Project: OpenShift Logging
Issue: LOG-3627

Forwarded logs are being truncated.


Description of problem:

The QRadar Integrations development team is currently working on developing an integration for auditing and infrastructure logs from Red Hat OpenShift. Having this integration has been identified as a requirement for allowing QRadar images for IBM Cloud VPC to support FedRAMP.

Our developer (Vaibhav Gupta) has been following the steps outlined in https://docs.openshift.com/container-platform/4.12/logging/cluster-logging-external.html to forward the logs to our QRadar boxes. We've noticed that a large number of the logs arrive truncated (from the beginning of the payloads). I've attached qradar1.1.syslog, qradar1.2.syslog and qradar1.3.syslog to show this behaviour.

We do receive some logs that are complete, though. I've attached qradar_audit_logs.syslog and qradar_infra_logs.syslog to show this behaviour.

Vaibhav used Wireshark and was able to confirm that the payloads were truncated before they reached QRadar. I've included syslog-traffic-4.pcap and syslog-traffic-5.pcap to show this behaviour.

We've been in email conversations with Jeff Cantrill (jcantril@redhat.com) and Vimal Kumar (vimalkum@redhat.com) about this issue, and it was suggested that we open a ticket to address this.

Vimal also joined a call with Vaibhav to verify that the log forwarder and our environment were configured properly. There were no issues found during this call.
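The ticket reports records that arrive cut off at the front, while others arrive whole. A first triage step on the receiving side is to check each forwarded line for an intact syslog header and a parseable body, so head-truncation (no `<PRI>` header at all) can be separated from tail-truncation (header present, body cut short). The script below is an added example for that check; it is not from the ticket, its attachments, or the OpenShift logging project. It assumes one syslog record per line in RFC 5424 or RFC 3164 framing with a JSON message body, and every sample line in it is constructed.

```python
"""Triage forwarded syslog lines for truncation.

Added example (not from ticket LOG-3627 or the OpenShift logging project).
Assumes the forwarder emits one syslog record per line, framed as RFC 5424
or RFC 3164, carrying a JSON message body. All sample lines are constructed.
"""
import json
import re
from collections import Counter

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG  (day may be space-padded)
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)


def classify(line: str) -> str:
    """Return 'complete', 'head_truncated', 'tail_truncated' or 'unknown'.

    head_truncated: no syslog header at the start of the line, i.e. the
        record lost its beginning in transit (the symptom in the ticket).
    tail_truncated: header intact but the JSON body does not parse, i.e.
        the record lost its end.
    unknown: starts with '<' but matches neither header format.
    """
    line = line.rstrip("\r\n")
    m = RFC5424.match(line) or RFC3164.match(line)
    if m is None:
        return "head_truncated" if not line.startswith("<") else "unknown"
    msg = m.group("msg") or ""
    # RFC 3164 bodies carry a "TAG: " prefix before the JSON document.
    start = msg.find("{")
    if start >= 0:
        try:
            json.loads(msg[start:])
        except json.JSONDecodeError:
            return "tail_truncated"
    return "complete"


def triage(lines):
    """Count each category; return (Counter, [(line_no, category, head)])."""
    counts = Counter()
    bad = []
    for n, line in enumerate(lines, 1):
        cat = classify(line)
        counts[cat] += 1
        if cat != "complete":
            bad.append((n, cat, line[:60]))
    return counts, bad


# Constructed sample input standing in for a received .syslog capture.
SAMPLE_LINES = [
    # complete RFC 5424 record with a JSON body
    '<14>1 2023-02-01T12:00:00.000000+00:00 worker-0 fluentd - - - '
    '{"kind":"Event","level":"info","message":"pod started"}',
    # header and the opening of the body are missing (cut at the front)
    '"level":"info","message":"pod started","hostname":"worker-0"}',
    # header present, JSON body cut at the end
    '<14>1 2023-02-01T12:00:01.000000+00:00 worker-0 fluentd - - - '
    '{"kind":"Event","level":"warn","mess',
    # complete RFC 3164 record with a tag before the JSON body
    '<13>Feb  1 12:00:02 worker-0 openshift: {"verb":"get","user":"admin"}',
]

if __name__ == "__main__":
    counts, bad = triage(SAMPLE_LINES)
    print(dict(counts))
    for n, cat, head in bad:
        print(f"line {n}: {cat}: {head!r}")
```

Run it over a received `.syslog` file (one record per line) with `triage(open(path).readlines())`; a high `head_truncated` count with a low `unknown` count indicates records arriving without their leading bytes, which is distinct from an encoding or framing mismatch that would show up as `unknown`.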


Attachments:
  1. qradar1.1.syslog (2 kB)
  2. qradar1.2.syslog (0.5 kB)
  3. qradar1.3.syslog (2 kB)
  4. qradar_audit_logs.syslog (1 kB)
  5. qradar_infra_logs.syslog (0.8 kB)
  6. syslog-traffic-4.pcap (40 kB)
  7. syslog-traffic-5.pcap (8 kB)

Assignee: Unassigned
Reporter: Dane Frenette (dane.frenette@ibm.com)
Votes: 0
Watchers: 2