Proposed title of this feature request

Manual configuration of audit logging

What is the nature and description of the request?

My customer currently uses logforwarding to move all the logs to splunk, when they configured the audit logging stack to use the default mode, see

https://docs.openshift.com/container-platform/4.7/security/audit-log-policy-config.html

which is the least amount of logging according to the docs.

But they are still see 30/40 gb's logging to splunk per openshift cluster.

It is not possible to define/configure/tweak the audit logging, there are only 3 presets available. They want to see an option in openshift so they can define their own policy.

Why does the customer need this? (List the business requirements here)

Currently, even on minimum (default) logging there seems to be issues with the amount of audit logs OCP 4.7 and above are shipping, not having an ability to alter what is being sent to Splunk is having a financial impact in terms of Splunk and storage costs.

List any affected packages or components.