In 6.x, we miss one bug https://issues.redhat.com/browse/LOG-6484 . The root cause is we only validate the logType and vector.toml.  But we didn't validate using log content

How to fix this?

Verify logs content for all audit log sources.

• host audit               /var/log/audit/audit.log
• kube-audit              /var/log/kube-apiserver/audit.log
• openshift-audit      /var/log/oauth-apiserver/audit.log
                                  /var/log/openshift-apiserver/audit.log
                                  /var/log/oauth-server/audit.log
• ovn-audit                /var/log/ovn/acl-audit-log.log    

Get the log content using "oc adm node-logs"
oc adm node-logs --role=master --path=/oauth-server/audit.log

Validate logs by auditID

{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"ded50101-cb7f-4234-9ccf-88a856e8102e","stage":"RequestReceived","requestURI":"/login/kube:admin","verb":"post","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["10.128.2.7"],"userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36","requestReceivedTimestamp":"2024-12-16T07:37:41.540767Z","stageTimestamp":"2024-12-16T07:37:41.540767Z"}