Forwarding Audit Logs
Our solution provides detailed Audit dashboards. OpenShift does not write audit logs by default; you can enable them by following the OpenShift documentation, Master and Node Configuration / Advanced Audit.
The audit log only needs to be enabled on the masters. To do that, edit the master configuration:
sudo vi /etc/origin/master/master-config.yaml
And add an auditConfig section. The example below writes JSON events to /var/log/audit-ocp.log, rotates the file once it reaches 10 megabytes, keeps at most 3 rotated files and none older than 10 days. On a busy master 30 megabytes of audit events is not much history, so the collector has to ship them before rotation discards them.
auditConfig:
  auditFilePath: "/var/log/audit-ocp.log"
  enabled: true
  maximumFileRetentionDays: 10
  maximumFileSizeMegabytes: 10
  maximumRetainedFiles: 3
  policyFile: "/etc/origin/master/audit-policy.yaml"
  logFormat: json
Collector automatically forwards logs from /var/log/, so no additional configuration is required in the collector.
You need to create audit-policy.yaml at the path given in policyFile. Rules are evaluated in order and the first matching rule decides the level at which a request is logged, so keep the catch-all rule last. Note that secrets are logged at the Metadata level only, so their contents never end up in the audit log.
sudo vi /etc/origin/master/audit-policy.yaml
apiVersion: audit.k8s.io/v1beta1
kind: Policy
rules:
  # Do not log from very verbose system accounts
  - level: None
    users:
      - system:apiserver
      - system:kube-controller-manager
      - system:kube-scheduler
      - system:openshift-master
  # Do not log watch requests by the "system:kube-proxy" on endpoints or services
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: ""
        resources: ["endpoints", "services"]
  # Do not log authenticated requests to certain non-resource URL paths.
  - level: None
    userGroups: ["system:authenticated"]
    nonResourceURLs:
      - "/api*" # Wildcard matching.
      - "/version"
  # Log the request body of configmap changes in kube-system.
  - level: Request
    resources:
      - group: "" # core API group
        resources: ["configmaps"]
    # This rule only applies to resources in the "kube-system" namespace.
    # The empty string "" can be used to select non-namespaced resources.
    namespaces: ["kube-system"]
  # Log configmap and secret changes in all other namespaces at the metadata level.
  - level: Metadata
    resources:
      - group: "" # core API group
        resources: ["secrets", "configmaps"]
  # Log all other resources in core and extensions at the request level.
  - level: Request
    resources:
      - group: "" # core API group
      - group: "extensions" # Version of group should NOT be included.
  # A catch-all rule to log all other requests at the Metadata level.
  - level: Metadata
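To see which level a given request ends up at under this policy, here is an added example (not code from the page or from OpenShift) that re-implements the API server's first-match rule evaluation for the fields the policy above uses. POLICY_RULES is the policy transcribed into Python dicts so the script needs no PyYAML; the sample requests, user names and namespaces are constructed for illustration. resourceNames and the "*/sub" and "res/*" resource forms are not implemented.

```python
"""Added example, not code from the page or from OpenShift: a small
re-implementation of how the API server evaluates an audit policy, so you
can check which level a request will be logged at before restarting the
masters. The server walks `rules` in order and the FIRST matching rule
decides the level, so ordering in audit-policy.yaml matters. POLICY_RULES is
the page's audit-policy.yaml transcribed into Python dicts (no PyYAML
needed). Not implemented: resourceNames and the "*/sub" and "res/*" forms.
"""

POLICY_RULES = [
    {"level": "None",
     "users": ["system:apiserver", "system:kube-controller-manager",
               "system:kube-scheduler", "system:openshift-master"]},
    {"level": "None", "users": ["system:kube-proxy"], "verbs": ["watch"],
     "resources": [{"group": "", "resources": ["endpoints", "services"]}]},
    {"level": "None", "userGroups": ["system:authenticated"],
     "nonResourceURLs": ["/api*", "/version"]},
    {"level": "Request", "namespaces": ["kube-system"],
     "resources": [{"group": "", "resources": ["configmaps"]}]},
    {"level": "Metadata",
     "resources": [{"group": "", "resources": ["secrets", "configmaps"]}]},
    {"level": "Request", "resources": [{"group": ""}, {"group": "extensions"}]},
    {"level": "Metadata"},  # catch-all
]


def _path_matches(path, spec):
    """nonResourceURLs allow an exact match or a trailing-'*' prefix match."""
    return spec in ("*", path) or (spec.endswith("*") and path.startswith(spec.rstrip("*")))


def _matches_resource(rule, req):
    """Rules carrying `namespaces` or `resources` match resource requests only."""
    if "resource" not in req:
        return False
    if rule.get("namespaces") and req.get("namespace", "") not in rule["namespaces"]:
        return False
    if not rule.get("resources"):
        return True
    combined = req["resource"] + ("/" + req["subresource"] if req.get("subresource") else "")
    for gr in rule["resources"]:
        if gr.get("group", "") != req.get("group", ""):
            continue
        # A group listed without `resources` matches every resource in that group.
        if not gr.get("resources") or any(r in ("*", combined) for r in gr["resources"]):
            return True
    return False


def rule_matches(rule, req):
    if rule.get("users") and req["user"] not in rule["users"]:
        return False
    if rule.get("userGroups") and not set(req.get("groups", ())) & set(rule["userGroups"]):
        return False
    if rule.get("verbs") and req["verb"] not in rule["verbs"]:
        return False
    if rule.get("namespaces") or rule.get("resources"):
        return _matches_resource(rule, req)
    if rule.get("nonResourceURLs"):   # matches non-resource paths only
        return "resource" not in req and any(_path_matches(req["path"], s) for s in rule["nonResourceURLs"])
    return True


def audit_level(req, rules=POLICY_RULES):
    """Level of the first matching rule; a request matching no rule is not audited."""
    for rule in rules:
        if rule_matches(rule, req):
            return rule["level"]
    return "None"


# Constructed sample requests in the shape of the API server's request attributes:
# user, groups, verb, then either group/resource/namespace or a non-resource path.
AUTH = ["system:authenticated"]
SAMPLE_REQUESTS = {
    "scheduler updates an endpoint": {"user": "system:kube-scheduler", "verb": "update",
        "group": "", "resource": "endpoints", "namespace": "kube-system"},
    "kube-proxy watches services": {"user": "system:kube-proxy", "verb": "watch",
        "group": "", "resource": "services", "namespace": ""},
    "kube-proxy lists services": {"user": "system:kube-proxy", "verb": "list",
        "group": "", "resource": "services", "namespace": ""},
    "developer reads /version": {"user": "alice", "groups": AUTH, "verb": "get", "path": "/version"},
    "developer reads /healthz": {"user": "alice", "groups": AUTH, "verb": "get", "path": "/healthz"},
    "developer reads a secret": {"user": "alice", "groups": AUTH, "verb": "get",
        "group": "", "resource": "secrets", "namespace": "myproject"},
    "admin edits a configmap in kube-system": {"user": "admin", "groups": AUTH, "verb": "update",
        "group": "", "resource": "configmaps", "namespace": "kube-system"},
    "developer execs into a pod": {"user": "alice", "groups": AUTH, "verb": "create",
        "group": "", "resource": "pods", "subresource": "exec", "namespace": "myproject"},
    "developer creates an apps-group deployment": {"user": "alice", "groups": AUTH, "verb": "create",
        "group": "apps", "resource": "deployments", "namespace": "myproject"},
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{audit_level(req):9s} {name}")
```

Two results are worth noticing: a secret read lands at Metadata (rule five comes before the core-group Request rule, so secret bodies are never written), while a pods/exec request and any other core-group resource get Request level with the body included; and a resource in a group the policy does not name, such as apps, falls through to the Metadata catch-all.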
Restart services after making changes.
sudo systemctl restart atomic-openshift-master-api atomic-openshift-master-controllers
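Once the masters are restarted, /var/log/audit-ocp.log fills with one JSON audit event per line. The added example below (not the page's or the collector's code) shows what a detection over those lines looks like: it parses the events, drops the duplicate ResponseStarted stage that long-running requests such as exec produce, and flags denied requests, secret reads by human users, pod exec/attach, and RBAC changes. The sample log lines are constructed; the field names are those of the audit.k8s.io/v1beta1 Event, the values, users and auditIDs are made up.

```python
"""Added example, not the page's or the collector's code: reading the JSON
events that the masters write to /var/log/audit-ocp.log (one audit.k8s.io
Event per line with logFormat: json) and flagging the ones worth an alert.
The sample lines are constructed; their field names (stage, verb,
user.username, objectRef.resource/subresource, responseStatus.code) are those
of the real audit.k8s.io/v1beta1 Event, the values and auditIDs are made up.
"""
import json

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
RBAC_RESOURCES = {"roles", "rolebindings", "clusterroles", "clusterrolebindings"}

# Constructed sample of /var/log/audit-ocp.log (trimmed to the fields used here).
SAMPLE_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1beta1","level":"Metadata","auditID":"a1","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/myproject/secrets/db-creds","verb":"get","user":{"username":"alice","groups":["system:authenticated"]},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"secrets","namespace":"myproject","name":"db-creds","apiVersion":"v1"},"responseStatus":{"code":200},"stageTimestamp":"2018-05-01T10:00:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1beta1","level":"Request","auditID":"a2","stage":"ResponseStarted","requestURI":"/api/v1/namespaces/myproject/pods/web-1/exec?command=sh","verb":"create","user":{"username":"alice","groups":["system:authenticated"]},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"pods","subresource":"exec","namespace":"myproject","name":"web-1","apiVersion":"v1"},"responseStatus":{"code":101},"stageTimestamp":"2018-05-01T10:01:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1beta1","level":"Request","auditID":"a2","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/myproject/pods/web-1/exec?command=sh","verb":"create","user":{"username":"alice","groups":["system:authenticated"]},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"pods","subresource":"exec","namespace":"myproject","name":"web-1","apiVersion":"v1"},"responseStatus":{"code":101},"stageTimestamp":"2018-05-01T10:06:30.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1beta1","level":"Metadata","auditID":"a3","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/secrets","verb":"list","user":{"username":"bob","groups":["system:authenticated"]},"sourceIPs":["10.0.0.9"],"objectRef":{"resource":"secrets","namespace":"kube-system","apiVersion":"v1"},"responseStatus":{"code":403},"stageTimestamp":"2018-05-01T10:07:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1beta1","level":"Metadata","auditID":"a4","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/myproject/secrets/builder-token-x1","verb":"get","user":{"username":"system:serviceaccount:myproject:builder","groups":["system:serviceaccounts"]},"sourceIPs":["10.128.0.7"],"objectRef":{"resource":"secrets","namespace":"myproject","name":"builder-token-x1","apiVersion":"v1"},"responseStatus":{"code":200},"stageTimestamp":"2018-05-01T10:08:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1beta1","level":"Request","auditID":"a5","stage":"ResponseComplete","requestURI":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings","verb":"create","user":{"username":"admin","groups":["system:cluster-admins","system:authenticated"]},"sourceIPs":["10.0.0.2"],"objectRef":{"resource":"clusterrolebindings","name":"give-alice-admin","apiGroup":"rbac.authorization.k8s.io","apiVersion":"v1"},"responseStatus":{"code":201},"stageTimestamp":"2018-05-01T10:09:00.000000Z"}
this line is not JSON and must be skipped, not crash the scan
"""


def parse_events(lines):
    """Yield one Event per valid JSON line. Long-running requests (watch, exec)
    are written once at ResponseStarted and again at ResponseComplete, so only
    the final stage is kept to avoid counting them twice."""
    for line in lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue   # malformed or partial line, e.g. a torn write at rotation
        if isinstance(ev, dict) and ev.get("kind") == "Event" \
                and ev.get("stage") in ("ResponseComplete", "Panic"):
            yield ev


def classify(ev):
    """Names of the detections that apply to one event (metadata fields only,
    so this works for events logged at the Metadata level too)."""
    user = (ev.get("user") or {}).get("username", "")
    ref = ev.get("objectRef") or {}
    resource, sub = ref.get("resource", ""), ref.get("subresource", "")
    verb = ev.get("verb", "")
    code = (ev.get("responseStatus") or {}).get("code", 0)
    ok = code < 300
    findings = []
    if code == 403:
        findings.append("denied")                 # request refused by RBAC
    if resource == "secrets" and verb in ("get", "list", "watch") and ok \
            and not user.startswith("system:"):   # humans, not components or service accounts
        findings.append("secret_read_by_user")
    if resource == "pods" and sub in ("exec", "attach"):
        findings.append("pod_exec")
    if resource in RBAC_RESOURCES and verb in WRITE_VERBS and ok:
        findings.append("rbac_change")
    return findings


def scan(lines):
    """Return (auditID, finding, username, target) tuples for every hit."""
    hits = []
    for ev in parse_events(lines):
        ref = ev.get("objectRef") or {}
        target = "/".join(p for p in (ref.get("namespace"), ref.get("resource"), ref.get("name")) if p)
        for finding in classify(ev):
            hits.append((ev.get("auditID"), finding, (ev.get("user") or {}).get("username"), target))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(*hit)
```

The exclusion of system: principals from the secret-read rule is a tuning choice: service accounts read their own token secrets constantly, and alerting on those would bury the human reads. Because the detections use only metadata fields, they work on events logged at the Metadata level, which is where the policy above puts secrets.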
The application has a macro that defines how to find the audit logs