Skip to main content
Version: 3.18 (latest)


Big picture

Use Calico Enterprise log data for visibility and troubleshooting Kubernetes clusters.


Workloads and policies are highly dynamic. To troubleshoot Kubernetes clusters, you need logs with workload identity and context. Calico Enterprise deploys an Elasticsearch cluster and Kibana instance during installation with these features:

  • Logs with workload context
  • Centralized log collection for multiple clusters for Calico Enterprise multi-cluster-management
  • View Elasticsearch logs in Calico Enterprise Manager UI (Kibana dashboard and Flow Visualizer), and the Elasticsearch API
  • Standard Kubernetes RBAC for granular access control to logs
  • Collect/archive logs or subset of logs
  • Log aggregation for high-volume logs
  • Configure data retention settings to manage cluster disk space
  • Integration with third-party tools like Amazon S3, Syslog, Splunk


Logs types

Elasticsearch logs provide the visibility and troubleshooting backend for Calico Enterprise.

Log typeDescriptionLog sourceRBACIndex
flowNetwork flows for workloads: source and destination namespaces, pods, labels, and policiesCalico Enterprise cnx-node (Felix)flowstigera_secure_ee_flows.*
auditAudit logs for Calico Enterprise resourcesCalico Enterprise apiserveraudit_eetigera_secure_ee_audit_ee.*
Audit logs for Kubernetes resourcesKubernetes apiserveraudit_kubetigera_secure_ee_audit_kube.*
Both audit logs aboveaudit*tigera_secure_ee_audit*
bgpCalico Enterprise networking BGP peering and route propagationCalico Enterprise cnx-node (BIRD)ee_bgptigera_secure_ee_bgp.*
dnsDNS lookups and responses from Calico Enterprise domain-based policyCalico Enterprise cnx-node (Felix)ee_dnstigera_secure_ee_dns.*
idsCalico Enterprise intrusion detection events: suspicious IPs, suspicious domains, and global alertsCalico Enterprise intrusion-detection-controlleree_eventstigera_secure_ee_events.*

Because of their high-volume, flow and dns logs support aggregation.

Default log configuration and security

Calico Enterprise automatically installs fluentd on all nodes and collects flow, audit, and DNS logs. You can configure additional destinations like Amazon S3, Syslog, Splunk.

Calico Enterprise enables user authentication in Elasticsearch, and secures access to Elasticsearch and Kibana instances using network policy.

RBAC and log access

You control user access to logs using the standard Kubernetes RBAC cluster role and cluster role binding. For example:

kind: ClusterRoleBinding
name: bob-es-access
- kind: User
name: bob
kind: ClusterRole
name: audit-ee-only

You configure Elasticsearch log access per cluster using RBAC and the Kubernetes API group, For example:

apiGroups: ['']
resources: ['app-cluster']
resourceNames: ['flows', 'dns']
verbs: ['get']

Logs for compliance reporting

Calico Enterprise compliance reports are based on archived flow logs and audit logs for these resources:

  • Pods
  • Host endpoints
  • Service accounts
  • Namespaces
  • Kubernetes service endpoints
  • Global network sets
  • Calico Enterprise and Kubernetes network policies
  • Global network policies
  • Network sets

Calico Enterprise also supports archiving Cloudwatch for EKS audit logs.

Additional resources