- Task
- Resolution: Done
- Critical
- Logging 5.2
- devex docs #206 Aug 19-Sep 9
- 3
- Undefined
Documentation use cases:
- As a customer reviewing the release notes, I need to quickly understand the name and purpose of this enhancement.
- As a cluster administrator searching for instructions, I need to clearly understand when, why, and how to collect OVN audit logs.
Here's an overview that will appear in both the release note and procedure topic.
- Logs from "/ovn/acl-audit-log.log" are forwarded through the "audit" pipeline.
- Log entries populate the hostname field with the node from which the log originated.
- Log entries populate the level field.
- Log entries populate the timestamp field.
Procedures:
- How to enable/configure this functionality.
To configure this functionality, follow these steps:
1) Create an OCP cluster (version >= 4.8) with networkType: OVNKubernetes
2) Deploy the CLO (Cluster Logging Operator)
3) Enable audit logs in the ClusterLogForwarder
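As an added example for step 3 (not part of this ticket), the ClusterLogForwarder below routes the audit input, which carries the OVN ACL audit file, to the default store; the resource name "instance", the namespace openshift-logging and the "default" output are assumptions that match a standard Cluster Logging deployment. The second document is the OVN-Kubernetes namespace annotation that makes OVN write ACL verdicts to /var/log/ovn/acl-audit-log.log in the first place; without it the file stays empty and nothing reaches the pipeline, which is the first thing to rule out when troubleshooting. The namespace name and severities are sample values.

```yaml
# Added example: forward the audit input (OVN ACL audit log included) to the default output.
apiVersion: logging.openshift.io/v1
kind: ClusterLogForwarder
metadata:
  name: instance            # assumed: the standard CR name
  namespace: openshift-logging
spec:
  pipelines:
    - name: audit-logs
      inputRefs:
        - audit             # covers /var/log/ovn/acl-audit-log.log
      outputRefs:
        - default           # assumed: the cluster's own log store
---
# Added example: OVN-Kubernetes only logs ACL verdicts for annotated namespaces.
# "verify-audit-logging" is a constructed sample namespace; deny -> alert, allow -> notice
# matches the severities seen in the sample message in this ticket.
apiVersion: v1
kind: Namespace
metadata:
  name: verify-audit-logging
  annotations:
    k8s.ovn.org/acl-logging: '{ "deny": "alert", "allow": "notice" }'
```

Apply both with oc apply -f, then generate some denied traffic in the annotated namespace before searching the audit index; an index with no drop events is not necessarily a forwarding problem.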
- How to verify that this functionality works.
Fluentd collects the OVN logs from the nodes and forwards them to an endpoint such as Elasticsearch. With Elasticsearch, search the audit-000001
index to verify that the document is present. Each document should have the structure shown in the example log event below.
- How to troubleshoot if it doesn't work.
Check the node where OVN audit logs are enabled: the file /var/log/ovn/acl-audit-log.log should exist there. If the file is present,
check the logs of the Fluentd pod on that node for troubleshooting.
References:
- Add this new collection source to any lists of collection sources.
Example log event received at output:
{
  "@timestamp": "2021-07-06T08:26:58.687000+00:00",
  "hostname": "ip.abc.internal",
  "level": "info",
  "message": "2021-07-06T08:26:58.687Z|00004|acl_log(ovn_pinctrl0)|INFO|name=\"verify-audit-logging_deny-all\", verdict=drop, severity=alert: icmp,vlan_tci=0x0000,dl_src=0a:58:0a:81:02:12,dl_dst=0a:58:0a:81:02:14,nw_src=10.129.2.18,nw_dst=10.129.2.20,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=8,icmp_code=0"
}
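The verification step above says each forwarded document must carry @timestamp, hostname, level and message, and the message is the raw OVN acl_log line. The following is an added example, not code from this ticket or from the Logging project: it checks a received document for those fields, parses the acl_log message into its components (the ACL name is split into namespace and policy on the assumption, from OVN-Kubernetes naming, that it has the form namespace_policy), and counts drop verdicts per policy, which is the quickest way to confirm a deny rule is being hit. The first sample record is the event from this ticket; the other two are constructed.

```python
"""Added example: structure check and parser for OVN ACL audit events as they
arrive at the Logging audit pipeline output. Sample records are constructed."""
import re
from collections import Counter
from dataclasses import dataclass, field

# One OVN acl_log line:
#   <ts>|<seq>|acl_log(<module>)|<LEVEL>|name="<ns>_<policy>", verdict=<v>, severity=<s>: <proto>,<k>=<v>,...
ACL_LOG_RE = re.compile(
    r'^(?P<ts>[^|]+)\|(?P<seq>\d+)\|acl_log\((?P<module>[^)]*)\)\|(?P<level>[A-Z]+)\|'
    r'name="(?P<name>[^"]*)", verdict=(?P<verdict>\w+), severity=(?P<severity>\w+): '
    r'(?P<proto>\w+)(?:,(?P<flow>.*))?$'
)

REQUIRED_FIELDS = ("@timestamp", "hostname", "level", "message")


@dataclass
class AclEvent:
    timestamp: str
    seq: int
    module: str
    level: str
    namespace: str
    policy: str
    verdict: str
    severity: str
    proto: str
    flow: dict = field(default_factory=dict)  # e.g. nw_src, nw_dst, icmp_type


def parse_acl_log(message: str):
    """Parse one acl_log line; return an AclEvent, or None if it is not one."""
    m = ACL_LOG_RE.match(message.strip())
    if not m:
        return None
    # Assumption (OVN-Kubernetes convention): ACL name is "<namespace>_<policy>".
    # Kubernetes namespace names cannot contain "_", so split at the first one.
    namespace, _, policy = m["name"].partition("_")
    flow = {}
    for kv in (m["flow"] or "").split(","):
        key, sep, value = kv.partition("=")
        if sep:
            flow[key] = value
    return AclEvent(m["ts"], int(m["seq"]), m["module"], m["level"], namespace,
                    policy, m["verdict"], m["severity"], m["proto"], flow)


def check_forwarded_document(doc: dict) -> list:
    """List problems with a document as received at the output; empty means OK."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if f not in doc]
    if "message" in doc and parse_acl_log(doc["message"]) is None:
        problems.append("message is not an OVN acl_log line")
    return problems


def deny_counts(docs) -> Counter:
    """Count verdict=drop events per (namespace, policy) across received documents."""
    counter = Counter()
    for doc in docs:
        ev = parse_acl_log(doc.get("message", ""))
        if ev and ev.verdict == "drop":
            counter[(ev.namespace, ev.policy)] += 1
    return counter


SAMPLE_DOCS = [
    {  # the example event from this ticket
        "@timestamp": "2021-07-06T08:26:58.687000+00:00",
        "hostname": "ip.abc.internal",
        "level": "info",
        "message": '2021-07-06T08:26:58.687Z|00004|acl_log(ovn_pinctrl0)|INFO|name="verify-audit-logging_deny-all", verdict=drop, severity=alert: icmp,vlan_tci=0x0000,dl_src=0a:58:0a:81:02:12,dl_dst=0a:58:0a:81:02:14,nw_src=10.129.2.18,nw_dst=10.129.2.20,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=8,icmp_code=0',
    },
    {  # constructed: an allow verdict for a TCP flow
        "@timestamp": "2021-07-06T08:27:01.100000+00:00",
        "hostname": "ip.abc.internal",
        "level": "info",
        "message": '2021-07-06T08:27:01.100Z|00005|acl_log(ovn_pinctrl0)|INFO|name="verify-audit-logging_allow-web", verdict=allow, severity=notice: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:81:02:12,dl_dst=0a:58:0a:81:02:15,nw_src=10.129.2.18,nw_dst=10.129.2.21,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=41234,tp_dst=8080,tcp_flags=syn',
    },
    {  # constructed: level field lost and a non-ACL OVN line in message
        "@timestamp": "2021-07-06T08:27:02.000000+00:00",
        "hostname": "ip.abc.internal",
        "message": "2021-07-06T08:27:02.000Z|00006|vlog|INFO|opened log file /var/log/ovn/acl-audit-log.log",
    },
]

if __name__ == "__main__":
    for i, doc in enumerate(SAMPLE_DOCS):
        print(i, check_forwarded_document(doc) or "ok")
    print(dict(deny_counts(SAMPLE_DOCS)))
```

Run it against a batch of documents exported from the audit index; any non-empty problem list points at the collector side, while a parse that succeeds but shows no drop events for the policy under test points at the OVN side (annotation or policy), which keeps the two halves of the troubleshooting step apart.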
Notes
- Consider reviewing the remaining audit pipelines, as we may want to apply the same AC to all audit logs.
Sample Message:
2021-07-06T08:26:58.687Z|00004|acl_log(ovn_pinctrl0)|INFO|name="verify-audit-logging_deny-all", verdict=drop, severity=alert: icmp,vlan_tci=0x0000,dl_src=0a:58:0a:81:02:12,dl_dst=0a:58:0a:81:02:14,nw_src=10.129.2.18,nw_dst=10.129.2.20,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=8,icmp_code=0