Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1971003

Summary: LF GA syslog ( for RFC 3164 ) implementation incompatible with supported legacy feature
Product: OpenShift Container Platform Reporter: OpenShift BugZilla Robot <openshift-bugzilla-robot>
Component: LoggingAssignee: Vimal Kumar <vimalkum>
Status: CLOSED ERRATA QA Contact: Ishwar Kanse <ikanse>
Severity: high Docs Contact:
Priority: high    
Version: 4.6CC: aconway, anli, aos-bugs, bjarvis, cvogel, jcantril, jniu, kahara, kkii, mfuruta, periklis, puraut, rdlugyhe, rh-container, syedriko
Target Milestone: ---   
Target Release: 4.6.z   
Hardware: All   
OS: All   
Whiteboard: logging-core
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-07-28 05:58:08 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1891886    
Bug Blocks:    

Comment 7 Ishwar Kanse 2021-07-21 05:19:18 UTC 
Verified with:

oc get csv
NAME                                        DISPLAY                            VERSION              REPLACES   PHASE
clusterlogging.4.6.0-202107152013           Cluster Logging                    4.6.0-202107152013              Succeeded
elasticsearch-operator.4.6.0-202107152013   OpenShift Elasticsearch Operator   4.6.0-202107152013              Succeeded

apiVersion: logging.openshift.io/v1      
kind: ClusterLogForwarder      
metadata:      
  name: instance      
  namespace: openshift-logging      
spec:      
  outputs:      
    - name: rsyslog-created-by-user      
      type: syslog      
      syslog:      
        facility: local0      
        payloadKey: message
        addLogSource: true
        rfc: RFC3164  
        severity: informational      
      url: 'udp://rsyslogserver.openshift-logging.svc:514'      
  pipelines:      
    - name: forward-to-external-syslog      
      inputRefs:      
        - infrastructure      
        - application      
        - audit      
      outputRefs:      
        - rsyslog-created-by-user

syslog config:

cat rsyslogserver_configmap.yaml 
apiVersion: v1
kind: ConfigMap
metadata:
  name: rsyslogserver
  labels:
    provider: aosqe
    component: "rsyslogserver"
data:
  rsyslog.conf: |+
    global(processInternalMessages="on")
    module(load="imptcp")
    module(load="imudp" TimeRequery="500")
    input(type="imptcp" port="514")
    input(type="imudp" port="514")
    :programname, contains, "kubernetes.var.log.containers" {
      if $msg contains "namespace_name=openshift" or $msg contains "namespace_name=default" or $msg contains "namespace_name=kube" then /var/log/custom/infra-container.log
      if not ($msg contains "namespace_name=openshift" or $msg contains "namespace_name=default" or $msg contains "namespace_name=kube") then /var/log/custom/app-container.log
    }
    :programname, contains, "journal.system" /var/log/custom/infra.log
    :programname, contains, "k8s-audit.log" /var/log/custom/audit.log
    :programname, contains, "openshift-audit.log" /var/log/custom/audit.log 
    :msg, contains, "docker"{
      if $msg contains "viaq_index_name:infra-write" then /var/log/custom/infra-container.log
      if $msg contains "viaq_index_name:app-write" then /var/log/custom/app-container.log
    }
    :msg, contains, "_STREAM_ID" /var/log/custom/infra.log
    :msg, contains, "viaq_index_name:audit-write" /var/log/custom/audit.log
    :msg, contains, "SVTLogger" /var/log/custom/app.log

Without addLogSource: true added to CLF:

2021-07-21T05:12:11+00:00 test-vh2fg-worker-a-pb7m6.c.example-qe.internal fluentd: 2021-07-21 05:12:10,773 - SVTLogger - INFO - centos-logtest-dbj2c : 2697 : o3TW7R5wZ LLwpANxqU HkGPx3TK8 qqSD6Us9F fku4uZl4D 4AuxygfKR prmosCpPc wtgGQ470N 7wRyLF799 z9HiQQZdr n0q9BVbH5 4LL00oakb kQZEgk2fN xhe65c32C rZTwvdFoe ot1XMofSt oXwKJxehG Aa6JNSAVV SI5yPC4bE wIhgRFjev 

with addLogSource: true added to CLF

2021-07-21T05:10:23+00:00 test-vh2fg-worker-a-pb7m6.c.example-qe.internal fluentd: namespace_name=centos-logtest, container_name=centos-logtest, pod_name=centos-logtest-dbj2c, message=2021-07-21 05:10:22,654 - SVTLogger - INFO - centos-logtest-dbj2c : 2589 : o3TW7R5wZ LLwpANxqU HkGPx3TK8 qqSD6Us9F fku4uZl4D 4AuxygfKR prmosCpPc wtgGQ470N 7wRyLF799 z9HiQQZdr n0q9BVbH5 4LL00oakb kQZEgk2fN xhe65c32C rZTwvdFoe ot1XMofSt oXwKJxehG Aa6JNSAVV SI5yPC4bE wIhgRFjev
Comment 9 errata-xmlrpc 2021-07-28 05:58:08 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6.40 extras update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:2769