Merge pull request #25456 from mburke5678/BZ-1867137-46

mburke5678 · web-flow · commit 72bcce081e4f · 2020-09-30T14:26:46.000-04:00
4.6 After installation infra and audit index pattern not available in Kibana
diff --git a/logging/config/cluster-logging-log-store.adoc b/logging/config/cluster-logging-log-store.adoc
@@ -38,7 +38,7 @@ include::modules/cluster-logging-elasticsearch-audit.adoc[leveloffset=+1]
 
 .Additional resources
 
-For more information on the Log Forward API, see xref:../../logging/cluster-logging-external.adoc#cluster-logging-external[Forwarding logs using the Log Forwarding API].
+For more information on the Log Forwarding API, see xref:../../logging/cluster-logging-external.adoc#cluster-logging-external[Forwarding logs using the Log Forwarding API].
 
 include::modules/cluster-logging-elasticsearch-retention.adoc[leveloffset=+1]
 
diff --git a/modules/cluster-logging-elasticsearch-audit.adoc b/modules/cluster-logging-elasticsearch-audit.adoc
@@ -18,120 +18,73 @@ The internal {product-title} Elasticsearch log store does not provide secure sto
 
 To use the Log Forward API to forward audit logs to the internal Elasticsearch instance:
 
-. If the Log Forward API is not enabled:
-
-.. Edit the Cluster Logging Custom Resource (CR) in the `openshift-logging` project:
-+
-----
-$ oc edit ClusterLogging instance
-----
-
-.. Add the `clusterlogging.openshift.io/logforwardingtechpreview` annotation and set to `enabled`:
-+
-[source,yaml]
-----
-apiVersion: "logging.openshift.io/v1"
-kind: "ClusterLogging"
-metadata:
-  annotations:
-    clusterlogging.openshift.io/logforwardingtechpreview: enabled <1>
-  name: "instance"
-  namespace: "openshift-logging"
-spec:
-
-...
-
-  collection: <2>
-    logs:
-      type: "fluentd"
-      fluentd: {}
-----
-<1> Enables and disables the Log Forwarding API. Set to `enabled` to use log forwarding. 
-<2> The `spec.collection` block must be defined to use Fluentd in the Cluster Logging CR.
-
 . Create a Log Forwarding CR YAML file or edit your existing CR:
 +
 * Create a CR to send all log types to the internal Elasticsearch instance. You can use the following example without making any changes:
 +
 [source,yaml]
 ----
-apiVersion: logging.openshift.io/v1alpha1
-kind: LogForwarding
+apiVersion: logging.openshift.io/v1
+kind: ClusterLogForwarder
 metadata:
   name: instance
   namespace: openshift-logging
 spec:
-  disableDefaultForwarding: true
-  outputs:
-    - name: clo-es
-      type: elasticsearch
-      endpoint: 'elasticsearch.openshift-logging.svc:9200' <1>
-      secret:
-        name: fluentd
-  pipelines:
-    - name: audit-pipeline <2>
-      inputSource: logs.audit
-      outputRefs:
-        - clo-es
-    - name: app-pipeline <3>
-      inputSource: logs.app
-      outputRefs:
-        - clo-es
-    - name: infra-pipeline <4>
-      inputSource: logs.infra
-      outputRefs:
-        - clo-es
+  pipelines: <1>
+  - name: all-to-default
+    inputRefs:
+    - infrastructure
+    - application
+    - audit
+    outputRefs:
+    - default
 ----
-<1> The `endpoint` parameter points to the internal Elasticsearch instance.
-<2> This parameter sends the audit logs to the specified endpoint.
-<3> This parameter sends the application logs to the specified endpoint.
-<4> This parameter sends the infrastructure logs to the specified endpoint.
+<1> A pipeline defines the type of logs to forward using the specified output. The default output forwards logs to the internal Elasticsearch instance.
 +
 [NOTE]
 ====
-You must configure a pipeline and output for all three types of logs: application, infrastructure, and audit. If you do not specify a pipeline and output for a log type, those logs are not stored and will be lost.
+You must specify all three types of logs in the pipeline: application, infrastructure, and audit. If you do not specify a log type, those logs are not stored and will be lost. 
 ====
 +
-* If you have an existing LogForwarding CR, add an output for the internal Elasticsearch instance and a pipeline to that output for the audit logs. For example:
+* If you have an existing LogForwarding CR, add a pipeline to the default output for the audit logs. You do not need to define the default output. For example:
 +
 [source,yaml]
 ----
-apiVersion: "logging.openshift.io/v1alpha1"
+apiVersion: "logging.openshift.io/v1"
 kind: "LogForwarding"
 metadata:
   name: instance
   namespace: openshift-logging
 spec:
-  disableDefaultForwarding: true
   outputs:
-   - name: elasticsearch <1>
-     type: "elasticsearch"
-     endpoint: elasticsearch.openshift-logging.svc:9200
-     secret:
-        name: fluentd
    - name: elasticsearch-insecure
      type: "elasticsearch"
-     endpoint: elasticsearch-insecure.svc.messaging.cluster.local
+     url: elasticsearch-insecure.svc.messaging.cluster.local
      insecure: true
+   - name: elasticsearch-secure
+     type: "elasticsearch"
+     url: elasticsearch-secure.svc.messaging.cluster.local
+     secret: 
+        name: es-audit
    - name: secureforward-offcluster
      type: "forward"
-     endpoint: https://secureforward.offcluster.com:24224
+     url: https://secureforward.offcluster.com:24224
      secret:
         name: secureforward
   pipelines: 
    - name: container-logs
-     inputSource: logs.app
+     inputRefs: application
      outputRefs:
      - secureforward-offcluster
    - name: infra-logs
-     inputSource: logs.infra
+     inputRefs: infrastructure
      outputRefs:
      - elasticsearch-insecure
    - name: audit-logs
-     inputSource: logs.audit
+     inputRefs: audit
      outputRefs:
-     - elasticsearch <2>
+     - elasticsearch-secure
+     - default <1>
 ----
-<1> An output for the internal Elasticsearch instance.
-<2> A pipeline for sending the audit logs to the internal Elasticsearch instance.
+<1> This pipeline sends the audit logs to the internal Elasticsearch instance in addition to an external instance.
 
diff --git a/modules/cluster-logging-visualizer-launch.adoc b/modules/cluster-logging-visualizer-launch.adoc
@@ -10,7 +10,7 @@ pie charts, heat maps, built-in geospatial support, and other visualizations.
 
 .Prerequisites
 
-* To list the *infra* and *audit* indices in Kibana, a user must have the `cluster-admin` role, the `cluster-reader` role, or both roles. The default `kubeadmin` user does not have proper permissions to list these indices. 
+* To list the *infra* and *audit* indices in Kibana, a user must have the `cluster-admin` role, the `cluster-reader` role, or both roles. The default `kubeadmin` user has proper permissions to list these indices. 
 +
 If you can view the Pods and logs in the `default` project, you should be able to access the these indices. You can use the following command to check if the current user has proper permissions:
 +

Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@ pie charts, heat maps, built-in geospatial support, and other visualizations.`
`10`	`10`
`11`	`11`	`.Prerequisites`
`12`	`12`
`13`		-* To list the infra and audit indices in Kibana, a user must have the `cluster-admin` role, the `cluster-reader` role, or both roles. The default `kubeadmin` user does not have proper permissions to list these indices.
	`13`	+* To list the infra and audit indices in Kibana, a user must have the `cluster-admin` role, the `cluster-reader` role, or both roles. The default `kubeadmin` user has proper permissions to list these indices.
`14`	`14`	`+`
`15`	`15`	If you can view the Pods and logs in the `default` project, you should be able to access the these indices. You can use the following command to check if the current user has proper permissions:
`16`	`16`	`+`