---
title: Log Collection for Amazon EKS Audit Logs
description: Datadog, the leading service for cloud-scale monitoring.
---

# Log Collection for Amazon EKS Audit Logs

## Overview{% #overview %}

Amazon EKS audit logs give cluster administrators insight into actions taken within an EKS cluster. Once you enable log collection for your Amazon EKS audit logs, you can set up and use [Datadog Cloud SIEM](https://docs.datadoghq.com/security/cloud_siem/) to monitor unwarranted actions or immediate threats as they occur within your EKS cluster.

## Setup{% #setup %}

### Amazon EKS audit logs{% #amazon-eks-audit-logs %}

#### New cluster{% #new-cluster %}

1. If you do not have an Amazon EKS cluster, create one by following the [Creating an Amazon EKS Cluster](https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html) documentation.
1. During setup, on the Configure logging page, enable **Audit logs**.

#### Existing cluster{% #existing-cluster %}

1. If you already have an Amazon EKS cluster configured, navigate to your cluster in the [Amazon EKS console](https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html).
1. Click on your EKS cluster.
1. Click the **Logging** tab.
1. Click the **Manage logging** button.
1. Toggle the **Audit** option to **Enabled** and click the **Save changes** button.

### Datadog AWS integration{% #datadog-aws-integration %}

Next, set up the AWS integration. Follow the [AWS integration setup](https://docs.datadoghq.com/integrations/amazon_web_services/?tab=roledelegation#setup) documentation.

### Datadog Forwarder{% #datadog-forwarder %}

Once your AWS integration setup is complete, install and configure the Datadog Forwarder. Follow the [Datadog Forwarder installation](https://docs.datadoghq.com/logs/guide/forwarder/) documentation.

**Note**: The Lambda ARN is required for the [Setup triggers](https://docs.datadoghq.com/logs/guide/send-aws-services-logs-with-the-datadog-lambda-function/?tab=awsconsole#set-up-triggers) step. Your Lambda ARN is available by navigating to [Lambda > Functions > `Your_Function_Name`](https://console.aws.amazon.com/lambda/home#/functions) in the AWS console. The Function ARN is listed in the Function overview.

## Log Explorer{% #log-explorer %}

Once Amazon EKS audit logs, the Datadog AWS integration, and the Datadog Forwarder are set up, your EKS audit logs are available in the [Datadog Log Explorer](https://app.datadoghq.com/logs).

**Note**: Logs may take a few seconds to begin streaming into Log Explorer.

To view only EKS audit logs in the Log Explorer, query `source:kubernetes.audit` in Log Explorer search or, under **Source** in the facets panel, select the `kubernetes.audit` facet to filter by EKS audit logs.

## Cloud SIEM{% #cloud-siem %}

You can use Datadog Cloud SIEM to detect potential misconfigurations or targeted attacks to your EKS clusters.

To start monitoring your Amazon EKS audit logs with Cloud SIEM, set up Cloud SIEM and create a custom [log detection rule](https://docs.datadoghq.com/security/cloud_siem/detect_and_monitor/custom_detection_rules/) that generates a [Security Signal](https://docs.datadoghq.com/getting_started/cloud_siem/#phase-2-signal-exploration) in the [Security Signals Explorer](https://app.datadoghq.com/security) whenever a misconfiguration or threat is detected.

### Setup{% #setup-1 %}

Set up and configure Cloud SIEM. See the in-app [Cloud SIEM setup and configuration instructions](https://docs.datadoghq.com/security/cloud_siem/).

Once Cloud SIEM is set up and configured, you can either create a new Cloud SIEM rule from scratch or export a query in Log Explorer to a new rule.

### Review Security Monitoring Rules{% #review-security-monitoring-rules %}

See the out-of-the-box [Cloud SIEM detection rules](https://docs.datadoghq.com/security/default_rules/#cat-cloud-siem) that detect threats in your environment. For more information on searching, editing, and cloning these rules, see [creating and managing detection rules](https://docs.datadoghq.com/security/detection_rules/#creating-and-managing-detection-rules).

### Create a new Cloud SIEM rule{% #create-a-new-cloud-siem-rule %}

To create a rule, navigate to the in-app [Rule Setup and Configuration](https://app.datadoghq.com/security/configuration/rules/new?product=siem) page. To complete your setup, see the [Log Detection Rules documentation](https://docs.datadoghq.com/security/cloud_siem/detect_and_monitor/custom_detection_rules/?tab=threshold#choose-a-detection-method).

### Export a query to a rule in Log Explorer{% #export-a-query-to-a-rule-in-log-explorer %}

1. In the Log Explorer, create a query in the search bar. For example, filter by `source:kubernetes.audit @objectRef.resource:pods @objectRef.subresource:exec @http.method:create @http.status_code:[101 TO 299]`.
1. Click the **Export** button and select **Export to detection rule**.
1. This feature exports your query and places it in the second step of the Log Detection rule setup. Select a detection method. In this instance, select **New Value**, then select the `@usr.name` attribute in the Detect new value dropdown menu. This alerts you the first time a given user execs into a pod; after that first alert, Datadog does not alert on the same user again. Alternatively, to be alerted when these events exceed a user-defined threshold, use **threshold rule** as the detection method.
1. Follow the [Log Detection Rules documentation](https://docs.datadoghq.com/security/cloud_siem/detect_and_monitor/custom_detection_rules/?tab=threshold#choose-a-detection-method) to learn how to complete the rest of your rule configuration.
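As an added example (not Datadog's code and not from this page), the pod-exec query above and both detection methods, New Value on the user and a per-user threshold, rendered as Python and run over constructed audit lines. It assumes the raw `audit.k8s.io/v1` fields (`verb`, `objectRef.*`, `responseStatus.code`, `user.username`) are what Datadog's pipeline maps to `@http.method`, `@objectRef.*`, `@http.status_code` and `@usr.name`.

```python
import json

# Constructed sample lines shaped like EKS (audit.k8s.io/v1) events in CloudWatch.
# Assumed mapping: verb -> @http.method, responseStatus.code -> @http.status_code,
# user.username -> @usr.name, so these raw fields match the Log Explorer query.
SAMPLE_LINES = [
    '{"verb":"create","user":{"username":"alice"},"objectRef":{"resource":"pods","name":"web-0","subresource":"exec"},"responseStatus":{"code":101}}',
    '{"verb":"get","user":{"username":"alice"},"objectRef":{"resource":"pods","name":"web-0","subresource":"log"},"responseStatus":{"code":200}}',
    '{"verb":"create","user":{"username":"bob"},"objectRef":{"resource":"pods","name":"db-0","subresource":"exec"},"responseStatus":{"code":403}}',
    '{"verb":"create","user":{"username":"alice"},"objectRef":{"resource":"pods","name":"web-1","subresource":"exec"},"responseStatus":{"code":101}}',
    '{"verb":"create","user":{"username":"carol"},"objectRef":{"resource":"pods","name":"web-1","subresource":"exec"},"responseStatus":{"code":101}}',
]

def is_pod_exec(event):
    """Same predicate as the Log Explorer query: a create on pods/exec that the
    API server accepted (101 Switching Protocols for the stream upgrade, up to 299)."""
    ref = event.get("objectRef") or {}
    code = (event.get("responseStatus") or {}).get("code", 0)
    return (event.get("verb") == "create"
            and ref.get("resource") == "pods"
            and ref.get("subresource") == "exec"
            and 101 <= code <= 299)

def new_value_signals(lines, seen=None):
    """New Value detection on user.username: one signal the first time each user
    execs into a pod; later execs by the same user are suppressed. `seen` carries
    state across batches, like the rule's learned values."""
    seen = set() if seen is None else seen
    signals = []
    for line in lines:
        event = json.loads(line)
        if not is_pod_exec(event):
            continue
        user = event["user"]["username"]
        if user not in seen:
            seen.add(user)
            signals.append((user, event["objectRef"]["name"]))
    return signals

def threshold_signals(lines, threshold):
    """Threshold alternative: signal each user whose accepted pod execs in this
    batch reach `threshold`. Denied execs (403) never count."""
    counts = {}
    for line in lines:
        event = json.loads(line)
        if is_pod_exec(event):
            user = event["user"]["username"]
            counts[user] = counts.get(user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)
```

Note that bob's denied exec (403) is filtered out by the status range exactly as it would be by the `@http.status_code:[101 TO 299]` clause, so only successful execs drive either rule.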
