Loading...

XML

Word

Printable

Type: Bug
Resolution: Not a Bug
Priority: Normal
Fix Version/s: Logging 5.5.0
Affects Version/s: Logging 5.4.0
Component/s: Log Collection
Labels:
- devel_ack+

Blocked:
False
Ready:
False
Epic Link:
Deploy Vector Collector as a GA offering (Phase 1)
Docs QE Status:
NEW
Feature Link:
OBSDA-108 - Distribute an alternate Vector Log Collector
QE Status:
VERIFIED
Market:

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

Description of the problem:

Audit log records are missing details like the pipeline_metadata etc. Sample audit log record generated.

        "_index" : "audit-000001",
        "_type" : "_doc",
        "_id" : "NzY1ZGEwOWQtN2Q4MS00NDAzLWJlOWMtZWRkZDY1MDY4MjNk",
        "_score" : 1.0,
        "_source" : {
          "log_type" : "audit",
          "file" : "/var/log/kube-apiserver/audit.log",
          "write-index" : "audit-write",
          "host" : "collector-4ncz2",
          "source_type" : "file",
          "message" : "{\"kind\":\"Event\",\"apiVersion\":\"audit.k8s.io/v1\",\"level\":\"Metadata\",\"auditID\":\"ee45ae5d-fa00-4a85-bb4e-acd16d590e7f\",\"stage\":\"ResponseStarted\",\"requestURI\":\"/apis/config.openshift.io/v1/infrastructures?allowWatchBookmarks=true\\u0026resourceVersion=90616\\u0026timeout=7m30s\\u0026timeoutSeconds=450\\u0026watch=true\",\"verb\":\"watch\",\"user\":{\"username\":\"system:serviceaccount:openshift-console-operator:console-operator\",\"uid\":\"166371ed-1cb5-4142-85a2-c6b93cfd7fbc\",\"groups\":[\"system:serviceaccounts\",\"system:serviceaccounts:openshift-console-operator\",\"system:authenticated\"],\"extra\":{\"authentication.kubernetes.io/pod-name\":[\"console-operator-749559d6d9-wfqzq\"],\"authentication.kubernetes.io/pod-uid\":[\"e9e832b6-9354-411f-954e-ff3c51c6b85e\"]}},\"sourceIPs\":[\"10.0.0.4\"],\"userAgent\":\"Go-http-client/2.0\",\"objectRef\":{\"resource\":\"infrastructures\",\"apiGroup\":\"config.openshift.io\",\"apiVersion\":\"v1\"},\"responseStatus\":{\"metadata\":{},\"code\":200},\"requestReceivedTimestamp\":\"2022-01-25T05:15:03.898704Z\",\"stageTimestamp\":\"2022-01-25T05:15:03.899301Z\",\"annotations\":{\"authorization.k8s.io/decision\":\"allow\",\"authorization.k8s.io/reason\":\"RBAC: allowed by ClusterRoleBinding \\\"console-operator\\\" of ClusterRole \\\"console-operator\\\" to ServiceAccount \\\"console-operator/openshift-console-operator\\\"\"}}",
          "timestamp" : "2022-01-25T05:16:47.129826037Z"
        }
      },

Steps to reproduce the issue:

1 Deploy ClusterLogging with Vector as collector.

2 Create a ClusterLogForwarder to forward all audit, infrastructure and application logs to default Elasticsearch instance.

apiVersion: "logging.openshift.io/v1"
kind: ClusterLogForwarder
metadata:
  name: instance 
  namespace: openshift-logging 
spec:
  pipelines:
   - name: application-logs 
     inputRefs: 
     - application
     - audit
     - infrastructure
     outputRefs:
     - default

3 Check the audit log records in Elasticsearch.

es_util --query=audit*/_search?pretty

is blocked by

LOG-2225 Audit log collection

Closed

Assignee:: Unassigned

Reporter:: Ishwar Kanse

QA Contact:: Ishwar Kanse

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2022/01/25 6:25 AM

Updated:: 2022/08/12 5:05 PM

Resolved:: 2022/04/22 4:03 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates