ClusterLogForwarder is not sending full audit logs to external rsyslog - Red Hat Customer Portal

Issue

Enabled ClusterLogForwarder to send audit logs to external rsyslog log aggregator, but full audit logs are not appearing.
Checking the OpenShift audit logs on the node using oc node-logs, full log entries are shown.

The output send from the ClusterLogForwarder, only the following is shown:

fluentd: type=ANOM_PROMISCUOUS msg=audit(xxxxxxxxxx.989:205): dev=vethxxxxxxxx prom=0 old_prom=256 auid=4xxxxxxx5 uid=800 gid=801 ses=4xxxxxxx 5AUID="unset" UID="openvswitch" GID="xxxxxfs"

The collector is not forwarding the logs to external rsyslog server when RFC5424 is used with ClusterLogForwarder custom resource.
The payloadKey syslog parameter is configured to message to capture audit messages.

Environment

Red Hat OpenShift Container Platform (RHOCP)
- 4
Red Hat OpenShift Logging (RHOL)
- 5
- 6
Fluentd
Vector
ClusterLogForwarder
Syslog protocol

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content

Quick Links

Help

Site Info

Related Sites

Copyright © 2026 Red Hat

Here are the common uses of Markdown.

Code blocks

~~~
Code surrounded in tildes is easier to read
~~~

Links/URLs

[Red Hat Customer Portal](https://access.redhat.com)