Cloud Experts Documentation

Using Cluster Logging Forwarder in ARO with Azure Monitor

This content is authored by Red Hat experts, but has not yet been tested on every supported configuration.

In Azure Red Hat OpenShift (ARO) you can fairly easily set up cluster logging to an in-cluster Elasticsearch using the OpenShift Elasticsearch Operator and the Cluster Logging Operator, but what if you want to use the Azure native Log Analytics service?

There are a number of ways to do this, for example installing agents onto the VMs (in this case, it would be a DaemonSet with hostvar mounts), but that isn't ideal in a managed system like ARO.

Fluentd is the log collection and forwarding tool used by OpenShift, but it does not have native support for Azure Log Analytics. Fluent-bit, which supports many of the same protocols as Fluentd, does have native support for Azure Log Analytics.

Armed with this knowledge we can create a fluent-bit service on the cluster to accept logs from fluentd and forward them to Azure Log Analytics.

Prepare your ARO cluster

  1. Deploy an ARO cluster

  2. Set some environment variables

    export NAMESPACE=aro-clf-am
    export AZR_RESOURCE_LOCATION=eastus
    export AZR_RESOURCE_GROUP=openshift
    # this value must be unique

Set up ARO Monitor workspace

  1. Add the Azure CLI log extensions

    az extension add --name log-analytics
  2. Create resource group

    If you plan to reuse the same group as your cluster, skip this step.

  3. Create workspace

    az monitor log-analytics workspace create \
  4. Create a secret for your Azure workspace

    WORKSPACE_ID=$(az monitor log-analytics workspace show \
     --query customerId -o tsv)
    SHARED_KEY=$(az monitor log-analytics workspace get-shared-keys \
     --query primarySharedKey -o tsv)

Configure OpenShift

  1. Create a Project to run the log forwarding in

    oc new-project $NAMESPACE
  2. Create namespaces for logging operators

    kubectl create ns openshift-logging
    kubectl create ns openshift-operators-redhat
  3. Add the MOBB chart repository to Helm

    helm repo add mobb
  4. Update your Helm repositories

    helm repo update
  5. Deploy the OpenShift Elasticsearch Operator and the Red Hat OpenShift Logging Operator

    > Note: You can skip this if you already have them installed, or install them via the OpenShift Console.

    helm upgrade -n $NAMESPACE clf-operators \
     mobb/operatorhub --version 0.1.1 --install \
  6. Configure cluster logging forwarder

    helm upgrade -n $NAMESPACE clf \
     mobb/aro-clf-am --install \
     --set "azure.workspaceId=$WORKSPACE_ID" --set "azure.sharedKey=$SHARED_KEY"
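
The `--set` form above puts the workspace shared key into shell history and the process argument list, and an empty `$WORKSPACE_ID` or `$SHARED_KEY` from a failed `az` call would still deploy. The following is an added example, not part of the original guide or the MOBB chart: it validates both values and passes them through a values file readable only by the current user. The function names are hypothetical, and it assumes the workspace ID is a GUID and the shared key is base64 text.

```shell
#!/bin/sh
# Added example (not from the original guide): validate the two workspace
# values, then hand them to Helm in a 0600 values file instead of --set.

# Reject values that contain a newline (grep below matches line by line).
single_line() {
  case "$1" in *'
'*) return 1 ;; esac
}

# Assumption: the workspace ID (customerId) is a GUID.
valid_workspace_id() {
  single_line "$1" && printf '%s\n' "$1" |
    grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Assumption: the shared key is base64 text. Require it to be non-empty,
# limited to the base64 alphabet, and decodable.
valid_shared_key() {
  single_line "$1" || return 1
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' || return 1
  printf '%s' "$1" | base64 -d >/dev/null 2>&1
}

# Write the chart keys used in this guide (azure.workspaceId, azure.sharedKey)
# to a temp file readable only by the current user; print its path.
write_values_file() {
  valid_workspace_id "$1" || { echo "WORKSPACE_ID is empty or not a GUID" >&2; return 1; }
  valid_shared_key "$2" || { echo "SHARED_KEY is empty or not base64" >&2; return 1; }
  _vf=$(umask 077 && mktemp) || return 1
  printf 'azure:\n  workspaceId: "%s"\n  sharedKey: "%s"\n' "$1" "$2" > "$_vf"
  printf '%s\n' "$_vf"
}

# Usage, with the variables set earlier in this guide:
#   VALUES=$(write_values_file "$WORKSPACE_ID" "$SHARED_KEY") || exit 1
#   helm upgrade -n "$NAMESPACE" clf mobb/aro-clf-am --install -f "$VALUES"
#   rm -f "$VALUES"
```

Helm stores the supplied values with the release in the target namespace, so access to Secrets in `$NAMESPACE` should be restricted as well.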

Check for logs in Azure

Wait 5 to 15 minutes

  1. Query our new Workspace

    az monitor log-analytics query -w $WORKSPACE_ID  \
       --analytics-query "openshift_CL | take 10" --output tsv


  1. Log into Azure Log Insights, or log in to the portal and search for Log Analytics workspace

  2. Select your workspace

  3. Run the Query

       | take 10

© 2023 Red Hat, Inc.