-
Bug
-
Resolution: Done-Errata
-
Major
-
Logging 6.2.0, Logging 6.1.z
-
False
-
None
-
False
-
NEW
-
NEW
-
Before this update, the Vector collector could not forward OVN and Auditd logs. With this update, OVN and Auditd logs are successfully forwarded.
-
Bug Fix
-
-
-
Moderate
Description of problem:
When forwarding logs with Otel data module, vector pods can't forward ovn audit logs and raise below errors:
2025-02-14T08:15:47.173612Z ERROR transform{component_kind="transform" component_id=output_lokistack_ovn_audit_ovn component_type=remap}: vector::internal_events::remap: Internal log [Mapping failed with event.] has been suppressed 11 times.
2025-02-14T08:15:47.173634Z ERROR transform{component_kind="transform" component_id=output_lokistack_ovn_audit_ovn component_type=remap}: vector::internal_events::remap: Mapping failed with event. error="function call error for \"for_each\" at (2094:2220): function call error for \"array\" at (2103:2123): expected array, got null" error_type="conversion_failed" stage="processing" internal_log_rate_limit=true
2025-02-14T08:15:47.173691Z ERROR transform{component_kind="transform" component_id=output_lokistack_ovn_audit_ovn component_type=remap}: vector::internal_events::remap: Internal log [Mapping failed with event.] is being suppressed to avoid flooding.
2025-02-14T08:15:59.485313Z ERROR transform{component_kind="transform" component_id=output_lokistack_ovn_audit_ovn component_type=remap}: vector::internal_events::remap: Internal log [Mapping failed with event.] has been suppressed 11 times.
2025-02-14T08:15:59.485339Z ERROR transform{component_kind="transform" component_id=output_lokistack_ovn_audit_ovn component_type=remap}: vector::internal_events::remap: Mapping failed with event. error="function call error for \"for_each\" at (2094:2220): function call error for \"array\" at (2103:2123): expected array, got null" error_type="conversion_failed" stage="processing" internal_log_rate_limit=true
2025-02-14T08:15:59.485410Z ERROR transform{component_kind="transform" component_id=output_lokistack_ovn_audit_ovn component_type=remap}: vector::internal_events::remap: Internal log [Mapping failed with event.] is being suppressed to avoid flooding.
Example of ovn audit log:
qitang-l9bgw-worker-c-t8b2j 2025-02-14T08:15:57.500Z|00105|acl_log(ovn_pinctrl0)|INFO|name="NP:test1:allow-same-namespace:Ingress:0", verdict=allow, severity=alert, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:01,dl_dst=0a:58:0a:80:02:28,nw_src=10.131.0.62,nw_dst=10.128.2.40,nw_tos=0,nw_ecn=0,nw_ttl=62,nw_frag=no,tp_src=37406,tp_dst=8080,tcp_flags=ack
Version-Release number of selected component (if applicable):
cluster-logging.v6.1.3
cluster-logging.v6.2.0
How reproducible:
Always
Steps to Reproduce:
1. Forward logs with Otel data module, e.g.:
apiVersion: observability.openshift.io/v1 kind: ClusterLogForwarder metadata: annotations: observability.openshift.io/tech-preview-otlp-output: enabled name: instance-76990 namespace: openshift-logging spec: inputs: - audit: sources: - ovn name: ovn-audit type: audit managementState: Managed outputs: - lokiStack: authentication: token: from: serviceAccount dataModel: Otel target: name: lokistack-76990 namespace: openshift-logging name: lokistack tls: ca: key: ca-bundle.crt secretName: lokistack-secret-76990 type: lokiStack pipelines: - inputRefs: - ovn-audit name: forward-to-lokistack outputRefs: - lokistack serviceAccount: name: logcollector-76990
2. Check vector pod logs
Actual results:
Vector pod raise many errors.
Expected results:
No error and ovn audit logs should be forwarded to log store.
Additional info:
- clones
-
-
- Closed
-
- links to
-
RHBA-2025:148025
Logging for Red Hat OpenShift - 6.1.5
- mentioned on
