Red Hat Summit5.3. Configuring audit log values
You can configure audit log settings by using the MicroShift service configuration file.
Procedure
-
Make a copy of the provided
config.yaml.defaultfile in the/etc/microshift/directory, renaming itconfig.yaml. Keep the new MicroShiftconfig.yamlyou create in the/etc/microshift/directory. The newconfig.yamlis read whenever the MicroShift service starts. After you create it, theconfig.yamlfile takes precedence over built-in settings. Replace the default values in the
auditLogsection of the YAML with your desired valid values.Example default
auditLogconfigurationapiServer: # .... auditLog: maxFileAge: 71 maxFileSize: 2002 maxFiles: 13 profile: Default4 # ....- 1
- Specifies the maximum time in days that log files are kept. Files older than this limit are deleted. In this example, after a log file is more than 7 days old, it is deleted. The files are deleted regardless of whether or not the live log has reached the maximum file size specified in the
maxFileSizefield. File age is determined by the timestamp written in the name of the rotated log file, for example,audit-2024-05-16T17-03-59.994.log. When the value is0, the limit is disabled. - 2
- The maximum audit log file size in megabytes. In this example, the file is rotated as soon as the live log reaches the 200 MB limit. When the value is set to
0, the limit is disabled. - 3
- The maximum number of rotated audit log files retained. After the limit is reached, the log files are deleted in order from oldest to newest. In this example, the value
1results in only 1 file of sizemaxFileSizebeing retained in addition to the current active log. When the value is set to0, the limit is disabled. - 4
- Logs only metadata for read and write requests; does not log request bodies except for OAuth access token requests. If you do not specify this field, the
Defaultprofile is used.
Optional: To specify a new directory for logs, you can stop MicroShift, and then move the
/var/log/kube-apiserverdirectory to your desired location:Stop MicroShift by running the following command:
$ sudo systemctl stop microshiftMove the
/var/log/kube-apiserverdirectory to your desired location by running the following command:$ sudo mv /var/log/kube-apiserver <~/kube-apiserver>1 - 1
- Replace <~/kube-apiserver> with the path to the directory that you want to use.
If you specified a new directory for logs, create a symlink to your custom directory at
/var/log/kube-apiserverby running the following command:$ sudo ln -s <~/kube-apiserver> /var/log/kube-apiserver1 - 1
- Replace <~/kube-apiserver> with the path to the directory that you want to use. This enables the collection of logs in sos reports.
If you are configuring audit log policies on a running instance, restart MicroShift by entering the following command:
$ sudo systemctl restart microsohift
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}