Bug
Resolution: Not a Bug
Environment
OCP 4.10.18
Detailed Problem Replication Steps with screen-shots
Case number in SFDC: 03295273
CU is able to view events related to Deployments (such as which user performed create, delete, get, watch, list) from all master nodes' audit logs; however, CU cannot get this same info from Kibana logs. It seems that it's not possible to have kube-apiserver/audit.log pushed to ELK.
CU can create the app-* index pattern, as indices of this type exist. They can also create the infra-* index pattern for the same reason, but cannot create audit-*.
After creating a ClusterLogForwarder, CU has tried to create app and infra index patterns following the "Viewing cluster logs in Kibana" document; however, nothing is displayed in the discovery page with index audit-*.
Specify:
Expected Results: Kibana should show the same logs as shown by the below command output:
oc adm node-logs ip-10-26-84-150.ap-southeast-1.compute.internal --path=kube-apiserver/audit.log > ./clusteraudit.log && \
  oc adm node-logs ip-10-26-84-94.ap-southeast-1.compute.internal --path=kube-apiserver/audit.log >> ./clusteraudit.log && \
  oc adm node-logs ip-10-26-85-58.ap-southeast-1.compute.internal --path=kube-apiserver/audit.log >> ./clusteraudit.log && \
  cat ./clusteraudit.log && \
  cat ./clusteraudit.log | jq '. | select((.objectRef.resource=="deployments") and (.objectRef.namespace=="<namespace>")) | .objectRef.namespace + " " + .objectRef.name + " " + .verb + " " + .user.username + " " + .stageTimestamp'
Desired Priority: Trivial
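
An added example, not part of the original report: a Python version of the jq filter above that goes one step further by merging audit.log lines from several nodes into one time-ordered view, skipping unparsable lines, and keeping one record per request (stage ResponseComplete). The sample events, the user names and the function name deployment_events are constructed for illustration.

```python
import json

# Constructed sample lines (not from the ticket), shaped like the concatenated
# kube-apiserver/audit.log output of several master nodes.
SAMPLE = """\
{"stage":"ResponseComplete","verb":"create","user":{"username":"alice"},"objectRef":{"resource":"deployments","namespace":"demo","name":"web"},"stageTimestamp":"2022-08-01T10:00:02.000000Z"}
{"stage":"ResponseStarted","verb":"watch","user":{"username":"bob"},"objectRef":{"resource":"deployments","namespace":"demo"},"stageTimestamp":"2022-08-01T10:00:05.000000Z"}
{"stage":"ResponseComplete","verb":"watch","user":{"username":"bob"},"objectRef":{"resource":"deployments","namespace":"demo"},"stageTimestamp":"2022-08-01T10:05:05.000000Z"}
{"stage":"ResponseComplete","verb":"delete","user":{"username":"alice"},"objectRef":{"resource":"deployments","namespace":"demo","name":"web"},"stageTimestamp":"2022-08-01T09:59:00.000000Z"}
{"stage":"ResponseComplete","verb":"get","user":{"username":"carol"},"objectRef":{"resource":"pods","namespace":"demo","name":"web-1"},"stageTimestamp":"2022-08-01T10:00:03.000000Z"}
{"stage":"ResponseComplete","verb":"list","user":{"username":"dave"},"objectRef":{"resource":"deployments","namespace":"other"},"stageTimestamp":"2022-08-01T10:00:04.000000Z"}
{"stage":"ResponseComplete","verb":"get","requestURI":"/healthz","user":{"username":"system:anonymous"},"stageTimestamp":"2022-08-01T10:00:06.000000Z"}
truncated line {"stage":
"""

def deployment_events(lines, namespace, stage="ResponseComplete"):
    """Return (rows, skipped): rows are (timestamp, namespace, name, verb, user)
    tuples for Deployment requests in `namespace`, sorted by stageTimestamp;
    skipped counts lines that were not a JSON object."""
    rows, skipped = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1          # e.g. a line cut off mid-write
            continue
        if not isinstance(ev, dict):
            skipped += 1
            continue
        ref = ev.get("objectRef") or {}   # absent for non-resource URLs
        if ref.get("resource") != "deployments" or ref.get("namespace") != namespace:
            continue
        if ev.get("stage") != stage:      # one event per request, not one per stage
            continue
        user = (ev.get("user") or {}).get("username", "")
        rows.append((ev.get("stageTimestamp", ""), namespace,
                     ref.get("name", ""), ev.get("verb", ""), user))
    rows.sort()   # audit timestamps are fixed-width UTC, so text order is time order
    return rows, skipped

if __name__ == "__main__":
    events, bad = deployment_events(SAMPLE.splitlines(), "demo")
    for ts, ns, name, verb, user in events:
        print(ns, name, verb, user, ts)
    print("skipped lines:", bad)
```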