OpenShift audit logs in OSD and ROSA



  • Red Hat OpenShift Service on AWS (ROSA)
    • 4
  • Red Hat OpenShift Dedicated (OSD)
    • 4
  • Red Hat OpenShift Logging (RHOL)
    • 5


  • How to get the audit logs from a ROSA cluster.
  • How to access the audit logs from an OSD cluster.
  • The AWS CloudWatch integration is enabled in ROSA/OSD, but audit logs are not shown.


As explained in the Logging section of the ROSA Service Definition and in the Logging section of the OSD Service Definition, it's possible to integrate the OSD and ROSA logging with AWS CloudWatch.

To integrate the OSD/ROSA logging with AWS CloudWatch, refer to the documentation for Forwarding logs to Amazon CloudWatch (RHOL needs to be installed, as the Cluster Logging Operator add-on is now deprecated). It is also possible to forward the audit logs to other external third-party logging systems supported by the Red Hat OpenShift Logging operator.

For ROSA (Red Hat OpenShift Service on AWS) clusters and OSD clusters with a CCS account, it's possible to collect audit logs with the oc adm must-gather command, as explained in Gathering audit logs in ROSA and Gathering audit logs in OSD:

$ oc adm must-gather -- /usr/bin/gather_audit_logs

Note: Audit logs rotate approximately every 24 hours on the nodes.

For non-CCS OSD clusters (where no cluster-admin is provided), if the integration with AWS CloudWatch or any other logging system is not configured, it's possible to request the audit logs by opening a support case with Red Hat.

IMPORTANT: The application and infrastructure logs are not stored by Red Hat and cannot be requested this way. To collect the application and infrastructure logs, the Red Hat OpenShift Logging operator must be configured to collect them.

Root Cause

In OSD and ROSA, it's possible to integrate the logging with AWS CloudWatch, and also to enable the collection of the audit logs.
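
One way to check for the "CloudWatch is enabled but audit logs are not shown" case is to confirm that a ClusterLogForwarder pipeline actually routes the audit input to a cloudwatch output. The following is an added example, not Red Hat's code; it assumes the RHOL 5 logging.openshift.io/v1 schema, and the resource name, output name, secret name and region in the sample are constructed.

```python
import json

# Constructed sample: the shape of
#   oc get clusterlogforwarder instance -n openshift-logging -o json
# for logging.openshift.io/v1 (RHOL 5). Names and region are made up.
SAMPLE_CLF = json.loads("""
{
  "apiVersion": "logging.openshift.io/v1",
  "kind": "ClusterLogForwarder",
  "metadata": {"name": "instance", "namespace": "openshift-logging"},
  "spec": {
    "outputs": [
      {"name": "cw", "type": "cloudwatch",
       "cloudwatch": {"groupBy": "logType", "region": "us-east-1"},
       "secret": {"name": "cw-secret"}}
    ],
    "pipelines": [
      {"name": "to-cloudwatch",
       "inputRefs": ["application", "infrastructure"],
       "outputRefs": ["cw"]}
    ]
  }
}
""")

LOG_TYPES = ("application", "infrastructure", "audit")  # built-in input names


def cloudwatch_coverage(clf):
    """Map each built-in log type to the pipelines that send it to a cloudwatch output."""
    spec = clf.get("spec", {})
    cw_outputs = {o["name"] for o in spec.get("outputs", [])
                  if o.get("type") == "cloudwatch"}
    coverage = {t: [] for t in LOG_TYPES}
    for p in spec.get("pipelines", []):
        if cw_outputs & set(p.get("outputRefs", [])):
            for t in LOG_TYPES:
                if t in p.get("inputRefs", []):
                    coverage[t].append(p.get("name", "<unnamed>"))
    return coverage


def missing_log_types(clf):
    """Log types that no pipeline forwards to CloudWatch (custom inputs are not resolved)."""
    return [t for t, pipes in cloudwatch_coverage(clf).items() if not pipes]


if __name__ == "__main__":
    print("not forwarded to CloudWatch:", missing_log_types(SAMPLE_CLF))
```

If audit is reported as missing, add it to the inputRefs of a pipeline whose outputRefs include the CloudWatch output.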
