Skip to main content


Big picture

Use Calico Cloud log data for visibility and troubleshooting Kubernetes clusters.


Workloads and policies are highly dynamic. To troubleshoot Kubernetes clusters, you need logs with workload identity and context. Calico Cloud deploys an Elasticsearch cluster and Kibana instance during installation with these features:

  • Logs with workload context
  • Centralized log collection for multiple clusters for Calico Cloud multi-cluster-management
  • View Elasticsearch logs in Calico Cloud Manager UI (Kibana dashboard and Flow Visualizer), and the Elasticsearch API
  • Standard Kubernetes RBAC for granular access control to logs
  • Collect/archive logs or subset of logs
  • Log aggregation for high-volume logs
  • Configure data retention settings to manage cluster disk space
  • Integration with third-party tools like Amazon S3, Syslog, Splunk


Logs types

Elasticsearch logs provide the visibility and troubleshooting backend for Calico Cloud.

Log typeDescriptionLog sourceRBACIndex
flowNetwork flows for workloads: source and destination namespaces, pods, labels, and policiesCalico Cloud cnx-node (Felix)flowstigera_secure_ee_flows
auditAudit logs for Calico Cloud resourcesCalico Cloud apiserveraudit_eetigera_secure_ee_audit_ee
Audit logs for Kubernetes resourcesKubernetes apiserveraudit_kubetigera_secure_ee_audit_kube
Both audit logs aboveaudit*tigera_secure_ee_audit*
bgpCalico Cloud networking BGP peering and route propagationCalico Cloud cnx-node (BIRD)ee_bgptigera_secure_ee_bgp.*
dnsDNS lookups and responses from Calico Cloud domain-based policyCalico Cloud cnx-node (Felix)ee_dnstigera_secure_ee_dns
idsCalico Cloud intrusion detection events: suspicious IPs, suspicious domains, and global alertsCalico Cloud intrusion-detection-controlleree_eventstigera_secure_ee_events

Because of their high-volume, flow and dns logs support aggregation.

Default log configuration and security

Calico Cloud automatically installs fluentd on all nodes and collects flow, audit, and DNS logs. You can configure additional destinations like Amazon S3, Syslog, Splunk.

Calico Cloud enables user authentication in Elasticsearch, and secures access to Elasticsearch and Kibana instances using network policy.

RBAC and log access

You control user access to logs using the standard Kubernetes RBAC cluster role and cluster role binding. For example:

kind: ClusterRoleBinding
name: bob-es-access
- kind: User
name: bob
kind: ClusterRole
name: audit-ee-only

You configure Elasticsearch log access per cluster using RBAC and the Kubernetes API group, For example:

apiGroups: ['']
resources: ['app-cluster']
resourceNames: ['flows', 'dns']
verbs: ['get']

Logs for compliance reporting

Calico Cloud compliance reports are based on archived flow logs and audit logs for these resources:

  • Pods
  • Host endpoints
  • Service accounts
  • Namespaces
  • Kubernetes service endpoints
  • Global network sets
  • Calico Cloud and Kubernetes network policies
  • Global network policies
  • Network sets

Calico Cloud also supports archiving Cloudwatch for EKS audit logs.

Additional resources