Bug
Resolution: Unresolved
Normal
Logging 6.0.z, Logging 6.1.z
NEW
Bug Fix
Moderate
Description of problem:
When log forwarding to the Red Hat Managed Elasticsearch is configured, the supported index patterns are "app-", "infra-" and "audit-", as observed in the code [0].
Reading the upgrade doc section "Forwarding to Red Hat Managed Elasticsearch" [1], it's observed that the "index" is set to be:
index: '{.openshift.label.my_log_index||"app"}-write' # (3)
And checking the API with `$ oc explain obsclf.spec.outputs.elasticsearch.index`, it's possible to read:
GROUP:      observability.openshift.io
KIND:       ClusterLogForwarder
VERSION:    v1

FIELD: index <string>

DESCRIPTION:
    Index is the index for the logs. This supports template syntax to allow
    dynamic per-event values.
    The Index can be a combination of static and dynamic values consisting of
    field paths followed by `||` followed by another field path or a static
    value.
    A dynamic value is encased in single curly brackets `{}` and MUST end with
    a static fallback value separated with `||`.
    Static values can only contain alphanumeric characters along with dashes,
    underscores, dots and forward slashes.
    Example:
    1. foo-{.bar||"none"}
    2. {.foo||.bar||"missing"}
    3. foo.{.bar.baz||.qux.quux.corge||.grault||"nil"}-waldo.fred{.plugh||"none"}
The above should be valid when forwarding logs to an Elasticsearch that is not Red Hat managed, but when forwarding logs to the Red Hat Managed Elasticsearch, if it's implemented as described, the following error is received:
2025-01-27T20:58:45.812354Z ERROR sink{component_kind="sink" component_id=output_default_elasticsearch component_type=elasticsearch}: vector::sinks::util::retries: Not retriable; dropping the request. reason="error type: index_not_found_exception, reason: no such index and [action.auto_create_index] contains [-*-write] which forbids automatic creation of the index" internal_log_rate_limit=true
This error comes from the hard-coded verification [0].
Version-Release number of selected component (if applicable):
Logging 6.y
How reproducible:
Always
Steps to Reproduce:
- Have Logging 5 configured and running, forwarding logs to the Red Hat Managed Elasticsearch
- Upgrade to Logging 6 and set the index in the clusterLogForwarder as documented in [1]
Actual results:
It fails to deliver the logs with the error:
2025-01-27T20:58:45.812354Z ERROR sink{component_kind="sink" component_id=output_default_elasticsearch component_type=elasticsearch}: vector::sinks::util::retries: Not retriable; dropping the request. reason="error type: index_not_found_exception, reason: no such index and [action.auto_create_index] contains [-*-write] which forbids automatic creation of the index" internal_log_rate_limit=true
Expected results:
Able to deliver the logs to the Red Hat Managed Elasticsearch, by:
- having in [1] a good example and explanation similar to the one described in the resolution of the article [2]
- having a better description when reviewing the fields using `$ oc explain obsclf.spec.outputs.elasticsearch.index` for the case of log forwarding to the Red Hat Managed Elasticsearch, so that the limitation on the names of the indices is known
Additional info:
A valid and complete example for configuring the clusterLogForwarder to deliver the logs to the Red Hat Managed Elasticsearch is present in the article [2].
Documentation bug OBSDOCS-1645 [3] opened for modifying the example in the doc.
[0] https://github.com/ViaQ/elasticsearch-openshift-ingest-plugin/blob/0db356e78766d678ca4d1e4ecb27d539fd29910b/src/main/java/org/elasticsearch/ingest/openshift/OpenshiftIndicesUtil.java#L60
[1] https://github.com/openshift/cluster-logging-operator/blob/master/docs/administration/upgrade/v6.0_changes.adoc#forwarding-to-red-hat-managed-elasticsearch
[2] https://access.redhat.com/solutions/7105074
[3] https://issues.redhat.com/browse/OBSDOCS-1645
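
A pre-upgrade check for the mismatch described above, as an added example that is not part of the original report and not the operator's or Vector's code: it expands an `index` template the way the `oc explain` text describes and lists the rendered names that fall outside the "app-", "infra-" and "audit-" prefixes. The function names and sample events are hypothetical, and treating "supported" as a prefix match is an assumption based on the description.

```python
import re

# Prefixes the report lists as supported by the Red Hat Managed Elasticsearch.
MANAGED_PREFIXES = ("app-", "infra-", "audit-")
_DYNAMIC = re.compile(r"\{([^{}]*)\}")


def _lookup(event, path):
    """Resolve a dotted field path such as .openshift.label.x; None if absent."""
    node = event
    for key in path.lstrip(".").split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node if isinstance(node, str) and node else None


def render_index(template, event):
    """Expand every {.a||.b||"static"} group against one log event."""
    def expand(match):
        *paths, fallback = [p.strip() for p in match.group(1).split("||")]
        if not (len(fallback) >= 2 and fallback[0] == fallback[-1] == '"'):
            raise ValueError("dynamic value must end with a quoted static fallback")
        for path in paths:
            value = _lookup(event, path)
            if value is not None:
                return value
        return fallback[1:-1]
    return _DYNAMIC.sub(expand, template)


def accepted_by_managed_es(index):
    """Assumption: an index name is accepted if it starts with a listed prefix."""
    return index.startswith(MANAGED_PREFIXES)


def audit_template(template, events):
    """Return the rendered index names that the managed store would reject."""
    rendered = {render_index(template, e) for e in events}
    return sorted(i for i in rendered if not accepted_by_managed_es(i))


# Constructed sample events (not taken from a real cluster).
SAMPLE_EVENTS = [
    {"log_type": "application", "openshift": {"label": {}}},
    {"log_type": "application", "openshift": {"label": {"my_log_index": "team-a"}}},
    {"log_type": "audit", "openshift": {"label": {"my_log_index": "audit"}}},
]
DOC_TEMPLATE = '{.openshift.label.my_log_index||"app"}-write'
```

Calling `audit_template(DOC_TEMPLATE, SAMPLE_EVENTS)` returns the names that would hit the `index_not_found_exception` path; an empty list means every sampled event maps to a supported prefix.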