Bug 1809755

Summary: Forwarding audit logs to an external Logstash
Product: OpenShift Container Platform
Reporter: Radomir Ludva <rludva>
Component: Logging
Assignee: Jeff Cantrill <jcantril>
Status: CLOSED NOTABUG
QA Contact: Anping Li <anli>
Severity: medium
Priority: unspecified
Version: 4.3.0
CC: aos-bugs, cvogel
Hardware: Unspecified
OS: Unspecified
Last Closed: 2020-03-03 23:02:22 UTC
Type: Bug

Description Radomir Ludva 2020-03-03 20:01:21 UTC
Description of problem:
We are able to configure log forwarding for fluentd, using the 'forward' output plugin. However, it seems the external Logstash is only receiving "bad-request" with an empty payload/message:
{
       "headers" => {
            "http_accept" => nil,
           "request_path" => "/bad-request",
           "http_version" => "HTTP/1.0",
         "request_method" => "GET",
              "http_host" => nil,
        "http_user_agent" => nil
    },
    "@timestamp" => 2020-02-25T09:09:02.459Z,
      "@version" => "1",
          "host" => "XX.XXX.XX.XX",     // removed for this bugzilla issue
       "message" => ""
}

Is it possible to set a format/content type like JSON?

Expected results:
Audit logs are forwarded to the external Logstash.

Comment 4 Christian Heidenreich 2020-03-03 20:27:18 UTC
Can you provide us with the generated fluent.conf? It would be part of the fluentd configmap in the openshift-logging namespace.

Comment 5 Christian Heidenreich 2020-03-03 23:02:22 UTC
Looking closer into the issue, it seems that fluentd's forwarder was used, but this does not work with Logstash. There is currently no way to send it to Logstash, but if there is no particular reason, you could just forward it directly to Elasticsearch. Closing this issue.