Using Cluster Logging Forwarder in ARO with Azure Monitor (>=4.13)
This content is authored by Red Hat experts, but has not yet been tested on every supported configuration.
NOTE: Starting from version 5.9, OpenShift Logging supports native forwarding to Azure Monitor and Azure Log Analytics, which is available on clusters running OpenShift 4.13 or higher. Please note that apiVersion was changed from logging.openshift.io/v1 to observability.openshift.io/v1 in OpenShift Logging 6.0, which is the version used in this guide. For clusters running OpenShift 4.12 or earlier, see the legacy setup document for help with configuration.
If you’re running Azure Red Hat OpenShift (ARO), you may want to be able to view and query the logs the platform and your workloads generate in Azure Monitor. With the release of the Cluster Logging Operator version 5.9, this can be done in a single step with some YAML configuration.
Prepare your ARO cluster
Deploy an ARO cluster
Follow the OpenShift documentation for installing the OpenShift Logging Operator for your version of OpenShift. These instructions cover the various methods (CLI, Web Console) of installation.
Set some environment variables
Set up ARO Monitor workspace
Add the Azure CLI log extensions
Create resource group
If you plan to reuse the same group as your cluster, skip this step.
Create workspace
Create a secret for your Azure workspace
Configure OpenShift
Create a Secret to hold the shared key:
Give permissions for the service account used in the openshift-logging namespace:
Create a ClusterLogForwarder resource. This will contain the configuration to forward to Azure Monitor:
See the logging pipeline documentation for the specifics of how to add audit logs to this configuration.
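The three objects described in the steps above (the Secret, the permission grant and the ClusterLogForwarder), written as one manifest. This is an added example, not the original guide's manifest. The Secret name, the service account name azure-log-forwarder, the log type name and the angle-bracket placeholders are assumptions, and the service account is assumed to exist already. Only the collect-application-logs role is bound, so the forwarder can read application logs and nothing else.

```yaml
# Added example. Values marked "assumed" or "placeholder" are not from the original page.
apiVersion: v1
kind: Secret
metadata:
  name: azure-monitor-shared-key          # assumed name
  namespace: openshift-logging
type: Opaque
stringData:
  shared_key: "<WORKSPACE_SHARED_KEY>"    # placeholder: shared key of the Log Analytics workspace
---
# Grant the collector's service account only the log type it forwards.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: azure-forwarder-collect-application-logs   # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: collect-application-logs
subjects:
- kind: ServiceAccount
  name: azure-log-forwarder               # assumed service account in openshift-logging
  namespace: openshift-logging
---
apiVersion: observability.openshift.io/v1
kind: ClusterLogForwarder
metadata:
  name: instance                          # assumed name
  namespace: openshift-logging
spec:
  serviceAccount:
    name: azure-log-forwarder             # must match the subject bound above
  outputs:
  - name: azure-monitor-app
    type: azureMonitor
    azureMonitor:
      customerId: "<WORKSPACE_ID>"        # placeholder: Log Analytics workspace ID
      logType: aro_application_logs       # assumed custom log type name
      authentication:
        sharedKey:
          secretName: azure-monitor-shared-key   # references the Secret above
          key: shared_key
  pipelines:
  - name: app-pipeline
    inputRefs:
    - application
    outputRefs:
    - azure-monitor-app
```

Forwarding infrastructure or audit logs needs an additional pipeline and a binding to collect-infrastructure-logs or collect-audit-logs for the same service account.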
- Check the ClusterLogForwarder instance status:

Check for logs in Azure
Wait 5 to 15 minutes
Query our new Workspace
or
Log in to Azure Log Insights, or log in to the portal and search for Log Analytics workspace.

Select your workspace

Run the Query
