diff --git a/host/cluster-down.yaml b/host/cluster-down.yaml
index 85e4979..2b5c10b 100644
--- a/host/cluster-down.yaml
+++ b/host/cluster-down.yaml
@@ -272,6 +272,16 @@ spec:
 echo "hostname = $(hostname)"
 echo "/proc/sys/kernel/hostname = $(cat /proc/sys/kernel/hostname)"
 echo "uname -n = $(uname -n)"
+ # Collect apiserver audit logs
+ # Note: apiserver logs are owned by root so for this collector
+ # to succeed it requires sudo privileges for the user
+ - copy:
+ collectorName: "apiserver-audit-logs"
+ path: /var/log/apiserver/k8s-audit*
+ # Collect kURL installer logs
+ - copy:
+ collectorName: "kurl-logs"
+ path: /var/log/kurl/*
 hostAnalyzers:
 - certificate:
 collectorName: k8s-api-keypair
diff --git a/in-cluster/default-kurl.yaml b/in-cluster/default-kurl.yaml
index 300486b..fb76e35 100644
--- a/in-cluster/default-kurl.yaml
+++ b/in-cluster/default-kurl.yaml
@@ -4,9 +4,15 @@ metadata:
 name: default
 spec:
 collectors:
+ - copyFromHost:
+ collectorName: "copy apiserver audit logs"
+ image: alpine
+ hostPath: "/var/log/apiserver/"
+ name: "logs"
+ extractArchive: true
 - copyFromHost:
 collectorName: "copy kURL logs"
- image: busybox:1
+ image: alpine
 hostPath: "/var/log/kurl/"
 name: "logs"
 extractArchive: true
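Review bot: The new `apiserver-audit-logs` copy collector pulls `/var/log/apiserver/k8s-audit*` into the support bundle, and nothing in the hunk says what is redacted. Audit events record user identities and, depending on the configured audit policy level, request and response bodies, while support bundles are usually shared outside the cluster's trust boundary. I would extend the existing comment with something like `# Audit logs may contain identities and request bodies; confirm redactors cover them before sharing the bundle`. The glob also matches every rotated file, so bundle size grows with log retention, and no size limit is visible on this collector. The enclosing collector list starts outside the hunk, so a limit or redactor may be defined elsewhere in the file.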
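Review bot: `image: alpine` has no tag or digest on either `copyFromHost` collector, so the pod that reads `/var/log/apiserver/` and `/var/log/kurl/` from the host runs whatever the default tag resolves to at pull time. The line it replaces was at least pinned to a major tag (`busybox:1`), so pin this one too, e.g. `image: alpine:<pinned-tag>` or an `alpine@sha256:<digest>` reference. The new collector also copies the whole `/var/log/apiserver/` directory, whereas the host spec in this commit limits itself to `k8s-audit*`; if the field accepts a narrower path, use it to keep unrelated files out of the bundle. Both collectors also share `name: "logs"`, so it is worth confirming their outputs do not collide in the bundle.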