This worked fine for Origin 3.7, but in 3.9 the log is sent in json format, and therefore the actual fluentd format cannot parse it. I have enabled legacy format in master config, but logs are still json. Does anyone know what "input-auditlog.conf" should look like for parsing the new json type log? Thank you!

On Thu, Jun 28, 2018 at 11:54 AM, leo David <leo.da...@syncrasy.io> wrote:

> Thank you very much Clayton!
> I did it following the https://github.com/rbo/openshift-examples/tree/master/efk-auditlog procedure, and it works just beautiful.
> Thank you again, have a nice day!
>
> On Thu, Jun 28, 2018 at 2:12 AM, Clayton Coleman <ccole...@redhat.com> wrote:
>
>> If you have api audit logging on (see docs for master-config) you would see who edited the config map and what time.
>>
>> On Jun 27, 2018, at 1:59 PM, leo David <leo.da...@syncrasy.io> wrote:
>>
>> Hello everyone,
>> I'm encountering this situation on OS Origin 3.9, in which someone with full access in a particular namespace modified a ConfigMap and broke a service.
>> Is there a way to trace who / when edited a resource in OpenShift - as security concerns?
>> Thank you very much!

--
Leo David
DevOps
Syncrasy LTD
www.syncrasy.io

_______________________________________________
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
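
The thread asks how to trace who edited a ConfigMap, and when, from the JSON audit log. The sketch below is an added example and not part of the thread or of the linked efk-auditlog repository. It assumes one JSON object per line with the Kubernetes audit Event field names (`stage`, `verb`, `user.username`, `objectRef`, `responseStatus`, `timestamp`); the sample lines, users and object names are constructed.

```python
import json

# Constructed sample audit log. Field names assume the Kubernetes audit Event
# JSON schema; users, namespace and object names are invented for illustration.
SAMPLE_LOG = """\
{"kind":"Event","stage":"ResponseComplete","verb":"get","timestamp":"2018-06-27T09:58:12Z","user":{"username":"alice"},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"configmaps","namespace":"demo","name":"app-config"},"responseStatus":{"code":200}}
{"kind":"Event","stage":"RequestReceived","verb":"update","timestamp":"2018-06-27T10:01:30Z","user":{"username":"bob"},"sourceIPs":["10.0.0.7"],"objectRef":{"resource":"configmaps","namespace":"demo","name":"app-config"}}
{"kind":"Event","stage":"ResponseComplete","verb":"update","timestamp":"2018-06-27T10:01:31Z","user":{"username":"bob"},"sourceIPs":["10.0.0.7"],"objectRef":{"resource":"configmaps","namespace":"demo","name":"app-config"},"responseStatus":{"code":200}}
this line is not JSON, as a legacy-format or truncated entry would be
{"kind":"Event","stage":"ResponseComplete","verb":"patch","timestamp":"2018-06-27T10:05:00Z","user":{"username":"bob"},"sourceIPs":["10.0.0.7"],"objectRef":{"resource":"secrets","namespace":"demo","name":"db-pass"},"responseStatus":{"code":200}}
{"kind":"Event","stage":"ResponseComplete","verb":"delete","timestamp":"2018-06-27T10:09:44Z","user":{"username":"carol"},"sourceIPs":["10.0.0.9"],"objectRef":{"resource":"configmaps","namespace":"demo","name":"app-config"},"responseStatus":{"code":403}}
"""

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}

def resource_changes(lines, resource, namespace, name=None):
    """Return who attempted to modify a resource, and when, oldest first."""
    changes = []
    for line in lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # skip non-JSON (legacy or truncated) lines
        if not isinstance(ev, dict) or ev.get("kind") != "Event":
            continue
        # One request is logged at several stages; count only the final one.
        if ev.get("stage") != "ResponseComplete" or ev.get("verb") not in WRITE_VERBS:
            continue
        ref = ev.get("objectRef") or {}
        if (ref.get("resource"), ref.get("namespace")) != (resource, namespace):
            continue
        if name is not None and ref.get("name") != name:
            continue
        # Timestamp field name differs between schema versions (assumption).
        when = (ev.get("stageTimestamp") or ev.get("requestReceivedTimestamp")
                or ev.get("timestamp") or "")
        changes.append({
            "when": when,
            "user": (ev.get("user") or {}).get("username"),
            "verb": ev["verb"],
            "source_ips": ev.get("sourceIPs", []),
            # A 4xx code means the write was attempted but rejected.
            "status": (ev.get("responseStatus") or {}).get("code"),
        })
    return sorted(changes, key=lambda c: c["when"])

if __name__ == "__main__":
    for c in resource_changes(SAMPLE_LOG.splitlines(), "configmaps", "demo", "app-config"):
        print(c["when"], c["user"], c["verb"], c["status"], ",".join(c["source_ips"]))
```

Reads are excluded on purpose, and rejected writes are kept with their status code so that failed modification attempts stay visible.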