Audit logging configuration only uses presets no manual configuration is possible

Solution Unverified - Updated June 13 2024 at 10:24 PM -

Issue

Excessive (many gigabytes) of data is being forwarded to Splunk
Splunk storage has become unmanageable
Only 3 presets are provided in the documentation

Environment

Red Hat Openshift Container Platform (OCP) 4
Using Log forwarding to send logs to an external service like Splunk
Audit logging stack set to default mode or least amount of logging

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content

All systems operational

Copyright © 2025 Red Hat, Inc.

Here are the common uses of Markdown.

Code blocks

~~~
Code surrounded in tildes is easier to read
~~~

Links/URLs

[Red Hat Customer Portal](https://access.redhat.com)