Bug 1536680
| Summary: | [RFE] Audit logs accessible via WebUI | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Eric Jones <erjones> |
| Component: | RFE | Assignee: | Jeff Cantrill <jcantril> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Xiaoli Tian <xtian> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 3.6.1 | CC: | aos-bugs, bandrade, clichybi, erjones, fabio.martinelli, jcantril, jokerman, mmccomas, mtaru, pportant, rpuccini, ssadhale, sspeiche, tkatarki, tmanor, vwalek |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-05-16 19:40:03 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Eric Jones
2018-01-19 22:23:08 UTC
Currently, it is possible to enable docker audit logs to be sent to the EFK stack. These logs end up in the operations indices, which means anyone with what is deemed cluster admin access ('oadm policy can-i view pod/logs -n default') is able to view them. There is more work to collect all the audit logs, as there currently is a normalization process specifically for making the logs structured in Elastic. I don't know how that normalization applies to other audit entries. There is also additional resource consumption to consider if we want these logs to go to operations, or if maybe they should be indexed some place else. To clarify, the request here is to capture ALL audit logs, correct?

Hey Jeff, sorry for the lag in response. I just reviewed all of the cases to be certain, but this RFE is specifically referring to the OpenShift Audit logs, the ones that identify which user did what OpenShift command and from where. This is explained a bit more here [0] if you need additional reference to which audit log we mean to ask for in Kibana.

[0] https://access.redhat.com/solutions/1748893

There are no changes in the roadmap regarding audit logging, and it will not be available in 3.10 or 3.11 other than what is already implemented.

Folks, this ask should be satisfied with the following: https://docs.openshift.com/container-platform/3.11/install_config/aggregate_logging.html

openshift_logging_fluentd_audit_container_engine
When openshift_logging_fluentd_audit_container_engine is set to true, the audit log of the container engine is collected and stored in ES. Enabling this variable allows the EFK to watch the specified audit log file or the default /var/log/audit.log file, collects audit information for the container engine for the platform, then puts it into Kibana.

openshift_logging_fluentd_audit_file
Location of audit log file. The default is /var/log/audit/audit.log. Enabling this variable allows the EFK to watch the specified audit log file or the default /var/log/audit.log file, collects audit information for the container engine for the platform, then puts it into Kibana.

openshift_logging_fluentd_audit_pos_file
Location of the Fluentd in_tail position file for the audit log file. The default is /var/log/audit/audit.log.pos. Enabling this variable allows the EFK to watch the specified audit log file or the default /var/log/audit.log file, collects audit information for the container engine for the platform, then puts it into Kibana.

If this does not work then please file a bug. If it does not work as per expectation, please tell us exactly how you want the behavior enhanced. Also, please send an email to me (tkatarki) before churning here. Closing this RFE.
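The three inventory variables quoted from the docs above decide whether the container-engine audit log is collected, which file is tailed, and where Fluentd's in_tail records how far it has read. The following is an added example, not code from this bug report, from Fluentd or from the OpenShift project: it carries the documented defaults in a dict, parses constructed audit records in the standard auditd line format (`type=... msg=audit(ts:serial): key=value ...`) the way a collector would before indexing them, keeps only the container-engine records, and shows why a position file matters by resuming from a byte offset instead of re-reading the file. The sample log lines, the executable paths used to recognise the container engine, the audit rule key `docker`, and the offset-based resume (a simplification of what in_tail's position file stores) are all assumptions made for the example.

```python
"""Added example: what the openshift_logging_fluentd_audit_* settings control.

Parses auditd-format records, selects container-engine entries, and resumes
from a saved offset. Sample data and engine paths are constructed assumptions.
"""
import re

# Defaults as quoted from the OpenShift 3.11 aggregate logging docs in the bug.
INVENTORY_DEFAULTS = {
    "openshift_logging_fluentd_audit_container_engine": True,
    "openshift_logging_fluentd_audit_file": "/var/log/audit/audit.log",
    "openshift_logging_fluentd_audit_pos_file": "/var/log/audit/audit.log.pos",
}

# Constructed sample records (not real data) in auditd's line format.
SAMPLE_AUDIT_LOG = (
    'type=SYSCALL msg=audit(1516400588.123:4401): arch=c000003e syscall=59 '
    'success=yes exit=0 ppid=1 pid=2210 auid=4294967295 uid=0 gid=0 '
    'exe="/usr/bin/dockerd" key="docker"\n'
    "type=USER_LOGIN msg=audit(1516400590.001:4402): pid=2300 uid=0 auid=1000 "
    "ses=5 msg='op=login acct=\"alice\" exe=\"/usr/sbin/sshd\" "
    "hostname=10.0.0.5 res=success'\n"
    'type=SYSCALL msg=audit(1516400591.500:4403): arch=c000003e syscall=2 '
    'success=yes exit=3 pid=2211 uid=0 exe="/usr/bin/dockerd" key="docker"\n'
    "garbage line that is not an audit record\n"
)

# Header of every auditd record: type, timestamp, serial, then the body.
AUDIT_HEADER = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# key=value pairs; values may be double-quoted, single-quoted (nested msg='...'),
# or bare tokens. Quoted values are kept whole so nested pairs do not leak out.
FIELD = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")

# Assumption: executables that identify the container engine on the node,
# plus the audit rule key an administrator might attach to engine rules.
CONTAINER_ENGINE_EXES = {"/usr/bin/dockerd", "/usr/bin/docker-containerd"}
CONTAINER_ENGINE_KEY = "docker"


def parse_audit_line(line):
    """Turn one auditd line into a flat dict, or None if it is not a record."""
    m = AUDIT_HEADER.match(line)
    if not m:
        return None
    rec = {"type": m["type"], "timestamp": float(m["ts"]), "serial": int(m["serial"])}
    for key, value in FIELD.findall(m["body"]):
        rec[key] = value.strip("\"'")
    return rec


def is_container_engine_record(rec):
    """True when the record was produced by the container engine."""
    return rec.get("exe") in CONTAINER_ENGINE_EXES or rec.get("key") == CONTAINER_ENGINE_KEY


def collect_audit_records(text, inventory):
    """Apply the collection decision the *_audit_container_engine flag makes."""
    if not inventory.get("openshift_logging_fluentd_audit_container_engine", False):
        return []
    records = []
    for line in text.splitlines():
        rec = parse_audit_line(line)
        if rec is not None and is_container_engine_record(rec):
            records.append(rec)
    return records


def tail_from_offset(data, offset):
    """Simplified in_tail resume: return unread lines and the new byte offset.

    A real position file also tracks the inode so rotation is detected;
    this only shows why restarting without the offset would re-ingest everything.
    """
    new_lines = data[offset:].decode().splitlines()
    return new_lines, len(data)


if __name__ == "__main__":
    for rec in collect_audit_records(SAMPLE_AUDIT_LOG, INVENTORY_DEFAULTS):
        print(rec["serial"], rec["type"], rec["exe"])
    raw = SAMPLE_AUDIT_LOG.encode()
    lines, pos = tail_from_offset(raw, 0)
    print(len(lines), "lines read, offset now", pos)
    print(tail_from_offset(raw, pos))  # nothing new: ([], pos)
```

With the flag left at its default of true, two of the four sample lines are indexed (the two engine syscalls); the SSH login record is parsed but dropped because its `exe` sits inside the nested `msg='...'` value and is not a container-engine path, and the malformed line is rejected by the header pattern. Setting the flag to false yields nothing, which is the documented switch the closing comment points at.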