Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1921263

Summary:	Using legacy Log Forwarding is not sending logs to the internal Elasticsearch
Product:	OpenShift Container Platform	Reporter:	Jeff Cantrill <jcantril>
Component:	Logging	Assignee:	Jeff Cantrill <jcantril>
Status:	CLOSED NEXTRELEASE	QA Contact:	Anping Li <anli>
Severity:	high	Docs Contact:	Rolfe Dlugy-Hegwer <rdlugyhe>
Priority:	medium
Version:	4.5	CC:	anli, aos-bugs, dkulkarn, fan-wxa, jcantril, jniu, mfuruta, mhatanak, naygupta, ocasalsa, rdlugyhe, rh-container, sasagarw
Target Milestone:	---
Target Release:	4.7.z
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:	logging-core
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:	* Previously, if you enabled legacy log forwarding, logs were not sent to managed storage. This issue occurred because the generated log forwarding configuration improperly chose between either log forwarding or legacy log forwarding. The current release fixes this issue. If the `ClusterLogging` CR defines a `logstore`, logs are sent to managed storage. Additionally, if legacy log forwarding is enabled, logs are sent to legacy log forwarding regardless of whether managed storage is enabled. (link:https://bugzilla.redhat.com/show_bug.cgi?id=1921263[1921263])	Story Points:	---
Clone Of:	1911477
Clones:	1928949 (view as bug list)		Environment:
Last Closed:	2021-03-15 16:08:56 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:	1905615, 1928949

Description Jeff Cantrill 2021-01-27 19:47:05 UTC

+++ This bug was initially created as a clone of Bug #1911477 +++

[Description of problem]
In previous version, for example 3.x and until 4.3. When using secure_forward following the documentation [1] the logs were sent to the internal Elasticsearch and to the external instance.

Now, in 4.5 it's only sending to the external instance and it doesn't send more to the internal Elasticsearch.

Verifying the documentation, it has not changed [2]. Then, it's expected that it works like it did in the past:

- Sending logs to the internal Elasticsearch
- Sending logs to the external instance configured in the secure-forward configmap

One thing has changed in the configuration generated for fluentd. In 4.3 the fluentd configuration after configuring secure_forward following the documentation is like this:

~~~
$ oc rsh <fluentd pod> cat /etc/fluent/fluent.conf
...
<label @_LOGS_APP>
        <match **>
        @type copy

                <store>
                @type relabel
                @label @CLO_DEFAULT_APP_PIPELINE
        </store>

                <store>
                @type relabel
                @label @_LEGACY_SECUREFORWARD
        </store>

</match>
<label @_LOGS_INFRA>
        <match **>
        @type copy

                <store>
                @type relabel
                @label @CLO_DEFAULT_INFRA_PIPELINE
        </store>

                <store>
                @type relabel
                @label @_LEGACY_SECUREFORWARD
        </store>

</match>
</label>

# Relabel specific pipelines to multiple, outputs (e.g. ES, kafka stores)

<label @CLO_DEFAULT_APP_PIPELINE>
        <match **>
        @type copy

                <store>
                @type relabel
                @label @CLO_DEFAULT_OUTPUT_ES
        </store>
</match>
</label>

<label @CLO_DEFAULT_INFRA_PIPELINE>
        <match **>
        @type copy

                <store>
                @type relabel
                @label @CLO_DEFAULT_OUTPUT_ES
        </store>
</match>
</label>
...
~~~

As we can see above, it's sending to the CLO_DEFAULT and to the LEGACY_SECUREFORWARD, but, the configuration in OCP 4.5 generated after configuring the secure forward is like this:

~~~
$ oc rsh <fluentd pod> cat /etc/fluent/fluent.conf
...
<label @_LOGS_APP>
  <match **>
    @type copy


    <store>
      @type relabel
      @label @_LEGACY_SECUREFORWARD
    </store>

  </match>
</label>
<label @_LOGS_AUDIT>
  <match **>
    @type copy


    <store>
      @type relabel
      @label @_LEGACY_SECUREFORWARD
    </store>

  </match>
</label>
<label @_LOGS_INFRA>
  <match **>
    @type copy


    <store>
      @type relabel
      @label @_LEGACY_SECUREFORWARD
    </store>

  </match>
</label>
...
~~~

As we can see, it's only relabeling like "_LEGACY_SECUREFORWARD", but it's not possible to see the relabeling to CLO_DEFAULT_XXX.


[Version-Release number of selected component (if applicable):]

Version used for OCP 4.5
~~~
$ oc version
Client Version: 4.5.23
Server Version: 4.5.23
$ oc get csv -n openshift-logging
NAME                                           DISPLAY                  VERSION                 REPLACES   PHASE
clusterlogging.4.5.0-202012120433.p0           Cluster Logging          4.5.0-202012120433.p0              Failed
elasticsearch-operator.4.5.0-202012120433.p0   Elasticsearch Operator   4.5.0-202012120433.p0              Succeeded
~~~

Version used for OCP 4.3:
~~~
$ oc version
Client Version: 4.3.38
Server Version: 4.3.40
Kubernetes Version: v1.16.2+853223d
$ oc get csv -n openshift-logging
NAME                                            DISPLAY                  VERSION                  REPLACES   PHASE
clusterlogging.4.3.40-202010141211.p0           Cluster Logging          4.3.40-202010141211.p0              Succeeded
elasticsearch-operator.4.3.40-202010141211.p0   Elasticsearch Operator   4.3.40-202010141211.p0              Succeeded
~~~

[How reproducible]
Always


Steps to Reproduce:
1. Install Cluster Logging
2. Configure secure_forward
3. Logs are not sent to the internal Elasticsearch

[Actual results]
Logs are not sent to the internal Elasticsearch

[Expected results]
Logs should be sent to the internal Elasticsearch at the same time that to the external instance configured in the secure-forward configmap


We are aware that this is deprecated, but in 4.3 the documentation is saying the same that in 4.4 and 4.5 and it was working in 4.3 and previous versions, the same that in 3.x. Then, it's expected that it continues working and the logs are sent in parallel to the internal Elasticsearch, to the external instance configured.


[1] https://docs.openshift.com/container-platform/4.3/logging/config/cluster-logging-external.html
[2] https://docs.openshift.com/container-platform/4.3/logging/config/cluster-logging-external.html#cluster-logging-collector-fluentd_cluster-logging-external

Comment 2 Anping Li 2021-02-19 04:50:20 UTC

The bug wasn't merged into 5.0

Comment 3 Jeff Cantrill 2021-02-25 19:31:54 UTC

Moving to ON_QA as we are excluded from ART at this time

Comment 4 Jeff Cantrill 2021-02-25 20:36:43 UTC

Please verify this issue against "master" .  Backporting against 5.0 here https://github.com/openshift/cluster-logging-operator/pull/921

Comment 5 Anping Li 2021-03-02 08:10:11 UTC

Verified using master branch.

Comment 6 Anping Li 2021-03-02 08:12:39 UTC

jeff, Shall we create a Jira ticket for the PR  https://github.com/openshift/cluster-logging-operator/pull/921?

Comment 7 Jeff Cantrill 2021-03-15 16:08:56 UTC

Closing in favor of https://issues.redhat.com/browse/LOG-1209