Audit logging in your cluster

The audit logging feature collects the audit logs that platform services generate and forwards them to a Security Information and Event Management (SIEM) system.

Audit log format

Audit data that platform services generate conforms to the Cloud Auditing Data Federation (CADF) standard. Each CADF event is logged as a JSON object.

Location of audit logs

The audit data that each service generates is first written to the systemd journal on the node where the service runs. Audit logging deploys a fluentd DaemonSet; on each node, fluentd reads the audit data from the systemd journal and forwards it to the SIEM. The SIEM that receives the audit data is the same service that is deployed for collecting application logs, but a separate bucket (for example, an index) is created in the SIEM for audit data.
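As an added example (not code from the product or this documentation), the following Python script takes records in the form that `journalctl -o json` emits, which is how the audit data sits in the systemd journal before fluentd forwards it, extracts the CADF events from the `MESSAGE` field, checks each event for the attributes the CADF specification marks as mandatory, and tallies outcomes the way a SIEM query would. The journal records, the unit name `example-service.service`, and the authentication events are constructed for illustration and are not real product output.

```python
"""Pull CADF audit events out of systemd journal output and validate them.

Added example; it is not code from the product documentation. It assumes the
audit events arrive as JSON objects in the MESSAGE field of `journalctl -o json`
records, which is what fluentd reads on each node. All sample records below are
constructed for illustration.
"""
import json
from collections import Counter
from typing import Dict, Iterable, List

CADF_EVENT_TYPEURI = "http://schemas.dmtf.org/cloud/audit/1.0/event"
# Mandatory CADF event attributes (DMTF DSP0262). initiator, target and observer
# may be embedded resources or references via initiatorId/targetId/observerId.
CADF_REQUIRED = ("typeURI", "eventType", "id", "eventTime", "action", "outcome")
CADF_ACTORS = ("initiator", "target", "observer")
CADF_EVENT_TYPES = {"activity", "monitor", "control"}
CADF_OUTCOMES = {"success", "failure", "pending", "unknown"}


def journal_record(message: str) -> str:
    """Build one constructed `journalctl -o json` line carrying `message`."""
    return json.dumps({"_HOSTNAME": "worker-0",
                       "_SYSTEMD_UNIT": "example-service.service",  # hypothetical unit name
                       "MESSAGE": message})


def cadf_event(event_id: str, outcome: str, **overrides) -> dict:
    """Constructed CADF authentication event; overrides let a sample break the format."""
    event = {
        "typeURI": CADF_EVENT_TYPEURI,
        "eventType": "activity",
        "id": event_id,
        "eventTime": "2024-05-01T10:15:00.000Z",
        "action": "authenticate",
        "outcome": outcome,
        "initiator": {"id": "user-42", "typeURI": "service/security/account/user", "name": "alice"},
        "target": {"id": "iam-service", "typeURI": "service/security"},
        "observer": {"id": "iam-service"},
    }
    event.update(overrides)
    return {k: v for k, v in event.items() if v is not None}  # None drops an attribute


SAMPLE_JOURNAL = "\n".join([
    journal_record(json.dumps(cadf_event("evt-0001", "success"))),
    journal_record(json.dumps(cadf_event("evt-0002", "failure",
                                         reason={"reasonCode": "401", "reasonType": "HTTP"}))),
    journal_record("Reconciling deployment example-service"),  # ordinary log line
    journal_record(json.dumps(cadf_event("evt-0003", "failure", eventType="audit", target=None))),
    "not json at all",
])


def parse_journal_lines(lines: Iterable[str]) -> List[dict]:
    """Return the CADF events embedded in journal JSON records, skipping everything else."""
    events = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a journal JSON record
        message = record.get("MESSAGE") if isinstance(record, dict) else None
        if not isinstance(message, str):
            continue
        try:
            event = json.loads(message)
        except json.JSONDecodeError:
            continue  # plain-text service log, not an audit event
        if isinstance(event, dict) and event.get("typeURI") == CADF_EVENT_TYPEURI:
            events.append(event)
    return events


def validate_cadf(event: dict) -> List[str]:
    """List the ways an event departs from the mandatory CADF attributes; empty means valid."""
    problems = [f"missing {key}" for key in CADF_REQUIRED if key not in event]
    for actor in CADF_ACTORS:
        if actor not in event and f"{actor}Id" not in event:
            problems.append(f"missing {actor} or {actor}Id")
    if "eventType" in event and event["eventType"] not in CADF_EVENT_TYPES:
        problems.append(f"eventType {event['eventType']!r} not in {sorted(CADF_EVENT_TYPES)}")
    if "outcome" in event and event["outcome"] not in CADF_OUTCOMES:
        problems.append(f"outcome {event['outcome']!r} not in {sorted(CADF_OUTCOMES)}")
    return problems


def outcome_counts(events: Iterable[dict]) -> Dict[str, int]:
    """Count events per outcome, the kind of summary a SIEM dashboard would show."""
    return dict(Counter(e.get("outcome", "unknown") for e in events))


def failed_event_ids(events: Iterable[dict]) -> List[str]:
    """IDs of events whose outcome is failure, e.g. for an authentication-failure alert."""
    return [e["id"] for e in events if e.get("outcome") == "failure"]


if __name__ == "__main__":
    parsed = parse_journal_lines(SAMPLE_JOURNAL.splitlines())
    for ev in parsed:
        print(ev["id"], ev["action"], ev["outcome"], validate_cadf(ev) or "ok")
    print("outcomes:", outcome_counts(parsed))
    print("failures:", failed_event_ids(parsed))
```

Running the script against a real node would mean replacing `SAMPLE_JOURNAL` with the output of `journalctl -o json` for the unit in question; the validator is useful there as a check that a service's events will be accepted downstream, since an event missing `target` or carrying an unknown `eventType` is exactly the kind of record a SIEM parser silently drops.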

Enabling and disabling audit logging

Complete the following steps to enable or disable audit logging.

  1. From the Red Hat® OpenShift® Container Platform console, click Workloads > ConfigMaps.
  2. Search for the ConfigMap of the service for which you want to enable or disable audit logging. Click Edit.
  3. Set the key related to auditing to true to enable, or false to disable, audit logging for that service. Click Submit.
  4. Delete all the pods that belong to the service. The pods are re-created and pick up the new setting. You can find the service's workloads in the following locations:
    • From the Red Hat OpenShift Container Platform console, click Workloads > DaemonSets.
    • From the Red Hat OpenShift Container Platform console, click Workloads > Deployments.