Red Hat SummitChapter 10. Viewing logs and audit records
As a cluster administrator, you can use the OpenShift AI Operator logger to monitor and troubleshoot issues. You can also use OpenShift audit records to review a history of changes made to the OpenShift AI Operator configuration.
10.1. Configuring the OpenShift AI Operator logger
You can change the log level for OpenShift AI Operator components by setting the .spec.devFlags.logmode flag for the DSC Initialization/DSCI custom resource during runtime. If you do not set a logmode value, the logger uses the INFO log level by default.
The log level that you set with .spec.devFlags.logmode applies to all components, not just those in a Managed state.
The following table shows the available log levels:
| Log level | Stacktrace level | Verbosity | Output | Timestamp type |
|---|---|---|---|---|
|
| WARN | INFO | Console | Epoch timestamps |
|
| ERROR | INFO | JSON | Human-readable timestamps |
|
| ERROR | INFO | JSON | Human-readable timestamps |
Logs that are set to devel or development generate in a plain text console format. Logs that are set to prod, production, or which do not have a level set generate in a JSON format.
Prerequisites
-
You have administrator access to the
DSCInitializationresources in the OpenShift cluster. -
You installed the OpenShift command line interface (
oc) as described in Installing the OpenShift CLI.
Procedure
- Log in to the OpenShift as a cluster administrator.
-
Click Operators
Installed Operators and then click the Red Hat OpenShift AI Operator. - Click the DSC Initialization tab.
- Click the default-dsci object.
- Click the YAML tab.
In the
specsection, update the.spec.devFlags.logmodeflag with the log level that you want to set.Copy to Clipboard Copied! Toggle word wrap Toggle overflow apiVersion: dscinitialization.opendatahub.io/v1 kind: DSCInitialization metadata: name: default-dsci spec: devFlags: logmode: developmentapiVersion: dscinitialization.opendatahub.io/v1 kind: DSCInitialization metadata: name: default-dsci spec: devFlags: logmode: development- Click Save.
You can also configure the log level from the OpenShift CLI by using the following command with the logmode value set to the log level that you want.
oc patch dsci default-dsci -p '{"spec":{"devFlags":{"logmode":"development"}}}' --type=merge
oc patch dsci default-dsci -p '{"spec":{"devFlags":{"logmode":"development"}}}' --type=mergeVerification
-
If you set the component log level to
develordevelopment, logs generate more frequently and include logs atWARNlevel and above. -
If you set the component log level to
prodorproduction, or do not set a log level, logs generate less frequently and include logs atERRORlevel or above.
10.1.1. Viewing the OpenShift AI Operator log
- Log in to the OpenShift CLI.
Run the following command:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow oc get pods -l name=rhods-operator -o name -n redhat-ods-operator | xargs -I {} oc logs -f {} -n redhat-ods-operatoroc get pods -l name=rhods-operator -o name -n redhat-ods-operator | xargs -I {} oc logs -f {} -n redhat-ods-operatorThe operator pod log opens.
You can also view the operator pod log in the OpenShift Console, under Workloads redhat-ods-operator
10.2. Viewing audit records
Cluster administrators can use OpenShift auditing to see changes made to the OpenShift AI Operator configuration by reviewing modifications to the DataScienceCluster (DSC) and DSCInitialization (DSCI) custom resources. Audit logging is enabled by default in standard OpenShift cluster configurations. For more information, see Viewing audit logs in the OpenShift documentation.
In Red Hat OpenShift Service on Amazon Web Services with hosted control planes (ROSA HCP), audit logging is disabled by default because the Elasticsearch log store does not provide secure storage for audit logs. To send the audit logs to Amazon CloudWatch, see Forwarding logs to Amazon CloudWatch.
The following example shows how to use the OpenShift audit logs to see the history of changes made (by users) to the DSC and DSCI custom resources.
Prerequisites
- You have cluster administrator privileges for your OpenShift cluster.
-
You installed the OpenShift command line interface (
oc) as described in Installing the OpenShift CLI.
Procedure
In a terminal window, if you are not already logged in to your OpenShift cluster as a cluster administrator, log in to the OpenShift CLI as shown in the following example:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow oc login <openshift_cluster_url> -u <admin_username> -p <password>
$ oc login <openshift_cluster_url> -u <admin_username> -p <password>-
To access the full content of the changed custom resources, set the OpenShift audit log policy to
WriteRequestBodiesor a more comprehensive profile. For more information, see About audit log policy profiles. Fetch the audit log files that are available for the relevant control plane nodes. For example:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow oc adm node-logs --role=master --path=kube-apiserver/ \ | awk '{ print $1 }' | sort -u \ | while read node ; do oc adm node-logs $node --path=kube-apiserver/audit.log < /dev/null done \ | grep opendatahub > /tmp/kube-apiserver-audit-opendatahub.logoc adm node-logs --role=master --path=kube-apiserver/ \ | awk '{ print $1 }' | sort -u \ | while read node ; do oc adm node-logs $node --path=kube-apiserver/audit.log < /dev/null done \ | grep opendatahub > /tmp/kube-apiserver-audit-opendatahub.logSearch the files for the DSC and DSCI custom resources. For example:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow jq 'select((.objectRef.apiGroup == "dscinitialization.opendatahub.io" or .objectRef.apiGroup == "datasciencecluster.opendatahub.io") and .user.username != "system:serviceaccount:redhat-ods-operator:redhat-ods-operator-controller-manager" and .verb != "get" and .verb != "watch" and .verb != "list")' < /tmp/kube-apiserver-audit-opendatahub.logjq 'select((.objectRef.apiGroup == "dscinitialization.opendatahub.io" or .objectRef.apiGroup == "datasciencecluster.opendatahub.io") and .user.username != "system:serviceaccount:redhat-ods-operator:redhat-ods-operator-controller-manager" and .verb != "get" and .verb != "watch" and .verb != "list")' < /tmp/kube-apiserver-audit-opendatahub.log
Verification
- The commands return relevant log entries.
To configure the log retention time, see the Logging section in the OpenShift documentation.
Additional resources
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}