensitive (Boolean)

      Whether this audit entry is flagged as a sensitive or high-risk operation

      Example: true

    • component (String)

      Control-plane component that produced this audit entry

      Example: kube-apiserver

    • id (String)

      Secondary identifier for this audit log entry

      Example: entry-0001

  • total (Integer)

    Total number of audit log entries matching the query filters

    Example: 200

Endpoint

GET /api/v1/logging/k8s-audit

Operation ID

QueryK8sAuditLogs

Request Example

curl -X GET '{host}/api/v1/logging/k8s-audit' -H 'Authorization: Bearer {token}'

Response Example

200
{
  "items": [
    {}
  ],
  "total": 200
}
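
The following client is an added example, not code from this API's vendor: it builds the request from the query parameters documented above and triages a response for successful operations flagged `sensitive`. The function names, the host `console.example.invalid` used when calling it, the triage rule and the sample response are assumptions constructed for illustration; because this page lists no pagination parameters, the code only reports when `total` exceeds the number of items returned.

```python
import json
from datetime import datetime
from urllib.parse import urlencode
from urllib.request import Request, urlopen

ENDPOINT = "/api/v1/logging/k8s-audit"
FILTERS = {"user", "verb", "resource", "namespace", "startTime"}  # parameters documented above

def build_request(host, token, **filters):
    """Build the authenticated GET; reject undocumented filters and a bad startTime."""
    unknown = set(filters) - FILTERS
    if unknown:
        raise ValueError(f"unsupported filter(s): {sorted(unknown)}")
    if "startTime" in filters:
        # Normalise 'Z' so datetime.fromisoformat accepts it on older Pythons.
        ts = datetime.fromisoformat(filters["startTime"].replace("Z", "+00:00"))
        if ts.tzinfo is None:
            raise ValueError("startTime needs a UTC offset to be RFC3339")
    url = host.rstrip("/") + ENDPOINT + ("?" + urlencode(filters) if filters else "")
    return Request(url, headers={"Authorization": f"Bearer {token}"}, method="GET")

def fetch(host, token, **filters):
    """Perform the call (needs network access and a valid token)."""
    with urlopen(build_request(host, token, **filters), timeout=10) as resp:
        return json.load(resp)

def triage(response):
    """Return (successful sensitive entries, True if fewer items than total came back)."""
    items = response.get("items", [])
    flagged = []
    for e in items:
        if e.get("sensitive") and 200 <= e.get("responseCode", 0) < 300:
            flagged.append({
                "auditId": e.get("auditId"), "timestamp": e.get("timestamp"),
                "username": (e.get("user") or {}).get("username"),
                "sourceIps": e.get("sourceIps", []),
                "action": f'{e.get("verb")} {e.get("resource")}/{e.get("name")}',
                "namespace": e.get("namespace"),
            })
    return flagged, response.get("total", len(items)) > len(items)

# Constructed sample response using the documented field names; not real data.
SAMPLE = {"total": 200, "items": [
    {"auditId": "audit-abc-001", "timestamp": "2026-01-15T08:00:00Z", "sensitive": True,
     "user": {"username": "system:admin", "groups": ["system:masters"]},
     "sourceIps": ["192.0.2.10"], "verb": "delete", "resource": "pods",
     "namespace": "production", "name": "payment-pod-001", "responseCode": 200},
    {"auditId": "audit-abc-002", "verb": "get", "resource": "pods", "namespace": "production",
     "name": "payment-pod-002", "responseCode": 200, "sensitive": False},
    {"auditId": "audit-abc-003", "verb": "delete", "resource": "secrets", "namespace": "production",
     "name": "db-creds", "responseCode": 403, "sensitive": True},
]}
```

Narrowing the query with `verb`, `namespace` and `startTime` keeps the result set small enough that a partial page is less likely to hide entries.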

Change History

This API has no change history records yet.