Project: Observability and Data Analysis Program
Issue: OBSDA-344

Audit log forwarding produces excessive data, configuration for prefiltering is needed


      Proposed title of this feature request

      Manual configuration of audit logging

      What is the nature and description of the request?

      My customer currently uses log forwarding to move all the logs to Splunk. They configured the audit logging stack to use the default mode, see

      https://docs.openshift.com/container-platform/4.7/security/audit-log-policy-config.html

      which is the least amount of logging according to the docs.

      But they still see 30/40 GB of logging going to Splunk per OpenShift cluster.

      It is not possible to define/configure/tweak the audit logging; there are only 3 presets available. They want to see an option in OpenShift so they can define their own policy.

      Why does the customer need this? (List the business requirements here)

      Currently, even on minimum (default) logging there seem to be issues with the amount of audit logs OCP 4.7 and above are shipping. Not having the ability to alter what is being sent to Splunk is having a financial impact in terms of Splunk and storage costs.

      List any affected packages or components.
