  1. OpenShift Logging
  2. LOG-2923

Audit logs missing after upgrade to Logging 5.4


    • Before this update, a refactoring of the Fluentd collector plugins removed the timestamp field for events. This update restores the timestamp field, sourced from the event's received time.
    • Log Collection - Sprint 223, Log Collection - Sprint 224

      Description of problem:

      When upgrading from OpenShift Logging 5.3 to OpenShift Logging 5.4.4, audit logs are no longer visible in Kibana. This behaviour was reported by a customer in a Support Case and I was able to reproduce the issue internally.

      Some audit logs still seem to be shipped ("SERVICE_START" and "SERVICE_STOP" audit entries) but no other audit logs are displayed despite audit logging being set up correctly.

      Version-Release number of selected component (if applicable):

      • OpenShift Container Platform 4.10.26
      • OpenShift Logging 5.4.4 upgraded from OpenShift Logging 5.3.10

      How reproducible:


      Steps to Reproduce:
      1. Install OpenShift Logging 5.3 on an OpenShift Container Platform cluster.
      2. Create a ClusterLogging as described in the documentation. Configure audit logs to be shipped by creating the following ClusterLogForwarder:

      apiVersion: logging.openshift.io/v1
      kind: ClusterLogForwarder
      metadata:
        name: instance
        namespace: openshift-logging
      spec:
        pipelines:
        - inputRefs:
          - infrastructure
          - application
          - audit
          name: enable-default-log-store
          outputRefs:
          - default

      3. Go to Kibana, create an "audit*" index and observe that there are hundreds of audit log entries being shipped constantly.
      4. Upgrade to OpenShift Logging 5.4.4 ("stable-5.4")

      Actual results:

      Go to Kibana and observe that there are only a few audit log entries being shown

      Expected results:

      Go to Kibana and observe that all audit log entries are shown

      Additional info:

      • Will append additional "oc adm inspect" output for both versions to this Bug

            jcantril@redhat.com Jeffrey Cantrill
            rhn-support-skrenger Simon Krenger
            Ishwar Kanse Ishwar Kanse
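A post-upgrade check for the symptom reported above, as an added example that is not part of the original issue or of the OpenShift Logging code: it compares two exports of audit documents taken before and after the upgrade and reports record types that disappeared, a drop in volume, and documents with no timestamp. The field names `@timestamp` and `type`, the helper names and the sample documents are assumptions constructed for illustration.

```python
from collections import Counter

TS_FIELD = "@timestamp"   # assumed name of the timestamp field
TYPE_FIELD = "type"       # assumed name of the audit record type field


def _doc(kind, ts="2022-08-01T10:00:00Z"):
    """Build one constructed sample document; ts=None omits the timestamp."""
    d = {TYPE_FIELD: kind}
    if ts:
        d[TS_FIELD] = ts
    return d


# Constructed samples: a window before the upgrade and one after it.
BEFORE = [_doc(k) for k in ("SYSCALL", "SYSCALL", "USER_LOGIN",
                            "CRED_ACQ", "SERVICE_START", "SERVICE_STOP")]
AFTER = [_doc("SERVICE_START"), _doc("SERVICE_STOP"), _doc("SYSCALL", ts=None)]


def summarize(docs):
    """Count record types among timestamped docs; count docs lacking a timestamp."""
    visible = Counter(d.get(TYPE_FIELD, "<none>") for d in docs if d.get(TS_FIELD))
    missing_ts = sum(1 for d in docs if not d.get(TS_FIELD))
    return visible, missing_ts


def compare_windows(before, after, drop_ratio=0.5):
    """Return findings for two equal-length windows around an upgrade."""
    b_types, _ = summarize(before)
    a_types, a_missing = summarize(after)
    b_total, a_total = sum(b_types.values()), sum(a_types.values())
    findings = {}
    lost = sorted(set(b_types) - set(a_types))
    if lost:
        findings["types_disappeared"] = lost
    if a_total < drop_ratio * b_total:
        findings["volume_drop"] = (b_total, a_total)
    if a_missing:
        findings["missing_timestamp"] = a_missing
    return findings


if __name__ == "__main__":
    for name, detail in compare_windows(BEFORE, AFTER).items():
        print(f"{name}: {detail}")
```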