Merge pull request #25793 from mburke5678/logging-access-logs

Adding topic for logs in Kibana

Author: mburke5678

_topic_map.yml

@@ -1406,13 +1406,10 @@ Topics:
   - Name: Maintenance and support
     File: cluster-logging-maintenance-support
 - Name: Viewing cluster logs
-  Dir: viewing
+  File: cluster-logging-viewing
+- Name: Viewing cluster logs in Kibana
+  File: cluster-logging-visualizer
   Distros: openshift-enterprise,openshift-webscale,openshift-origin
-  Topics:
-  - Name: Viewing cluster logs in the console or CLI
-    File: cluster-logging-viewing
-  - Name: Viewing cluster logs using Kibana
-    File: cluster-logging-visualizer
 # TODO: This file doesn't exist anymore - update if necessary for dedicated
 # - Name: Viewing cluster logs using Kibana
 #   File: cluster-logging-kibana-interface

…ing/viewing/cluster-logging-viewing.adoc logging/cluster-logging-viewing.adoclogging/viewing/cluster-logging-viewing.adoc renamed to logging/cluster-logging-viewing.adoc logging/viewing/cluster-logging-viewing.adoc renamed to logging/cluster-logging-viewing.adoc

@@ -1,34 +1,32 @@
 :context: cluster-logging-visualizer
 [id="cluster-logging-visualizer-using"]
-= Viewing cluster logs using Kibana
+= Viewing cluster logs by using Kibana
 include::modules/common-attributes.adoc[]
 
 toc::[]
 
 {product-title} cluster logging includes a web console for visualizing collected log data. Currently, {product-title} deploys the Kibana console for visualization.
 
-Using the log visualizer, you can:
+Using the log visualizer, you can do the following with your data:
 
-* Search and browse your data using the *Discover* tab.
-* Chart and map your data using the *Visualize* tab.
-* Create and view custom dashboards using the *Dashboard* tab.
+* search and browse the data using the *Discover* tab.
+* chart and map the data using the *Visualize* tab.
+* create and view custom dashboards using the *Dashboard* tab.
 
 Use and configuration of the Kibana interface is beyond the scope of this documentation. For more information,
 on using the interface, see the link:https://www.elastic.co/guide/en/kibana/6.8/connect-to-elasticsearch.html[Kibana documentation]. 
 
 [NOTE]
 ====
-The audit logs are not stored in the internal {product-title} Elasticsearch instance by default. To view the audit logs in Kibana, you must use the xref:../../logging/config/cluster-logging-log-store.adoc#cluster-logging-elasticsearch-audit_cluster-logging-store[Log Forwarding API] to configure a pipeline that uses the `default` output for audit logs.
+The audit logs are not stored in the internal {product-title} Elasticsearch instance by default. To view the audit logs in Kibana, you must use the xref:../logging/config/cluster-logging-log-store.adoc#cluster-logging-elasticsearch-audit_cluster-logging-store[Log Forwarding API] to configure a pipeline that uses the `default` output for audit logs.
 ====
 
 // The following include statements pull in the module files that comprise
 // the assembly. Include any combination of concept, procedure, or reference
 // modules required to cover the user story. You can also include other
 // assemblies.
 
-include::modules/cluster-logging-visualizer-launch.adoc[leveloffset=+1]
 include::modules/cluster-logging-visualizer-indices.adoc[leveloffset=+1]
-// modules/cluster-logging-kibana-visualize.adoc[leveloffset=+1]
-
+include::modules/cluster-logging-visualizer-kibana.adoc[leveloffset=+1]
 
 

…/viewing/cluster-logging-visualizer.adoc logging/cluster-logging-visualizer.adoclogging/viewing/cluster-logging-visualizer.adoc renamed to logging/cluster-logging-visualizer.adoc logging/viewing/cluster-logging-visualizer.adoc renamed to logging/cluster-logging-visualizer.adoc

@@ -10,7 +10,7 @@ toc::[]
 ifdef::openshift-enterprise,openshift-webscale,openshift-origin[]
 As a cluster administrator, you can deploy cluster logging to
 aggregate all the logs from your {product-title} cluster, such as node system audit logs, application container logs, and infrastructure logs.
-Cluster logging aggregates these logs from throughout your cluster and stores them in a default log store. You can xref:../logging/viewing/cluster-logging-viewing.adoc#cluster-logging-viewing[view the logs in a console or the {product-title} web console] or xref:../logging/viewing/cluster-logging-visualizer.adoc#cluster-logging-visualizer[use Kibana to visualize log data].
+Cluster logging aggregates these logs from throughout your cluster and stores them in a default log store. You can xref:../logging/cluster-logging-visualizer.adoc#cluster-logging-visualizer[use the Kibana web console to visualize log data].
 
 Cluster logging aggregates the following types of logs:
 

logging/cluster-logging.adoc

@@ -9,13 +9,13 @@ An index pattern defines the Elasticsearch indices that you want to visualize. T
 
 .Prerequisites
 
-* A user must have the `cluster-admin` role, the `cluster-reader` role, or both roles to list the *infra* and *audit* indices in Kibana. 
+* A user must have the `cluster-admin` role, the `cluster-reader` role, or both roles to view the *infra* and *audit* indices in Kibana. The default `kubeadmin` user has proper permissions to view these indices. 
 +
-For example:
+If you can view the pods and logs in the `default`, `kube-` and `openshift-` projects, you should be able to access the these indices. You can use the following command to check if the current user has appropriate permissions:
 +
 [source,terminal]
 ----
-$ oc auth can-i get pods/logs -n default
+$ oc auth can-i get pods/log -n <project>
 ----
 +
 .Example output

logging/viewing/images

@@ -0,0 +1,119 @@
+// Module included in the following assemblies:
+//
+// * logging/viewing/cluster-logging-visualizer.adoc
+
+[id="cluster-logging-visualizer-kibana_{context}"]
+= Viewing cluster logs in Kibana
+
+You view cluster logs in the Kibana web console. The methods for viewing and visualizing your data in Kibana that are beyond the scope of this documentation. For more information, refer to the link:https://www.elastic.co/guide/en/kibana/6.8/tutorial-sample-discover.html[Kibana documentation].
+
+.Prerequisites
+
+* Cluster logging and Elasticsearch must be installed.
+
+* Kibana index patterns must exist.
+
+* A user must have the `cluster-admin` role, the `cluster-reader` role, or both roles to view the *infra* and *audit* indices in Kibana. The default `kubeadmin` user has proper permissions to view these indices. 
++
+If you can view the pods and logs in the `default`, `kube-` and `openshift-` projects, you should be able to access the these indices. You can use the following command to check if the current user has appropriate permissions:
++
+[source,terminal]
+----
+$ oc auth can-i get pods/log -n <project>
+----
++
+.Example output
+[source,terminal]
+----
+yes
+----
++
+[NOTE]
+====
+The audit logs are not stored in the internal {product-title} Elasticsearch instance by default. To view the audit logs in Kibana, you must use the Log Forwarding API to configure a pipeline that uses the `default` output for audit logs.
+====
+
+.Procedure
+
+To view logs in Kibana:
+
+. In the {product-title} console, click the Application Launcher {launch} and select *Logging*.
+
+. Log in using the same credentials you use to log in to the {product-title} console.
++
+The Kibana interface launches.
+
+. In Kibana, click *Discover*.
+
+. Select the index pattern you created from the drop-down menu in the top-left corner: *app*, *audit*, or *infra*.
++
+The log data displays as  time-stamped documents.
+
+. Expand one of the time-stamped documents.
+
+. Click the *JSON* tab to display the log entry for that document.
++
+.Sample infrastructure log entry in Kibana
+[source,terminal]
+----
+{
+  "_index": "infra-000001",
+  "_type": "_doc",
+  "_id": "YmJmYTBlNDkZTRmLTliMGQtMjE3NmFiOGUyOWM3",
+  "_version": 1,
+  "_score": null,
+  "_source": {
+    "docker": {
+      "container_id": "f85fa55bbef7bb783f041066be1e7c267a6b88c4603dfce213e32c1"
+    },
+    "kubernetes": {
+      "container_name": "registry-server",
+      "namespace_name": "openshift-marketplace",
+      "pod_name": "redhat-marketplace-n64gc",
+      "container_image": "registry.redhat.io/redhat/redhat-marketplace-index:v4.6",
+      "container_image_id": "registry.redhat.io/redhat/redhat-marketplace-index@sha256:65fc0c45aabb95809e376feb065771ecda9e5e59cc8b3024c4545c168f",
+      "pod_id": "8f594ea2-c866-4b5c-a1c8-a50756704b2a",
+      "host": "ip-10-0-182-28.us-east-2.compute.internal",
+      "master_url": "https://kubernetes.default.svc",
+      "namespace_id": "3abab127-7669-4eb3-b9ef-44c04ad68d38",
+      "namespace_labels": {
+        "openshift_io/cluster-monitoring": "true"
+      },
+      "flat_labels": [
+        "catalogsource_operators_coreos_com/update=redhat-marketplace"
+      ]
+    },
+    "message": "time=\"2020-09-23T20:47:03Z\" level=info msg=\"serving registry\" database=/database/index.db port=50051",
+    "level": "unknown",
+    "hostname": "ip-10-0-182-28.internal",
+    "pipeline_metadata": {
+      "collector": {
+        "ipaddr4": "10.0.182.28",
+        "inputname": "fluent-plugin-systemd",
+        "name": "fluentd",
+        "received_at": "2020-09-23T20:47:15.007583+00:00",
+        "version": "1.7.4 1.6.0"
+      }
+    },
+    "@timestamp": "2020-09-23T20:47:03.422465+00:00",
+    "viaq_msg_id": "YmJmYTBlNDktMDMGQtMjE3NmFiOGUyOWM3",
+    "openshift": {
+      "labels": {
+        "logging": "infra"
+      }
+    }
+  },
+  "fields": {
+    "@timestamp": [
+      "2020-09-23T20:47:03.422Z"
+    ],
+    "pipeline_metadata.collector.received_at": [
+      "2020-09-23T20:47:15.007Z"
+    ]
+  },
+  "sort": [
+    1600894023422
+  ]
+}
+----
+

modules/cluster-logging-visualizer-indices.adoc

@@ -12,11 +12,11 @@ pie charts, heat maps, built-in geospatial support, and other visualizations.
 
 * To list the *infra* and *audit* indices in Kibana, a user must have the `cluster-admin` role, the `cluster-reader` role, or both roles. The default `kubeadmin` user has proper permissions to list these indices. 
 +
-If you can view the pods and logs in the `default` project, you should be able to access the these indices. You can use the following command to check if the current user has proper permissions:
+If you can view the pods and logs in the `default`, `kube-*` and `openshift-*` projects, you should be able to access the these indices. You can use the following command to check if the current user has proper permissions:
 +
 [source,terminal]
 ----
-$ oc auth can-i get pods/logs -n default
+$ oc auth can-i get pods/log -n <project>
 ----
 +
 .Example output