Kubelet Node-Level Logs
Location
Kubelet systemd journal on each node (`journalctl -u kubelet`). Where the kubelet has been configured to log to a file instead of stderr/journald, the file is typically /var/log/kubelet.log; on most current distributions only the journal exists.
Description
Per-node logs from the kubelet agent recording pod lifecycle events (creation, start, stop, termination), image pulls, volume mounts, PLEG (Pod Lifecycle Event Generator) events, and errors. Useful for reconstructing activity on a specific node when cluster-level logs are insufficient.
Forensic Value
Kubelet logs fill the gap between the control-plane audit log and container runtime events: they record the node's own view of pod startup, image pulls (with the exact image reference that was resolved), the start of injected sidecar containers, PLEG container start/stop events, and health-probe failures. They are critical when a compromised container was evicted or replaced before capture and only node-level records remain.
Tools Required
Collection Commands
journalctl
journalctl -u kubelet --since "2026-03-01" --until "2026-03-07" --output=json > kubelet.json
kubectl (node debug)
kubectl debug node/<node-name> -it --image=busybox -- chroot /host journalctl -u kubelet
Collection Constraints
- Managed-cluster node access is often restricted; node-debug containers or provider-specific mechanisms are required
- Journald rotation and size limits on the node determine how far back logs survive; check retention before assuming a window is covered
MITRE ATT&CK Techniques
References
Used in Procedures
Related Blockers
Compromised Image Pulled from Untracked Registry
The running container image cannot be traced to a specific, approved build: it was pulled from an external or unapproved registry, built outside standard CI/CD, or has a non-deterministic tag like `:latest`. Provenance is missing, SBOM is unavailable, and the malicious content cannot be distinguished from a legitimate base.
Ephemeral Container Terminated Before Evidence Capture
The compromised container was terminated, evicted, or replaced (pod restart, autoscaling event, deployment rollout) before forensic evidence could be collected. The container filesystem and local state are gone; response must pivot to control-plane audit, node-level artifacts, and image-registry provenance.
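The following script is an added example, not code from this page or from Kubernetes. It reconstructs a single pod's lifecycle from the `journalctl -u kubelet --output=json` export described under Collection Commands, which is the pivot both blockers above point to: PLEG start/died events stand in for the vanished container filesystem, and the image-pull events give the exact reference that was resolved so its provenance can be checked (a ref with no digest, or a mutable tag such as `:latest`, cannot be tied to one build). The journal records, pod names, container IDs and image references are constructed for the example, and the message wording is illustrative of the kubelet's klog output; wording changes between versions, so the parser keys on the klog prefix and `key=value` pairs rather than on exact message text.

```python
"""Rebuild a per-pod timeline from a journald JSON export of the kubelet unit.

Added example; not code from the page or from Kubernetes. Input is what
`journalctl -u kubelet -o json` emits: one JSON object per line carrying
__REALTIME_TIMESTAMP (microseconds since the epoch) and a klog MESSAGE:
    I0303 14:22:01.123456    1234 file.go:123] "Message" key="value" k2={...}
All records below are constructed; pod names, IDs and image refs are made up.
"""
import json
import re
from datetime import datetime, timedelta, timezone

KLOG_RE = re.compile(r'^[IWEF]\d{4} \d{2}:\d{2}:\d{2}\.\d+\s+\d+ (?P<src>[^\]]+)\] (?P<body>.*)$')
MSG_RE = re.compile(r'^("(?:[^"\\]|\\.)*")\s*(.*)$', re.S)                  # leading quoted message
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\[[^\]]*\]|\{[^}]*\}|\S+)')   # key=value pairs
IMAGE_RE = re.compile(r'image "([^"]+)"')                                    # inside event messages
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def _decode(v):
    """klog quotes values Go-%q style, which is JSON-compatible for ordinary text."""
    if v[:1] in '"[{':
        try:
            return json.loads(v)
        except ValueError:
            pass
    return v


def parse_journal_line(line):
    """One journald JSON record -> {ts, src, msg, fields}, or None for non-klog lines."""
    rec = json.loads(line)
    m = KLOG_RE.match(rec.get("MESSAGE", ""))
    if not m:
        return None  # Go panic traces, systemd's own unit messages, etc.
    body = m.group("body")
    msg, rest = "", body
    mm = MSG_RE.match(body)
    if mm:
        msg, rest = _decode(mm.group(1)), mm.group(2)
    # Order by journald's clock: the klog prefix carries no year and is local time.
    ts = EPOCH + timedelta(microseconds=int(rec["__REALTIME_TIMESTAMP"]))
    return {"ts": ts, "src": m.group("src"), "msg": msg,
            "fields": {k: _decode(v) for k, v in KV_RE.findall(rest)}}


def mentions_pod(entry, pod_ref):
    """pod_ref is "namespace/name", the form kubelet uses in pod=, object= and pods=."""
    f = entry["fields"]
    ns, name = pod_ref.split("/", 1)
    if pod_ref in (f.get("pod"), f.get("object")) or pod_ref in (f.get("pods") or []):
        return True
    return f"{name}_{ns}" in str(f.get("message", ""))  # event text uses name_namespace(uid)


def pod_timeline(lines, pod_ref):
    entries = [e for e in map(parse_journal_line, filter(str.strip, lines)) if e]
    entries.sort(key=lambda e: e["ts"])
    return [e for e in entries if mentions_pod(e, pod_ref)]


def pleg_events(timeline):
    """(Type, container id) from PLEG lines: the node's own record of start/stop."""
    return [(e["fields"]["event"]["Type"], e["fields"]["event"]["Data"])
            for e in timeline if "PLEG" in e["msg"] and isinstance(e["fields"].get("event"), dict)]


def image_pulls(timeline):
    """(reason, image ref) from the image-pull events the kubelet logged for the pod."""
    out = []
    for e in timeline:
        if e["fields"].get("reason") in ("Pulling", "Pulled", "Failed", "BackOff"):
            m = IMAGE_RE.search(str(e["fields"].get("message", "")))
            if m:
                out.append((e["fields"]["reason"], m.group(1)))
    return out


def provenance_flags(image):
    """Why a pulled ref cannot be tied to one build: no digest and/or a mutable tag."""
    if "@sha256:" in image:
        return []
    last = image.rsplit("/", 1)[-1]                        # name[:tag] without registry/path
    tag = last.split(":", 1)[1] if ":" in last else "latest"
    return ["no digest"] + (["mutable tag :latest"] if tag == "latest" else [])


POD = "default/web-7d9f8b6c5-abcde"  # constructed pod reference


def _rec(us, message):
    return {"__REALTIME_TIMESTAMP": str(us), "_HOSTNAME": "node-a",
            "SYSLOG_IDENTIFIER": "kubelet", "MESSAGE": message}


# Constructed records standing in for `journalctl -u kubelet -o json` output (2026-03-03 UTC).
SAMPLE_LINES = [json.dumps(r) for r in [
    _rec(1772547721123456, 'I0303 14:22:01.123456    1234 kubelet.go:2466] "SyncLoop ADD" source="api" pods=["default/web-7d9f8b6c5-abcde"]'),
    _rec(1772547721500000, 'I0303 14:22:01.500000    1234 event.go:298] "Event occurred" object="default/web-7d9f8b6c5-abcde" fieldPath="spec.containers{app}" kind="Pod" type="Normal" reason="Pulling" message="Pulling image \\"registry.example.com/app:latest\\""'),
    _rec(1772547723000000, 'I0303 14:22:03.000000    1234 event.go:298] "Event occurred" object="default/web-7d9f8b6c5-abcde" fieldPath="spec.containers{app}" kind="Pod" type="Normal" reason="Pulled" message="Successfully pulled image \\"registry.example.com/app:latest\\" in 1.5s"'),
    _rec(1772547723200000, 'I0303 14:22:03.200000    1234 kubelet.go:2484] "SyncLoop (PLEG): event for pod" pod="default/web-7d9f8b6c5-abcde" event={"ID":"8f2c1d","Type":"ContainerStarted","Data":"c1"}'),
    _rec(1772547725000000, 'I0303 14:22:05.000000    1234 kubelet.go:2484] "SyncLoop (PLEG): event for pod" pod="default/other-5f6d7-zzzzz" event={"ID":"a0b1c2","Type":"ContainerStarted","Data":"c9"}'),
    _rec(1772547910000000, 'I0303 14:25:10.000000    1234 kubelet.go:2484] "SyncLoop (PLEG): event for pod" pod="default/web-7d9f8b6c5-abcde" event={"ID":"8f2c1d","Type":"ContainerDied","Data":"c1"}'),
    _rec(1772547911000000, 'I0303 14:25:11.000000    1234 event.go:298] "Event occurred" object="default/web-7d9f8b6c5-abcde" fieldPath="spec.containers{app}" kind="Pod" type="Warning" reason="BackOff" message="Back-off restarting failed container app in pod web-7d9f8b6c5-abcde_default(8f2c1d)"'),
    _rec(1772547912000000, 'goroutine 1 [running]:'),  # non-klog line, skipped by the parser
]]

if __name__ == "__main__":
    tl = pod_timeline(SAMPLE_LINES, POD)
    for e in tl:
        print(e["ts"].isoformat(), e["src"], e["msg"], e["fields"].get("reason", ""))
    print("PLEG:", pleg_events(tl))
    for reason, image in image_pulls(tl):
        print(reason, image, provenance_flags(image))
```

On a real node, feed it the kubelet.json produced by the journalctl command above (`pod_timeline(open("kubelet.json"), "ns/pod")`). Ordering uses journald's `__REALTIME_TIMESTAMP` rather than the klog prefix because the prefix has no year and follows the node's local clock; keep both, since a disagreement between them is itself worth noting in the timeline. Rotation still applies: if the pod's `SyncLoop ADD` line is older than the journal's retention, the timeline will start mid-life and the gap should be recorded, not assumed.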