Red Hat OpenStack Services on OpenShift / OSPRH-20755

Data plane audit logs not included in journal preventing forwarding to centralized logging


    • Bug
    • Resolution: Unresolved
    • Normal
    • None
    • rhos-18.0.11
    • edpm-ansible
    • Moderate

      To Reproduce

      Steps to reproduce the behavior:

      1. Enable Logging on the Control Plane.
      2. Enable Logging on the Data Plane.
      3. In the ClusterLogForwarder CR, configure the syslog receiver in the input and set the output to either Loki or a syslog server.
      4. The Data Plane audit logs are not forwarded to Loki or the syslog server.

      Expected behavior

      • The Data Plane audit logs can be forwarded to Loki or syslog server and viewed.

      Bug impact

      • It affects customers who want to manage the audit logs of Data Plane nodes in the production environment.

      Known workaround

      • systemd-journald can collect audit logs by enabling systemd-journald-audit.socket. This socket is not started by default because it is not required by systemd-journald.
      1. systemd-journald-audit.socket doesn't start by default because it's not required by systemd-journald.
      [root@central-controller-0 ~]# grep socket /usr/lib/systemd/system/systemd-journald.service|grep -v ^#
      Requires=systemd-journald.socket
      After=systemd-journald.socket systemd-journald-dev-log.socket syslog.socket
      Sockets=systemd-journald.socket systemd-journald-dev-log.socket
      2. Add a dependency on systemd-journald-audit.socket.
      [root@central-controller-0 ~]# mkdir /etc/systemd/system/systemd-journald.service.d/
      [root@central-controller-0 ~]# cat << EOF > /etc/systemd/system/systemd-journald.service.d/collect-audit.conf
      [Unit]
      Requires=systemd-journald.socket systemd-journald-audit.socket
      After=systemd-journald.socket systemd-journald-dev-log.socket syslog.socket systemd-journald-audit.socket
      [Service]
      Sockets=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket
      EOF
      3. Restart systemd-journald.
      [root@central-controller-0 ~]# systemctl daemon-reload
      [root@central-controller-0 ~]# systemctl restart systemd-journald
      4. systemd-journald-audit.socket is started by the dependency.
      [root@central-controller-0 ~]# systemctl status systemd-journald-audit.socket
      ● systemd-journald-audit.socket - Journal Audit Socket
           Loaded: loaded (/usr/lib/systemd/system/systemd-journald-audit.socket; static)
           Active: active (running) since Thu 2025-10-09 16:10:22 JST; 7s ago
            Until: Thu 2025-10-09 16:10:22 JST; 7s ago
         Triggers: ● systemd-journald.service
             Docs: man:systemd-journald.service(8)
                   man:journald.conf(5)
           Listen: audit 1 (Netlink)
           CGroup: /system.slice/systemd-journald-audit.socket
      5. Audit logs can be viewed in journalctl.
      [root@central-controller-0 ~]# journalctl _TRANSPORT=audit
      Oct 09 16:10:22 central-controller-0.yatanaka.example.com audit[1]: EVENT_LISTENER pid=1 uid=0 auid=4294967295 tty=(none) ses=4294967295 subj=system_u:system_r:init_t:s0 comm="systemd" exe="/usr/lib/systemd/sys>
      Oct 09 16:10:22 central-controller-0.yatanaka.example.com audit: BPF prog-id=277 op=LOAD
      Oct 09 16:10:22 central-controller-0.yatanaka.example.com audit: BPF prog-id=278 op=LOAD
      Oct 09 16:10:22 central-controller-0.yatanaka.example.com audit: BPF prog-id=279 op=LOAD
      6. Audit logs can also be viewed from the OCP web console under Observe / Logs.
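
      A check for the condition the workaround addresses, as an added example that is not part of the original report: it merges the Sockets= and Requires= lists from the unit file and its drop-ins and reports whether systemd-journald-audit.socket is wired into systemd-journald.service. The function names are hypothetical, and section headers are ignored as a simplification.

```shell
#!/bin/sh
# Added example (not from the original report); function names are hypothetical.
AUDIT_SOCKET="systemd-journald-audit.socket"

# Print the merged, de-duplicated values of a list setting (Sockets=, Requires=)
# from the unit file and every *.conf drop-in, one unit name per line.
# Simplification: section headers ([Unit], [Service]) are not tracked.
merged_units() {   # usage: merged_units KEY UNIT_FILE [DROPIN_DIR]
    mu_key=$1; mu_unit=$2; mu_dir=${3:-}
    {
        cat "$mu_unit"; echo
        if [ -n "$mu_dir" ] && [ -d "$mu_dir" ]; then
            for mu_f in "$mu_dir"/*.conf; do
                if [ -e "$mu_f" ]; then cat "$mu_f"; echo; fi
            done
        fi
    } | awk -v key="$mu_key" '
        /^[ \t]*[#;]/ { next }                  # skip comment lines
        $0 ~ ("^[ \t]*" key "[ \t]*=") {        # KEY=unit1 unit2 ...
            sub(/^[^=]*=/, "")                  # drop "KEY=", fields are re-split
            for (i = 1; i <= NF; i++) print $i
        }' | sort -u
}

# Exit status 0 only when the audit socket appears in both Sockets= and
# Requires=, which is the state the workaround's drop-in produces.
journald_collects_audit() {   # usage: journald_collects_audit UNIT_FILE [DROPIN_DIR]
    for jc_key in Sockets Requires; do
        merged_units "$jc_key" "$@" | grep -qxF "$AUDIT_SOCKET" || return 1
    done
}

# On a data plane node (paths as shown in the workaround above):
#   journald_collects_audit /usr/lib/systemd/system/systemd-journald.service \
#       /etc/systemd/system/systemd-journald.service.d && echo "audit socket wired in"
```

      On a live host, `systemctl show -p Sockets systemd-journald.service` prints the merged list as systemd itself resolved it.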

              Unassigned
              rhn-support-tasakura Takemi Asakura
              rhos-dfg-df