Configuring your logging deployment

    Red Hat Openshift Logging Operator:

    • (CL) - Deploys the collector and forwarder which currently are both implemented by a daemonset running on each node.

    • ClusterLogForwarder (CLF) - Generates collector configuration to forward logs per user configuration.

    Loki Operator:

    • LokiStack - Controls the Loki cluster as log store and the web proxy with OpenShift Container Platform authentication integration to enforce multi-tenancy.

    OpenShift Elasticsearch Operator:

    • ElasticSearch - Configure and deploy an Elasticsearch instance as the default log store.

    • Kibana - Configure and deploy Kibana instance to search, query and view logs.

    The supported way of configuring the logging subsystem for Red Hat OpenShift is by configuring it using the options described in this documentation. Do not use other configurations, as they are unsupported. Configuration paradigms might change across OpenShift Container Platform releases, and such cases can only be handled gracefully if all configuration possibilities are controlled. If you use configurations other than those described in this documentation, your changes will disappear because the Operators reconcile any differences. The Operators reverse everything to the defined state by default and by design.

    If you must perform configurations not described in the OpenShift Container Platform documentation, you must set your Red Hat OpenShift Logging Operator to Unmanaged. An unmanaged OpenShift Logging environment is not supported and does not receive updates until you return OpenShift Logging to Managed.

    With Logging version 5.6 and higher, you can configure retention policies based on log streams. Rules for these may be set globally, per tenant, or both. If you configure both, tenant rules apply before global rules.

    1. To enable stream-based retention, create or edit the LokiStack custom resource (CR):
    1. You can refer to the examples below to configure your LokiStack CR.

    Example global stream-based retention

    1. apiVersion: loki.grafana.com/v1
    2. kind: LokiStack
    3. metadata:
    4.   name: logging-loki
    5.   namespace: openshift-logging
    6. spec:
    7.   limits:
    8.     global: (1)
    9.       retention: (2)
    10.         days: 20
    11.         streams:
    12.         - days: 4
    13.           priority: 1
    14.           selector: '{kubernetes_namespace_name=~"test.+"}' (3)
    15.         - days: 1
    16.           priority: 1
    17.           selector: '{log_type="infrastructure"}'
    18.   managementState: Managed
    19.   replicationFactor: 1
    20.   size: 1x.small
    21.   storage:
    22.     schemas:
    23.     - effectiveDate: "2020-10-11"
    24.       version: v11
    25.     secret:
    26.       name: logging-loki-s3
    27.       type: aws
    28.   storageClassName: standard
    29.   tenants:
    30.     mode: openshift-logging
    1Sets retention policy for all log streams. Note: This field does not impact the retention period for stored logs in object storage.
    2Retention is enabled in the cluster when this block is added to the CR.
    3Contains the used to define the log stream.

    Example per-tenant stream-based retention

    1. apiVersion: loki.grafana.com/v1
    2. kind: LokiStack
    3. metadata:
    4.   name: logging-loki
    5.   namespace: openshift-logging
    6. spec:
    7.   limits:
    8.     global:
    9.       retention:
    10.         days: 20
    11.     tenants: (1)
    12.       application:
    13.           days: 1
    14.           streams:
    15.             - days: 4
    16.               selector: '{kubernetes_namespace_name=~"test.+"}' (2)
    17.       infrastructure:
    18.         retention:
    19.           days: 5
    20.           streams:
    21.             - days: 1
    22.               selector: '{kubernetes_namespace_name=~"openshift-cluster.+"}'
    23.   managementState: Managed
    24.   replicationFactor: 1
    25.   size: 1x.small
    26.   storage:
    27.     schemas:
    29.       version: v11
    30.     secret:
    31.       name: logging-loki-s3
    32.       type: aws
    33.   storageClassName: standard
    34.   tenants:
    35.     mode: openshift-logging
    1. oc apply -f <file-name>.yaml

    This is not for managing the retention for stored logs. Global retention periods for stored logs to a supported maximum of 30 days is configured with your object storage.

    Enables multi-line error detection of container logs.

    Enabling this feature could have performance implications and may require additional computing resources or alternate logging solutions.

    Log parsers often incorrectly identify separate lines of the same exception as separate exceptions. This leads to extra log entries and an incomplete or inaccurate view of the traced information.

    Example java exception

    • To enable logging to detect multi-line exceptions and reassemble them into a single log entry, ensure that the ClusterLogForwarder Custom Resource (CR) contains a detectMultilineErrors field, with a value of true.

    Example ClusterLogForwarder CR

    1. apiVersion: logging.openshift.io/v1
    2. kind: ClusterLogForwarder
    3. metadata:
    4.   name: instance
    5.   namespace: openshift-logging
    6. spec:
    7.   pipelines:
    8.     - name: my-app-logs
    9.       inputRefs:
    10.         - application
    11.       outputRefs:
    12.         - default
    13.       detectMultilineErrors: true

    When log messages appear as a consecutive sequence forming an exception stack trace, they are combined into a single, unified log record. The first log message’s content is replaced with the concatenated content of all the message fields in the sequence.

    Troubleshooting

    When enabled, the collector configuration will include a new section with type: detect_exceptions

    Example vector configuration section

    1. [transforms.detect_exceptions_app-logs]
    2.  type = "detect_exceptions"
    3.  inputs = ["application"]
    4.  languages = ["All"]
    5.  group_by = ["kubernetes.namespace_name","kubernetes.pod_name","kubernetes.container_name"]
    6.  expire_after_ms = 2000
    7.  multiline_flush_interval_ms = 1000
    1. <label @MULTILINE_APP_LOGS>
    2.   <match kubernetes.**>
    3.     @type detect_exceptions
    4.     remove_tag_prefix 'kubernetes'
    5.     message message
    6.     force_line_breaks true
    7.     multiline_flush_interval .2
    8.   </match>

    Loki alerting rules use LogQL and follow . You can set log based alerts by creating an AlertingRule custom resource (CR). AlertingRule CRs may be created for application, audit, or infrastructure tenants.

    Tenant typeValid namespaces

    application

    audit

    openshift-logging

    infrastructure

    openshift-/, kube-/\, default

    Application, Audit, and Infrastructure alerts are sent to the Cluster Monitoring Operator (CMO) Alertmanager in the openshift-monitoring namespace by default unless you have disabled the local Alertmanager instance.

    Application alerts are not sent to the CMO Alertmanager in the openshift-user-workload-monitoring namespace by default unless you have enabled a separate Alertmanager instance.

    The AlertingRule CR contains a set of specifications and webhook validation definitions to declare groups of alerting rules for a single LokiStack instance. In addition, the webhook validation definition provides support for rule validation conditions:

    • If an AlertingRule CR includes an invalid interval period, it is an invalid alerting rule

    • If an AlertingRule CR includes an invalid for period, it is an invalid alerting rule.

    • If an AlertingRule CR includes an invalid LogQL expr, it is an invalid alerting rule.

    • If an AlertingRule CR includes two groups with the same name, it is an invalid alerting rule.

    • If none of above applies, an AlertingRule is considered a valid alerting rule.

    Prerequisites

    • Logging subsystem for Red Hat OpenShift Operator 5.7 and later

    • OKD 4.13 and later

    Procedure

    1. Create an AlertingRule CR:

    2. Populate your AlertingRule CR using the appropriate example below:

      Example infrastructure AlertingRule CR

      2.   kind: AlertingRule
      3.   metadata:
      4.     name: loki-operator-alerts
      5.     namespace: openshift-operators-redhat (1)
      6.     labels: (2)
      7.       openshift.io/cluster-monitoring: "true"
      8.   spec:
      9.     tenantID: "infrastructure" (3)
      10.     groups:
      11.       - name: LokiOperatorHighReconciliationError
      12.         rules:
      13.           - alert: HighPercentageError
      14.             expr: | (4)
      15.               sum(rate({kubernetes_namespace_name="openshift-operators-redhat", kubernetes_pod_name=~"loki-operator-controller-manager.*"} |= "error" [1m])) by (job)
      16.                 /
      17.               sum(rate({kubernetes_namespace_name="openshift-operators-redhat", kubernetes_pod_name=~"loki-operator-controller-manager.*"}[1m])) by (job)
      18.                 > 0.01
      19.             for: 10s
      20.             labels:
      21.               severity: critical (5)
      22.             annotations:
      23.               summary: High Loki Operator Reconciliation Errors (6)
      24.               description: High Loki Operator Reconciliation Errors (7)
      1The namespace where this AlertingRule is created must have a label matching the LokiStack spec.rules.namespaceSelector definition.
      2The labels block must match the LokiStack spec.rules.selector definition.
      3AlertingRules for infrastructure tenants are only supported in the openshift-, kube-\, or default namespaces.
      4Value for kubernetes_namespace_name: must match the value for metadata.namespace.
      5Mandatory field. Must be critical, warning, or info.
      6Mandatory field.
      7Mandatory field.
      1.   apiVersion: loki.grafana.com/v1
      2.   kind: AlertingRule
      3.   metadata:
      4.     name: app-user-workload
      5.     namespace: app-ns (1)
      6.     labels: (2)
      7.       openshift.io/cluster-monitoring: "true"
      8.   spec:
      9.     tenantID: "application"
      10.     groups:
      11.       - name: AppUserWorkloadHighError
      12.         rules:
      13.           - alert:
      14.             expr: | (3)
      15.             sum(rate({kubernetes_namespace_name="app-ns", kubernetes_pod_name=~"podName.*"} |= "error" [1m])) by (job)
      16.             for: 10s
      17.             labels:
      18.               severity: critical (4)
      19.             annotations:
      20.               summary:  (5)
      21.               description:  (6)