This message was deleted.

You can use Kubernetes Audit Logging and add the respective files to fluent-bit configuration, when deploying the Rancher logging chart. Something like this in cluster configuration (RKE1):

kube-api:
      audit_log:
        configuration:
          format: json
          max_age: 6
          max_backup: 6
          max_size: 10
          path: /var/log/kube-audit/audit-log.json
          policy:
            api_version: <http://audit.k8s.io/v1|audit.k8s.io/v1>
            kind: Policy
            metadata: {}
            rules:
              - level: None
                verbs:
                  - watch
                  - list
                  - get
              - level: None
                users:
                  - 'system:kube-scheduler'
                  - 'system:kube-controller-manager'
                  - 'system:kube-proxy'
                  - 'system:serviceaccount:cattle-system:kontainer-engine'
              - level: None
                userGroups:
                  - 'system:nodes'
                  - 'system:masters'
                  - 'system:serviceaccounts:cattle-monitoring-system'
                  - 'system:serviceaccounts:elastic-system'
                  - 'system:serviceaccounts:longhorn-system'
                  - 'system:serviceaccounts:cattle-fleet-system'
                  - 'system:serviceaccounts:kube-system'
                  - 'system:serviceaccounts:ingress-nginx'
              - level: Metadata
        enabled: true

And for the logging object:

fluentbit:
    filterKubernetes:
      Match: kubernetes.var.log.containers.*
    image:

      Path: /var/log/containers/*.log,/var/log/kube-audit/audit-log.json

From there, just use whatever logging backend/frontend combination you are already feel comfortable with to create relevant reports.