Bug 1464589

Summary: [RFE] Compress older audit logs
Product: OpenShift Container Platform
Reporter: bmorriso
Component: RFE
Assignee: Marc Curry <mcurry>
Status: CLOSED WONTFIX
QA Contact: Xiaoli Tian <xtian>
Severity: unspecified
Priority: unspecified
Version: 3.4.1
CC: aos-bugs, boris.ruppert, jokerman, mmccomas, nraghava, pportant, scuppett, tkatarki
Target Milestone: ---
Keywords: OpsBlocker
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2019-06-12 11:55:23 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description bmorriso 2017-06-23 20:50:16 UTC
Description of problem:

Starting with OpenShift v3.4, we have started enabling the audit logging feature in our master-config.yaml:

auditConfig:
  enabled: true
  auditFilePath: /var/log/openshift-master-audit.log
  maximumFileRetentionDays: 14
  maximumFileSizeMegabytes: 100

Currently, the previous day's logs are stored uncompressed. On a busy cluster, we have seen >1GB of logs generated in a day, which takes up considerable storage space. It would be great if audit logging gzipped these older log files automatically. 

Version-Release number of selected component (if applicable):
v3.4.1.18

How reproducible:
always
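
An added example, not part of the bug report and not OpenShift code: a cron-style workaround that gzips rotated audit logs next to the configured auditFilePath, verifies each archive before deleting the original, and prunes archives by maximumFileRetentionDays. The rotated-file naming (`<stem>-<timestamp>.log`), the function names and the one-hour minimum age are assumptions; the page does not say whether the master's own retention settings still apply to renamed `.gz` files, so the script prunes them itself.

```python
import gzip, os, shutil, time
from pathlib import Path

def compress_rotated(active, min_age_s=3600.0, now=None):
    """Gzip rotated siblings of the active audit log; return the archives created."""
    active = Path(active)
    now = time.time() if now is None else now
    created = []
    # Assumed naming: <stem>-<timestamp>.log; the active file never matches this glob.
    for src in sorted(active.parent.glob(f"{active.stem}-*{active.suffix}")):
        st = src.stat()
        if now - st.st_mtime < min_age_s:
            continue  # may have been rotated moments ago; leave it alone
        dst = src.with_name(src.name + ".gz")
        tmp = src.with_name(src.name + ".gz.tmp")
        # Create the temp file 0600 so audit data is never briefly world-readable.
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "wb") as raw, gzip.GzipFile(fileobj=raw, mode="wb") as gz:
            with open(src, "rb") as fin:
                shutil.copyfileobj(fin, gz)
        # Reading to EOF makes gzip check its CRC32; also compare the byte count.
        with gzip.open(tmp, "rb") as check:
            size = sum(len(c) for c in iter(lambda: check.read(1 << 20), b""))
        if size != st.st_size:
            tmp.unlink()
            continue  # keep the original if the archive does not match
        os.chmod(tmp, st.st_mode & 0o777)
        os.utime(tmp, (st.st_atime, st.st_mtime))  # keep the log's age for pruning
        os.replace(tmp, dst)  # atomic rename, then drop the uncompressed copy
        src.unlink()
        created.append(dst)
    return created

def prune_archives(active, retention_days, now=None):
    """Delete .gz archives older than retention_days; return the paths removed."""
    active = Path(active)
    now = time.time() if now is None else now
    removed = []
    for gz in sorted(active.parent.glob(f"{active.stem}-*{active.suffix}.gz")):
        if now - gz.stat().st_mtime > retention_days * 86400:
            gz.unlink()
            removed.append(gz)
    return removed

if __name__ == "__main__":
    log = "/var/log/openshift-master-audit.log"  # auditFilePath from the report
    print(compress_rotated(log), prune_archives(log, 14))  # maximumFileRetentionDays
```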

Comment 1 Peter Portante 2017-09-01 03:29:10 UTC
Why not also use "maximumRetainedFiles: 20" so that you cap the total disk usage at 2 GB?

Comment 2 Peter Portante 2017-09-01 03:32:12 UTC
If instead we don't use an auditFilePath configuration, these AUDIT logs will go to stdout.  If we then use fluentd to collect logs from the master nodes as well, then all these audit logs will land in Elasticsearch under the .operations indices.

We could then ask the logging team to parse the audit logs to decorate those logs with metadata derived from the logs themselves to make them easier to search and correlate in Elasticsearch.

Comment 5 Kirsten Newcomer 2019-06-12 11:55:23 UTC
With the introduction of OpenShift 4, Red Hat has delivered or roadmapped a substantial number of features based on feedback by our customers.  Many of the enhancements encompass specific RFEs which have been requested, or deliver a comparable solution to a customer problem, rendering an RFE redundant.

This bz (RFE) has been identified as a feature request not yet planned or scheduled for an OpenShift release and is being closed. 

If this feature is still an active request that needs to be tracked, Red Hat Support can assist in filing a request in the new JIRA RFE system, as well as provide you with updates as the RFE progresses within our planning processes. Please open a new support case: https://access.redhat.com/support/cases/#/case/new

Opening a New Support Case: https://access.redhat.com/support/cases/#/case/new 

As the new Jira RFE system is not yet public, Red Hat Support can help answer your questions about your RFEs via the same support case system.