* See xref:../logging/log_collection_forwarding/log-forwarding.adoc#cluster-logging-collector-log-forward-cloudwatch_log-forwarding[Forwarding logs to Amazon CloudWatch] for instructions.
* See xref:../logging/log_collection_forwarding/configuring-log-forwarding.adoc#cluster-logging-collector-log-forward-cloudwatch_configuring-log-forwarding[Forwarding logs to Amazon CloudWatch] for instructions.
By default, the {logging} sends container and infrastructure logs to the default internal log store defined in the `ClusterLogging` custom resource. However, it does not send audit logs to the internal store because it does not provide secure storage. If this default configuration meets your needs, you do not need to configure the Cluster Log Forwarder.
[NOTE]
====
To send audit logs to the internal Elasticsearch log store, use the Cluster Log Forwarder as described in xref:../../logging/log_storage/logging-config-es-store.adoc#cluster-logging-elasticsearch-audit_logging-config-es-store[Forwarding audit logs to the log store].
* xref:../../networking/ovn_kubernetes_network_provider/logging-network-policy.adoc#logging-network-policy[Logging for egress firewall and network policy rules]
endif::[]
ifdef::openshift-rosa,openshift-dedicated[]
* link:https://docs.openshift.com/container-platform/latest/networking/ovn_kubernetes_network_provider/logging-network-policy.html#logging-network-policy[Logging for egress firewall and network policy rules]
== Enabling the multi log forwarder feature for a cluster
=== Enabling the multi log forwarder feature for a cluster
To use the multi log forwarder feature, you must create a service account and cluster role bindings for that service account. You can then reference the service account in the `ClusterLogForwarder` resource to control access permissions.
@@ -38,7 +38,7 @@ To use the multi log forwarder feature, you must create a service account and cl
In order to support multi log forwarding in additional namespaces other than the `openshift-logging` namespace, you must xref:../../logging/cluster-logging-upgrading.adoc#logging-operator-upgrading-all-ns_cluster-logging-upgrading[update the {clo} to watch all namespaces]. This functionality is supported by default in new {clo} version 5.8 installations.
By default, the {logging} sends container and infrastructure logs to the default internal log store defined in the `ClusterLogging` custom resource. However, it does not send audit logs to the internal store because it does not provide secure storage. If this default configuration meets your needs, you do not need to configure the Cluster Log Forwarder.
[NOTE]
====
To send audit logs to the internal Elasticsearch log store, use the Cluster Log Forwarder as described in xref:../../logging/log_storage/logging-config-es-store.adoc#cluster-logging-elasticsearch-audit_logging-config-es-store[Forwarding audit logs to the log store].
=== Forwarding logs to Amazon CloudWatch from STS enabled clusters
For clusters with AWS Security Token Service (STS) enabled, you can create an AWS service account manually or create a credentials request by using the
. Create a `CredentialsRequest` custom resource YAML by using the template below:
+
.CloudWatch credentials request template
[source,yaml]
----
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  name: <your_role_name>-credrequest
  namespace: openshift-cloud-credential-operator
spec:
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: AWSProviderSpec
    statementEntries:
      - action:
          - logs:PutLogEvents
          - logs:CreateLogGroup
          - logs:PutRetentionPolicy
          - logs:CreateLogStream
          - logs:DescribeLogGroups
          - logs:DescribeLogStreams
        effect: Allow
        resource: arn:aws:logs:*:*:*
  secretRef:
    name: <your_role_name>
    namespace: openshift-logging
  serviceAccountNames:
    - logcollector
----
+
. Use the `ccoctl` command to create a role for AWS using your `CredentialsRequest` CR. With the `CredentialsRequest` object, this `ccoctl` command creates an IAM role with a trust policy that is tied to the specified OIDC identity provider, and a permissions policy that grants permissions to perform operations on CloudWatch resources. This command also creates a YAML configuration file in `/<path_to_ccoctl_output_dir>/manifests/openshift-logging-<your_role_name>-credentials.yaml`. This secret file contains the `role_arn` key/value used during authentication with the AWS IAM identity provider.
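Review bot: the `resource` in the `CredentialsRequest` template is `arn:aws:logs:*:*:*`, which lets the collector role create and write log groups and streams in every region and account the role can reach; scope it to the account and the region the forwarder actually targets (the `region` later set on the `ClusterLogForwarder` output), and to the `<group_prefix>` log groups where the action supports resource-level permissions, for example `arn:aws:logs:us-east-2:<aws_account_id>:log-group:<group_prefix>*`. In the same step the `ccoctl` output is first called a "YAML configuration file" and then a "secret file"; say once that it is a `Secret` manifest carrying the `role_arn`, and that it is the object applied to `openshift-logging` that the forwarder's `secret.name` later refers to.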
. Create or edit a `ClusterLogForwarder` custom resource:
+
[source,yaml]
----
apiVersion: logging.openshift.io/v1
kind: ClusterLogForwarder
metadata:
  name: <log_forwarder_name> <1>
  namespace: <log_forwarder_namespace> <2>
spec:
  serviceAccountName: clf-collector <3>
  outputs:
    - name: cw <4>
      type: cloudwatch <5>
      cloudwatch:
        groupBy: logType <6>
        groupPrefix: <group prefix> <7>
        region: us-east-2 <8>
      secret:
        name: <your_secret_name> <9>
  pipelines:
    - name: to-cloudwatch <10>
      inputRefs: <11>
        - infrastructure
        - audit
        - application
      outputRefs:
        - cw <12>
----
<1> In legacy implementations, the CR name must be `instance`. In multi log forwarder implementations, you can use any name.
<2> In legacy implementations, the CR namespace must be `openshift-logging`. In multi log forwarder implementations, you can use any namespace.
<3> Specify the `clf-collector` service account. The service account is only required in multi log forwarder implementations if the log forwarder is not deployed in the `openshift-logging` namespace.
<4> Specify a name for the output.
<5> Specify the `cloudwatch` type.
<6> Optional: Specify how to group the logs:
+
* `logType` creates log groups for each log type.
* `namespaceName` creates a log group for each application namespace. Infrastructure and audit logs are unaffected, remaining grouped by `logType`.
* `namespaceUUID` creates a new log group for each application namespace UUID. It also creates separate log groups for infrastructure and audit logs.
<7> Optional: Specify a string to replace the default `infrastructureName` prefix in the names of the log groups.
<8> Specify the AWS region.
<9> Specify the name of the secret that contains your AWS credentials.
<10> Optional: Specify a name for the pipeline.
<11> Specify which log types to forward by using the pipeline: `application`, `infrastructure`, or `audit`.
<12> Specify the name of the output to use when forwarding logs with this pipeline.
endif::[]
[role="_additional-resources"]
.Additional resources
* link:https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html[AWS STS API Reference]
* xref:../../logging/cluster-logging-exported-fields.adoc#cluster-logging-exported-fields-kubernetes_cluster-logging-exported-fields[Log Record Fields]
* xref:../../networking/ovn_kubernetes_network_provider/logging-network-policy.adoc#logging-network-policy[Logging for egress firewall and network policy rules]
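Review bot: the `ClusterLogForwarder` example sets `serviceAccountName: clf-collector` (callout <3>), while the `CredentialsRequest` earlier in this section binds the IAM role to `serviceAccountNames: - logcollector`. With STS the web identity token presented to AWS is issued for the service account the collector pod runs as, and the trust policy `ccoctl` generates is keyed on that subject, so the two names have to agree or the role cannot be assumed; use one name in both manifests or state explicitly that they must match. Callout <3> also says the service account is only required when the forwarder is not deployed in `openshift-logging`, which contradicts the earlier statement that the multi log forwarder feature requires creating a service account and cluster role bindings; reconcile the two. Minor: the `<group prefix>` placeholder in callout <7> uses a space where every other placeholder uses underscores.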
endif::[]
ifdef::openshift-rosa,openshift-dedicated[]
* link:https://docs.openshift.com/container-platform/latest/networking/ovn_kubernetes_network_provider/logging-network-policy.html#logging-network-policy[Logging for egress firewall and network policy rules]