Uploaded image for project: 'OpenShift Logging'
  1. OpenShift Logging
  2. LOG-2411

[Vector] Audit logs forwarding not working.

XMLWordPrintable

      Cluster-logging.5.4.0-103

      Server Version: 4.10.0-0.nightly-2022-03-23-153617

      Kubernetes Version: v1.23.5+b0357ed

      Description of problem:

      No audit logs are forwarded to the log store when a ClusterLogForwarder is created to forward audit logs.

      Version-Release number of selected component (if applicable):

      NAME                               DISPLAY                            VERSION     REPLACES   PHASE

      cluster-logging.5.4.0-103          Red Hat OpenShift Logging          5.4.0-103              Succeeded

      elasticsearch-operator.5.4.0-117   OpenShift Elasticsearch Operator   5.4.0-117              Succeeded

      How reproducible:

      Always

      Steps to reproduce the issue:

      1 Install the Cluster Logging and Elasticsearch 5.4 operators.

      2 Create a Cluster Logging instance with Vector as collector.

      apiVersion: "logging.openshift.io/v1"
      kind: "ClusterLogging"
      metadata:
        name: "instance" 
        namespace: "openshift-logging"
        annotations:
          logging.openshift.io/preview-vector-collector: enabled
      spec:
        managementState: "Managed"  
        logStore:
          type: "elasticsearch"  
          retentionPolicy: 
            application:
              maxAge: 10h
            infra:
              maxAge: 10h
            audit:
              maxAge: 10h
          elasticsearch:
            nodeCount: 1 
            storage: {} 
            resources: 
                limits:
                  memory: "4Gi"
                requests:
                  memory: "1Gi"
            proxy: 
              resources:
                limits:
                  memory: 256Mi
                requests:
                  memory: 256Mi
            redundancyPolicy: "ZeroRedundancy"
        visualization:
          type: "kibana"  
          kibana:
            replicas: 1
        collection:
          logs:
            type: "vector"  
            vector: {}
       

      3 Create a ClusterLogForwarder to forward all log types to the default log store.

      apiVersion: logging.openshift.io/v1
      kind: ClusterLogForwarder
      metadata:
        name: instance
        namespace: openshift-logging
      spec:
        pipelines:
        - name: to-es
          inputRefs:
          - infrastructure
          - audit
          - application
          outputRefs:
          - default 

      4 Check the indices in the Elasticsearch log store.

      sh-4.4$ indices
      Thu Mar 24 07:26:33 UTC 2022
      health status index        uuid                   pri rep docs.count docs.deleted store.size pri.store.size
      green  open   app-000001   xwXMh1kTSueECO_LcRhNlQ   1   0       3161            0          0              0
      green  open   audit-000001 ZQoxHEdUQ8-o8REAZ3OvwQ   1   0          0            0          0              0
      green  open   .kibana_1    HwLS-h4oQFaNGAfO-6Yjuw   1   0          0            0          0              0
      green  open   .security    sn8k-siVQzSqmvOKa8LpaA   1   0          6            0          0              0
      green  open   infra-000001 ZyXxB_VwR4GhIh_SiF-8wA   1   0      50618            0         20             20
       

      Additional details:

      Attached the generated vector.toml file. 

            vimalkum@redhat.com Vimal Kumar
            rhn-support-ikanse Ishwar Kanse
            Ishwar Kanse Ishwar Kanse
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: