The module lifecycle stageExperimental
The module has requirements for installation

Viewing controller and gateway logs

Controller runs in the module namespace (e.g. d8-security-events-manager). Gateway runs in the same namespace.

# Controller logs
kubectl -n d8-security-events-manager logs -l app=security-events-manager-controller -c manager --tail=200

# Gateway (Vector) logs
kubectl -n d8-security-events-manager logs -l app=gateway -c vector --tail=200

# Reloader sidecar (applies config changes, triggers Vector reload)
kubectl -n d8-security-events-manager logs -l app=gateway -c reloader --tail=100

Inspecting the generated Vector config

The controller writes the full Vector config to Secret gateway-vector-config in the module namespace. To dump the current config:

kubectl -n d8-security-events-manager get secret gateway-vector-config -o jsonpath='{.data.vector\.json}' | base64 -d | jq .

Without jq, omit the trailing | jq . to get raw JSON. Check that sources, transforms, and sinks match your ClusterSecurityEventConfig and ClusterSecurityEventDestination. More details about transform names can be found in Vector gateway config and Detailed VRL logic.

Debugging Vector inside the gateway pod

If the gateway image includes Vector CLI, you can exec into the Vector container and run:

kubectl -n d8-security-events-manager exec -it deploy/gateway -c vector -- vector validate /etc/vector/dynamic/vector.json

To see the pipeline topology (if supported by your Vector version):

kubectl -n d8-security-events-manager exec -it deploy/gateway -c vector -- vector graph /etc/vector/dynamic/vector.json

Vector API (if enabled in the image) is typically on http://127.0.0.1:8686 inside the pod; you can port-forward and call /reload or inspect health. The reloader uses this API to trigger config reloads.

Troubleshooting

  • Events not reaching a destination — verify the source string in ClusterSecurityEventConfig (enabledSources or enabledSourcesMasks). Format is clusterSecurityEventShipper/<name>/<source> or podSecurityEventShipper/<namespace>/<name>/<source>. More details about event delivery diagnostics can be found in FAQ.
  • Invalid Vector config — after changing CRs, check controller logs for reconcile errors. If the generated config is invalid, the reloader will not apply it and will set metric vector_config_validation_error=1. Check reloader logs for the validation error.
  • TLS/certificate errors — ensure ClusterSecurityEventDestination TLS and auth settings match your Loki/Elasticsearch/etc. For gateway-to-destination TLS, the ca field is base64-encoded PEM. The controller may create a CA Secret for destinations; check Secret gateway-destination-cas in the module namespace.