Bug
Resolution: Unresolved
Major
OBSDA-344 - Audit log forwarding produces excessive data, configuration for prefiltering is needed
Log Collection - Sprint 242, Log Collection - Sprint 243, Log Collection - Sprint 244, Log Collection - Sprint 245, Log Collection - Sprint 246, Log Collection - Sprint 247, Log Collection - Sprint 248, Log Collection - Sprint 249
The cluster_id field is needed to collect logs in multi-cluster scenarios and identify the cluster of origin for all log types:
- application
- audit (API audit and linux audit)
- infrastructure
The log forwarder already adds a cluster_id field to all log records; the cluster_id is taken from the local cluster API server.
API audit logs on HCP clusters are a special case: they are collected by a forwarder running on the management cluster, so they get the management cluster_id instead of the hosted cluster_id.
When running in an HCP, the forwarder must use the hosted cluster_id from the HCP API server instead. CLO should detect this condition automatically, without any user configuration changes.
- is related to: LOG-4557 Node audit logs from /var/log/audit do not have an openshift cluster_id field. (Closed)