Red Hat Bugzilla – Bug 1464589
[RFE] Compress older audit logs
Last modified: 2018-03-07 03:01:17 EST
Description of problem:
Starting with OpenShift v3.4, we have started enabling the audit logging feature in our master-config.yaml:
Currently, the previous day's logs are stored uncompressed. On a busy cluster, we have seen >1GB of logs generated in a day, which takes up considerable storage space. It would be great if audit logging gzipped these older log files automatically.
Version-Release number of selected component (if applicable):
Why not also use "maximumRetainedFiles: 20" so that you cap the total disk usage at 2 GB?
If instead we don't use an auditFilePath configuration, these AUDIT logs will go to stdout. If we then use fluentd to collect logs from the master nodes as well, then all these audit logs will land in Elasticsearch under the .operations indices.
We could then ask the logging team to parse the audit logs to decorate those logs with metadata derived from the logs themselves to make them easier to search and correlate in Elasticsearch.
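Added example (not part of the bug thread or of any OpenShift or fluentd code): a sketch of the parsing and correlation step suggested in the last comment, which merges each audit request line with its response line by `id` so that one searchable event carries user, namespace, URI and status. The line layout (`AUDIT: key="value" ...` with an optional timestamp prefix, and a separate `response="..."` line sharing the request's id) is an assumption about the legacy audit format, and the sample lines are constructed.

```python
import re

# key="value" pairs; values may contain backslash-escaped quotes (e.g. groups).
PAIR = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

# Constructed sample lines in the assumed legacy format (not from the bug report).
SAMPLE = """\
2017-06-23T10:15:01.123456789-04:00 AUDIT: id="a1" ip="10.0.0.5" method="GET" user="alice" as="<self>" namespace="prod" uri="/api/v1/namespaces/prod/secrets"
2017-06-23T10:15:01.130000000-04:00 AUDIT: id="a1" response="403"
I0623 10:15:02.000000 1 some unrelated master log line
2017-06-23T10:15:03.000000000-04:00 AUDIT: id="b2" ip="10.0.0.9" method="DELETE" user="bob" as="<self>" namespace="dev" uri="/api/v1/namespaces/dev/pods/web-1"
"""

def parse_line(line):
    """Return (timestamp, fields) for an AUDIT line, or None for anything else."""
    head, sep, rest = line.partition("AUDIT: ")
    if not sep:
        return None
    fields = {k: v.replace('\\"', '"') for k, v in PAIR.findall(rest)}
    return (head.strip() or None, fields) if "id" in fields else None

def correlate(lines):
    """Merge each request line with its response line (same id) into one event."""
    pending, events = {}, []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # ordinary master log output mixed into stdout
        ts, fields = parsed
        if "response" in fields and "method" not in fields:
            event = pending.pop(fields["id"], None)
            if event is None:  # response whose request was not seen: keep, flagged
                event = {"id": fields["id"], "orphan_response": True}
                events.append(event)
            event["response"] = int(fields["response"])
            event["response_time"] = ts
        else:
            # response stays None until (and unless) the matching line arrives
            event = dict(fields, time=ts, response=None)
            pending[fields["id"]] = event
            events.append(event)
    return events

if __name__ == "__main__":
    for e in correlate(SAMPLE.splitlines()):
        print(e)
```

Events left with `response` set to `None` are requests whose response line was never seen, for example because it fell into a different rotated file.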