-
Bug
-
Resolution: Done
-
Normal
-
Logging 5.7.0
-
False
-
None
-
False
-
NEW
-
VERIFIED
-
-
Bug Fix
-
-
Description of problem:
Vector fails to run with the following error when configuring syslog forwarding for audit log.
$ oc logs -n openshift-logging collector-xxxxx Defaulted container "collector" out of: collector, logfilesmetricexporter 2023-05-16T06:31:45.093712Z ERROR vector::cli: Configuration error. error=redefinition of table `transforms.audit` for key `transforms.audit` at line 297 column 1 Version-Release number of selected component (if applicable): OpenShift v4.13.0-rc.8 ClusterLogging Operator v5.7.0
How reproducible:
Always
Steps to Reproduce:
Step1. Deploy syslog server on OCP.
Step2. Install OpenShift Logging 5.7.0
Step3. Apply the following ClusterLogging object as to deploy collector pods with a vector image.
apiVersion: logging.openshift.io/v1 kind: ClusterLogging metadata: name: instance namespace: openshift-logging spec: collection: type: vector managementState: Managed
Step4. Apply the following ClusterLogForwarder object as to enable syslog forwarding.
apiVersion: "logging.openshift.io/v1" kind: ClusterLogForwarder metadata: name: instance namespace: openshift-logging spec: outputs: - name: external-rsyslog-infra type: syslog url: '<SYSLOG-URL>' syslog: addLogSource: true rfc: RFC3164 facility: local0 severity: informational payloadKey: message tag: openshift-logging-infra - name: external-rsyslog-app type: syslog url: '<SYSLOG-URL>' syslog: addLogSource: true rfc: RFC3164 facility: local1 severity: informational payloadKey: message tag: openshift-logging-app - name: external-rsyslog-audit type: syslog url: '<SYSLOG-URL>' syslog: addLogSource: true rfc: RFC3164 facility: local2 severity: informational tag: openshift-logging-audit pipelines: - inputRefs: - infrastructure name: infra outputRefs: - external-rsyslog-infra - inputRefs: - application name: app outputRefs: - external-rsyslog-app - inputRefs: - audit name: audit outputRefs: - external-rsyslog-audit
Step5. Check if collector pod can work.
$ oc get pods -n openshift-logging
Actual results:
Collector pod got failed as follows.
$ oc get pods -n openshift-logging
NAME READY STATUS RESTARTS AGE
cluster-logging-operator-<xxxxx> 1/1 Running 0 22h
collector-xxxxx 1/2 CrashLoopBackOff 4 (21s ago) 106s
collector-xxxxx 1/2 CrashLoopBackOff 4 (23s ago) 106s
collector-xxxxx 1/2 Error 4 (62s ago) 107s
...
Vector failed with "redefinition of table `transforms.audit`" error.
$ oc logs -n openshift-logging collector-xxxxx Defaulted container "collector" out of: collector, logfilesmetricexporter 2023-05-16T06:31:45.093712Z ERROR vector::cli: Configuration error. error=redefinition of table `transforms.audit` for key `transforms.audit` at line 297 column 1 "transforms.audit" has been defined twice in vector.toml. $ oc get secret collector-config -n openshift-logging -o jsonpath='{.data.vector\.toml}' | base64 -d | grep transforms.audit [transforms.audit] [transforms.audit]
Expected results:
Collector pod can work.
Then logs are saved under /tmp of syslog pod as follows.
$ oc exec -it -n syslog deployment/<SYSLOG-DEPLOYMENT-NAME> – bash -c "ls -l /tmp/openshift*.log"
rw-rr-. 1 1000760000 root 1370804 May 16 07:35 /tmp/openshift-app-container.log
rw-rr-. 1 1000760000 root 1763318 May 16 07:35 /tmp/openshift-audit.log
rw-rr-. 1 1000760000 root 2023880 May 16 07:35 /tmp/openshift-infra-container.log
rw-rr-. 1 1000760000 root 199121 May 16 07:35 /tmp/openshift-journal.log