Release notes

Red Hat OpenShift Logging 6.4

Highlights of what is new and what has changed with this OpenShift logging release.

Red Hat OpenShift Documentation Team

Abstract

The release notes for OpenShift logging summarize all new features and enhancements, notable technical changes, major corrections from the previous version, and any known bugs upon general availability.

Chapter 1. Logging 6.4 release notes

1.1. Logging 6.4.3 release notes

This release includes RHSA-2026:4498.

1.1.1. Bug fixes

  • Before this update, the k8s_audit_level field could become null when you referenced it in the .notIn section of a prune filter for audit logs. This happened because k8s_audit_level depends on .structured.level. If you pruned .structured.level, the audit level was lost. As a result, audit logs reached the output destination without their associated audit level metadata, complicating log analysis. With this update, the pruning logic ensures the k8s_audit_level field retains its value. As a result, audit metadata remains intact even when you use custom prune filters. (LOG-8289)
  • Before this update, prune filters for audit logs did not preserve the .auditID field unless you referenced it as .structured.auditID in the .notIn section. Referencing .auditID caused the field to be removed from the output. With this update, the pruning logic correctly preserves the auditID field when you reference it as .auditID. As a result, you do not need to use .structured.auditID. (LOG-8291)
  • Before this update, prune filters did not work as expected for audit logs when you referenced fields such as .requestURI or .stage. The logging pipeline stored audit log fields under .structured during processing. It applied the prune filter earlier in the pipeline, before restoring those fields to the top-level log structure. As a result, the prune filter did not remove the specified fields. With this update, the system applies the prune filter at the correct stage of the pipeline. As a result, audit log fields are pruned according to the configured rules. (LOG-8597)

1.1.2. CVEs

1.2. Logging 6.4.2 release notes

This release includes RHBA-2026:1923.

1.2.1. New features and enhancements

  • With this update, administrators can provide a set of custom headers when configuring log forwarding to an Elasticsearch cluster. (LOG-7804)
  • With this update, an alert is added to identify when a ClusterLogForwarder sink is generating an error condition. For example, the alert triggers when the collector is unable to connect to a sink because the connection is refused. (LOG-7896)

1.2.2. Bug fixes

  • Before this update, the collector merged large application log messages without restriction. As a consequence, large messages could overflow an output buffer, causing Vector to crash and enter a repeated CrashLoopBackOff state. With this update, the MaxMessageSize tuning parameter for application logs is introduced to limit the size of messages and discard those that exceed the threshold. As a result, the collector remains stable and avoids high-impact log loss. (LOG-7347)
  • Before this update, you could leave the logType field empty in the Azure Monitor output specification. However, the logType field is required by the Vector collector, and a missing logType field causes the Vector collector to fail. With this update, you cannot pass an empty logType field for the Azure Monitor output in the ClusterLogForwarder custom resource (CR). As a result, Vector pods no longer crash due to a missing logType definition. (LOG-8007)
  • Before this update, an EventRouter message with a newline character (\n) caused malformed syslog data and split events due to broken framing. With this update, newline characters in log message payloads are properly escaped. As a result, the syslog sink emits a single, well-formed line even when an EventRouter message contains a newline character. (LOG-8090)
  • Before this update, if you did not define a port for the http/https output, enabling NetworkPolicy for the Red Hat OpenShift Logging Operator blocked egress for the collector. With this update, the NetworkPolicy is updated to use well-known port values for http/https ports. As a result, egress for a collector is not blocked if you enable NetworkPolicy without specifying the port for http/https output. (LOG-8091)
  • Before this update, the RestrictIngressEgress network policy blocked traffic to the HTTP proxy. As a consequence, user logs were not forwarded to the HTTP output via HTTP proxy. With this update, the network policy for RestrictIngressEgress allows traffic to the HTTP proxy. As a result, you can forward logs to the HTTP output via HTTP proxy with RestrictIngressEgress network policy in place. (LOG-8109)
  • Before this update, the network policy port list lacked sorting when multiple outputs or input receivers were present in the ClusterLogForwarder custom resource (CR). As a consequence, the user experience was inconsistent with port order in network policies when multiple outputs or inputs were present. With this update, network policy port sorting is fixed for serialization consistency. As a result, the network policy port order remains consistent, reducing unexpected changes in the end user’s ClusterLogForwarder configuration. (LOG-8129)
  • Before this update, enabling the RestrictIngressEgress network policy rule restricted scraping of collector metrics. This update fixes the issue by deploying a network policy that relies upon the port number instead of the named port. As a result, you can now scrape collector metrics with the RestrictIngressEgress network policy enabled. (LOG-8130)
  • Before this update, the LokiStack API specification did not specify that container fields cannot be pruned in LokiStack. As a result, the output contained the container fields even if users pruned them in the LokiStack CR. With this update, the LokiStack API specification states that container fields cannot be pruned. (LOG-8507)
  • Before this update, a short timeout between the distributor and ingester component caused HTTP 503 errors when ingesting logs into LokiStack under high loads. With this update, the timeout is increased to prevent the errors. (LOG-8583)
  • Before this update, the ClusterLogForwarderOutputErrorRate alert lacked a corresponding runbook. With this update, the missing runbook is added. (LOG-8593)
  • Before this update, enabling rateLimitPerContainer caused error events stating Missing fields on event: ["file"] due to incorrect configuration generation for the throttle section. With this update, the throttle configuration is generated correctly and all expected event fields are preserved when container rate limiting is active. (LOG-8612)
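
The framing problem behind the LOG-8090 fix, as an added example that is not code from the collector or from Red Hat: a receiver using newline-delimited syslog framing treats every line as one event, so an unescaped newline in the payload yields a second, header-less fragment. The backslash escaping scheme, the header values, and all function names are assumptions for illustration; the release note does not say which escaping the collector applies.

```python
import re

# RFC 5424-style header: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG
HEADER = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|\[.*?\]) ?(.*)$")
DECODE = {"n": "\n", "r": "\r", "\\": "\\"}


def escape(msg):
    """Escape backslash first so the encoding stays reversible."""
    return msg.replace("\\", "\\\\").replace("\n", "\\n").replace("\r", "\\r")


def unescape(msg):
    """Inverse of escape(); unknown escape pairs are left untouched."""
    return re.sub(r"\\(.)", lambda m: DECODE.get(m.group(1), m.group(0)), msg)


def build_frame(msg, escaped):
    """Sender side: one event serialized as one newline-terminated line."""
    body = escape(msg) if escaped else msg
    # Constructed header values (timestamp, host, app name) for the demo.
    return f"<14>1 2026-01-01T00:00:00Z node-1 eventrouter - - - {body}\n"


def receive(stream):
    """Receiver side: newline-delimited framing, one line is one event."""
    events = []
    for line in stream.split("\n"):
        if not line:
            continue
        m = HEADER.match(line)
        events.append({"valid": m is not None, "msg": m.group(8) if m else line})
    return events


# Constructed sample: an event message that contains a newline.
RAW = "Back-off restarting failed container\nin pod demo-app-1"

if __name__ == "__main__":
    for escaped in (False, True):
        events = receive(build_frame(RAW, escaped))
        print(f"escaped={escaped}: {len(events)} event(s)")
        for e in events:
            print("  ", e)
```

On the receiving side, a count of lines that fail header parsing is a useful signal that a sender is emitting unescaped payloads.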

1.3. Logging 6.4.1 release notes

This release includes RHBA-2025:23055.

1.3.1. Bug fixes

  • Before this update, buffer corruption following an Out-Of-Memory (OOM) event caused deserialization errors that blocked log forwarding and reduced OpenShift Logging resilience. This update improves the recovery logic for corrupted buffer files and prevents log forwarding issues after OOM events. The collector now successfully recovers from OOM events and subsequent buffer corruption, ensuring continuous log forwarding. (LOG-7947)

1.4. Logging 6.4.0 release notes

This release of OpenShift Logging is supported on OpenShift Container Platform 4.18 and later. This release includes new features and bug fixes.

This release includes RHBA-2025:21335.

1.4.1. New features and enhancements

1.4.1.1. Log collection

  • With this release, the Vector collector has been updated to be based on Vector version 0.47.0. (LOG-7166)
  • With this release, the permissions required by the Red Hat OpenShift Logging Operator have been reduced to only those required for deploying the log collector. Permissions for functions that are no longer supported by the operator have been removed. (LOG-7473)
  • This release provides changes to log collector deployments to promote Technology Preview configuration options introduced in LOG-7196 to General Availability. The change enables caching of kube API server calls and introduces a ClusterLogForwarder field to tune collector rollout strategy. Administrators managing clusters with large numbers of nodes can now modify the collector upgrade behavior so that the collector requests do not overwhelm the Kubernetes API server. You can control the behavior by setting the MaxUnavailable field for collectors during upgrade. (LOG-7587)
  • With this release, an alert has been added to notify administrators of deprecated features that will be removed in future releases. As a result, you can make adjustments as needed. (LOG-7596)
  • With this release, you can forward logs to AWS S3-compatible services using a new s3 output type. The output supports custom endpoints and multiple authentication methods. It also provides flexible options for log organization that you can configure with dynamic key prefix templating, and tuning of log compression and batching. (LOG-7683)
  • With this release, cross-account log forwarding is available for both CloudWatch and S3 outputs using the AWS AssumeRole functionality. This feature enables centralized logging by using a secure, two-step authentication process. By doing so, it upholds the principle of least privilege and maintains strong security boundaries, promoting a clear separation of concerns in the target account. (LOG-7687)
  • With this release, Red Hat OpenShift Logging Operator optionally provides permissive NetworkPolicy resources to override any restrictive network policies present in an OpenShift Container Platform cluster. For more information, see Network policies to override restrictive network in a cluster.

1.4.1.2. Log storage

  • With this release, a new alert has been added to the LokiStack to inform users if LokiStack components have not reached the ready state. (LOG-5470)
  • With this release, the statistics page has been improved to help users better understand the performance of a query. (LOG-7746)
  • With this release, Loki Operator can deploy and manage a set of network policies that restrict the communications to and from the Loki components to enhance security. For more information, see Loki network policies for added security.

1.4.2. Technology preview features

Important

The OpenTelemetry Protocol (OTLP) output log forwarder is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

1.4.3. Bug fixes

  • Before this update, the sample code for creating an AlertingRule resource in the web user interface did not contain all the description annotations. With this update, the missing description annotations have been added. (LOG-6782)
  • Before this update, the Red Hat OpenShift Logging Operator generated configuration that did not account for unmatched log events, and produced a warning message when the collector started. With this update, unmatched log events are accounted for and an error alert is produced if unmatched messages are detected. The warning message has been removed. (LOG-6807)
  • Before this update, info-level log messages containing the keyword error were incorrectly highlighted as errors in the OpenShift Container Platform web console. With this update, the web console no longer highlights info-level logs containing the error keyword as errors. (LOG-7222)
  • Before this update, the clusterLogForwarder API did not validate the URL scheme for Kafka outputs. This could cause users to configure a Kafka output with an invalid URL that was missing the required tcp:// or tls:// prefix, leading to a silent failure where logs were not forwarded as expected. With this update, new validation has been added to the API. The clusterLogForwarder now rejects configurations with a Kafka URL that does not have a tcp or tls scheme, preventing the misconfiguration and ensuring logs can be forwarded successfully. (LOG-7340)
  • Before this update, the vector_buffer_byte_size and vector_buffer_events metrics incorrectly reported negative values under certain system load and timing conditions. This led to unreliable monitoring, potentially masking buffer issues. With this update, a concurrent, centralized state tracker ensures that these metrics are always reported as non-negative values. This ensures that the metrics correctly report buffer sizes, helping with accurate monitoring. (LOG-7436)
  • Before this fix, Vector could not recover from silently closed TCP connections. With this update, Vector uses keepalive probes to detect and automatically re-establish unresponsive TCP connections. (LOG-7502)
  • Before this update, the ClusterLogForwarder API required the URL for OTLP endpoints to terminate with v1/logs. With this update, this requirement has been relaxed to allow any URL that specifies an http or https protocol. (LOG-7582)
  • Before this update, any request that exceeded a Kafka broker’s message.max.size value would be rejected because the collector’s tuning did not correctly set an allowable producer configuration. With this update, you can set the collector’s Kafka client configuration to allow message sizes that are equal to or smaller than the MaxSize value. (LOG-7608)
  • Before this update, the prune filter failed to remove the .openshift.sequence field from the log record. With this update, the field is correctly pruned from the log record. (LOG-7620)
  • Before this update, the prune filter failed to remove the .kubernetes.container_iostream field from the log record. With this fix, the field is now correctly pruned from the log record. (LOG-7622)

1.4.4. Deprecation notice

In this release, the 'observability.openshift.io/max-unavailable-rollout' annotation is deprecated and will be removed in a future release. The annotation has been replaced by the spec.collector.maxUnavailable field in the ClusterLogForwarder resource. For more information, see Configuring pod rollout strategy.

1.4.5. Removal notice

In this release, the observability.openshift.io/use-apiserver-cache annotation has been removed. With this release, kube-api caching is now always enabled. For more information, see Configuring pod rollout strategy.

1.4.6. Known issues

  • When network policies are enabled in Loki Operator and an S3-compatible object storage, for example Minio or Red Hat OpenShift Data Foundation (ODF), is used, the network policies do not allow access to the object storage. (LOG-8075)
  • When network policies are enabled in Loki Operator and Swift is used as an object storage, the network policies do not allow access to the object storage. (LOG-8083)
  • When network policies are enabled in Loki Operator and a cluster-wide proxy is configured, the network policies do not allow access to object storage. (LOG-8084)
  • When network policies are enabled in Red Hat OpenShift Logging Operator and the Loki output is used without specifying a port in the url field, the egress network policy is created with the wrong port number. (LOG-8091)
  • When network policies are enabled in Red Hat OpenShift Logging Operator and an HTTP output is used together with an HTTP proxy, the egress network policy does not allow access to the HTTP proxy. (LOG-8109)

Legal Notice

Copyright © Red Hat.
Except as otherwise noted below, the text of and illustrations in this documentation are licensed by Red Hat under the Creative Commons Attribution–Share Alike 3.0 Unported license. If you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, the Red Hat logo, JBoss, Hibernate, and RHCE are trademarks or registered trademarks of Red Hat, LLC. or its subsidiaries in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
XFS is a trademark or registered trademark of Hewlett Packard Enterprise Development LP or its subsidiaries in the United States and other countries.
The OpenStack® Word Mark and OpenStack logo are trademarks or registered trademarks of the Linux Foundation, used under license.
All other trademarks are the property of their respective owners.