×

The ClusterLogForwarder custom resource (CR) is the central configuration point for log collection and forwarding.

Inputs and Outputs

Inputs specify the sources of logs to be forwarded. Logging provides built-in input types: application, infrastructure, and audit, which select logs from different parts of your cluster. You can also define custom inputs based on namespaces or pod labels to fine-tune log selection.

Outputs define the destinations where logs are sent. Each output type has its own set of configuration options, allowing you to customize the behavior and authentication settings.

Receiver Input Type

The receiver input type enables the Logging system to accept logs from external sources. It supports two formats for receiving logs: http and syslog.

The ReceiverSpec defines the configuration for a receiver input.

Pipelines and Filters

Pipelines determine the flow of logs from inputs to outputs. A pipeline consists of one or more input refs, output refs, and optional filter refs. Filters can be used to transform or drop log messages within a pipeline. The order of filters matters, as they are applied sequentially, and earlier filters can prevent log messages from reaching later stages.

Operator Behavior

The Cluster Logging Operator manages the deployment and configuration of the collector based on the managementState field:

  • When set to Managed (default), the operator actively manages the logging resources to match the configuration defined in the spec.

  • When set to Unmanaged, the operator does not take any action, allowing you to manually manage the logging components.

Validation

Logging includes extensive validation rules and default values to ensure a smooth and error-free configuration experience. The ClusterLogForwarder resource enforces validation checks on required fields, dependencies between fields, and the format of input values. Default values are provided for certain fields, reducing the need for explicit configuration in common scenarios.

Quick Start

Prerequisites
  • Cluster administrator permissions

Procedure
  1. Install the OpenShift Logging and Loki Operators from OperatorHub.

  2. Create a LokiStack custom resource (CR) in the openshift-logging namespace:

    apiVersion: loki.grafana.com/v1
    kind: LokiStack
    metadata:
      name: logging-loki
      namespace: openshift-logging
    spec:
      managementState: Managed
      size: 1x.extra-small
      storage:
        schemas:
        - effectiveDate: '2022-06-01'
          version: v13
        secret:
          name: logging-loki-s3
          type: s3
        storageClassName: gp3-csi
      tenants:
        mode: openshift-logging
  3. Create a service account for the collector:

    $ oc create sa collector -n openshift-logging
  4. Create a ClusterRole for the collector:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: logging-collector-logs-writer
    rules:
    - apiGroups:
      - loki.grafana.com
      resourceNames:
      - logs
      resources:
      - application
      - audit
      - infrastructure
      verbs:
      - create
  5. Bind the ClusterRole to the service account:

    $ oc adm policy add-cluster-role-to-user logging-collector-logs-writer -z collector
  6. Install the Cluster Observability Operator.

  7. Create a UIPlugin to enable the Log section in the Observe tab:

    apiVersion: observability.openshift.io/v1alpha1
    kind: UIPlugin
    metadata:
      name: logging
    spec:
      type: Logging
      logging:
        lokiStack:
          name: logging-loki
  8. Add additional roles to the collector service account:

    $ oc project openshift-logging
    $ oc adm policy add-cluster-role-to-user collect-application-logs -z collector
    $ oc adm policy add-cluster-role-to-user collect-audit-logs -z collector
    $ oc adm policy add-cluster-role-to-user collect-infrastructure-logs -z collector
  9. Create a ClusterLogForwarder CR to configure log forwarding:

    apiVersion: observability.openshift.io/v1
    kind: ClusterLogForwarder
    metadata:
      name: collector
      namespace: openshift-logging
    spec:
      serviceAccount:
        name: collector
      outputs:
      - name: default-lokistack
        type: lokiStack
        lokiStack:
          target:
            name: logging-loki
            namespace: openshift-logging
        authentication:
          token:
            from: serviceAccount
        tls:
          ca:
            key: service-ca.crt
            configMapName: openshift-service-ca.crt
      pipelines:
      - name: default-logstore
        inputRefs:
        - application
        - infrastructure
        outputRefs:
        - default-lokistack
  10. Verify that logs are visible in the Log section of the Observe tab in the OpenShift web console.