You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: enhancements/cluster-logging/cluster-logging-log-forwarding.md
+11-2
Original file line number
Diff line number
Diff line change
@@ -2,6 +2,7 @@
2
2
title: cluster-logging-log-forwarding
3
3
authors:
4
4
- "@jcantrill"
5
+
- "@jaosorior"
5
6
reviewers:
6
7
- "@bparees"
7
8
- "@ewolinetz"
@@ -63,18 +64,18 @@ It will not allow configuration of additional sources without further design con
63
64
intended to provide a complex routing solution as one might achieve by using a custom collector configuration or a messaging solution (e.g. kafka).
64
65
* It is not a goal for the tech-preview to support log forwarding outputs other then the ones identified for the goals. Admins can forward to their own fluentd via `forward`
65
66
and then configure that fluentd to forward to any number of specific logstore outputs
66
-
67
+
* It is not a goal to provide secure storage for audit logs. If the deployer chooses to enable audit log forwarding, they need to make sure that the endpoint is compliant with governmental regulations and secure. The OpenShift logging Elasticsearch does not comply with those regulations.
67
68
68
69
## Proposal
69
70
70
71
Log forwarding will provide a declarative way to specify the outputs for specific types of logs using a 'pipeline'. A 'pipeline' defines simple routing for one source to one or more outputs. The source of logs are opinionated and well defined by cluster logging. The initial source types are as follows:
71
72
72
73
*`logs.app` - Container logs generated by user applications running on the platform, excluding infrastructure container applications
73
74
*`logs.infra` - Logs generated by both infrastructure components running on the platform and OKD nodes (e.g. journal logs). "Infra" applications are defined as any pods which run in namespaces: `openshift*`, `kube*`, `default`.
75
+
*`logs.audit` - Logs generated by the nodes' auditd (/var/log/audit/audit.log), audit logs from the kubeapi-server and the openshift-apiserver. This will not be forwarded by default.
There are no assumptions regarding whether or not an endpoint is deployed on or off cluster. Endpoints off-cluster may require adminstrators to perform additional actions in order for logs to be forwarded (e.g. secret creation, opening port, enable global proxy configuration)
80
81
Following is the list of supported endpoint types for this proposal:
@@ -92,6 +93,10 @@ This is a typical example of organizations that desires to re-use their existing
92
93
93
94
This is an example of an OKD cluster hosting solution where several organizations are each provided with a dedicated cluster. The organization requires access to application container logs but the host requires access to the infra structure logs.
94
95
96
+
#### As an OKD admin, I need to forward my audit logs to a secure SIEM that meets government regulations
97
+
98
+
This is often required for industries such as the US public sector, healthcare or financials. The logs will be forwarded to a government approved SIEM through secure means (mutual TLS).
99
+
95
100
### Implementation Details
96
101
97
102
#### Assumptions
@@ -154,6 +159,10 @@ spec:
154
159
source: logs.infra:
155
160
outputRefs:
156
161
- elasticsearch-insecure
162
+
- name: audit-logs
163
+
source: logs.audit
164
+
outputRefs:
165
+
- secureforward-offcluster
157
166
```
158
167
159
168
The generated collector configuration is something like the following. **Note:** the source definitions from prior releases remain unchanged:
0 commit comments