openshift-docs/modules/gathering-data-audit-logs.adoc

// Module included in the following assemblies:
//
// * virt/support/virt-collecting-virt-data.adoc
// * support/gathering-cluster-data.adoc

ifeval::["{context}" == "gathering-cluster-data"]
:support:
endif::[]
ifeval::["{context}" == "audit-log-view"]
:viewing:
endif::[]

:_mod-docs-content-type: PROCEDURE
[id="gathering-data-audit-logs_{context}"]
= Gathering audit logs

ifdef::support[]
You can gather audit logs, which are a security-relevant chronological set of records documenting the sequence of activities that have affected the system by individual users, administrators, or other components of the system. You can gather audit logs for:

* etcd server
* Kubernetes API server
* OpenShift OAuth API server
* OpenShift API server

endif::support[]
ifdef::viewing[]
You can use the must-gather tool to collect the audit logs for debugging your cluster, which you can review or send to Red Hat Support.
endif::viewing[]

.Procedure

. Run the `oc adm must-gather` command with `-- /usr/bin/gather_audit_logs`:
+
[source,terminal]
----
$ oc adm must-gather -- /usr/bin/gather_audit_logs
----

ifndef::openshift-origin[]
. Create a compressed file from the `must-gather` directory that was just created in your working directory. For example, on a computer that uses a Linux operating system, run the following command:
+
[source,terminal]
----
$ tar cvaf must-gather.tar.gz must-gather.local.472290403699006248 <1>
----
<1> Replace `must-gather-local.472290403699006248` with the actual directory name.

. Attach the compressed file to your support case on the link:https://access.redhat.com/support/cases/#/case/list[the *Customer Support* page] of the Red Hat Customer Portal.
endif::openshift-origin[]

ifeval::["{context}" == "gathering-cluster-data"]
:!support:
endif::[]
ifeval::["{context}" == "audit-log-view"]
:!viewing:
endif::[]