Details
-
Bug
-
Resolution: Not a Bug
-
Normal
-
Logging 5.4.0
-
False
-
False
-
NEW
-
OBSDA-108 - Distribute an alternate Vector Log Collector
-
VERIFIED
Description
Description of the problem:
Audit log records are missing details like the pipeline_metadata etc. Sample audit log record generated.
"_index" : "audit-000001",
"_type" : "_doc",
"_id" : "NzY1ZGEwOWQtN2Q4MS00NDAzLWJlOWMtZWRkZDY1MDY4MjNk",
"_score" : 1.0,
"_source" : {
"log_type" : "audit",
"file" : "/var/log/kube-apiserver/audit.log",
"write-index" : "audit-write",
"host" : "collector-4ncz2",
"source_type" : "file",
"message" : "{\"kind\":\"Event\",\"apiVersion\":\"audit.k8s.io/v1\",\"level\":\"Metadata\",\"auditID\":\"ee45ae5d-fa00-4a85-bb4e-acd16d590e7f\",\"stage\":\"ResponseStarted\",\"requestURI\":\"/apis/config.openshift.io/v1/infrastructures?allowWatchBookmarks=true\\u0026resourceVersion=90616\\u0026timeout=7m30s\\u0026timeoutSeconds=450\\u0026watch=true\",\"verb\":\"watch\",\"user\":{\"username\":\"system:serviceaccount:openshift-console-operator:console-operator\",\"uid\":\"166371ed-1cb5-4142-85a2-c6b93cfd7fbc\",\"groups\":[\"system:serviceaccounts\",\"system:serviceaccounts:openshift-console-operator\",\"system:authenticated\"],\"extra\":{\"authentication.kubernetes.io/pod-name\":[\"console-operator-749559d6d9-wfqzq\"],\"authentication.kubernetes.io/pod-uid\":[\"e9e832b6-9354-411f-954e-ff3c51c6b85e\"]}},\"sourceIPs\":[\"10.0.0.4\"],\"userAgent\":\"Go-http-client/2.0\",\"objectRef\":{\"resource\":\"infrastructures\",\"apiGroup\":\"config.openshift.io\",\"apiVersion\":\"v1\"},\"responseStatus\":{\"metadata\":{},\"code\":200},\"requestReceivedTimestamp\":\"2022-01-25T05:15:03.898704Z\",\"stageTimestamp\":\"2022-01-25T05:15:03.899301Z\",\"annotations\":{\"authorization.k8s.io/decision\":\"allow\",\"authorization.k8s.io/reason\":\"RBAC: allowed by ClusterRoleBinding \\\"console-operator\\\" of ClusterRole \\\"console-operator\\\" to ServiceAccount \\\"console-operator/openshift-console-operator\\\"\"}}",
"timestamp" : "2022-01-25T05:16:47.129826037Z"
}
},
Steps to reproduce the issue:
1 Deploy ClusterLogging with Vector as collector.
2 Create a ClusterLogForwarder to forward all audit, infrastructure and application logs to default Elasticsearch instance.
apiVersion: "logging.openshift.io/v1" kind: ClusterLogForwarder metadata: name: instance namespace: openshift-logging spec: pipelines: - name: application-logs inputRefs: - application - audit - infrastructure outputRefs: - default
3 Check the audit log records in Elasticsearch.
es_util --query=audit*/_search?pretty
Attachments
Issue Links
- is blocked by
-
LOG-2225 Audit log collection
-
- Closed
-
