ClusterLogForwarder Prune Filter Not Removing Fields from the Audit Logs

Solution Verified - Updated -

Issue

  • Using a ClusterLogForwarder prune filter to remove specific fields from the Kubernetes audit logs does not work.
  • Only the optional field .hostname is removed; all other fields (.sourceIPs, .requestReceivedTimestamp, .apiVersion, .requestURI, .userAgent, .user.uid, .stage, .stageTimestamp) remain in the logs.
  • The prune filter for audit logs is not correctly pruning the list fields. The prune configuration is:

      filters:
      - name: remove-unwanted-fields
        type: prune
        prune:
          in:
          - .requestReceivedTimestamp
          - .apiVersion
          - .requestURI
          - .userAgent
          - .stage
          - .stageTimestamp
      [...]
      pipelines:
      - name: audit-logs
        inputRefs:
        - audit
        filterRefs:
        - remove-unwanted-fields
        outputRefs:
        - ocp-lokistack
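
To confirm which fields survive the filter, the records that reach the output can be checked against the field list from the issue description. The following is an added example, not part of the original article or of Red Hat's code; it assumes one JSON audit record per line and plain dotted paths without quoted segments, and the sample records are constructed.

```python
import json

# Field paths named in the issue description above.
PRUNE_PATHS = [".hostname", ".sourceIPs", ".requestReceivedTimestamp",
               ".apiVersion", ".requestURI", ".userAgent", ".user.uid",
               ".stage", ".stageTimestamp"]

def has_path(record, path):
    """True if a dotted path such as ".user.uid" resolves to a key in record."""
    node = record
    for segment in path.lstrip(".").split("."):
        if not isinstance(node, dict) or segment not in node:
            return False
        node = node[segment]
    return True

def surviving_fields(lines, paths=PRUNE_PATHS):
    """Map each path that is still present to the number of records carrying it."""
    counts = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a JSON record, nothing to check
        for path in paths:
            if has_path(record, path):
                counts[path] = counts.get(path, 0) + 1
    return counts

# Constructed sample: two audit records as they might arrive at the output.
SAMPLE = [
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete",'
    '"requestURI":"/api/v1/namespaces","verb":"list",'
    '"user":{"username":"system:admin","uid":"constructed-uid"},'
    '"sourceIPs":["192.0.2.10"],"userAgent":"constructed-agent",'
    '"requestReceivedTimestamp":"2025-01-01T00:00:00.000000Z",'
    '"stageTimestamp":"2025-01-01T00:00:00.100000Z"}',
    '{"kind":"Event","verb":"get","user":{"username":"system:admin"}}',
]

if __name__ == "__main__":
    for path, count in sorted(surviving_fields(SAMPLE).items()):
        print(f"{path} still present in {count} record(s)")
```

An empty result means every listed path was removed from every record checked.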
    

Environment

  • Red Hat OpenShift Container Platform (RHOCP)
    • 4
  • Red Hat OpenShift Logging (RHOL)
    • 6.4.1
