ClusterLogForwarder is not sending full audit logs

Solution Verified - Updated -

Issue

  • Enabled ClusterLogForwarder to send audit logs to our external log aggregator
  • Full audit logs are not appearing
  • Checking the OpenShift audit logs on the node using oc node-logs I see full log entries
  • But when I receive the output from the ClusterLogForwarder I am only getting the following:
    Jan 2 12:12:10 fluentd-xxxxx fluentd: type=ANOM_PROMISCUOUS msg=audit(xxxxxxxxxx.989:205): dev=vethxxxxxxxx prom=0 old_prom=256 auid=4xxxxxxx5 uid=800 gid=801 ses=4xxxxxxx 5AUID="unset" UID="openvswitch" GID="xxxxxfs"
  • Set payloadKey to message to capture audit messages

Environment

  • Red Hat OpenShift Container Platform
    • 4.6
