Since this is a recurring topic, I wanted to share a quick explanation about Falco’s Kubernetes audit log plugins. EKS is just one example, but the same principles apply to all K8s audit plugins.

Which plugin should I use?
All audit plugins are equivalent. They just differ in how they collect logs depending on the cloud.
On EKS, use k8saudit-eks.

How do I check the latest version?
- Check the GitHub releases
- Or run:
    falcoctl artifact info k8saudit-eks

Do I need to pin versions in Helm?
Yes, if you don’t want to always follow the latest. You can set refs in your falcoctl config.
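As an added example (not from the post, and not a file shipped by the Falco project), here is a Helm values fragment for the falcosecurity/falco chart that loads k8saudit-eks and pins both the plugin and its ruleset to explicit refs instead of following the latest. The version tags are placeholders, the region and cluster name are made-up values, and the plugin's init_config keys, the json plugin entry and the rules_files key are taken from my reading of the plugin README and chart defaults rather than from the post, so check them against the versions you install.

```yaml
# values.yaml for the falcosecurity/falco Helm chart (added example, not the
# post's or the project's own file). X.Y.Z are placeholders: replace them with
# the tag reported by `falcoctl artifact info k8saudit-eks`.

# Audit-log-only deployment: no kernel driver, no syscall collection.
driver:
  enabled: false
collectors:
  enabled: false

falco:
  # Load the EKS audit plugin. The json plugin is kept alongside it as in the
  # plugin's own examples (assumption); drop it if your rules never use json.* fields.
  load_plugins: [k8saudit-eks, json]
  plugins:
    - name: k8saudit-eks
      library_path: libk8saudit-eks.so
      init_config:
        region: "eu-west-1"           # constructed value: AWS region of the cluster
      open_params: "my-eks-cluster"   # constructed value: the EKS cluster name
    - name: json
      library_path: libjson.so
      init_config: ""
  # Make Falco read the k8saudit ruleset installed by falcoctl (key name is an
  # assumption; older charts call it rules_file).
  rules_files:
    - /etc/falco/k8s_audit_rules.yaml

falcoctl:
  artifact:
    install:
      enabled: true
    # Turn off "follow" so nothing is updated behind your back; install runs
    # once and only installs the pinned refs below.
    follow:
      enabled: false
  config:
    artifact:
      allowedTypes:
        - rulesfile
        - plugin
      install:
        # Pinned refs from the falcosecurity index. A bare "k8saudit-eks"
        # would resolve to the latest tag, which is what pinning avoids.
        refs:
          - k8saudit-eks:X.Y.Z
          - k8saudit-rules:X.Y.Z
```

Apply it with `helm upgrade --install falco falcosecurity/falco -n falco --create-namespace -f values.yaml`. Bumping the plugin is then an explicit change to the refs list that shows up in review, rather than a silent update on the next pod restart. The plugin reads the cluster's audit stream from CloudWatch Logs, so the Falco pod also needs IAM read access to that log group (for example via IRSA); the post does not cover that part.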

Do syscall events get enriched with audit log data?
No — syscall and k8saudit are separate data sources.
If you want syscall events enriched with Kubernetes metadata, check out the k8smeta plugin.