Kubelet, Pod, and Container Runtime Logs
Linux, Execution Evidence, Kubernetes, Disk Image, SIEM / Log Aggregator
Location
journalctl -u kubelet, /var/log/pods/, /var/log/containers/, and CRI runtime metadata
Description
Node-level Kubernetes evidence: the kubelet service journal, the per-container log files the runtime writes under /var/log/pods/ (one file per container restart), the kubelet-maintained symlinks to them in /var/log/containers/, and the container runtime's metadata and event traces for workloads scheduled on the node.
Forensic Value
Kubelet and pod logs show how attacker workloads behaved once they reached a node. They reveal crash loops, repeated exec attempts, pulled images, container restarts, privilege errors, and the stdout/stderr of each container, which is written on the node and so survives cleanup performed inside the container.
Tools Required
journalctl, tar, kubectl, crictl
Collection Commands
journalctl
journalctl -u kubelet --since "2026-03-01" > /forensics/output/kubelet_journal.txt
tar
tar czf /forensics/output/kubernetes_pod_logs.tar.gz /var/log/pods /var/log/containers 2>/dev/null
crictl
crictl ps -a > /forensics/output/crictl_ps.txt
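Once the tarball above is on the analysis host, the files under /var/log/pods are in the CRI log format (RFC3339Nano timestamp, stream, a P/F partial-line tag, message), and the names under /var/log/containers and /var/log/pods encode pod, namespace, container, container ID and restart count. The following is an added example, not part of the original page: it resolves both naming schemes and reassembles partial lines, keeping unparsed and truncated lines visible instead of dropping them. It assumes a CRI runtime (containerd or CRI-O) with the kubelet's default log layout; Docker's legacy json-file format is not handled. The sample log lines and the privilege-error keyword list are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Added example (not from the original page). Assumes the kubelet's default log layout
# and the CRI log format used by containerd and CRI-O; Docker json-file logs are NOT handled.

# /var/log/containers/<pod_name>_<namespace>_<container_name>-<container_id>.log
# Pod and container names may contain hyphens; the container ID is the trailing 64 hex chars.
CONTAINER_LOG_RE = re.compile(
    r"^(?P<pod>[^_]+)_(?P<namespace>[^_]+)_(?P<container>.+)-(?P<container_id>[0-9a-f]{64})\.log$"
)

# CRI log line: <RFC3339Nano timestamp> <stdout|stderr> <P|F> <message>
# P = partial (more fragments of this line follow), F = full (line complete).
CRI_LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<stream>stdout|stderr) (?P<tag>[PF]) (?P<msg>.*)$")


def parse_container_log_name(path: str) -> dict:
    """Resolve a /var/log/containers symlink name to pod, namespace, container and container ID."""
    m = CONTAINER_LOG_RE.match(PurePosixPath(path).name)
    if not m:
        raise ValueError(f"not a kubelet container log name: {path}")
    return m.groupdict()


def parse_pod_log_path(path: str) -> dict:
    """Resolve /var/log/pods/<namespace>_<pod>_<pod_uid>/<container>/<n>.log.

    <n> is the restart count of that container, so a directory holding
    0.log .. 7.log is eight attempts: a crash loop or repeated kills.
    """
    p = PurePosixPath(path)
    if not p.stem.isdigit() or p.suffix != ".log":
        raise ValueError(f"not a pod log file: {path}")
    namespace, pod, pod_uid = p.parent.parent.name.split("_", 2)
    return {
        "namespace": namespace,
        "pod": pod,
        "pod_uid": pod_uid,
        "container": p.parent.name,
        "restart_count": int(p.stem),
    }


def parse_cri_log(text: str) -> list:
    """Reassemble CRI-format log lines into complete records, one per logical line.

    Partial (P) fragments are buffered per stream and joined when the closing F line
    arrives; the timestamp of the first fragment is kept. Lines that do not match the
    format are returned as 'unparsed' rather than dropped, so a foreign format or an
    in-place edit stays visible. Fragments still open at EOF are flagged 'truncated'
    (log rotation, or the container was killed mid-write).
    """
    records = []
    pending = {}  # stream -> [first_ts, [fragments]]
    for lineno, line in enumerate(text.splitlines(), 1):
        m = CRI_LINE_RE.match(line)
        if not m:
            records.append({"line": lineno, "unparsed": line})
            continue
        ts, stream, tag, msg = m.group("ts", "stream", "tag", "msg")
        entry = pending.setdefault(stream, [ts, []])
        entry[1].append(msg)
        if tag == "F":
            del pending[stream]
            records.append({"ts": entry[0], "stream": stream, "message": "".join(entry[1])})
    for stream, (first_ts, frags) in pending.items():
        records.append({"ts": first_ts, "stream": stream, "message": "".join(frags), "truncated": True})
    return records


def privilege_errors(records: list) -> list:
    """Return stderr records that look like privilege failures. Keyword list is an assumption."""
    needles = ("permission denied", "operation not permitted")
    return [r for r in records if r.get("stream") == "stderr"
            and any(n in r["message"].lower() for n in needles)]


# Constructed sample: one stderr line written in two fragments with a stdout line in
# between, followed by a line that is not in CRI format at all.
SAMPLE_LOG = (
    "2026-03-01T10:15:30.000000001Z stdout F starting worker\n"
    "2026-03-01T10:15:31.000000002Z stderr P sh: mount: permission\n"
    "2026-03-01T10:15:31.000000003Z stdout F heartbeat\n"
    "2026-03-01T10:15:31.000000004Z stderr F  denied\n"
    "garbage line\n"
)

if __name__ == "__main__":
    for rec in parse_cri_log(SAMPLE_LOG):
        print(rec)
    print(privilege_errors(parse_cri_log(SAMPLE_LOG)))
    print(parse_container_log_name("/var/log/containers/web-7d9c_default_nginx-" + "a" * 64 + ".log"))
    print(parse_pod_log_path("/var/log/pods/default_web-7d9c_1b2c3d4e-0000-4000-8000-000000000000/nginx/3.log"))
```

Run it against the extracted /var/log/pods tree rather than the symlinks in /var/log/containers, since the symlinks only resolve if both directories were collected together; the restart count from parse_pod_log_path is what turns a pile of N.log files into the crash-loop observation the Forensic Value section describes.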
Collection Constraints
- Paths and log sources vary by distribution, init system, logging stack, and installed packages. Validate the active distro and service set before treating absence as meaningful.
- Centralized log copies may normalize, truncate, or drop fields relative to the original on-host artifact. Preserve the local source when scope and access permit.
- Node and pod logs can rotate quickly on busy clusters or after attacker cleanup, so early export matters. The kubelet keeps only a bounded number of files per container (its containerLogMaxSize and containerLogMaxFiles settings), and the entries in /var/log/containers/ are symlinks into /var/log/pods/, so collect both directories together or the links will not resolve offline.
- These logs are workload-scoped: they show what ran on the node, not which identity requested it. Correlate with API server audit logs or other control-plane evidence for full attribution.
MITRE ATT&CK Techniques
T1610 (Deploy Container), T1611 (Escape to Host), T1059 (Command and Scripting Interpreter)