Red Hat SummitChapter 1. Logging 6.5 release notes
This release of OpenShift Logging is supported on OpenShift Container Platform 4.19 and later.
1.1. Logging 6.5.1 Release Notes
This release includes RHSA-2026:16354.
1.1.1. Fixed issues
The following issues are fixed in this release of OpenShift Logging.
- Vector cannot authenticate to Kafka 4.0.0 with SASL mechanism SCRAM-SHA-512
Previously, Vector could fail to authenticate to Kafka 4.0.0 when using the SCRAM-SHA-512 SASL mechanism, which could lead to connection issues and stalled producers. With this update, the
rdkafkalibrary has been upgraded to 0.38.0, resolving these authentication issues and ensuring stable connectivity to Kafka 4.0.0 clusters.- Duplicate case-variant 'Accept' and 'accept' headers in CLF lead to
media_type_header_exceptionin Elasticsearch output Previously, duplicate case-variant headers (such as Accept and accept) in the
ClusterLogForwardercould cause amedia_type_header_exceptionwhen sending logs to the Elasticsearch output. With this update, header names are normalized usingCanonicalHeaderKey, which prevents duplicate case-variant headers and resolves the exception.- Eventrouter timestamp logic for updates causes Loki ingestion rejection
Previously, the Eventrouter used
metadata.creationTimestampas the log timestamp for Kubernetes Events, which could be weeks or months old for repeated events, causing Loki to reject the logs with agreater_than_max_sample_ageerror. With this update,Eventrouternow usesevent.lastTimestampas the primary log timestamp, falling back tofirstTimestamp,eventTime, and thencreationTimestamponly if necessary, ensuring that events are correctly accepted by Loki.- S3 Log Forwarding:
compression: noneignored; defaults to GZIP Previously, setting
compression: nonefor S3 log forwarding was ignored, and logs were always compressed using GZIP by default. With this update, specifyingcompression: noneis correctly respected, allowing logs to be forwarded to S3 without compression as intended.- Unsupported cipher suite error messages on LFME pods
Previously, Log File Metric Exporter (LFME) pods would log "unsupported cipher suite" error messages during startup when encountering certain TLS configurations. This update ensures that all required cipher suites are properly recognized and supported, eliminating these error messages and ensuring consistent TLS behavior.
- Collector memory and cpu usage always growing
Previously, collectors configured to use the
detect_exceptionstransform would create separate instances of the state machine for each log stream, leading to increased memory consumption. With this update, the behavior has been modified to share a single state machine instance across all log streams, significantly reducing the memory usage of the collector.
1.1.2. CVEs
The following CVEs are included in this release of OpenShift Logging.
1.2. Logging 6.5.0 release notes
This release includes RHBA-2026:6393.
1.2.1. New features and enhancements
The following section lists the new features and enhancements introduced in this release of OpenShift Logging. It highlights key improvements, added capabilities, and updates that enhance functionality.
- Automatic trace context enrichment for OTLP log forwarding
With this release, log entries forwarded to OpenTelemetry Protocol (OTLP) or
LokiStackoutputs withdataModel: Otelare automatically enriched with trace context attributes, including trace ID, span ID, and trace flags. This enables you to correlate logs with distributed traces in your observability platform, making it easier to troubleshoot issues across services. Trace context is automatically extracted from log messages without requiring any additional configuration.- Dynamic Pod Disruption Budget for LokiStack ingesters
With this release, the Pod Disruption Budget for
LokiStackingester pods dynamically adjusts based on the configured replication factor and number of ingester replicas, rather than using a hard-coded value determined by theLokiStacksize. This helps ensure high availability is maintained when you customize the replication factor beyond the default value for your selectedLokiStacksize.- OpenTelemetry log forwarding is now generally available
With this release, OpenShift Logging support for OpenTelemetry (OTel) is promoted to General Availability (GA). You can now forward logs over OTLP outputs by using OTel semantic conventions as specified in the Red Hat Observability Model. This includes configuring log forwarding to a
LokiStackdeployment using the OTel data model for log storage and retrieving logs by using the log observability UI plugin distributed by the Cluster Observability Operator.ImportantThis release reduces the default set of stream labels for OTLP log forwarding to LokiStack to help improve LokiStack performance. The new default configuration uses only the following labels as stream labels:
-
k8s.namespace.name -
kubernetes.namespace_name -
log_source -
log_type -
openshift.cluster.uid -
openshift.log.source -
openshift.log.type
If you have existing queries that used other labels in label matchers (inside
{}), you must rewrite them to use those labels as filters (after|) instead. You can also configure yourLokiStackto use the earlier set of stream labels.-
- NDJSON support for HTTP output
With this release, you can configure an HTTP output to forward logs as new line delimited JSON (NDJSON) instead of as a JSON array by setting the
formatfield tondjson. This format reduces memory footprint for some receivers.# ... spec: outputs: - http: format: ndjson method: POST url: http://echo-service.test.svc:8080 name: http-echo type: http # ...- Port validation for Kafka and Syslog outputs
With this release, the
ClusterLogForwarderAPI requires port numbers in destination URLs for Kafka and Syslog outputs. URLs without port numbers are rejected at admission time, which provides immediate feedback to administrators. This validation enhances security when evaluatingNetworkPolicyconfigurations for socket-level transports.- HTTP proxy configuration for Loki output
With this release, you can configure a proxy URL when forwarding logs to a Loki output in the
ClusterLogForwardercustom resource by setting theproxyURLfield. This follows the same syntax and semantics as the HTTP output proxy configuration.# ... spec: outputs: - loki: proxyURL: http://proxy.example.com:8080 url: https://loki-endpoint.example.com:3100 name: loki-output type: loki # ...- Ability to disable the LokiStack Gateway Route
With this release, you can disable the Gateway Route created automatically by the Loki Operator by setting the
disableIngressfield totruein theLokiStackcustom resource. This provides more control over external access to yourLokiStackdeployment.# ... spec: tenants: disableIngress: true mode: openshift-logging # ...- Improved leader election resilience for Loki Operator
With this release, the Loki Operator uses recommended leader election parameters to better tolerate API server disruptions. The lease duration, renew deadline, and retry period values are configured according to OpenShift best practices, which helps improve Operator resilience during cluster maintenance or temporary API server unavailability.
- Fine-grained authorization for the openshift-network tenant
With this release, the
LokiStackopenshift-networktenant correctly enforces fine-grained authorization. The gateway selector extractor is configured to extract selectors from queries, which allows Open Policy Agent (OPA) to enforce fine-grained authorization. As a result, network observability data access is properly restricted based on authorization policies.
1.2.2. Fixed issues
The following section lists the issues fixed in this release of OpenShift Logging. It describes the resolved problems and the resulting improvements in stability and functionality.
LokiStackcomponents alert fires when pods are in Pending stateBefore this update, the
LokistackComponentsNotReadyWarningalert did not fire whenLokiStackcomponents were inPendingstate during initial deployment, such as when provisioned with wrong storage class. As a consequence, administrators were not alerted to configuration issues that prevented components from becoming ready. With this update, the alert rule is triggered when aLokiStackis deployed with components that are not ready, even during first-time deployment. As a result, the alert now properly fires when components fail to reach a ready state.NetworkPolicyuses correct port for OpenShift Data Foundation (ODF) NooBaa S3 backend egressBefore this update, the
NetworkPolicygenerated by the Loki Operator used the Service port instead of the Pod port for the egress port configuration. As a consequence, when a Kubernetes service was configured for the object storage endpoint with OpenShift Data Foundation (ODF), ingestion and flush failures occurred with timeout errors. With this update, the Loki Operator fetches the Service andEndpointSlicesand correctly uses the Pod port rather than the Service port in theNetworkPolicy. As a result, theLokiStackcan successfully forward logs to the NooBaa S3 backend.NetworkPolicyuses correct ports for OpenStack Swift backend egressBefore this update, the
NetworkPolicygenerated by the Loki Operator exposed only the OpenStack authentication port for egress. As a consequence, when using OpenStack Swift as a storage backend, ingestion and flush failures occurred with timeout errors, and compactor and ingester pods entered a crash loop. With this update, the Loki Operator exposes either the default SSL port 443 for services or, for OpenShift installations, Red Hat’s OpenStack default SSL port 13808. As a result, theLokiStackcan successfully forward logs to the OpenStack Swift storage backend.NetworkPolicyuses correct ports for cluster-wide proxy egressBefore this update, the
NetworkPolicygenerated by the Loki Operator exposed the wrong port whenNetworkPoliciesand cluster-wide proxy were enabled. As a consequence, egress to storage backends timed out with proxy connection errors. With this update, the Loki Operator exposes the proxy port to allow communication between the ingester and object storage through the proxy. As a result, theLokiStackcan successfully forward logs through the cluster-wide proxy.- Deprecated
replicationFactorfield is handled correctly Before this update, the handling of the deprecated
replicationFactorfield was in the wrong part of the code. As a consequence, the field was ignored by the Loki Operator and not applied toreplication.factorin the generated Loki configuration. With this update, the handling is moved to the correct location where it is visible by the Operator. As a result, the deprecatedreplicationFactorfield is correctly processed and applied.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}