mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
openshift-docs/modules/log6x-collection-setup.adoc
2025-04-11 10:06:24 +01:00
// Module included in the following assemblies:
//
// observability/logging/logging-6.0/log6x-clf.adoc
:_mod-docs-content-type: PROCEDURE
[id="log6x-collection-setup_{context}"]
= Setting up log collection
This release of Cluster Logging requires administrators to explicitly grant log collection permissions to the service account associated with *ClusterLogForwarder*. This was not required in previous releases for the legacy logging scenario consisting of a *ClusterLogging* and, optionally, a *ClusterLogForwarder.logging.openshift.io* resource.
The {clo} provides `collect-audit-logs`, `collect-application-logs`, and `collect-infrastructure-logs` cluster roles, which enable the collector to collect audit logs, application logs, and infrastructure logs respectively.
Set up log collection by binding the required cluster roles to your service account.
== Legacy service accounts
To use the existing legacy service account `logcollector`, create the following *ClusterRoleBinding*:
[source,terminal]
----
$ oc adm policy add-cluster-role-to-user collect-application-logs system:serviceaccount:openshift-logging:logcollector
----
[source,terminal]
----
$ oc adm policy add-cluster-role-to-user collect-infrastructure-logs system:serviceaccount:openshift-logging:logcollector
----
Additionally, create the following *ClusterRoleBinding* if collecting audit logs:
[source,terminal]
----
$ oc adm policy add-cluster-role-to-user collect-audit-logs system:serviceaccount:openshift-logging:logcollector
----
== Creating service accounts
.Prerequisites
* The {clo} is installed in the `openshift-logging` namespace.
* You have administrator permissions.
.Procedure
. Create a service account for the collector. If you want to write logs to storage that requires a token for authentication, you must include a token in the service account.
. Bind the appropriate cluster roles to the service account:
+
.Example binding command
[source,terminal]
----
$ oc adm policy add-cluster-role-to-user <cluster_role_name> system:serviceaccount:<namespace_name>:<service_account_name>
----
=== Cluster Role Binding for your Service Account
The role_binding.yaml file binds the ClusterLogging operator's ClusterRole to a specific ServiceAccount, allowing it to manage Kubernetes resources cluster-wide.
[source,yaml]
----
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: manager-rolebinding
roleRef: <1>
  apiGroup: rbac.authorization.k8s.io <2>
  kind: ClusterRole <3>
  name: cluster-logging-operator <4>
subjects: <5>
- kind: ServiceAccount <6>
  name: cluster-logging-operator <7>
  namespace: openshift-logging <8>
----
<1> roleRef: References the ClusterRole to which the binding applies.
<2> apiGroup: Indicates the RBAC API group, specifying that the ClusterRole is part of Kubernetes' RBAC system.
<3> kind: Specifies that the referenced role is a ClusterRole, which applies cluster-wide.
<4> name: The name of the ClusterRole being bound to the ServiceAccount, here cluster-logging-operator.
<5> subjects: Defines the entities (users or service accounts) that are being granted the permissions from the ClusterRole.
<6> kind: Specifies that the subject is a ServiceAccount.
<7> name: The name of the ServiceAccount being granted the permissions.
<8> namespace: Indicates the namespace where the ServiceAccount is located.
=== Writing application logs
The write-application-logs-clusterrole.yaml file defines a ClusterRole that grants permissions to write application logs to the Loki logging application.
[source,yaml]
----
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-logging-write-application-logs
rules: <1>
- apiGroups: <2>
  - loki.grafana.com <3>
  resources: <4>
  - application <5>
  resourceNames: <6>
  - logs <7>
  verbs: <8>
  - create <9>
----
<1> rules: Specifies the permissions granted by this ClusterRole.
<2> apiGroups: Refers to the API group loki.grafana.com, which relates to the Loki logging system.
<3> loki.grafana.com: The API group for managing Loki-related resources.
<4> resources: The resource type that the ClusterRole grants permission to interact with.
<5> application: Refers to the application resources within the Loki logging system.
<6> resourceNames: Specifies the names of resources that this role can manage.
<7> logs: Refers to the log resources that can be created.
<8> verbs: The actions allowed on the resources.
<9> create: Grants permission to create new logs in the Loki system.
=== Writing audit logs
The write-audit-logs-clusterrole.yaml file defines a ClusterRole that grants permissions to create audit logs in the Loki logging system.
[source,yaml]
----
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-logging-write-audit-logs
rules: <1>
- apiGroups: <2>
  - loki.grafana.com <3>
  resources: <4>
  - audit <5>
  resourceNames: <6>
  - logs <7>
  verbs: <8>
  - create <9>
----
<1> rules: Defines the permissions granted by this ClusterRole.
<2> apiGroups: Specifies the API group loki.grafana.com.
<3> loki.grafana.com: The API group responsible for Loki logging resources.
<4> resources: Refers to the resource type this role manages, in this case, audit.
<5> audit: Specifies that the role manages audit logs within Loki.
<6> resourceNames: Defines the specific resources that the role can access.
<7> logs: Refers to the logs that can be managed under this role.
<8> verbs: The actions allowed on the resources.
<9> create: Grants permission to create new audit logs.
=== Writing infrastructure logs
The write-infrastructure-logs-clusterrole.yaml file defines a ClusterRole that grants permission to create infrastructure logs in the Loki logging system.
.Sample YAML
[source,yaml]
----
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-logging-write-infrastructure-logs
rules: <1>
- apiGroups: <2>
  - loki.grafana.com <3>
  resources: <4>
  - infrastructure <5>
  resourceNames: <6>
  - logs <7>
  verbs: <8>
  - create <9>
----
<1> rules: Specifies the permissions this ClusterRole grants.
<2> apiGroups: Specifies the API group for Loki-related resources.
<3> loki.grafana.com: The API group managing the Loki logging system.
<4> resources: Defines the resource type that this role can interact with.
<5> infrastructure: Refers to infrastructure-related resources that this role manages.
<6> resourceNames: Specifies the names of resources this role can manage.
<7> logs: Refers to the log resources related to infrastructure.
<8> verbs: The actions permitted by this role.
<9> create: Grants permission to create infrastructure logs in the Loki system.
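The three write-*-logs ClusterRoles above differ only in the `resources` entry, so each one authorizes writes to exactly one Loki tenant. The following added example (not part of this module or of the {clo}) re-implements the small subset of Kubernetes RBAC matching these manifests use, so you can check offline which tenants a service account may write to once the roles are bound; the binding name it constructs and the assumption that the roles are bound to the `logcollector` service account are this example's own.

```python
# Added example, not code from openshift-docs. Approximates the API server's
# RBAC authorizer for the fields these manifests use: apiGroups/resources/verbs
# with the "*" wildcard, and resourceNames where an empty list matches any name.

def _matches(allowed, value):
    return "*" in allowed or value in allowed

def rule_allows(rule, api_group, resource, name, verb):
    names = rule.get("resourceNames", [])          # empty list: any name matches
    return (_matches(rule["apiGroups"], api_group)
            and _matches(rule["resources"], resource)
            and (not names or name in names)
            and _matches(rule["verbs"], verb))

def loki_write_role(tenant):
    """The page's cluster-logging-write-<tenant>-logs ClusterRole as a dict."""
    return {"kind": "ClusterRole",
            "metadata": {"name": f"cluster-logging-write-{tenant}-logs"},
            "rules": [{"apiGroups": ["loki.grafana.com"], "resources": [tenant],
                       "resourceNames": ["logs"], "verbs": ["create"]}]}

def binding(role_name, sa_name, namespace):
    """A ClusterRoleBinding granting role_name to one service account (name is constructed)."""
    return {"kind": "ClusterRoleBinding",
            "metadata": {"name": f"{role_name}:{namespace}:{sa_name}"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": role_name},
            "subjects": [{"kind": "ServiceAccount", "name": sa_name, "namespace": namespace}]}

def sa_can(roles, bindings, sa_name, namespace, api_group, resource, name, verb):
    """Resolve the bindings that name this service account and test every rule."""
    by_name = {r["metadata"]["name"]: r for r in roles}
    for b in bindings:
        if not any(s["kind"] == "ServiceAccount" and s["name"] == sa_name
                   and s["namespace"] == namespace for s in b["subjects"]):
            continue
        role = by_name.get(b["roleRef"]["name"])    # a dangling roleRef grants nothing
        if role and any(rule_allows(r, api_group, resource, name, verb) for r in role["rules"]):
            return True
    return False

def can_write_logs(roles, bindings, sa_name, namespace, tenant):
    return sa_can(roles, bindings, sa_name, namespace,
                  "loki.grafana.com", tenant, "logs", "create")

if __name__ == "__main__":
    roles = [loki_write_role(t) for t in ("application", "audit", "infrastructure")]
    # Audit is left unbound, mirroring the page's optional audit step.
    binds = [binding(f"cluster-logging-write-{t}-logs", "logcollector", "openshift-logging")
             for t in ("application", "infrastructure")]
    for t in ("application", "audit", "infrastructure"):
        print(t, can_write_logs(roles, binds, "logcollector", "openshift-logging", t))
```

Running it prints `True` for application and infrastructure and `False` for audit, which is the separation the per-tenant `resources` entry buys you; a role with `resources: ["*"]` would collapse that separation.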
=== ClusterLogForwarder editor role
The clusterlogforwarder-editor-role.yaml file defines a ClusterRole that allows users to manage ClusterLogForwarders in OpenShift.
[source,yaml]
----
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: clusterlogforwarder-editor-role
rules: <1>
- apiGroups: <2>
  - observability.openshift.io <3>
  resources: <4>
  - clusterlogforwarders <5>
  verbs: <6>
  - create <7>
  - delete <8>
  - get <9>
  - list <10>
  - patch <11>
  - update <12>
  - watch <13>
----
<1> rules: Specifies the permissions this ClusterRole grants.
<2> apiGroups: Refers to the OpenShift-specific API group.
<3> observability.openshift.io: The API group for managing observability resources, such as logging.
<4> resources: Specifies the resources this role can manage.
<5> clusterlogforwarders: Refers to the log forwarding resources in OpenShift.
<6> verbs: Specifies the actions allowed on the ClusterLogForwarders.
<7> create: Grants permission to create new ClusterLogForwarders.
<8> delete: Grants permission to delete existing ClusterLogForwarders.
<9> get: Grants permission to retrieve information about specific ClusterLogForwarders.
<10> list: Allows listing all ClusterLogForwarders.
<11> patch: Grants permission to partially modify ClusterLogForwarders.
<12> update: Grants permission to update existing ClusterLogForwarders.
<13> watch: Grants permission to monitor changes to ClusterLogForwarders.