Bug 1809755 - Forwarding audit logs to an external log stash
Summary: Forwarding audit logs to an external log stash
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Logging
Version: 4.3.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: ---
Assignee: Jeff Cantrill
QA Contact: Anping Li
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-03-03 20:01 UTC by Radomir Ludva
Modified: 2020-08-13 20:38 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-03 23:02:22 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description Radomir Ludva 2020-03-03 20:01:21 UTC
Description of problem:
We are able to configure log forwarding for fluentd, using the 'forward' output plugin. However, it seems the external logstash is only receiving "bad-request" with empty payload/message:
{
       "headers" => {
            "http_accept" => nil,
           "request_path" => "/bad-request",
           "http_version" => "HTTP/1.0",
         "request_method" => "GET",
              "http_host" => nil,
        "http_user_agent" => nil
    },
    "@timestamp" => 2020-02-25T09:09:02.459Z,
      "@version" => "1",
          "host" => "XX.XXX.XX.XX",     // removed for this bugzilla issue
       "message" => ""
} 

Is it possible to set a format/content type like JSON? 


Expected results:
Audit logs are forwarded to external log stash.

Comment 4 Christian Heidenreich 2020-03-03 20:27:18 UTC
Can you provide us with the generated fluent.conf. It would be part of the fluentd configmap in the openshift-logging namespace.

Comment 5 Christian Heidenreich 2020-03-03 23:02:22 UTC
Looking closer into the issue, it seems that fluentd's forwarder was used but this does not work with logstash. There is currently no way to send it to logstash but if there is no particular reason, you could just forward it directly to Elastsearch. Closing this issue.


Note You need to log in before you can comment on or make changes to this bug.