Understanding Red Hat OpenShift Logging

    OpenShift Logging aggregates the following types of logs:

    • - Container logs generated by user applications running in the cluster, except infrastructure container applications.

    • infrastructure - Logs generated by infrastructure components running in the cluster and OKD nodes, such as journal logs. Infrastructure components are pods that run in the openshift*, kube*, or default projects.

    OKD cluster administrators can deploy OpenShift Logging using the OKD web console or CLI to install the OpenShift Elasticsearch Operator and Red Hat OpenShift Logging Operator. When the operators are installed, you create a ClusterLogging custom resource (CR) to schedule OpenShift Logging pods and other resources necessary to support OpenShift Logging. The operators are responsible for deploying, upgrading, and maintaining OpenShift Logging.

    The ClusterLogging CR defines a complete OpenShift Logging environment that includes all the components of the logging stack to collect, store and visualize logs. The Red Hat OpenShift Logging Operator watches the OpenShift Logging CR and adjusts the logging deployment accordingly.

    Administrators and application developers can view the logs of the projects for which they have view access.

    For information, see Configuring the log collector.

    The OpenShift Logging components include a collector deployed to each node in the OKD cluster that collects all node and container logs and writes them to a log store. You can use a centralized web UI to create rich visualizations and dashboards with the aggregated data.

    The major components of OpenShift Logging are:

    • collection - This is the component that collects logs from the cluster, formats them, and forwards them to the log store. The current implementation is Fluentd.

    • visualization - This is the UI component you can use to view logs, graphs, charts, and so forth. The current implementation is Kibana.

    This document might refer to log store or Elasticsearch, visualization or Kibana, collection or Fluentd, interchangeably, except where noted.

    About the logging collector

    OKD uses Fluentd to collect container and node logs.

    By default, the log collector uses the following sources:

    • journald for all system logs

    If you configure the log collector to collect audit logs, it gets them from /var/log/audit/audit.log.

    The logging collector is a daemon set that deploys pods to each OKD node. System and infrastructure logs are generated by journald log messages from the operating system, the container runtime, and OKD. Application logs are generated by the CRI-O container engine. Fluentd collects the logs from these sources and forwards them internally or externally as you configure in OKD.

    The container runtimes provide minimal information to identify the source of log messages: project, pod name, and container ID. This information is not sufficient to uniquely identify the source of the logs. If a pod with a given name and project is deleted before the log collector begins processing its logs, information from the API server, such as labels and annotations, might not be available. There might not be a way to distinguish the log messages from a similarly named pod and project or trace the logs to their source. This limitation means that log collection and normalization are considered best effort.

    For information, see Configuring the log collector.

    By default, OKD uses to store log data. Optionally, you can use the log forwarding features to forward logs to external log stores using Fluentd protocols, syslog protocols, or the OKD Log Forwarding API.

    Elasticsearch organizes the log data from Fluentd into datastores, or indices, then subdivides each index into multiple pieces called shards, which it spreads across a set of Elasticsearch nodes in an Elasticsearch cluster. You can configure Elasticsearch to make copies of the shards, called replicas, which Elasticsearch also spreads across the Elasticsearch nodes. The custom resource (CR) allows you to specify how the shards are replicated to provide data redundancy and resilience to failure. You can also specify how long the different types of logs are retained using a retention policy in the ClusterLogging CR.

    The Red Hat OpenShift Logging Operator and companion OpenShift Elasticsearch Operator ensure that each Elasticsearch node is deployed using a unique deployment that includes its own storage volume. You can use a ClusterLogging custom resource (CR) to increase the number of Elasticsearch nodes, as needed. See the Elasticsearch documentation for considerations involved in configuring storage.

    Role-based access control (RBAC) applied on the Elasticsearch indices enables the controlled access of the logs to the developers. Administrators can access all logs and developers can access only the logs in their projects.

    For information, see .

    About logging visualization

    OKD uses Kibana to display the log data collected by Fluentd and indexed by Elasticsearch.

    Kibana is a browser-based console interface to query, discover, and visualize your Elasticsearch data through histograms, line graphs, pie charts, and other visualizations.

    For information, see .

    The Event Router is a pod that watches OKD events so they can be collected by OpenShift Logging. The Event Router collects events from all projects and writes them to STDOUT. Fluentd collects those events and forwards them into the OKD Elasticsearch instance. Elasticsearch indexes the events to the infra index.

    You must manually deploy the Event Router.

    For information, see Collecting and storing Kubernetes events.

    About log forwarding

    For information, see Forwarding logs to third-party systems.