|
1 | 1 | // Module included in the following assemblies: |
2 | 2 | // |
3 | 3 | // * observability/logging/log_collection_forwarding/configuring-log-forwarding.adoc |
| 4 | +// * configuring/configuring-log-forwarding.adoc |
4 | 5 |
|
5 | 6 | :_mod-docs-content-type: CONCEPT |
6 | | -[id="logging-audit-filtering_{context}"] |
7 | | -= Overview of API audit filter |
8 | | -OpenShift API servers generate audit events for each API call, detailing the request, response, and the identity of the requester, leading to large volumes of data. The API Audit filter uses rules to enable the exclusion of non-essential events and the reduction of event size, facilitating a more manageable audit trail. Rules are checked in order, checking stops at the first match. How much data is included in an event is determined by the value of the `level` field: |
| 7 | +[id="logging-audit-log-filtering_{context}"] |
| 8 | += API audit filter overview |
9 | 9 |
|
10 | | -* `None`: The event is dropped. |
11 | | -* `Metadata`: Audit metadata is included, request and response bodies are removed. |
12 | | -* `Request`: Audit metadata and the request body are included, the response body is removed. |
13 | | -* `RequestResponse`: All data is included: metadata, request body and response body. The response body can be very large. For example, `oc get pods -A` generates a response body containing the YAML description of every pod in the cluster. |
| 10 | +OpenShift API servers generate audit events for every API call. These events include details about the request, the response, and the identity of the requester. This can lead to large volumes of data. |
| 11 | + |
| 12 | +The API audit filter helps manage the audit trail by using rules to exclude non-essential events and to reduce the event size. Rules are checked in order, and checking stops at the first match. The amount of data in an event depends on the value of the `level` field: |
14 | 13 |
|
| 14 | +* `None`: The event is dropped. |
| 15 | +* `Metadata`: The event includes audit metadata and excludes request and response bodies. |
| 16 | +* `Request`: The event includes audit metadata and the request body, and excludes the response body. |
| 17 | +* `RequestResponse`: The event includes all data: metadata, request body and response body. The response body can be very large. For example, `oc get pods -A` generates a response body containing the YAML description of every pod in the cluster. |
15 | 18 |
|
16 | 19 | [NOTE] |
17 | 20 | ==== |
18 | | -You can use this feature only if the Vector collector is set up in your logging deployment. |
| 21 | +You can only use the API audit filter feature if the Vector collector is set up in your logging deployment. |
19 | 22 | ==== |
20 | 23 |
|
21 | | -In logging 5.8 and later, the `ClusterLogForwarder` custom resource (CR) uses the same format as the standard link:https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/#audit-policy[Kubernetes audit policy], while providing the following additional functions: |
| 24 | +The `ClusterLogForwarder` custom resource (CR) uses the same format as the standard link:https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/#audit-policy[Kubernetes audit policy]. The `ClusterLogForwarder` CR provides the following additional functions: |
22 | 25 |
|
23 | | -Wildcards:: Names of users, groups, namespaces, and resources can have a leading or trailing `\*` asterisk character. For example, namespace `openshift-\*` matches `openshift-apiserver` or `openshift-authentication`. Resource `\*/status` matches `Pod/status` or `Deployment/status`. |
| 26 | +Wildcards:: Names of users, groups, namespaces, and resources can have a leading or trailing `\*` asterisk character. For example, the `openshift-\*` namespace matches `openshift-apiserver` or `openshift-authentication` namespaces. The `\*/status` resource matches `Pod/status` or `Deployment/status` resources. |
24 | 27 |
|
25 | 28 | Default Rules:: Events that do not match any rule in the policy are filtered as follows: |
26 | | -* Read-only system events such as `get`, `list`, `watch` are dropped. |
| 29 | ++ |
| 30 | +-- |
| 31 | +* Read-only system events such as `get`, `list`, and `watch` are dropped. |
27 | 32 | * Service account write events that occur within the same namespace as the service account are dropped. |
28 | 33 | * All other events are forwarded, subject to any configured rate limits. |
29 | | - |
| 34 | +-- |
| 35 | ++ |
30 | 36 | To disable these defaults, either end your rules list with a rule that has only a `level` field or add an empty rule. |
31 | 37 |
|
32 | | -Omit Response Codes:: A list of integer status codes to omit. You can drop events based on the HTTP status code in the response by using the `OmitResponseCodes` field, a list of HTTP status code for which no events are created. The default value is `[404, 409, 422, 429]`. If the value is an empty list, `[]`, then no status codes are omitted. |
| 38 | +Omit Response Codes:: A list of integer status codes to omit. You can drop events based on the HTTP status code in the response by using the `OmitResponseCodes` field, which lists HTTP status codes for which no events are created. The default value is `[404, 409, 422, 429]`. If the value is an empty list, `[]`, no status codes are omitted. |
33 | 39 |
|
34 | 40 | The `ClusterLogForwarder` CR audit policy acts in addition to the {ocp-product-title} audit policy. The `ClusterLogForwarder` CR audit filter changes what the log collector forwards, and provides the ability to filter by verb, user, group, namespace, or resource. You can create multiple filters to send different summaries of the same audit stream to different places. For example, you can send a detailed stream to the local cluster log store, and a less detailed stream to a remote site. |
35 | 41 |
|
36 | | -[NOTE] |
37 | | -==== |
38 | | -The example provided is intended to illustrate the range of rules possible in an audit policy and is not a recommended configuration. |
| 42 | +[IMPORTANT] |
39 | 43 | ==== |
| 44 | +* You must have the `collect-audit-logs` cluster role to collect the audit logs. |
40 | 45 |
|
| 46 | +* The following example provided is intended to illustrate the range of rules possible in an audit policy and is not a recommended configuration. |
| 47 | +==== |
41 | 48 |
|
42 | 49 | .Example audit policy |
43 | 50 | [source,yaml] |
44 | 51 | ---- |
45 | | -apiVersion: logging.openshift.io/v1 |
| 52 | +apiVersion: observability.openshift.io/v1 |
46 | 53 | kind: ClusterLogForwarder |
47 | 54 | metadata: |
48 | 55 | name: instance |
49 | 56 | namespace: openshift-logging |
50 | 57 | spec: |
| 58 | + serviceAccount: |
| 59 | + name: example-service-account |
51 | 60 | pipelines: |
52 | 61 | - name: my-pipeline |
53 | | - inputRefs: audit #<1> |
54 | | - filterRefs: my-policy #<2> |
55 | | - outputRefs: default |
| 62 | + inputRefs: |
| 63 | + - audit # <1> |
| 64 | + filterRefs: |
| 65 | + - my-policy # <2> |
| 66 | + outputRefs: |
| 67 | + - my-output |
56 | 68 | filters: |
57 | 69 | - name: my-policy |
58 | 70 | type: kubeAPIAudit |
@@ -120,5 +132,5 @@ spec: |
120 | 132 | # A catch-all rule to log all other requests at the Metadata level. |
121 | 133 | - level: Metadata |
122 | 134 | ---- |
123 | | -<1> The log types that are collected. The value for this field can be `audit` for audit logs, `application` for application logs, `infrastructure` for infrastructure logs, or a named input that has been defined for your application. |
| 135 | +<1> The collected log types. The value for this field can be `audit` for audit logs, `application` for application logs, `infrastructure` for infrastructure logs, or a named input that is defined for your application. |
124 | 136 | <2> The name of your audit policy. |
0 commit comments