OBSDOCS-1679: Port the Configuring log forwarding chapter

Author: theashiot

_topic_maps/_topic_map.yml

@@ -2993,6 +2993,8 @@ Topics:
     Topics:
     - Name: Release notes
       File: log6x-release-notes-6.2
+    - Name: Configuring log forwarding
+      File: log6x-clf-6.2
   - Name: Logging 6.1
     Dir: logging-6.1
     Topics:

modules/log6x-collection-setup.adoc

@@ -92,7 +92,7 @@ rules:                                              <1>
       - logs                                        <7>
     verbs:                                          <8>
       - create                                      <9>
-Annotations
+----
 <1> rules: Specifies the permissions granted by this ClusterRole.
 <2> apiGroups: Refers to the API group loki.grafana.com, which relates to the Loki logging system.
 <3> loki.grafana.com: The API group for managing Loki-related resources.
@@ -102,7 +102,7 @@ Annotations
 <7> logs: Refers to the log resources that can be created.
 <8> verbs: The actions allowed on the resources.
 <9> create: Grants permission to create new logs in the Loki system.
-----
+
 
 === Writing audit logs
 The write-audit-logs-clusterrole.yaml file defines a ClusterRole that grants permissions to create audit logs in the Loki logging system.

observability/logging/logging-6.0/log6x-clf.adoc

@@ -80,7 +80,7 @@ Outputs are configured in an array under `spec.outputs`. Each output must have a
 
 azureMonitor:: Forwards logs to Azure Monitor.
 cloudwatch:: Forwards logs to AWS CloudWatch.
-elasticsearch:: Forwards logs to an external Elasticsearch instance.
+//elasticsearch:: Forwards logs to an external Elasticsearch instance.
 googleCloudLogging:: Forwards logs to Google Cloud Logging.
 http:: Forwards logs to a generic HTTP endpoint.
 kafka:: Forwards logs to a Kafka broker.

observability/logging/logging-6.1/log6x-clf-6.1.adoc

@@ -81,7 +81,7 @@ Outputs are configured in an array under `spec.outputs`. Each output must have a
 
 azureMonitor:: Forwards logs to Azure Monitor.
 cloudwatch:: Forwards logs to AWS CloudWatch.
-elasticsearch:: Forwards logs to an external Elasticsearch instance.
+//elasticsearch:: Forwards logs to an external Elasticsearch instance.
 googleCloudLogging:: Forwards logs to Google Cloud Logging.
 http:: Forwards logs to a generic HTTP endpoint.
 kafka:: Forwards logs to a Kafka broker.

observability/logging/logging-6.2/log6x-clf-6.2.adoc

@@ -0,0 +1,122 @@
+:_mod-docs-content-type: ASSEMBLY
+include::_attributes/common-attributes.adoc[]
+[id="log6x-clf-6-2"]
+= Configuring log forwarding
+:context: logging-6x-6.2
+
+toc::[]
+
+The `ClusterLogForwarder` (CLF) allows users to configure forwarding of logs to various destinations. It provides a flexible way to select log messages from different sources, send them through a pipeline that can transform or filter them, and forward them to one or more outputs.
+
+.Key Functions of the ClusterLogForwarder
+* Selects log messages using inputs
+* Forwards logs to external destinations using outputs
+* Filters, transforms, and drops log messages using filters
+* Defines log forwarding pipelines connecting inputs, filters and outputs
+
+include::modules/log6x-collection-setup.adoc[leveloffset=+1]
+
+[id="modifying-log-level_6-2_{context}"]
+== Modifying log level in collector
+
+To modify the log level in the collector, you can set the `observability.openshift.io/log-level` annotation to `trace`, `debug`, `info`, `warn`, `error`, and `off`.
+
+.Example log level annotation
+[source,yaml]
+----
+apiVersion: observability.openshift.io/v1
+kind: ClusterLogForwarder
+metadata:
+  name: collector
+  annotations:
+    observability.openshift.io/log-level: debug
+# ...
+----
+
+[id="managing-the-operator_6-2_{context}"]
+== Managing the Operator
+
+The `ClusterLogForwarder` resource has a `managementState` field that controls whether the operator actively manages its resources or leaves them Unmanaged:
+
+Managed:: (default) The operator will drive the logging resources to match the desired state in the CLF spec.
+
+Unmanaged:: The operator will not take any action related to the logging components.
+
+This allows administrators to temporarily pause log forwarding by setting `managementState` to `Unmanaged`.
+
+[id="clf-structure_6-2_{context}"]
+== Structure of the ClusterLogForwarder
+
+The CLF has a `spec` section that contains the following key components:
+
+Inputs:: Select log messages to be forwarded. Built-in input types `application`, `infrastructure` and `audit` forward logs from different parts of the cluster. You can also define custom inputs.
+
+Outputs:: Define destinations to forward logs to. Each output has a unique name and type-specific configuration.
+
+Pipelines:: Define the path logs take from inputs, through filters, to outputs. Pipelines have a unique name and consist of a list of input, output and filter names.
+
+Filters:: Transform or drop log messages in the pipeline. Users can define filters that match certain log fields and drop or modify the messages. Filters are applied in the order specified in the pipeline.
+
+[id="clf-inputs_6-2_{context}"]
+=== Inputs
+
+Inputs are configured in an array under `spec.inputs`. There are three built-in input types:
+
+application:: Selects logs from all application containers, excluding those in infrastructure namespaces.
+
+infrastructure:: Selects logs from nodes and from infrastructure components running in the following namespaces:
+** `default`
+** `kube`
+** `openshift`   
+** Containing the `kube-` or `openshift-` prefix
+
+audit:: Selects logs from the OpenShift API server audit logs, Kubernetes API server audit logs, ovn audit logs, and node audit logs from auditd.
+
+Users can define custom inputs of type `application` that select logs from specific namespaces or using pod labels.
+
+[id="clf-outputs_6-2_{context}"]
+=== Outputs
+
+Outputs are configured in an array under `spec.outputs`. Each output must have a unique name and a type. Supported types are:
+
+azureMonitor:: Forwards logs to Azure Monitor.
+cloudwatch:: Forwards logs to AWS CloudWatch.
+//elasticsearch:: Forwards logs to an external Elasticsearch instance.
+googleCloudLogging:: Forwards logs to Google Cloud Logging.
+http:: Forwards logs to a generic HTTP endpoint.
+kafka:: Forwards logs to a Kafka broker.
+loki:: Forwards logs to a Loki logging backend.
+lokistack:: Forwards logs to the logging supported combination of Loki and web proxy with {Product-Title} authentication integration. LokiStack's proxy uses {Product-Title} authentication to enforce multi-tenancy
+otlp:: Forwards logs using the OpenTelemetry Protocol.
+splunk:: Forwards logs to Splunk.
+syslog:: Forwards logs to an external syslog server.
+
+Each output type has its own configuration fields.
+
+include::modules/log6x-configuring-otlp-output.adoc[leveloffset=+1]
+
+[id="clf-pipelines_6-2_{context}"]
+=== Pipelines
+
+Pipelines are configured in an array under `spec.pipelines`. Each pipeline must have a unique name and consists of:
+
+inputRefs:: Names of inputs whose logs should be forwarded to this pipeline.
+outputRefs:: Names of outputs to send logs to.
+filterRefs:: (optional) Names of filters to apply.
+
+The order of filterRefs matters, as they are applied sequentially. Earlier filters can drop messages that will not be processed by later filters.
+
+[id="clf-filters_6-2_{context}"]
+=== Filters
+
+Filters are configured in an array under `spec.filters`. They can match incoming log messages based on the value of structured fields and modify or drop them.
+
+Administrators can configure the following types of filters:
+
+include::modules/log6x-multiline-except.adoc[leveloffset=+2]
+include::modules/log6x-content-filter-drop-records.adoc[leveloffset=+2]
+include::modules/log6x-audit-log-filtering.adoc[leveloffset=+2]
+include::modules/log6x-input-spec-filter-labels-expressions.adoc[leveloffset=+2]
+include::modules/log6x-content-filter-prune-records.adoc[leveloffset=+2]
+include::modules/log6x-input-spec-filter-audit-infrastructure.adoc[leveloffset=+1]
+include::modules/log6x-input-spec-filter-namespace-container.adoc[leveloffset=+1]