How to Monitor Kubernetes Using Wazuh

Kubernetes has become the de facto standard for deploying and managing containerized applications at scale.

While Kubernetes simplifies application orchestration, it also introduces new operational and security challenges that can be difficult to monitor using traditional tools.

Clusters often consist of dozens or even hundreds of nodes, containers, and services that generate massive amounts of logs, events, and security telemetry.

Effective Kubernetes monitoring helps organizations maintain cluster health, identify performance bottlenecks, detect security threats, and ensure application availability.

Without proper visibility, issues such as compromised containers, unauthorized API activity, resource exhaustion, and misconfigured workloads can remain undetected until they cause significant downtime or security incidents.

One of the biggest challenges security teams face is consolidating Kubernetes security monitoring, log analysis, vulnerability management, and compliance reporting into a single platform.

This is where Wazuh becomes especially valuable.

What is Wazuh

Wazuh is a free, open-source Security Information and Event Management (SIEM) and Extended Detection and Response (XDR) platform that provides centralized visibility across cloud, on-premises, and containerized environments.

By integrating Kubernetes with Wazuh, organizations can monitor cluster activity, analyze audit logs, detect threats, track vulnerabilities, and enforce security policies from a unified dashboard.

According to the Cloud Native Computing Foundation Annual Survey, Kubernetes adoption continues to grow rapidly across enterprises, making robust monitoring and security practices increasingly important for production environments.

Organizations running Kubernetes at scale require both operational and security visibility to effectively protect workloads and maintain reliability.

Combining Kubernetes and Wazuh offers several advantages:

  • Centralized security monitoring across clusters
  • Real-time threat detection and alerting
  • Kubernetes audit log analysis
  • Vulnerability assessment of nodes and workloads
  • Compliance monitoring and reporting
  • File Integrity Monitoring (FIM) capabilities
  • Open-source deployment with no licensing costs

In this guide, you’ll learn how Kubernetes monitoring works, how Wazuh enhances Kubernetes visibility and security, how to configure the integration, and the best practices for monitoring containerized environments effectively.


Understanding Kubernetes Monitoring

 

What Is Kubernetes Monitoring?

Kubernetes monitoring is the process of collecting, analyzing, and visualizing metrics, logs, events, and security data from Kubernetes clusters.

The goal is to provide complete visibility into cluster health, workload performance, resource utilization, and security posture.

A comprehensive Kubernetes monitoring strategy typically includes several layers.

Cluster Health Monitoring

Cluster health monitoring focuses on the overall status of the Kubernetes control plane and supporting infrastructure.

Common metrics include:

  • API server availability
  • Scheduler performance
  • Controller manager health
  • Cluster-wide resource utilization
  • etcd performance and availability

Monitoring these components helps administrators detect issues that could impact the entire cluster.

Node Monitoring

Nodes are the physical or virtual machines that run Kubernetes workloads.

Important node-level metrics include:

  • CPU utilization
  • Memory consumption
  • Disk usage
  • Network throughput
  • Operating system events
  • Security events

Node monitoring helps identify infrastructure problems before they affect running applications.

Pod and Container Monitoring

Pods and containers are where applications actually run.

Monitoring at this level typically includes:

  • Container resource usage
  • Pod restarts
  • Application logs
  • Container lifecycle events
  • Crash loops
  • Application response times

These insights help DevOps and platform teams quickly diagnose application issues.

Security Monitoring and Compliance

Security monitoring focuses on identifying suspicious activity and validating compliance requirements.

Examples include:

  • Unauthorized API access attempts
  • Privilege escalation events
  • Container runtime anomalies
  • Configuration drift
  • Policy violations
  • Compliance audit failures

Security monitoring is often overlooked until an incident occurs, making proactive visibility essential.

Why Kubernetes Monitoring Is Important

 

Detecting Security Threats

Containers and Kubernetes environments create new attack surfaces that adversaries actively target.

Monitoring enables teams to detect:

  • Unauthorized access attempts
  • Suspicious API activity
  • Malicious containers
  • Lateral movement
  • Persistence mechanisms

According to guidance from the National Institute of Standards and Technology (NIST SP 800-190, Application Container Security Guide), continuous monitoring is a critical component of maintaining secure containerized environments.

Identifying Performance Bottlenecks

Resource contention can quickly impact application performance.

Monitoring helps identify:

  • CPU saturation
  • Memory exhaustion
  • Network congestion
  • Storage bottlenecks
  • Misconfigured workloads

Early detection minimizes service disruptions and improves user experience.

Ensuring Application Availability

Modern applications often consist of dozens of microservices.

Monitoring provides visibility into:

  • Service health
  • Pod availability
  • Deployment failures
  • Failed scaling events
  • Infrastructure outages

This enables faster incident response and reduced downtime.

Meeting Compliance Requirements

Many organizations must comply with frameworks such as:

  • PCI DSS
  • HIPAA
  • SOC 2
  • ISO 27001
  • NIST security controls

Monitoring and audit logging help generate the evidence required during security audits.

Common Kubernetes Security Risks

While Kubernetes offers powerful security features, misconfigurations remain common.

Misconfigured Workloads

Improper security settings can expose workloads to unnecessary risk.

Examples include:

  • Excessive permissions
  • Unrestricted network access
  • Insecure secrets management
  • Missing security contexts

Privileged Containers

Privileged containers gain elevated access to host resources.

Attackers who compromise these containers may be able to:

  • Access host systems
  • Escape container boundaries
  • Manipulate workloads

Container Escapes

Container escape attacks occur when attackers break isolation and gain access to the host operating system.

Although relatively rare, successful escapes can lead to complete node compromise.

Unauthorized API Access

The Kubernetes API server is one of the most valuable targets in a cluster.

Poor authentication or authorization controls may allow attackers to:

  • Create malicious workloads
  • Access secrets
  • Modify cluster configurations
  • Establish persistence

Vulnerable Container Images

Container images frequently contain:

  • Outdated packages
  • Known vulnerabilities
  • Misconfigured software
  • Embedded secrets

Continuous vulnerability monitoring is essential for reducing risk.

Insider Threats

Not all threats originate externally.

Administrators, developers, and contractors with excessive permissions can accidentally or intentionally introduce security risks.

Monitoring user activity and audit logs helps identify suspicious behavior before significant damage occurs.

Additional Resources:

How to Monitor AWS CloudTrail Logs Using Wazuh

Wazuh Vulnerability Detection Not Working? Here’s How to Fix It


What Is Wazuh and How Does It Help Kubernetes Monitoring?

 

Overview of Wazuh

Wazuh is an open-source security platform that combines SIEM, XDR, vulnerability detection, log analysis, compliance monitoring, and endpoint security capabilities into a single solution.

Organizations use Wazuh to monitor:

  • Servers
  • Endpoints
  • Cloud services
  • Containers
  • Kubernetes environments
  • Hybrid infrastructure

Its modular architecture allows teams to centralize security monitoring while maintaining flexibility and scalability.

SIEM Capabilities

Wazuh functions as a Security Information and Event Management (SIEM) platform by collecting and analyzing logs from multiple sources.

For Kubernetes environments, this includes:

  • Audit logs
  • Node logs
  • Application logs
  • Container runtime events
  • Authentication events

The platform correlates events and generates actionable security alerts.

XDR Functionality

Wazuh also provides Extended Detection and Response (XDR) capabilities.

This enables organizations to:

  • Detect threats across multiple environments
  • Correlate security events
  • Investigate incidents faster
  • Improve threat visibility

Rather than analyzing Kubernetes in isolation, Wazuh helps security teams understand how cluster activity relates to the broader infrastructure.

Log Analysis

Log analysis is one of Wazuh’s core strengths.

The platform can process:

  • Kubernetes audit logs
  • kubelet logs
  • Container logs
  • System logs
  • Cloud provider logs

Built-in decoders and rules help identify suspicious behavior automatically.

Threat Detection

Wazuh continuously evaluates incoming telemetry against security rules.

Examples include:

  • Failed authentication attempts
  • Privilege escalation
  • Unauthorized configuration changes
  • Suspicious process execution
  • Malware indicators

This allows security teams to respond quickly to emerging threats.

File Integrity Monitoring (FIM)

Wazuh includes powerful File Integrity Monitoring capabilities that detect unauthorized changes to critical files.

Within Kubernetes environments, FIM can help monitor:

  • Configuration files
  • Security policies
  • Application binaries
  • Container host systems

Unexpected modifications can trigger immediate alerts.

See our How to Configure File Integrity Monitoring (FIM) in Wazuh guide.

Vulnerability Detection

Wazuh continuously analyzes software inventories and compares them against vulnerability databases.

Benefits include:

  • Identifying outdated software
  • Tracking CVEs
  • Prioritizing remediation efforts
  • Improving compliance reporting

This is particularly valuable for Kubernetes nodes and container workloads where vulnerabilities can spread rapidly across environments.


Key Kubernetes Monitoring Features in Wazuh

Wazuh provides multiple capabilities specifically suited for monitoring Kubernetes environments.

Kubernetes Audit Log Monitoring

Kubernetes audit logs provide detailed visibility into cluster activity.

Wazuh can monitor:

  • API requests
  • Authentication events
  • Authorization decisions
  • Resource modifications
  • Administrative actions

Audit log analysis helps security teams identify suspicious behavior and investigate incidents.

Container Security Monitoring

Containerized workloads generate unique security events that traditional monitoring tools often miss.

Wazuh can monitor:

  • Container lifecycle events
  • Runtime activity
  • Security policy violations
  • Image-related security findings

This provides greater visibility into containerized applications.

Runtime Threat Detection

Runtime monitoring allows Wazuh to detect threats while workloads are actively running.

Examples include:

  • Unauthorized process execution
  • Suspicious command activity
  • Privilege escalation attempts
  • Reverse shells
  • Container breakout indicators

These detections help reduce attacker dwell time.

Vulnerability Assessment

Wazuh’s vulnerability detection engine continuously evaluates software running within monitored environments.

Security teams can identify:

  • Critical CVEs
  • High-risk packages
  • Outdated software
  • Remediation priorities

This supports proactive risk reduction efforts.

Compliance Monitoring

Wazuh includes compliance mappings for multiple frameworks.

For Kubernetes environments, this helps organizations monitor requirements related to:

  • PCI DSS
  • HIPAA
  • NIST
  • CIS Benchmarks
  • GDPR

Compliance reporting becomes significantly easier when security data is centralized.

Centralized Security Visibility

One of Wazuh’s biggest advantages is consolidation.

Rather than using separate tools for:

  • Vulnerability management
  • Log analysis
  • Threat detection
  • Compliance monitoring

Teams can manage everything from a single interface.

This simplifies operations and reduces tool sprawl.

Wazuh Architecture for Kubernetes Environments

Understanding the architecture helps explain how Kubernetes telemetry flows through the platform.

Wazuh Manager

The Wazuh Manager serves as the central analysis engine.

Responsibilities include:

  • Event processing
  • Rule evaluation
  • Alert generation
  • Agent management

Wazuh Indexer

The Wazuh Indexer stores and indexes collected security data.

It enables:

  • Fast searches
  • Historical analysis
  • Dashboard visualizations
  • Threat hunting activities

Wazuh Dashboard

The Wazuh Dashboard provides a graphical interface for:

  • Viewing alerts
  • Investigating incidents
  • Monitoring vulnerabilities
  • Generating reports

Security teams use the dashboard for day-to-day operations.

Wazuh Agents

Wazuh Agents collect telemetry from monitored systems.

In Kubernetes environments, agents may run on:

  • Worker nodes
  • Control plane nodes
  • Supporting infrastructure

They gather logs, security events, and inventory information.

Kubernetes Integration Components

Kubernetes integrations typically involve:

  • Audit log collection
  • Log forwarding mechanisms
  • API integrations
  • Container runtime telemetry

Together, these components provide end-to-end visibility into Kubernetes security and operational events.


Prerequisites Before Monitoring Kubernetes with Wazuh

Before integrating Kubernetes with Wazuh, it’s important to verify that your infrastructure, permissions, and Wazuh deployment are properly configured.

Establishing the correct foundation helps avoid data collection issues, missing logs, and incomplete security visibility later in the deployment process.

Infrastructure Requirements

 

Kubernetes Cluster Requirements

Wazuh can monitor both self-managed and managed Kubernetes environments.

Your cluster should be running a supported Kubernetes version and have audit logging enabled if you plan to monitor API activity.

At a minimum, you should have:

  • A functioning Kubernetes cluster
  • Administrative access to cluster resources
  • Access to Kubernetes audit logs
  • Connectivity between Kubernetes nodes and the Wazuh Manager

Monitoring becomes significantly more effective when cluster logging and security controls are configured from the start.

Supported Kubernetes Distributions

Wazuh can be integrated with most major Kubernetes platforms, including:

  • Kubernetes upstream distributions
  • Amazon EKS
  • Azure AKS
  • Google GKE
  • Red Hat OpenShift
  • Rancher-managed clusters
  • VMware Tanzu Kubernetes environments

The underlying monitoring principles remain largely the same regardless of distribution.

Network Requirements

The Wazuh Manager must be able to communicate with monitored systems and receive security telemetry.

Verify:

  • DNS resolution is functioning properly
  • Firewalls allow the agent traffic: by default TCP 1514 from agents to the manager for events and TCP 1515 for enrollment, plus TCP 443 from the dashboard to the indexer
  • Kubernetes nodes (including control-plane nodes, which hold the audit log) can reach the Wazuh Manager
  • Log forwarding paths are accessible
  • If Wazuh runs inside the cluster, no NetworkPolicy or cloud security group silently drops that traffic

Network restrictions are one of the most common causes of monitoring failures; an agent that shows as "Never connected" on the manager enrolled over 1515 but cannot reach 1514.

Resource Recommendations

Monitoring Kubernetes generates substantial log and event data.

Resource requirements vary based on:

  • Cluster size
  • Number of nodes
  • Number of containers
  • Log volume
  • Retention requirements

As a general guideline:

Component        Small Environment       Medium Environment       Large Environment
Wazuh Manager    4 vCPU / 8 GB RAM       8 vCPU / 16 GB RAM       16+ vCPU / 32+ GB RAM
Wazuh Indexer    4 vCPU / 8 GB RAM       8 vCPU / 16 GB RAM       16+ vCPU / 32+ GB RAM
Dashboard        2 vCPU / 4 GB RAM       4 vCPU / 8 GB RAM        8+ vCPU / 16+ GB RAM

Organizations should benchmark performance and scale accordingly.

Wazuh Requirements

 

Required Wazuh Version

For Kubernetes monitoring, it’s recommended to use the latest supported version of Wazuh.

Newer releases typically provide:

  • Improved Kubernetes integrations
  • Updated vulnerability feeds
  • Better detection rules
  • Enhanced dashboard capabilities

Always review release notes before upgrading production environments.

Manager Configuration Requirements

Your Wazuh Manager should have:

  • Active agent management
  • Log analysis enabled
  • Vulnerability detection configured
  • Sufficient storage capacity
  • Proper indexing configuration

These components work together to process Kubernetes telemetry efficiently.

Dashboard Access Requirements

Administrators should have access to the Wazuh Dashboard for:

  • Viewing alerts
  • Investigating incidents
  • Monitoring vulnerabilities
  • Building dashboards
  • Generating reports

Without dashboard access, validating integrations becomes much more difficult.

Access and Permissions

 

Kubernetes Administrative Access

You’ll need sufficient privileges to:

  • View cluster resources
  • Configure audit logging
  • Create service accounts
  • Manage RBAC permissions
  • Verify monitoring components

Cluster administrator privileges simplify initial deployment.

Service Accounts

Using dedicated service accounts is considered a best practice.

Benefits include:

  • Improved auditing
  • Principle of least privilege
  • Easier permission management
  • Reduced security risk

Avoid using overly privileged accounts whenever possible.

RBAC Permissions

Role-Based Access Control (RBAC) determines which resources can be accessed.

Monitoring-related permissions may include:

  • Reading pod information
  • Reading namespace information
  • Accessing audit logs
  • Viewing deployment resources
  • Querying cluster events

Always grant only the permissions required for monitoring.

API Access Requirements

Many Kubernetes monitoring functions rely on API access.

Verify that:

  • The API server is reachable
  • Authentication is functioning
  • Certificates are valid
  • Service accounts can access required resources

API connectivity issues can prevent Wazuh from collecting important telemetry.


Kubernetes Monitoring Architecture with Wazuh

Understanding how Wazuh collects and processes Kubernetes telemetry helps administrators troubleshoot integrations and design scalable monitoring environments.

How Wazuh Collects Kubernetes Data

Wazuh gathers information from several Kubernetes components to provide comprehensive visibility into cluster activity.

Kubernetes API Integration

The Kubernetes API server acts as the central management interface for the cluster.

Wazuh can leverage API-generated information to monitor:

  • Resource creation
  • Configuration changes
  • User activity
  • Administrative actions
  • Cluster events

API monitoring provides valuable context during investigations.

Audit Log Collection

Audit logs record requests made to the Kubernetes API.

These logs capture:

  • Who performed an action
  • What action occurred
  • Which resource was affected
  • When the activity happened
  • Whether the action succeeded

Audit logs are often the most valuable security data source in Kubernetes environments.

Node-Level Monitoring

Wazuh agents deployed on Kubernetes nodes can collect:

  • Operating system logs
  • Security events
  • File integrity data
  • Software inventory information
  • Vulnerability information

This visibility helps identify threats that occur outside the Kubernetes control plane.

Container Log Monitoring

Containers continuously generate operational and security data.

Wazuh can monitor:

  • Application logs
  • Runtime events
  • Error messages
  • Authentication activity
  • Security-related events

These logs help identify malicious activity occurring within workloads.

Monitoring Data Flow

The Kubernetes monitoring workflow typically follows a straightforward sequence.

Kubernetes Cluster Generates Events

Activity occurs throughout the cluster, including:

  • Pod deployments
  • API requests
  • User authentication
  • Configuration updates
  • Container execution

These actions generate logs and telemetry.

Wazuh Agents Collect Telemetry

Agents gather:

  • Node-level logs
  • Security events
  • Inventory information
  • File integrity events
  • Audit logs

The data is then forwarded to the Wazuh Manager.

Events Are Analyzed by Wazuh Manager

The Wazuh Manager performs:

  • Rule matching
  • Threat detection
  • Event correlation
  • Vulnerability analysis
  • Compliance checks

This transforms raw telemetry into actionable intelligence.

Security Alerts Are Generated

When suspicious activity is detected, Wazuh generates alerts based on predefined or custom rules.

Examples include:

  • Unauthorized API access
  • Privilege escalation
  • Suspicious container execution
  • Policy violations
  • Vulnerability findings

Data Is Visualized in Dashboards

Processed data is indexed and displayed through dashboards for:

  • Security operations
  • Compliance reporting
  • Incident response
  • Threat hunting
  • Operational monitoring

Components Being Monitored

A complete Kubernetes monitoring deployment should cover every major component of the cluster.

Nodes

Monitor:

  • Resource usage
  • System logs
  • Security events
  • Vulnerabilities

Pods

Monitor:

  • Creation events
  • Deletion events
  • Restart activity
  • Runtime behavior

Namespaces

Monitor:

  • Resource isolation
  • Configuration changes
  • Access control activity

Deployments

Monitor:

  • Rollouts
  • Scaling activity
  • Configuration modifications

Services

Monitor:

  • Network exposure
  • Service changes
  • Connectivity issues

Containers

Monitor:

  • Runtime activity
  • Security events
  • Process execution
  • File modifications

Kubernetes API Server

Monitor:

  • Authentication requests
  • Authorization failures
  • Administrative actions
  • Resource modifications

The API server often provides the most complete view of cluster activity.


Step-by-Step: Configure Wazuh for Kubernetes Monitoring

 

Step 1: Verify Your Kubernetes Environment

Before deploying monitoring components, validate that the cluster is healthy and accessible.

Check Cluster Health

Verify node status:

kubectl get nodes

Example output:

NAME            STATUS   ROLES           AGE
master-node     Ready    control-plane   45d
worker-node-1   Ready    <none>          45d
worker-node-2   Ready    <none>          45d

Next, verify running workloads:

kubectl get pods --all-namespaces

Look for:

  • Failed pods
  • CrashLoopBackOff errors
  • Pending workloads
  • Network issues

Address major cluster problems before proceeding.

Confirm Required Permissions

Verify RBAC Access

Check that your account can access cluster resources:

kubectl auth can-i get pods --all-namespaces

Expected output:

yes

Validate API Connectivity

Confirm communication with the API server:

kubectl cluster-info

A healthy response indicates that management components are reachable.

Step 2: Deploy Wazuh Agents

 

Agent Deployment Options

Several deployment strategies are available depending on your architecture.

Agent on Kubernetes Nodes

The most common approach is installing Wazuh agents directly on the nodes. On self-managed clusters this must include the control-plane nodes, because kube-apiserver writes the audit log there; an agent fleet that covers only workers never sees it.

Benefits include:

  • Node visibility
  • Vulnerability detection
  • File integrity monitoring
  • Security event collection

Agent in Virtual Machines

If Kubernetes runs on virtual machines, Wazuh agents can monitor the underlying hosts.

Agent as a DaemonSet

Wazuh also documents running the agent as a Kubernetes DaemonSet, so that a pod with the node's /var/log and other host paths mounted lands on every node automatically. This suits managed services where you cannot log in to nodes, at the cost of a privileged pod on each node that itself needs a security review.

Hybrid Deployments

Many organizations combine:

  • Node monitoring
  • Cloud monitoring
  • Traditional server monitoring

This creates complete infrastructure visibility.

Agent Installation Process

Download and Install the Agent

Example Linux (Debian/Ubuntu) installation. The package file name on packages.wazuh.com carries the agent version and architecture; 4.x.y below is a placeholder for the release you are deploying:

curl -sO https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.x.y-1_amd64.deb
sudo WAZUH_MANAGER="WAZUH_MANAGER_IP" dpkg -i ./wazuh-agent_4.x.y-1_amd64.deb

Register with Wazuh Manager

Setting WAZUH_MANAGER at install time writes the manager address into /var/ossec/etc/ossec.conf and the agent enrolls on its first start. To enroll manually, or to re-enroll after the manager address changes, run:

sudo /var/ossec/bin/agent-auth -m WAZUH_MANAGER_IP

Verify Connectivity

Start the agent:

sudo systemctl start wazuh-agent

Confirm status:

sudo systemctl status wazuh-agent

Confirm Agent Registration

List registered agents on the manager:

sudo /var/ossec/bin/agent_control -l

Example:

Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-manager (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: worker-node-1, IP: any, Active
   ID: 002, Name: worker-node-2, IP: any, Active

Each node agent should show as Active. "Never connected" means enrollment succeeded but the event channel (TCP 1514) is blocked; "Disconnected" means the agent stopped reporting.

Step 3: Enable Kubernetes Audit Logging

 

Why Audit Logs Matter

Audit logs provide a complete record of Kubernetes API activity.

Track User Activity

Audit logs reveal:

  • Who performed an action
  • What was changed
  • When the change occurred

Detect Suspicious Actions

Examples include:

  • Unauthorized access attempts
  • Privilege escalation
  • Resource manipulation

Investigate Incidents

Audit records often become the primary source of evidence during incident response.

Configure Kubernetes Audit Policies

A basic audit policy begins with:

apiVersion: audit.k8s.io/v1
kind: Policy

A complete policy defines, in order of precedence (the first rule that matches a request wins):

  • Which users, groups, verbs, resources and non-resource URLs a rule applies to
  • The logging level for matching requests: None, Metadata, Request or RequestResponse
  • Exclusions, written as level: None rules for noisy read-only traffic from cluster components

Retention is not part of the policy. It is set on kube-apiserver with --audit-log-path, --audit-log-maxage, --audit-log-maxbackup and --audit-log-maxsize; the policy file itself is passed with --audit-policy-file. Tailor the policy to your security objectives: Metadata for secrets (so their contents are never written to disk) and RequestResponse for the objects you want to inspect later, such as pod specs and RBAC bindings.
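The policy below is an added example for this guide, not the Kubernetes project's own sample; it fills in the skeleton above with the choices just described. It assumes a self-managed cluster where you control the kube-apiserver flags.

```yaml
apiVersion: audit.k8s.io/v1
kind: Policy
# RequestReceived events carry no response code; ResponseComplete is enough.
omitStages:
  - RequestReceived
rules:
  # Secrets, configmaps and token requests: record that access happened,
  # never the body. This rule is first so nothing below can override it.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps", "serviceaccounts/token"]
      - group: "authentication.k8s.io"
        resources: ["tokenreviews"]

  # Pod creation, exec/attach/portforward and RBAC mutations: keep the full
  # request and response so detection rules can inspect securityContext,
  # hostPath mounts and the subjects of a binding.
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: ""
        resources: ["pods", "pods/exec", "pods/attach", "pods/portforward"]
      - group: "rbac.authorization.k8s.io"
        resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]

  # Exclusions: read-only churn from in-cluster components.
  - level: None
    users: ["system:kube-proxy", "system:apiserver", "system:kube-scheduler", "system:kube-controller-manager"]
    verbs: ["get", "list", "watch"]
  - level: None
    userGroups: ["system:nodes"]
    verbs: ["get", "list", "watch"]
    resources:
      - group: ""
        resources: ["nodes", "pods", "configmaps"]
  - level: None
    nonResourceURLs: ["/healthz*", "/livez*", "/readyz*", "/version", "/metrics"]

  # Everything else: who did what, to which object, when, and the outcome.
  - level: Metadata
```

Pass it to the API server with --audit-policy-file and set --audit-log-path=/var/log/kubernetes/audit.log together with the maxage/maxbackup/maxsize flags for rotation; on a kubeadm cluster these go into the kube-apiserver static pod manifest along with a hostPath mount for the policy file and the log directory. Note that the kubelet exclusion deliberately leaves secret reads by nodes logged at Metadata level.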

Verify Audit Logging

After configuration:

Generate Test Events

Create a test pod:

kubectl run test-pod --image=nginx

Confirm Log Creation

Review the audit log at the path given to kube-apiserver with --audit-log-path (this guide uses /var/log/kubernetes/audit.log):

tail -f /var/log/kubernetes/audit.log

You should observe one JSON object per line, each with "kind":"Event" and "apiVersion":"audit.k8s.io/v1", including a create on pods by your user for test-pod. Delete the test pod afterwards with kubectl delete pod test-pod.
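The script below is an added example for this guide (not code from Wazuh or Kubernetes) that does the check just described in a form you can run against a real audit.log: it parses each line as an audit.k8s.io/v1 Event, pulls out the who/what/where/when/outcome fields listed earlier in this guide, and flags lines that are not audit events, which is what you see when a log path is wrong. The sample events embedded in it are constructed, not captured from a cluster.

```python
"""Sanity-check a Kubernetes audit log before pointing Wazuh at it."""
import json
from collections import Counter

# Constructed sample: three audit events plus one Linux auditd line that a
# mis-pointed localfile entry (/var/log/audit/audit.log) would pick up.
SAMPLE_LOG = r'''{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a1","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"pods","namespace":"default","name":"test-pod"},"responseStatus":{"code":201},"requestReceivedTimestamp":"2024-05-01T10:00:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a2","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/secrets/db-creds","verb":"get","user":{"username":"system:serviceaccount:prod:web"},"sourceIPs":["10.244.1.7"],"objectRef":{"resource":"secrets","namespace":"prod","name":"db-creds"},"responseStatus":{"code":403,"reason":"Forbidden"},"requestReceivedTimestamp":"2024-05-01T10:00:01.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a3","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/pods/web-0/exec?command=sh","verb":"create","user":{"username":"dev-alice"},"sourceIPs":["203.0.113.9"],"objectRef":{"resource":"pods","subresource":"exec","namespace":"prod","name":"web-0"},"responseStatus":{"code":101},"requestReceivedTimestamp":"2024-05-01T10:00:02.000000Z"}
type=SYSCALL msg=audit(1714557602.123:456): arch=c000003e syscall=59 success=yes exit=0'''


def parse_audit_line(line: str):
    """Return the security-relevant fields of one audit event, or None when
    the line is not a Kubernetes audit Event (bad JSON or another document)."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(ev, dict) or ev.get("kind") != "Event":
        return None
    if not str(ev.get("apiVersion", "")).startswith("audit.k8s.io/"):
        return None
    ref = ev.get("objectRef") or {}
    code = (ev.get("responseStatus") or {}).get("code")
    target = ref.get("resource", "")
    if ref.get("subresource"):
        target += "/" + ref["subresource"]          # e.g. pods/exec
    return {
        "who": (ev.get("user") or {}).get("username", "<anonymous>"),
        "src": ",".join(ev.get("sourceIPs") or []),
        "verb": ev.get("verb"),
        "what": target,
        "namespace": ref.get("namespace", "<cluster>"),
        "name": ref.get("name"),
        "when": ev.get("requestReceivedTimestamp"),
        "code": code,
        # RequestReceived-stage events carry no status yet. Otherwise a 2xx
        # is success, and 101 is the protocol upgrade an exec/attach returns.
        "ok": None if code is None else (200 <= code < 300 or code == 101),
    }


def summarize(text: str):
    """Parse every line; return events, offending line numbers and counters."""
    events, bad_lines = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        parsed = parse_audit_line(line)
        if parsed is None:
            bad_lines.append(lineno)
        else:
            events.append(parsed)
    return {
        "events": events,
        "bad_lines": bad_lines,
        "by_user_verb": Counter((e["who"], e["verb"], e["what"]) for e in events),
        "denied": [e for e in events if e["code"] in (401, 403)],
        "exec_sessions": [e for e in events if e["what"].endswith("/exec")],
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    report = summarize(text)
    for (who, verb, what), n in report["by_user_verb"].most_common():
        print(f"{n:5d}  {who:40s} {verb:8s} {what}")
    for e in report["denied"]:
        print(f"DENIED {e['code']}: {e['who']} {e['verb']} {e['namespace']}/{e['name']} from {e['src']}")
    for e in report["exec_sessions"]:
        print(f"EXEC: {e['who']} -> {e['namespace']}/{e['name']} from {e['src']} at {e['when']}")
    if report["bad_lines"]:
        print(f"WARNING: {len(report['bad_lines'])} line(s) are not audit events: {report['bad_lines']}")
```

Run it as python3 check_audit.py /var/log/kubernetes/audit.log on a control-plane node. A non-empty WARNING line means Wazuh's JSON decoder will choke on the same lines; a report with no exec sessions or denials after you have deliberately generated some means the audit policy is dropping them before they reach the file.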

Step 4: Configure Wazuh to Monitor Audit Logs

 

Add Audit Log Monitoring Rules

Wazuh reads audit logs through localfile entries in the agent's /var/ossec/etc/ossec.conf. Because kube-apiserver writes the file, the entry belongs to the agent on each control-plane node; on a multi-master cluster every API server instance keeps its own file and every one of them needs the entry.

Configure localfile Entries

Example:

<localfile>
  <log_format>json</log_format>
  <location>/var/log/kubernetes/audit.log</location>
</localfile>

Define Log Paths

The location must match the kube-apiserver --audit-log-path flag for your distribution; /var/log/kubernetes/audit.log is the common choice on kubeadm clusters.

Do not confuse it with /var/log/audit/audit.log, which is the Linux auditd log. That file is not JSON, so a json localfile pointed at it produces decoder errors rather than Kubernetes events; if you want auditd data as well, collect it with its own localfile entry using the audit log format.

On managed services (EKS, AKS, GKE) the audit log is never written to a node. It is delivered to the provider's logging service (CloudWatch Logs on EKS, for example) and must be collected through the corresponding Wazuh cloud integration rather than a localfile entry.

Set Parsing Options

JSON parsing improves event visibility and rule matching.

Restart Wazuh Services

Apply configuration changes:

sudo systemctl restart wazuh-agent

Verify successful startup:

sudo systemctl status wazuh-agent

Generate Test Events

Perform several actions that the audit policy records:

kubectl create deployment nginx --image=nginx
kubectl scale deployment nginx --replicas=3
kubectl delete deployment nginx

In the dashboard the decoded audit fields appear under data.* in each alert. Filter on data.objectRef.resource:deployments to confirm all three requests arrived: a create, the scale request (recorded against the deployments/scale subresource) and a delete, each carrying your username in data.user.username. No alert at all usually means the base rule for JSON audit events has not been written yet; Wazuh only records events that match a rule at or above its alert level.

Step 5: Monitor Container Activity

 

Collect Container Logs

Where container logs live depends on the container runtime, and in practice on the kubelet rather than the runtime itself.

Docker Environments

Clusters that still run Docker through dockershim (removed in Kubernetes 1.24) store each container's stdout and stderr as JSON under:

/var/lib/docker/containers/<container-id>/<container-id>-json.log

containerd and CRI-O Environments

For any CRI runtime (containerd or CRI-O) the kubelet writes container output in the CRI log format to:

/var/log/pods/<namespace>_<pod>_<uid>/<container>/0.log

and maintains symlinks named after the namespace, pod and container in:

/var/log/containers/

Pointing a localfile entry at /var/log/containers/*.log (the location element accepts wildcards) collects every container on the node with its identity in the file name. Use the syslog log format for these files rather than json: CRI writes timestamp, stream and message as plain text, and only Docker's json-file driver produces JSON.

Detect Suspicious Container Behavior

Security monitoring should focus on high-risk activities.

Privilege Escalation Attempts

Examples include:

  • Running privileged containers
  • Modifying host resources
  • Accessing restricted files

Unexpected Shell Access

Watch for:

kubectl exec -it

usage against production workloads. In the audit log an exec session is a create request on the pods/exec subresource (objectRef.resource is pods, objectRef.subresource is exec) with the command in requestURI and a 101 response code when the shell was actually opened. Alert on any exec in production namespaces and on any exec performed by a service account, which should never happen in normal operation.

Sensitive File Access

Monitor access to:

  • Secrets
  • Credentials
  • Configuration files

Create Container Security Alerts

 

Custom Rules

Custom detection rules allow organizations to monitor behaviors unique to their environment. They live in /var/ossec/etc/rules/local_rules.xml on the manager and must use rule IDs of 100000 or higher so they never collide with the shipped ruleset; changes take effect after restarting wazuh-manager, and /var/ossec/bin/wazuh-logtest replays a single log line to show which rule fires.

Alert Severity Levels

Assign severity based on risk. Wazuh expresses it as a numeric rule level from 0 to 15 rather than named tiers: alerts below the manager's log_alert_level (3 by default) are not recorded, and level 12 and above is the conventional threshold for events that need an immediate response. A workable mapping for the tiers used in this guide:

  • Low: levels 3 to 6
  • Medium: levels 7 to 9
  • High: levels 10 to 12
  • Critical: levels 13 to 15

Step 6: Enable Kubernetes Vulnerability Monitoring

 

Monitor Container Images

Inventory Collection

Wazuh's Syscollector module gathers the installed package inventory from each agent, which on a Kubernetes node means the packages of the node's operating system, the kubelet and the container runtime. It does not unpack container images, so packages inside a running container are invisible to it unless an agent runs inside that container.

Vulnerability Scanning

The node inventory is matched against Wazuh's vulnerability feeds to identify known CVEs in node software. For the images themselves, run an image scanner (Trivy or Grype, for example) in the CI/CD pipeline or against the registry and forward its findings to Wazuh as log events; the vulnerability view then covers both the nodes and the workloads.

Analyze Vulnerability Results

Focus remediation efforts on:

Critical Vulnerabilities

Address immediately.

High-Risk Packages

Prioritize based on exposure and exploitability.

Remediation Priorities

Consider:

  • CVSS score
  • Asset criticality
  • Internet exposure

Best Practices for Vulnerability Management

 

Regular Image Updates

Keep base images current.

Image Scanning Pipelines

Integrate scanning into CI/CD workflows.

Patch Management

Apply updates consistently across environments.

See our Wazuh Vulnerability Detection Not Working? Here’s How to Fix It guide for more information.

Step 7: Build Kubernetes Security Dashboards

 

Available Wazuh Dashboards

 

Cluster Activity Dashboard

Track:

  • Deployments
  • Scaling events
  • API activity

Security Events Dashboard

Monitor:

  • Threat detections
  • Authentication failures
  • Policy violations

Vulnerability Dashboard

Track:

  • CVEs
  • Vulnerability trends
  • Remediation progress

Compliance Dashboard

Monitor:

  • CIS Benchmark findings
  • Regulatory controls
  • Audit readiness

Useful Metrics to Track

 

Failed Authentication Attempts

Can indicate brute-force attacks or credential misuse.

Pod Creation Events

Helps identify unauthorized deployments.

Privileged Container Usage

One of the most important Kubernetes security indicators.

API Access Anomalies

Detect unusual administrative activity.

Vulnerability Trends

Track risk reduction over time and measure remediation effectiveness.


Kubernetes Security Use Cases with Wazuh

One of the biggest advantages of integrating Kubernetes with Wazuh is the ability to detect and investigate security threats across the entire container environment.

By collecting audit logs, monitoring system activity, and analyzing security events, Wazuh helps security teams identify suspicious behavior before it escalates into a major incident.

Detect Unauthorized Cluster Access

Unauthorized access remains one of the most common attack vectors in Kubernetes environments.

Attackers frequently target exposed APIs, compromised credentials, and misconfigured access controls to gain entry into clusters.

Failed Login Attempts

Repeated authentication failures can indicate:

  • Brute-force attacks
  • Credential stuffing attempts
  • Stolen credential usage
  • Misconfigured automation tools

Wazuh can monitor Kubernetes audit logs and generate alerts when authentication failures exceed defined thresholds.

Example detection scenarios include:

  • Multiple failed logins from the same IP address
  • Failed logins targeting privileged accounts
  • Failed authentication attempts across multiple namespaces

Suspicious API Activity

The Kubernetes API server is the control plane’s primary attack surface.

Wazuh can detect:

  • Excessive API requests
  • Requests from unusual locations
  • Unauthorized resource creation
  • Attempts to enumerate cluster resources

Security teams should pay particular attention to unexpected API activity involving privileged accounts.

Unauthorized Role Changes

Attackers often attempt privilege escalation by modifying RBAC configurations.

Wazuh can monitor events such as:

  • Role creation
  • ClusterRole modifications
  • RoleBinding changes
  • ClusterRoleBinding updates

Unauthorized permission changes should trigger immediate investigation.

Monitor Privileged Containers

Privileged containers have elevated access to host resources and represent a significant security risk if compromised.

Detection Rules

In the audit log a privileged pod appears as a create (or update or patch) request on pods whose request body carries securityContext.privileged: true. The body is only present when the audit policy logs pods at Request or RequestResponse level; at Metadata level the event records that a pod was created but not what was in it.

Wazuh can monitor for:

  • Containers launched with securityContext.privileged: true
  • Containers mounting sensitive host paths (hostPath volumes for /, /etc, /var/run or the runtime socket)
  • hostNetwork: true
  • hostPID: true or hostIPC: true

Custom rules can be created to generate alerts whenever privileged workloads are deployed. Pair them with Pod Security Admission at the baseline or restricted level so that a privileged pod in a namespace that should not have one is blocked as well as alerted.
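The rule set below is an added example for this guide, not Wazuh's shipped ruleset. It covers the detections described in this section and in Step 5: a base rule for every audit event, privileged pod creation, RBAC mutations, exec and attach sessions, secret reads, and the failed-login threshold from the Failed Login Attempts section. It assumes the audit log is read with the json localfile from Step 4, that Wazuh's JSON decoder exposes nested keys with dot notation (verb, objectRef.resource, user.username, responseStatus.code) and joins the sourceIPs array into one string, and that the audit policy logs pods at RequestResponse level so the serialized securityContext is part of the event text. Rule IDs in the 100100 range are arbitrary custom IDs; custom rules must use 100000 or above.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml on the Wazuh manager -->
<group name="kubernetes,k8s_audit,">

  <!-- Base rule: every Kubernetes audit event decoded from the json localfile.
       Level 3 so that routine activity is searchable but not noisy. -->
  <rule id="100100" level="3">
    <decoded_as>json</decoded_as>
    <field name="apiVersion">^audit.k8s.io/</field>
    <field name="kind">^Event$</field>
    <description>Kubernetes audit: $(user.username) $(verb) $(objectRef.resource) from $(sourceIPs)</description>
  </rule>

  <!-- Privileged pod: matches the serialized securityContext in the request body. -->
  <rule id="100101" level="12">
    <if_sid>100100</if_sid>
    <field name="verb">^create$|^update$|^patch$</field>
    <field name="objectRef.resource">^pods$</field>
    <match>"privileged":true</match>
    <description>Kubernetes: privileged pod $(objectRef.name) created in $(objectRef.namespace) by $(user.username)</description>
    <mitre><id>T1611</id></mitre>
  </rule>

  <!-- Host namespace sharing is the same class of risk. -->
  <rule id="100102" level="10">
    <if_sid>100100</if_sid>
    <field name="verb">^create$|^update$|^patch$</field>
    <field name="objectRef.resource">^pods$</field>
    <match>"hostPID":true|"hostNetwork":true|"hostIPC":true</match>
    <description>Kubernetes: pod $(objectRef.name) in $(objectRef.namespace) shares a host namespace (by $(user.username))</description>
  </rule>

  <!-- RBAC mutation: any write to roles or bindings. -->
  <rule id="100103" level="10">
    <if_sid>100100</if_sid>
    <field name="verb">^create$|^update$|^patch$|^delete$</field>
    <field name="objectRef.resource">^clusterrolebindings$|^rolebindings$|^clusterroles$|^roles$</field>
    <description>Kubernetes: RBAC object $(objectRef.resource)/$(objectRef.name) $(verb) by $(user.username)</description>
    <mitre><id>T1078</id></mitre>
  </rule>

  <!-- Interactive session into a pod. -->
  <rule id="100104" level="8">
    <if_sid>100100</if_sid>
    <field name="objectRef.subresource">^exec$|^attach$</field>
    <description>Kubernetes: $(user.username) opened $(objectRef.subresource) on pod $(objectRef.namespace)/$(objectRef.name) from $(sourceIPs)</description>
  </rule>

  <!-- Secret read. Raise the level for production namespaces with a child rule. -->
  <rule id="100105" level="7">
    <if_sid>100100</if_sid>
    <field name="verb">^get$|^list$</field>
    <field name="objectRef.resource">^secrets$</field>
    <description>Kubernetes: secret $(objectRef.namespace)/$(objectRef.name) read by $(user.username)</description>
  </rule>

  <!-- A single authentication or authorization failure. -->
  <rule id="100106" level="5">
    <if_sid>100100</if_sid>
    <field name="responseStatus.code">^401$|^403$</field>
    <description>Kubernetes: request by $(user.username) from $(sourceIPs) denied ($(responseStatus.code))</description>
  </rule>

  <!-- Threshold: ten denials from the same source address within two minutes. -->
  <rule id="100107" level="10" frequency="10" timeframe="120">
    <if_matched_sid>100106</if_matched_sid>
    <same_field>sourceIPs</same_field>
    <description>Kubernetes: repeated API denials from $(sourceIPs), possible credential guessing or enumeration</description>
    <mitre><id>T1110</id></mitre>
  </rule>

</group>
```

Restart the manager with sudo systemctl restart wazuh-manager, then paste one line from audit.log into /var/ossec/bin/wazuh-logtest to confirm the expected rule fires and that the fields named in the descriptions are populated. If rule 100101 never matches on a real privileged pod, check the policy level first: at Metadata level the "privileged":true text is simply not in the event.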

Risk Indicators

Indicators of elevated risk include:

  • Access to host file systems
  • Access to Kubernetes node processes
  • Containers running as root
  • Excessive Linux capabilities

These configurations increase the potential impact of a successful compromise.

Response Recommendations

When privileged containers are detected:

  1. Verify business justification.
  2. Review container image security.
  3. Validate RBAC permissions.
  4. Restrict unnecessary capabilities.
  5. Implement runtime monitoring.

Organizations should adopt the principle of least privilege whenever possible.

Detect Container Escapes

Container escapes occur when attackers break out of container isolation and gain access to the underlying host.

Although less common than other attack techniques, successful escapes can lead to full node compromise.

Common Indicators

Potential indicators include:

  • Unexpected host process access
  • Modification of host system files
  • Access to container runtime sockets
  • Privileged namespace operations
  • Unusual kernel interactions

Monitoring these activities helps identify possible escape attempts early.

Wazuh Alert Examples

Wazuh can generate alerts for events such as:

  • Access to /var/run/docker.sock (or /run/containerd/containerd.sock on containerd nodes)
  • Unauthorized modifications to host files
  • Execution of suspicious binaries
  • Unexpected privilege escalation attempts

Security teams should investigate these alerts immediately because they often indicate high-risk activity.

Identify Configuration Drift

Configuration drift occurs when cluster configurations deviate from approved baselines.

Over time, manual changes can introduce security weaknesses and compliance issues.

Security Baseline Monitoring

Wazuh can monitor critical configuration files and policies, including:

  • Kubernetes manifests
  • RBAC configurations
  • Network policies
  • Admission controller settings

File Integrity Monitoring (FIM) provides visibility into unauthorized modifications.

Unexpected Configuration Changes

Examples include:

  • Modified security contexts
  • Disabled logging configurations
  • New administrative accounts
  • Changes to network policies
  • Altered audit settings

Unexpected changes often indicate either operational mistakes or malicious activity.

See our How to Configure File Integrity Monitoring (FIM) in Wazuh guide.
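What FIM does for this section, as an added example that is not Wazuh code and not from the original page: a baseline-and-diff check over a directory of Kubernetes configuration files that reports added, removed, modified and too-permissive files. The directory layout, file contents and the 0600 limit are constructed assumptions; in production you point Wazuh's syscheck at /etc/kubernetes and the kubelet configuration rather than running a script like this.

```python
"""Baseline-and-diff integrity check for Kubernetes configuration files.

Added example for this guide, a minimal stand-in for what Wazuh's File Integrity
Monitoring does with a directory such as /etc/kubernetes: hash every watched file,
then report added, removed, modified and too-permissive files on the next run.
The demo tree is constructed in a temporary directory; the 0600 limit is an assumption.
"""
import hashlib
import os
import stat
import tempfile

WATCHED_SUFFIXES = (".yaml", ".yml", ".json", ".conf")


def file_digest(path, chunk_size=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, suffixes=WATCHED_SUFFIXES):
    """Map each watched file (relative to root) to its digest and permission bits."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(suffixes):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root)
                baseline[rel] = {"sha256": file_digest(full), "mode": stat.S_IMODE(os.stat(full).st_mode)}
    return baseline


def detect_drift(baseline, root, max_mode=0o600, suffixes=WATCHED_SUFFIXES):
    """Compare the current tree against `baseline`; files with bits beyond max_mode are flagged too."""
    current = build_baseline(root, suffixes)
    common = set(current) & set(baseline)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if current[p]["sha256"] != baseline[p]["sha256"]),
        "permission_changed": sorted(p for p in common if current[p]["mode"] != baseline[p]["mode"]),
        "too_permissive": sorted(p for p, info in current.items() if info["mode"] & ~max_mode),
    }


def run_demo():
    """Constructed scenario: the API server manifest is edited, a static pod manifest is
    dropped into the manifests directory, and a kubeconfig is made world-readable."""
    with tempfile.TemporaryDirectory() as root:
        manifests = os.path.join(root, "manifests")
        os.makedirs(manifests)
        api_manifest = os.path.join(manifests, "kube-apiserver.yaml")
        kubeconfig = os.path.join(root, "admin.conf")
        with open(api_manifest, "w") as f:
            f.write("command:\n- kube-apiserver\n- --audit-log-path=/var/log/kubernetes/audit.log\n")
        with open(kubeconfig, "w") as f:
            f.write("kind: Config\n")
        os.chmod(api_manifest, 0o600)
        os.chmod(kubeconfig, 0o600)
        baseline = build_baseline(root)

        with open(api_manifest, "a") as f:
            f.write("- --anonymous-auth=true\n")
        with open(os.path.join(manifests, "rogue-static-pod.yaml"), "w") as f:
            f.write("kind: Pod\n")
        os.chmod(kubeconfig, 0o644)
        return detect_drift(baseline, root)


if __name__ == "__main__":
    print(run_demo())
```

The static-pod case is why the manifests directory deserves a tight FIM watch: any file the kubelet finds there is started as a pod on that control-plane node with no API server involvement, so it never shows up in the audit log at all. Wazuh's syscheck adds what this script lacks, namely who made the change (whodata) and a report-changes diff of the content.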

Monitor Secrets Access

Kubernetes secrets frequently contain highly sensitive information such as API keys, certificates, tokens, and database credentials.

Monitoring access to secrets is a critical security control.

Secret Modification Events

Wazuh can identify:

  • Secret creation
  • Secret updates
  • Secret deletion
  • Bulk secret modifications

Unexpected modifications may indicate credential abuse or privilege escalation.

Unauthorized Secret Reads

Attackers often target secrets immediately after gaining access to a cluster.

Monitor for:

  • Unusual secret access patterns
  • Secret enumeration activity
  • Access from unexpected service accounts
  • High-volume secret retrieval requests

Detecting unauthorized secret access can significantly reduce attacker dwell time.
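Secret modification and read detection, as an added example that is not code from the original page or from the Wazuh project: Python over constructed audit events covering enumeration, readers outside an allowlist, read volume per principal and bulk writes. The allowlist of control-plane principals and the thresholds are assumptions to be tuned per cluster.

```python
"""Secret-access detections over Kubernetes audit events.

Added example for this guide, not part of Wazuh's ruleset. It shows the audit fields
that distinguish enumeration, unexpected readers and bulk modification of Secrets.
The events and the allowlist of principals are constructed assumptions.
"""
from collections import Counter

READ_VERBS = {"get", "list", "watch"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
# Assumed allowlist: control-plane identities that legitimately read Secrets at volume.
ALLOWED_PRINCIPALS = {"system:kube-controller-manager"}
ALLOWED_PREFIXES = ("system:serviceaccount:kube-system:", "system:node:")


def secret_event(verb, user, code=200, namespace=None, name=None, resource="secrets"):
    """Constructed audit event carrying only the fields these detections use."""
    ref = {"resource": resource}
    if namespace:
        ref["namespace"] = namespace
    if name:
        ref["name"] = name
    return {"verb": verb, "user": {"username": user}, "objectRef": ref, "responseStatus": {"code": code}}


SAMPLE_EVENTS = [
    secret_event("list", "system:kube-controller-manager"),                          # cluster-wide, expected
    secret_event("get", "system:node:worker-1", namespace="prod", name="db-creds"),  # kubelet, expected
    secret_event("get", "system:serviceaccount:default:web", namespace="default", name="web-tls"),
    secret_event("list", "system:serviceaccount:default:web"),                       # cluster-wide enumeration
    secret_event("list", "mallory", namespace="prod"),
    secret_event("get", "mallory", namespace="prod", name="db-creds"),
    secret_event("get", "mallory", namespace="prod", name="api-token"),
    secret_event("get", "mallory", namespace="prod", name="tls-key"),
    secret_event("delete", "mallory", namespace="prod", name="db-creds"),
    secret_event("delete", "mallory", namespace="prod", name="api-token"),
    secret_event("delete", "mallory", namespace="prod", name="tls-key"),
    secret_event("list", "eve", code=403),                                           # denied: nothing was read
    secret_event("get", "alice", namespace="prod", name="cfg", resource="configmaps"),
]


def principal(ev):
    return (ev.get("user") or {}).get("username", "")


def successful_secret_event(ev):
    """Only successful (2xx) requests against the `secrets` resource count as access."""
    ref = ev.get("objectRef") or {}
    code = (ev.get("responseStatus") or {}).get("code", 0)
    return ref.get("resource") == "secrets" and 200 <= code < 300


def is_expected(user, allowed=ALLOWED_PRINCIPALS, prefixes=ALLOWED_PREFIXES):
    return user in allowed or user.startswith(prefixes)


def secret_enumeration(events):
    """list/watch on Secrets by unexpected principals; no namespace means cluster-wide, rated critical."""
    hits = []
    for ev in events:
        if successful_secret_event(ev) and ev.get("verb") in ("list", "watch") and not is_expected(principal(ev)):
            ns = ev["objectRef"].get("namespace")
            hits.append(("critical" if ns is None else "high", principal(ev), ns or "*"))
    return hits


def unexpected_secret_readers(events):
    return sorted({principal(ev) for ev in events
                   if successful_secret_event(ev) and ev.get("verb") in READ_VERBS
                   and not is_expected(principal(ev))})


def secret_reads_per_principal(events, threshold):
    counts = Counter(principal(ev) for ev in events
                     if successful_secret_event(ev) and ev.get("verb") in READ_VERBS)
    return {user: n for user, n in counts.items() if n >= threshold}


def bulk_secret_writes(events, threshold):
    counts = Counter(principal(ev) for ev in events
                     if successful_secret_event(ev) and ev.get("verb") in WRITE_VERBS)
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(secret_enumeration(SAMPLE_EVENTS))
    print(unexpected_secret_readers(SAMPLE_EVENTS))
    print(secret_reads_per_principal(SAMPLE_EVENTS, threshold=4))
    print(bulk_secret_writes(SAMPLE_EVENTS, threshold=3))
```

Two points carry over to the Wazuh rules. First, the namespace field of objectRef is absent on a cluster-wide list, and that absence is the strongest signal in the set: nothing in a normal workload lists Secrets across all namespaces. Second, denied requests (the 403 from eve) must not be counted as access, but they still belong in the failed-authorization rules earlier in this guide. The allowlist needs care: kube-controller-manager reads Secrets constantly, and kubelets (system:node:...) fetch the Secrets mounted by the pods they run, so both are noise unless their volume changes.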


Kubernetes Compliance Monitoring with Wazuh

Many organizations use Kubernetes to host business-critical workloads that fall under regulatory and industry compliance requirements.

Wazuh helps simplify compliance monitoring by collecting evidence, tracking security controls, and generating reports that support audit activities.

CIS Kubernetes Benchmark Monitoring

Benchmark Overview

The CIS Kubernetes Benchmark provides security best practices for securing Kubernetes clusters.

It covers areas such as:

  • API server security
  • Authentication controls
  • Authorization policies
  • Logging configurations
  • Network security
  • Workload protection

Many organizations use the benchmark as a foundation for hardening Kubernetes environments.

Automated Checks

Wazuh can assist with monitoring controls related to:

  • Audit logging
  • File permissions
  • Configuration changes
  • Access control settings
  • Security policy enforcement

Automated monitoring reduces the manual effort required during audits.

Compliance Reporting

Compliance dashboards can help security teams:

  • Identify failed controls
  • Track remediation efforts
  • Generate audit evidence
  • Measure security posture over time

Reports can be exported and shared with auditors when needed.

PCI DSS Compliance

Organizations processing payment card data must comply with PCI DSS requirements.

Relevant Kubernetes Controls

Common PCI DSS requirements include:

  • Logging and monitoring
  • Access control enforcement
  • Vulnerability management
  • Change monitoring
  • Incident detection

Kubernetes environments supporting payment systems must maintain visibility into these controls.

Wazuh Monitoring Capabilities

Wazuh supports PCI DSS initiatives through:

  • Centralized log management
  • Vulnerability detection
  • File Integrity Monitoring
  • Access monitoring
  • Security alerting

These capabilities help organizations demonstrate continuous monitoring.

HIPAA Compliance Monitoring

Healthcare organizations frequently deploy containerized workloads that process protected health information (PHI).

Logging Requirements

HIPAA requires organizations to maintain security logs and monitor access to sensitive systems.

Wazuh helps collect:

  • Authentication events
  • Administrative actions
  • Access attempts
  • Security incidents

Audit Trail Collection

Comprehensive audit trails support:

  • Incident investigations
  • Regulatory audits
  • Security reviews
  • Compliance reporting

Kubernetes audit logs provide valuable evidence for these activities.

SOC 2 Monitoring

SOC 2 emphasizes security, availability, confidentiality, processing integrity, and privacy controls.

Security Control Validation

Organizations must continuously verify that controls remain effective.

Wazuh can help validate:

  • Access controls
  • Monitoring processes
  • Security alerting
  • Vulnerability management
  • Change management procedures

Continuous Monitoring

SOC 2 auditors increasingly expect evidence of ongoing monitoring rather than point-in-time assessments.

Wazuh supports continuous visibility through:

  • Real-time alerts
  • Historical event retention
  • Compliance dashboards
  • Automated reporting

Additional Resources:

https://www.cisecurity.org/benchmark/kubernetes

https://www.pcisecuritystandards.org/


Best Practices for Wazuh Kubernetes Monitoring

Deploying Wazuh successfully is only the first step.

Organizations must continuously optimize their monitoring strategy to reduce noise, improve detection quality, and strengthen overall security posture.

Reduce Alert Fatigue

One of the biggest challenges in Kubernetes security monitoring is managing large volumes of alerts.

Tune Detection Rules

Default detection rules provide a strong starting point, but every environment is different.

Review rules regularly and adjust them based on:

  • Workload behavior
  • Business requirements
  • Risk tolerance
  • Operational priorities

Fine-tuning improves signal-to-noise ratios.

Eliminate Noisy Alerts

Frequent low-value alerts can overwhelm security teams.

Common examples include:

  • Expected administrative activity
  • Automated deployment events
  • Routine health checks
  • Known benign processes

Filtering unnecessary alerts allows analysts to focus on genuine threats.

Prioritize Critical Findings

Prioritization should focus on:

  • Privilege escalation attempts
  • Unauthorized access
  • Critical vulnerabilities
  • Secret exposure
  • Container escape indicators

These events generally require the fastest response times.

Expert Insight: Kubernetes co-founder Joe Beda has repeatedly emphasized that Kubernetes security is primarily about reducing complexity and visibility gaps. Effective monitoring strategies focus on identifying the small number of events that matter most rather than collecting every possible alert.

Secure Wazuh Components

The monitoring platform itself must be protected.

Protect Management Interfaces

Restrict access to:

  • Wazuh Dashboard
  • Manager APIs
  • Administrative accounts
  • Configuration repositories

Administrative interfaces should never be publicly exposed.

Enforce RBAC

Apply role-based access control to ensure users only access resources necessary for their responsibilities.

Examples include:

  • Security analysts
  • Incident responders
  • Compliance teams
  • System administrators

Use TLS Encryption

Encrypt communications between:

  • Agents and managers
  • Managers and indexers
  • Dashboards and users

Encryption helps prevent interception and tampering of security data.

Monitor Multi-Cluster Environments

Many organizations operate multiple Kubernetes clusters across cloud providers and regions.

Centralized Monitoring

Centralized visibility provides several benefits:

  • Consistent detection policies
  • Unified investigations
  • Simplified compliance reporting
  • Reduced operational overhead

Wazuh is particularly effective when acting as a central monitoring platform across multiple clusters.

Cluster Tagging Strategies

Tagging improves event organization and searchability.

Common tags include:

  • Production
  • Development
  • Staging
  • Region
  • Business unit
  • Cloud provider

Well-defined tagging structures simplify investigations.

Regularly Review Detection Rules

Threats evolve constantly, and detection logic must evolve with them.

Update Rulesets

Review:

  • Wazuh ruleset updates
  • Kubernetes security advisories
  • Emerging attack techniques
  • New vulnerability disclosures

Keeping rules current improves detection coverage.

Add Custom Kubernetes Detections

Custom rules can monitor:

  • Organization-specific workloads
  • Sensitive namespaces
  • Proprietary applications
  • Internal compliance requirements

Custom detections often provide the highest-value alerts.

See our How to Create Custom Detection Rules in Wazuh (With Examples) guide.

Integrate with Incident Response Workflows

Monitoring is most effective when integrated into established response processes.

Alert Forwarding

Forward critical alerts to:

  • SIEM platforms
  • Security teams
  • On-call personnel
  • Incident response systems

Rapid notification reduces response times.

Ticketing Integrations

Many organizations integrate Wazuh with:

  • Jira
  • ServiceNow
  • Zendesk
  • ITSM platforms

Automated ticket creation improves accountability and tracking.

Response Automation

Automated actions may include:

  • Isolating compromised systems
  • Blocking malicious IP addresses
  • Triggering security workflows
  • Notifying response teams

Automation helps security teams scale their operations without increasing headcount.

Expert Insight: The security guidance published by the Cloud Native Computing Foundation consistently emphasizes continuous monitoring, least-privilege access, and automated response capabilities as core components of a mature Kubernetes security program.


Troubleshooting Common Kubernetes Monitoring Issues

Even after a successful deployment, administrators may occasionally encounter issues with log collection, event visibility, alerting, or vulnerability detection.

Fortunately, most Kubernetes monitoring problems can be resolved by systematically reviewing configuration settings, permissions, and connectivity.

Wazuh Is Not Receiving Kubernetes Logs

One of the most common issues is that Kubernetes logs never appear in the Wazuh Dashboard.

Possible Causes

Audit Logging Disabled

If Kubernetes audit logging is not enabled, Wazuh will have no audit data to collect.

Verify that:

  • An audit policy exists
  • The API server is configured to use it
  • Audit logs are being written successfully

A surprising number of Kubernetes monitoring deployments fail simply because audit logging was never configured.

Incorrect Log Paths

Wazuh can only monitor files that actually exist.

Common issues include:

  • Incorrect file paths
  • Distribution-specific log locations
  • Typographical errors
  • Log rotation configuration problems

Verify the exact location of your Kubernetes audit logs before configuring localfile entries.

Agent Connectivity Issues

If Wazuh agents cannot communicate with the Wazuh Manager, logs will never be processed.

Common causes include:

  • Firewall restrictions
  • DNS resolution failures
  • Network segmentation
  • Incorrect manager configuration
  • Expired certificates

Fixes

Verify Configuration

Review the agent configuration file and confirm:

  • Log paths are correct
  • JSON parsing is enabled when necessary
  • Kubernetes logs are being monitored

Example (the location must match the API server's --audit-log-path; on kubeadm clusters the API server runs as a static pod, so that directory also has to be a hostPath mount in /etc/kubernetes/manifests/kube-apiserver.yaml or the file never appears on the node):

<localfile>
  <log_format>json</log_format>
  <location>/var/log/kubernetes/audit.log</location>
</localfile>

Check Agent Status

Verify agent health:

sudo systemctl status wazuh-agent

You can also confirm registration and connection state from the Wazuh manager (the tool lives in the manager's installation directory, not on the agent):

sudo /var/ossec/bin/agent_control -l

Look for disconnected or inactive agents.

Review Permissions

Ensure the Wazuh agent can read:

  • Audit logs
  • Container logs
  • System logs

On a standard package install the logcollector runs as root, so plain file permissions are rarely the problem. The usual culprit is an agent deployed as a DaemonSet: the host directories holding the audit log (and /var/log/containers or /var/log/pods for container logs) must be mounted into the agent pod with hostPath volumes, and the <location> paths in ossec.conf must refer to the paths inside the container, not on the node.
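The verification steps above, as an added example that is neither a Wazuh tool nor code from the original page: a Python check of the audit log path a <localfile> entry points at, and of manager reachability. The file in the demo is constructed; the hostname and the 300-second freshness limit are assumptions.

```python
"""Quick checks for the "no Kubernetes logs in Wazuh" case.

Added example for this guide, not a Wazuh tool. It verifies what the text above
lists: the audit log path exists, is readable and non-empty, has been written
recently (a stale file usually means the API server is not auditing), its last line
is an audit.k8s.io Event, and the manager port answers. The demo file is constructed.
"""
import json
import os
import socket
import stat
import tempfile
import time


def read_last_line(path, block_size=8192):
    """Return the last non-empty line without reading a multi-gigabyte audit log from the start."""
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        remaining = f.tell()
        data = b""
        while remaining > 0 and data.count(b"\n") < 2:
            step = min(block_size, remaining)
            remaining -= step
            f.seek(remaining)
            data = f.read(step) + data
    lines = [line for line in data.splitlines() if line.strip()]
    return lines[-1].decode("utf-8", "replace") if lines else ""


def looks_like_audit_event(line):
    try:
        obj = json.loads(line)
    except json.JSONDecodeError:
        return False
    return isinstance(obj, dict) and obj.get("kind") == "Event" \
        and str(obj.get("apiVersion", "")).startswith("audit.k8s.io/")


def check_audit_log(path, max_age_seconds=300):
    """Named checks for the file a <localfile> entry points at."""
    result = {"path": path, "exists": os.path.isfile(path), "readable": False, "non_empty": False,
              "recent": False, "last_line_is_audit_event": False, "mode": None}
    if not result["exists"]:
        return result
    st = os.stat(path)
    result["mode"] = oct(stat.S_IMODE(st.st_mode))
    result["readable"] = os.access(path, os.R_OK)
    result["non_empty"] = st.st_size > 0
    result["recent"] = (time.time() - st.st_mtime) <= max_age_seconds
    if result["readable"] and result["non_empty"]:
        result["last_line_is_audit_event"] = looks_like_audit_event(read_last_line(path))
    return result


def manager_reachable(host, port=1514, timeout=3.0):
    """Agents report to the manager on 1514/tcp by default; enrollment uses 1515/tcp."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(audit_log_path, manager_host):
    return {"audit_log": check_audit_log(audit_log_path),
            "manager_reachable": manager_reachable(manager_host)}


def run_demo():
    """Constructed: one well-formed audit event written to a temporary file."""
    event = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
             "verb": "get", "user": {"username": ""}, "responseStatus": {"code": 401}}
    with tempfile.NamedTemporaryFile("w", suffix=".log", delete=False) as f:
        f.write(json.dumps(event) + "\n")
        path = f.name
    try:
        return check_audit_log(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Assumed path and hostname; substitute the values from --audit-log-path and ossec.conf.
    print(json.dumps(diagnose("/var/log/kubernetes/audit.log", "wazuh-manager.example.internal"), indent=2))
```

Read the results in order: a missing or stale file is a kube-apiserver problem (flags, policy, or the hostPath mount on kubeadm), a last line that is not an audit Event means the <localfile> points at the wrong file or the API server was started with a different --audit-log-format, and an unreachable manager means nothing collected will ever be processed regardless of the other checks.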

Kubernetes Events Are Missing

In some environments, administrators discover that certain Kubernetes activities are not appearing in Wazuh.

Diagnostic Steps

Confirm Event Generation

First, be clear about which data source is missing. Kubernetes Events (the objects shown by kubectl get events) and API server audit log entries are different things: Events describe cluster state changes and are not written to the audit log, while audit entries record API requests and are produced only if kube-apiserver runs with --audit-policy-file and --audit-log-path. To see whether the cluster is producing Events, run:

kubectl get events --all-namespaces

If no Events exist, the issue is within the cluster rather than Wazuh. To confirm the audit pipeline, check that the audit log file is growing on the control-plane node (for example with tail -f on the path given in --audit-log-path) and that the activity you expect is not excluded by the audit policy (a policy rule with level: None drops those requests entirely).

Validate Collection Settings

Verify that Wazuh is configured to collect the relevant data source.

Check:

  • Audit log monitoring
  • Event forwarding configuration
  • API integrations
  • Custom log collection settings

Resolution

Update Monitoring Configuration

If required event sources are not configured, update your monitoring policies accordingly.

Common improvements include:

  • Adding additional log paths
  • Enabling audit logging
  • Expanding event collection scope
  • Creating custom detection rules

Restart Services

After making configuration changes, restart the agent:

sudo systemctl restart wazuh-agent

Then verify the service starts successfully.

sudo systemctl status wazuh-agent

Monitor logs for errors during startup.

Excessive Kubernetes Alerts

Receiving too many alerts can overwhelm analysts and make it difficult to identify genuine threats.

Common Causes

Overly Broad Detection Rules

Many default security rules intentionally cast a wide net.

Examples include:

  • Generic authentication failures
  • Administrative activity
  • Resource creation events
  • Routine operational tasks

While useful initially, these rules often require tuning.

High Event Volume

Large Kubernetes environments naturally generate substantial telemetry.

Factors contributing to alert volume include:

  • Large clusters
  • Frequent deployments
  • Auto-scaling workloads
  • CI/CD activity
  • Extensive audit logging

Without filtering, alert fatigue becomes inevitable.

Solutions

Rule Tuning

Review the alerts that occur most frequently.

Questions to ask:

  • Is the activity expected?
  • Does it indicate real risk?
  • Can it be safely suppressed?

Custom rules can dramatically improve signal quality.

Alert Filtering

Consider filtering:

  • Known administrative actions
  • Trusted service accounts
  • Approved automation tools
  • Routine deployment events

Filtering reduces noise while preserving meaningful detections.

See our How to Reduce False Positives in Wazuh guide.

Vulnerability Detection Is Not Working

Another common issue involves vulnerability data failing to appear in dashboards or reports.

Verification Checklist

Before troubleshooting further, confirm the following.

Inventory Collection Enabled

Vulnerability detection relies on software inventory data.

Verify that the Syscollector module, which gathers the package inventory, is enabled in the agent configuration (<wodle name="syscollector"> with package collection enabled) on monitored systems.

Without inventory data, Wazuh cannot identify vulnerable packages.

Feed Updates Functioning

The vulnerability detector depends on regularly updated vulnerability feeds.

Verify:

  • Feed downloads are successful
  • Internet access is available where required
  • Feed synchronization is functioning properly

Fixes

Refresh Vulnerability Data

Force a refresh of vulnerability information by:

  • Restarting vulnerability detection services
  • Updating feeds manually
  • Re-scanning inventory data

This often resolves synchronization issues.

Verify Agent Communication

Vulnerability data is generated from inventory information supplied by agents.

Confirm that:

  • Agents are connected
  • Inventory collection is active
  • Data is reaching the Wazuh Manager

Missing inventory data is one of the most common root causes.


Frequently Asked Questions

Question: Can Wazuh monitor Kubernetes without agents?

Yes, within limits. API server audit logs can reach Wazuh without an agent on the control plane, for example by configuring the audit webhook backend (--audit-webhook-config-file) to post events to a collector that forwards them to the manager, or by pulling them from a managed provider's logging service.

However, deploying Wazuh agents on Kubernetes nodes provides significantly greater visibility, including:

  • File Integrity Monitoring
  • Software inventory collection
  • Vulnerability detection
  • Node-level security monitoring

For comprehensive monitoring, agent-based deployments are generally recommended.

Question: Does Wazuh support managed Kubernetes services like EKS, AKS, and GKE?

Yes. Wazuh can monitor major managed Kubernetes platforms including:

  • Amazon EKS
  • Microsoft AKS
  • Google GKE
  • Red Hat OpenShift
  • Rancher-managed clusters

Worker nodes on these platforms take agents like any other Linux host, so FIM, inventory and vulnerability detection work unchanged. The control plane is the difference: on EKS, AKS and GKE you cannot install an agent on the API server or read its audit file, so audit logging has to be enabled in the provider's logging service (CloudWatch Logs for EKS, Azure Monitor for AKS, Cloud Logging for GKE) and the events pulled from there into Wazuh. OpenShift and Rancher clusters that you host yourself expose the control-plane nodes, so the file-based approach in this guide applies.

Question: Can Wazuh detect container security threats in real time?

Yes. Wazuh can generate alerts for suspicious activity as events are received and processed.

Examples include:

  • Unauthorized API access
  • Privilege escalation attempts
  • Container breakout indicators
  • Suspicious process execution
  • Sensitive file access

Real-time alerting enables faster incident response.

Question: How does Wazuh collect Kubernetes audit logs?

Wazuh typically collects audit logs by monitoring the audit log files generated by the Kubernetes API server.

The process generally involves:

  1. Enabling audit logging on kube-apiserver with --audit-log-path (on kubeadm clusters, editing the static pod manifest in /etc/kubernetes/manifests and mounting the log directory as a hostPath).
  2. Defining an audit policy and passing it with --audit-policy-file.
  3. Configuring Wazuh localfile monitoring with log_format json.
  4. Parsing audit events.
  5. Generating alerts and dashboard visualizations.

Question: Does Kubernetes monitoring increase cluster overhead?

Yes, but the impact is usually modest when properly configured.

Factors affecting overhead include:

  • Audit logging verbosity
  • Number of monitored nodes
  • Log retention settings
  • Event volume
  • Detection rule complexity

Most production environments can support monitoring with minimal performance impact.

Question: Can Wazuh monitor multiple Kubernetes clusters?

Yes.

Many organizations use a centralized Wazuh deployment to monitor:

  • Production clusters
  • Development clusters
  • Staging environments
  • Multi-cloud Kubernetes deployments

Using cluster tags and labels helps organize data across environments.

Question: Is Wazuh suitable for Kubernetes compliance auditing?

Absolutely.

Wazuh provides capabilities that support:

  • CIS Kubernetes Benchmark monitoring
  • PCI DSS requirements
  • HIPAA auditing
  • SOC 2 monitoring
  • Internal security standards

Its centralized logging and reporting capabilities make compliance assessments significantly easier.

Question: What Kubernetes events should be monitored first?

If you’re building a monitoring program from scratch, prioritize:

  1. Authentication failures
  2. Role and permission changes
  3. Secret access events
  4. Privileged container deployments
  5. Pod creation and deletion events
  6. API server activity
  7. Vulnerability findings
  8. Configuration changes

These events typically provide the highest security value.


Conclusion

Kubernetes provides tremendous flexibility and scalability, but it also introduces new security and visibility challenges.

Without centralized monitoring, organizations can struggle to detect threats, investigate incidents, and maintain compliance across increasingly complex containerized environments.

Wazuh helps address these challenges by providing a unified platform for Kubernetes security monitoring, threat detection, vulnerability management, compliance reporting, and log analysis.

Key Takeaways

Throughout this guide, we’ve covered several important concepts:

  • Wazuh provides centralized Kubernetes security monitoring.
  • Kubernetes audit logs are essential for visibility and investigations.
  • Vulnerability monitoring helps strengthen cluster security posture.
  • Compliance monitoring can be automated through continuous log collection and analysis.
  • Proper rule tuning significantly reduces alert fatigue and improves detection quality.

By combining Kubernetes telemetry with Wazuh’s SIEM and XDR capabilities, security teams gain a comprehensive view of activity occurring across nodes, containers, workloads, and APIs.

Next Steps

To begin monitoring Kubernetes with Wazuh:

  1. Deploy Wazuh agents on Kubernetes nodes.
  2. Enable Kubernetes audit logging.
  3. Configure audit log collection.
  4. Build Kubernetes security dashboards.
  5. Create custom detection rules.
  6. Enable vulnerability monitoring.
  7. Continuously tune alerts and improve coverage.

A successful Kubernetes monitoring strategy is not a one-time project—it is an ongoing process of refining detections, improving visibility, and adapting to evolving threats.

Organizations that invest in continuous monitoring are far better positioned to detect attacks early, respond effectively, and maintain secure, compliant Kubernetes environments.
