openshift-docs/modules/logging-architecture-overview.adoc

// Module included in the following assemblies:
//
// * observability/logging/cluster-logging.adoc

:_mod-docs-content-type: CONCEPT
[id="logging-architecture-overview_{context}"]
= Logging architecture

The major components of the {logging} are:

Collector:: The collector is a daemonset that deploys pods to each {product-title} node. It collects log data from each node, transforms the data, and forwards it to configured outputs. You can use the Vector collector or the legacy Fluentd collector.
+
--
include::snippets/logging-fluentd-dep-snip.adoc[]
--

Log store:: The log store stores log data for analysis and is the default output for the log forwarder. You can use the default LokiStack log store, the legacy Elasticsearch log store, or forward logs to additional external log stores.
+
--
include::snippets/logging-elastic-dep-snip.adoc[]
--

Visualization:: You can use a UI component to view a visual representation of your log data. The UI provides a graphical interface to search, query, and view stored logs. The {product-title} web console UI is provided by enabling the {product-title} console plugin.
+
--
include::snippets/logging-kibana-dep-snip.adoc[]
--

{logging-uc} collects container logs and node logs. These are categorized into types:

Application logs:: Container logs generated by user applications running in the cluster, except infrastructure container applications.

Infrastructure logs:: Container logs generated by infrastructure namespaces: `openshift*`, `kube*`, or `default`, as well as journald messages from nodes.

Audit logs:: Logs generated by auditd, the node audit system, which are stored in the */var/log/audit/audit.log* file, and logs from the `auditd`, `kube-apiserver`, `openshift-apiserver` services, as well as the `ovn` project if enabled.