Uploaded image for project: 'OpenShift Logging'
  1. OpenShift Logging
  2. LOG-4218

Vector fails to run when configuring syslog forwarding for audit log

XMLWordPrintable

    • False
    • None
    • False
    • NEW
    • VERIFIED
    • Hide
      Before this update, forwarding logs with the vector collector and naming a pipeline in the ClusterLogForwarder instance 'audit', 'application' or 'infrastructure' resulted in collector pods staying in the CrashLoopBackOff state with the following error in the collector log: "ERROR vector::cli: Configuration error. error=redefinition of table `transforms.audit` for key `transforms.audit`". After this update, pipeline names no longer clash with reserved input names and pipelines can be named 'audit', 'application' or 'infrastructure'.
      Show
      Before this update, forwarding logs with the vector collector and naming a pipeline in the ClusterLogForwarder instance 'audit', 'application' or 'infrastructure' resulted in collector pods staying in the CrashLoopBackOff state with the following error in the collector log: "ERROR vector::cli: Configuration error. error=redefinition of table `transforms.audit` for key `transforms.audit`". After this update, pipeline names no longer clash with reserved input names and pipelines can be named 'audit', 'application' or 'infrastructure'.
    • Bug Fix

      Description of problem:
      Vector fails to run with the following error when configuring syslog forwarding for audit log.

      $ oc logs -n openshift-logging collector-xxxxx
      Defaulted container "collector" out of: collector, logfilesmetricexporter
      2023-05-16T06:31:45.093712Z ERROR vector::cli: Configuration error. error=redefinition of table `transforms.audit` for key `transforms.audit` at line 297 column 1
      Version-Release number of selected component (if applicable):
      OpenShift v4.13.0-rc.8
      ClusterLogging Operator v5.7.0

      How reproducible:
      Always

      Steps to Reproduce:
      Step1. Deploy syslog server on OCP.

      Step2. Install OpenShift Logging 5.7.0

      Step3. Apply the following ClusterLogging object as to deploy collector pods with a vector image.

      apiVersion: logging.openshift.io/v1
      kind: ClusterLogging
      metadata:
        name: instance
        namespace: openshift-logging
      spec:
        collection:
          type: vector
        managementState: Managed

      Step4. Apply the following ClusterLogForwarder object as to enable syslog forwarding.

      apiVersion: "logging.openshift.io/v1"
      kind: ClusterLogForwarder
      metadata:
        name: instance
        namespace: openshift-logging
      spec:
        outputs:
        - name: external-rsyslog-infra
          type: syslog
          url: '<SYSLOG-URL>'
          syslog:
            addLogSource: true
            rfc: RFC3164
            facility: local0
            severity: informational
            payloadKey: message
            tag: openshift-logging-infra
        - name: external-rsyslog-app
          type: syslog
          url: '<SYSLOG-URL>'
          syslog:
            addLogSource: true
            rfc: RFC3164
            facility: local1
            severity: informational
            payloadKey: message
            tag: openshift-logging-app
        - name: external-rsyslog-audit
          type: syslog
          url: '<SYSLOG-URL>'
          syslog:
            addLogSource: true
            rfc: RFC3164
            facility: local2
            severity: informational
            tag: openshift-logging-audit
        pipelines:
        - inputRefs:
          - infrastructure
          name: infra
          outputRefs:
          - external-rsyslog-infra
        - inputRefs:
          - application
          name: app
          outputRefs:
          - external-rsyslog-app
        - inputRefs:
          - audit
          name: audit
          outputRefs:
          - external-rsyslog-audit

      Step5. Check if collector pod can work.

       

      $ oc get pods -n openshift-logging
      Actual results:
      Collector pod got failed as follows.
      $ oc get pods -n openshift-logging
      NAME                                        READY   STATUS             RESTARTS      AGE
      cluster-logging-operator-<xxxxx>   1/1     Running            0             22h
      collector-xxxxx                             1/2     CrashLoopBackOff   4 (21s ago)   106s
      collector-xxxxx                             1/2     CrashLoopBackOff   4 (23s ago)   106s
      collector-xxxxx                             1/2     Error              4 (62s ago)   107s
      ...
      

      Vector failed with "redefinition of table `transforms.audit`" error.

       

      $ oc logs -n openshift-logging collector-xxxxx
      Defaulted container "collector" out of: collector, logfilesmetricexporter
      2023-05-16T06:31:45.093712Z ERROR vector::cli: Configuration error. error=redefinition of table `transforms.audit` for key `transforms.audit` at line 297 column 1
      "transforms.audit" has been defined twice in vector.toml.
      $ oc get secret collector-config -n openshift-logging -o jsonpath='{.data.vector\.toml}' | base64 -d | grep transforms.audit
      [transforms.audit]
      [transforms.audit]
      

      Expected results:
      Collector pod can work.
      Then logs are saved under /tmp of syslog pod as follows.

      $ oc exec -it -n syslog deployment/<SYSLOG-DEPLOYMENT-NAME> – bash -c "ls -l /tmp/openshift*.log"
      rw-rr-. 1 1000760000 root 1370804 May 16 07:35 /tmp/openshift-app-container.log
      rw-rr-. 1 1000760000 root 1763318 May 16 07:35 /tmp/openshift-audit.log
      rw-rr-. 1 1000760000 root 2023880 May 16 07:35 /tmp/openshift-infra-container.log
      rw-rr-. 1 1000760000 root  199121 May 16 07:35 /tmp/openshift-journal.log

            syedriko_sub@redhat.com Sergey Yedrikov
            rhn-support-kbharti Kabir Bharti
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: