  1. OpenShift Logging
  2. LOG-8597

Prune not working for audit logs


    • Incidents & Support
    • False
    • None
    • False
    • NEW
    • NEW
    • Before this update, the prune filter did not function correctly for audit logs, resulting in unexpected field removal or retention. With this update, the prune filter behavior for audit logs has been corrected, ensuring fields are pruned according to the configured rules.
    • Bug Fix
    • Logging - Sprint 283, Logging - Sprint 284
    • Important

      Description of problem:

      When pruning fields from audit logs with a configuration like:

      apiVersion: observability.openshift.io/v1
      kind: ClusterLogForwarder
      metadata:
        name: collector
        namespace: openshift-logging 
      spec:
        serviceAccount:
          name: collector
        filters:
        - name: remove-unwanted-fields
          type: prune
          prune:
            in:
            - .requestReceivedTimestamp
            - .apiVersion
            - .requestURI
            - .userAgent
            - .stage
            - .stageTimestamp
        outputs:
        - name: ocp-lokistack
          type: lokiStack 
          lokiStack:
            target: 
              name: logging-loki
              namespace: openshift-logging
            authentication:
              token:
                from: serviceAccount
          tls:
            ca:
              key: service-ca.crt
              configMapName: openshift-service-ca.crt
        pipelines:
        - name: audit-logs
          inputRefs:  
          - audit 
          filterRefs: ["remove-unwanted-fields"]
          outputRefs:
          - ocp-lokistack
      

      Version-Release number of selected component (if applicable):

      Logging 6.4.1
      Loki 6.4.1

      How reproducible:

      Always

      Steps to Reproduce:

      1. Create a ClusterLogForwarder like the one shared in the "Description of problem" section of this ticket

      Actual results:

      Wait a few minutes, then go to "OpenShift console > Observe > Logs" and query for the audit logs: the fields expected to be pruned are present

      Expected results:

      Fields are pruned

      Additional info:

      Workaround

      In the filter, replace:

            - .requestReceivedTimestamp
            - .apiVersion
            - .requestURI
            - .userAgent
            - .stage
            - .stageTimestamp
      

      with:

            - .structured.requestReceivedTimestamp
            - .structured.apiVersion
            - .structured.requestURI
            - .structured.userAgent
            - .structured.stage
            - .structured.stageTimestamp
      

              vparfono Vitalii Parfonov
              rhn-support-ocasalsa Oscar Casal Sanchez
              Qiaoling Tang Qiaoling Tang
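
A check for the "Actual results" step, as an added example that is not part of the original ticket or of the OpenShift Logging code: it takes audit records exported as JSON lines and reports which of the filter's `in` paths are still present in each one. The sample records are constructed, and looking under `.structured` as well as at the top level is an assumption based on the prefix used in the workaround.

```python
import json

# Paths from the prune filter's `in` list on this page.
PRUNE_IN = [".requestReceivedTimestamp", ".apiVersion", ".requestURI",
            ".userAgent", ".stage", ".stageTimestamp"]

# Constructed sample records (not real cluster output).
SAMPLE = [
    '{"auditID":"constructed-1","verb":"get","requestURI":"/api/v1/pods",'
    '"userAgent":"kubectl","stage":"ResponseComplete"}',
    '{"auditID":"constructed-2","verb":"list"}',
    '{"structured":{"apiVersion":"audit.k8s.io/v1",'
    '"stageTimestamp":"2025-01-01T00:00:00Z"}}',
    'not json',
]

def has_path(record, path):
    """True if the dotted path (e.g. '.structured.stage') exists in record."""
    node = record
    for key in path.strip(".").split("."):
        if not isinstance(node, dict) or key not in node:
            return False
        node = node[key]
    return True

def unpruned(record, prune_in=PRUNE_IN):
    """Configured paths still present, at top level or under .structured."""
    found = []
    for path in prune_in:
        for candidate in (path, ".structured" + path):
            if has_path(record, candidate):
                found.append(candidate)
    return found

def audit_report(json_lines, prune_in=PRUNE_IN):
    """Map 1-based record number -> leftover paths; fully pruned records are omitted."""
    report = {}
    for lineno, line in enumerate(json_lines, start=1):
        if not line.strip():
            continue
        try:
            leftovers = unpruned(json.loads(line), prune_in)
        except json.JSONDecodeError:
            leftovers = ["<unparseable>"]  # surface bad input instead of skipping it
        if leftovers:
            report[lineno] = leftovers
    return report

if __name__ == "__main__":
    for lineno, paths in audit_report(SAMPLE).items():
        print(f"record {lineno}: still present -> {', '.join(paths)}")
```

An empty report means none of the configured fields survived in the sampled records.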