The module lifecycle stage: Experimental
The module has requirements for installation
Viewing controller and gateway logs
Controller runs in the module namespace (e.g. d8-security-events-manager). Gateway runs in the same namespace.
# Controller logs
kubectl -n d8-security-events-manager logs -l app=security-events-manager-controller -c manager --tail=200
# Gateway (Vector) logs
kubectl -n d8-security-events-manager logs -l app=gateway -c vector --tail=200
# Reloader sidecar (applies config changes, triggers Vector reload)
kubectl -n d8-security-events-manager logs -l app=gateway -c reloader --tail=100Inspecting the generated Vector config
The controller writes the full Vector config to Secret gateway-vector-config in the module namespace. To dump the current config:
kubectl -n d8-security-events-manager get secret gateway-vector-config -o jsonpath='{.data.vector\.json}' | base64 -d | jq .Without jq, omit the trailing | jq . to get raw JSON. Check that sources, transforms, and sinks match your ClusterSecurityEventConfig and ClusterSecurityEventDestination. More details about transform names can be found in Vector gateway config and Detailed VRL logic.
Debugging Vector inside the gateway pod
If the gateway image includes Vector CLI, you can exec into the Vector container and run:
kubectl -n d8-security-events-manager exec -it deploy/gateway -c vector -- vector validate /etc/vector/dynamic/vector.jsonTo see the pipeline topology (if supported by your Vector version):
kubectl -n d8-security-events-manager exec -it deploy/gateway -c vector -- vector graph /etc/vector/dynamic/vector.jsonVector API (if enabled in the image) is typically on http://127.0.0.1:8686 inside the pod; you can port-forward and call /reload or inspect health. The reloader uses this API to trigger config reloads.
Troubleshooting
- Events not reaching a destination — verify the source string in ClusterSecurityEventConfig (
enabledSourcesorenabledSourcesMasks). Format isclusterSecurityEventShipper/<name>/<source>orpodSecurityEventShipper/<namespace>/<name>/<source>. More details about event delivery diagnostics can be found in FAQ. - Invalid Vector config — after changing CRs, check controller logs for reconcile errors. If the generated config is invalid, the reloader will not apply it and will set metric
vector_config_validation_error=1. Check reloader logs for the validation error. - TLS/certificate errors — ensure ClusterSecurityEventDestination TLS and auth settings match your Loki/Elasticsearch/etc. For gateway-to-destination TLS, the
cafield is base64-encoded PEM. The controller may create a CA Secret for destinations; check Secretgateway-destination-casin the module namespace.