-
Bug
-
Resolution: Done-Errata
-
Major
-
None
-
False
-
-
False
-
NEW
-
NEW
-
Before this fix, API audit logs collected from the management cluster used the management cluster's `cluster_id`. After this fix, API audit logs now incorporate the guest cluster's `cluster_id`.
-
Bug Fix
-
Log Collection - Sprint 242, Log Collection - Sprint 243, Log Collection - Sprint 244, Log Collection - Sprint 245, Log Collection - Sprint 246, Log Collection - Sprint 247, Log Collection - Sprint 248, Log Collection - Sprint 249, Log Collection - Sprint 268
-
Moderate
The cluster_id field is needed to collect logs in multi-cluster scenarios and identify the cluster of origin for all log tyeps:
- application
- audit (API audit and linux audit)
- infrastructure
The log forwarder already adds a cluster_id field to all log records, the cluster_id is taken from the local cluster API server.
API Audit logs on HCP clusters are a special case because they are collected by a forwarder running on the management cluster, so will get the management cluster_id instead of the hosted cluster_id.
When running in a HCP, the forwarder must use the hosted cluster_id from the HCP API server instead. CLO should detect this condition automatically without any user configuration changes needed.
- is cloned by
-
LOG-6881 [release-6.3] Forwarder must use hosted cluster_id on HCP cluster
-
- Closed
-
- is related to
-
LOG-4557 Node audit logs from /var/log/audit do not have an openshift cluster_id field.
-
- Closed
-
- links to
-
RHBA-2025:147444 Logging for Red Hat OpenShift - 6.2.1
- mentioned on