Uploaded image for project: 'Observability and Data Analysis Program'
  1. Observability and Data Analysis Program
  2. OBSDA-344

Audit log forwarding produces excessive data, configuration for prefiltering is needed

    XMLWordPrintable

Details

    • False
    • False
    • 100
    • 100% 100%
    • 0

    Description

      Proposed title of this feature request

      Manual configuration of audit logging

      What is the nature and description of the request?

      My customer currently uses logforwarding to move all the logs to splunk, when they configured the audit logging stack to use the default mode, see

      https://docs.openshift.com/container-platform/4.7/security/audit-log-policy-config.html

      which is the least amount of logging according to the docs.

      But they are still see 30/40 gb's logging to splunk per openshift cluster.

      It is not possible to define/configure/tweak the audit logging, there are only 3 presets available. They want to see an option in openshift so they can define their own policy.

      Why does the customer need this? (List the business requirements here)

      Currently, even on minimum (default) logging there seems to be issues with the amount of audit logs OCP 4.7 and above are shipping, not having an ability to alter what is being sent to Splunk is having a financial impact in terms of Splunk and storage costs.

      List any affected packages or components.

      Attachments

        1. splunk-get-overview
          68 kB
        2. splunk-get-verbs-objects
          54 kB
        3. splunk-totals-per-verb
          31 kB

        Issue Links

          is blocked by

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. LOG-3982 Kube API-server audit log filtering policy

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed
          is documented by

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. OBSDOCS-205 Kube API-server audit log filtering policy

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          is duplicated by

          Outcome - Organizational objective focused on a measurable outcome. May be in support of larger strategic goals. OBSDA-342 To apply custom filter before forwarding audit logs externally

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          is incorporated by

          Outcome - Organizational objective focused on a measurable outcome. May be in support of larger strategic goals. OBSDA-339 Filter and control size of audit logs

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          relates to

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. LOG-4462 Audit log forwarding produces excessive data, configuration for prefiltering is needed

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • New

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. AUTH-6 Logs should contain login and login failure details

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. LOG-4029 Support STS Cloudwatch authentication for logging in Managed Clusters

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • To Do

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. AUTH-209 Optional: Reduce verbosity of audit log

          • Undefined - Priority not specified.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. LOG-3727 The length of the syslog packet_size set to 4096 is not sufficient

          • Undefined - Priority not specified.
          • Closed

          Feature - Capability or a well-defined set of functionality that delivers business value. Features can include additions or changes to existing functionality. Features can easily span multiple teams, and potentially multiple releases. OCPSTRAT-568 Improve configuration of kube-apiserver audit logging

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Feature - Capability or a well-defined set of functionality that delivers business value. Features can include additions or changes to existing functionality. Features can easily span multiple teams, and potentially multiple releases. OCPSTRAT-340 Provide the ability to output APIServer audit logs based on resource-type

          • Minor - To be worked after urgent, high, and medium priorities are resolved. This term is chosen when the severity of the issue is low, or the complexity or effort to correct it may be higher, relatively speaking. For low priority issues, known workarounds exist or are not needed due to the trivial effort needed to address the issue.
          • Closed
          links to

          Web Link KCS 5928241: Filtering the logs while forwarding to External Aggregator

          Activity

            People

              jamparke@redhat.com Jamie Parker
              rhn-support-andbartl Andy Bartlett
              Votes:
              18 Vote for this issue
              Watchers:
              40 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: