Kubelet, Pod, and Container Runtime Logs

Linux, Execution Evidence, Kubernetes, Disk Image, SIEM / Log Aggregator

Location

journalctl -u kubelet, /var/log/pods/, /var/log/containers/, and CRI runtime metadata

Description

Node-level Kubernetes evidence: the kubelet's systemd journal entries (including the conditions it reports upstream as Kubernetes events), the per-container log files under /var/log/pods/ (one directory per pod, one file per container restart), the /var/log/containers/ symlinks that point into them, and the CRI runtime's own record of containers, images and exit codes for the workloads scheduled on the node.

Forensic Value

Kubelet and pod logs show how attacker workloads behaved once they reached a node: image pulls, container creation and restarts, crash loops, failed exec or attach requests, permission and probe errors, and the stdout/stderr the container actually wrote. Because the kubelet writes these files on the node rather than inside the container, they survive an attacker truncating or deleting logs within the workload, and at least the immediately previous instance's log file is kept across a container restart until the pod itself is removed.
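The on-node log layout is what makes that stdout/stderr recoverable and attributable. The kubelet stores each container's output at /var/log/pods/<namespace>_<pod>_<pod-uid>/<container>/<restart-count>.log, and the CRI runtime writes one line per fragment in the form `<RFC3339Nano timestamp> <stdout|stderr> <P|F> <content>`, where P marks a partial fragment of a long line and F the fragment that completes it. The following helpers, added here as an illustration and not taken from the page, reassemble those fragments and split the path and symlink names back into namespace, pod, UID, container and restart count, which are the same fields you need to correlate a line with API audit records. The sample log and paths are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): parse the on-node pod log
# layout produced by the kubelet and the CRI runtime.
#   /var/log/pods/<namespace>_<pod>_<pod-uid>/<container>/<restart-count>.log
#   /var/log/containers/<pod>_<namespace>_<container>-<container-id>.log
#   each line: <RFC3339Nano timestamp> <stdout|stderr> <P|F> <content>
# All sample data below is constructed for illustration.

# Constructed sample: a worker whose stderr error was split into two fragments.
SAMPLE_CRI_LOG='2026-03-02T10:15:01.000000001Z stdout F starting worker
2026-03-02T10:15:02.000000002Z stderr P permission denied: open
2026-03-02T10:15:02.000000003Z stderr F  /etc/shadow
2026-03-02T10:15:03.000000004Z stdout F done'
SAMPLE_LOG_PATH=/var/log/pods/default_web-7c9d_1a2b3c4d-5e6f-7890-abcd-ef0123456789/nginx/1.log

# Reassemble CRI log lines read from stdin. P fragments are buffered per
# stream and joined onto the F line that closes them; the timestamp printed
# is the first fragment's. Output: "<timestamp> <stream> <text>".
reassemble_cri_log() {        # arg: stdout | stderr | all
    awk -v want="$1" '
        {
            ts = $1; stream = $2; tag = $3
            # content starts after three single-space separated fields
            text = substr($0, length($1) + length($2) + length($3) + 4)
        }
        want != "all" && stream != want { next }
        tag == "P" {
            if (!(stream in first)) first[stream] = ts
            buf[stream] = buf[stream] text
            next
        }
        {
            start = (stream in first) ? first[stream] : ts
            print start, stream, buf[stream] text
            delete buf[stream]; delete first[stream]
        }
    '
}

# Split a /var/log/pods file path. Namespaces and pod names never contain
# "_", so the pod directory splits unambiguously on it; the file name is
# <restart-count>.log, possibly followed by a rotation suffix and .gz.
attribute_pod_log_path() {    # arg: path; prints "ns pod uid container restart"
    file=${1##*/}
    rest=${1%/*}
    container=${rest##*/}
    rest=${rest%/*}
    poddir=${rest##*/}
    ns=${poddir%%_*}
    uid=${poddir##*_}
    pod=${poddir#"$ns"_}
    pod=${pod%_"$uid"}
    restart=${file%%.*}
    printf '%s %s %s %s %s\n' "$ns" "$pod" "$uid" "$container" "$restart"
}

# Split a /var/log/containers symlink name. Container names may contain
# "-", so the container ID is everything after the last "-".
attribute_container_symlink() {   # arg: path; prints "ns pod container id"
    name=${1##*/}; name=${name%.log}
    id=${name##*-}; name=${name%-"$id"}
    pod=${name%%_*}; rest=${name#"$pod"_}
    ns=${rest%%_*}; container=${rest#"$ns"_}
    printf '%s %s %s %s\n' "$ns" "$pod" "$container" "$id"
}
```

Run `reassemble_cri_log stderr < 1.log` against a collected file to recover error output with long lines rejoined; the namespace, pod name and pod UID that attribute_pod_log_path prints are the objectRef fields to search for in the API server audit log when tying the node-side output back to the request that created the workload.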

Tools Required

journalctl, tar, kubectl, crictl

Collection Commands

journalctl

journalctl -u kubelet --since "2026-03-01" > /forensics/output/kubelet_journal.txt

tar

tar czf /forensics/output/kubernetes_pod_logs.tar.gz /var/log/pods /var/log/containers 2>/dev/null

crictl

crictl ps -a > /forensics/output/crictl_ps.txt
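The three commands above combined into one collection script, added here as an illustration and not taken from the page: it exports the kubelet journal as text and in the journal export format (which keeps per-entry metadata such as the boot ID and cursor that the text rendering drops), archives both log trees without discarding tar's errors, adds crictl inspect output for every container, and writes a SHA-256 manifest so the export can be verified afterwards. The output file names and layout are this script's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): one-pass node collection of
# the kubelet journal, pod/container logs and CRI state, with a SHA-256
# manifest. Output names and layout are this script's assumptions.
# Run as root on the node:  sh collect_k8s_node.sh /forensics/output 2026-03-01
set -eu

sha256_of() {                 # arg: file; GNU coreutils first, BSD fallback
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Kubelet journal: a readable text copy plus the export format, which keeps
# per-entry metadata (boot ID, monotonic timestamp, cursor).
export_kubelet_journal() {    # args: <since> <outdir>
    journalctl -u kubelet --since "$1" --no-pager -o short-iso-precise > "$2/kubelet_journal.txt"
    journalctl -u kubelet --since "$1" -o export > "$2/kubelet_journal.export"
}

# Pod and container logs: archive both trees relative to the log root so the
# /var/log/containers symlinks stay symlinks and their targets under
# /var/log/pods travel in the same archive. tar's complaints (files rotated
# away mid-copy, unreadable entries) are kept in a file, not discarded.
collect_pod_logs() {          # args: <log root, normally /var/log> <outdir>
    tar -czf "$2/kubernetes_pod_logs.tar.gz" -C "$1" pods containers 2>"$2/tar_errors.txt" || true
    tar -tvzf "$2/kubernetes_pod_logs.tar.gz" > "$2/pod_log_listing.txt"
}

# CRI runtime state: the ps table plus per-container inspect output, which
# carries the image digest, exit code, mounts and start/finish times that
# the table truncates.
snapshot_cri() {              # arg: <outdir>
    crictl ps -a > "$1/crictl_ps.txt"
    crictl pods > "$1/crictl_pods.txt"
    crictl images > "$1/crictl_images.txt"
    crictl ps -a -q | while read -r cid; do
        crictl inspect "$cid" > "$1/inspect_$cid.json" 2>>"$1/crictl_errors.txt" || true
    done
}

# Hash everything collected so far into SHA256SUMS (sha256sum -c format).
write_manifest() {            # arg: <outdir>
    : > "$1/SHA256SUMS"
    for f in "$1"/*; do
        [ -f "$f" ] && [ "$(basename "$f")" != SHA256SUMS ] || continue
        printf '%s  %s\n' "$(sha256_of "$f")" "$(basename "$f")" >> "$1/SHA256SUMS"
    done
}

main() {                      # args: <outdir> [since]
    mkdir -p "$1"
    export_kubelet_journal "${2:-1970-01-01}" "$1"
    collect_pod_logs /var/log "$1"
    snapshot_cri "$1"
    write_manifest "$1"
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Verify a copy later with `sha256sum -c SHA256SUMS` in the output directory; the export-format journal can be turned back into a journal file on an analysis host with systemd-journal-remote, so journalctl's filtering and cursor handling remain available off the node.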

Collection Constraints

  • Node and pod logs rotate quickly on busy clusters (the kubelet caps file size and count per container) and are an early target of attacker cleanup, so export them before anything else on the node.
  • Deleting a pod removes its directory under /var/log/pods/ and the matching /var/log/containers/ symlinks, so a workload the attacker removed before collection leaves only kubelet journal entries and CRI runtime metadata behind.
  • These logs are scoped to the workload and the node; they show what ran, not who asked for it, and must be correlated with API server audit or other control-plane evidence for full attribution.

MITRE ATT&CK Techniques

T1610 (Deploy Container), T1611 (Escape to Host), T1059 (Command and Scripting Interpreter)