How to reduce the logs in OpenShift Logging when there are too many logs

Environment

• Red Hat OpenShift Container Platform (RHOCP)
  • 4
• Red Hat OpenShift Logging (RHOL)
  • 5

Issue

• How the number or volume of logs in OpenShift Logging can be limited when there are too many logs.

Resolution

The following methods may be used to reduce the number or volume of logs:

• When enabling audit log: The audit log policy allows to decide which audit logs to retrieve. However, default is the next lowest log volume setting after none. If WriteRequestBodies or AllRequestBodies is set, please consider changing it or use the Api Audit filter
• When using syslog forwarding: In the ClusterLogForwarder configuration for syslog forwarding, there is a syslog parameter called payloadKey. This parameter specifies the record field to forward. Note that configuring the payloadKey will cause not full audit logs are sent as explained in ClusterLogForwarder is not sending full audit logs to external rsyslog.
• Filtering the logs:
  • By namespace
  • By specific pods
  • By content
  • By metadata

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.