openshift-docs/logging/cluster-logging.adoc

:context: cluster-logging
[id="cluster-logging"]
= Understanding cluster logging
include::modules/common-attributes.adoc[]

toc::[]



ifdef::openshift-enterprise,openshift-webscale,openshift-origin[]
As a cluster administrator, you can deploy cluster logging to
aggregate all the logs from your {product-title} cluster, such as node system audit logs, application container logs, and infrastructure logs.
Cluster logging aggregates these logs from throughout your cluster and stores them in a default log store. You can xref:../logging/cluster-logging-visualizer.adoc#cluster-logging-visualizer[use the Kibana web console to visualize log data].

Cluster logging aggregates the following types of logs:

* `application` - Container logs generated by user applications running in the cluster, except infrastructure container applications.
* `infrastructure` - Logs generated by infrastructure components running in the cluster and {product-title} nodes, such as journal logs. Infrastructure components are pods that run in the `openshift*`, `kube*`, or `default` projects.
* `audit` - Logs generated by the node audit system (auditd), which are stored in the  */var/log/audit/audit.log* file, and the audit logs from the Kubernetes apiserver and the OpenShift apiserver. 

[NOTE]
====
Because the internal {product-title} Elasticsearch log store does not provide secure storage for audit logs, audit logs are not stored in the internal Elasticsearch instance by default. If you want to send the audit logs to the internal log store, for example to view the audit logs in Kibana, you must use the Log Forwarding API as described in xref:../logging/config/cluster-logging-log-store.adoc#cluster-logging-elasticsearch-audit_cluster-logging-store[Forward audit logs to the log store].
====
endif::[]

ifdef::openshift-dedicated[]
As an administrator, you can deploy cluster logging to
aggregate logs for a range of {product-title} services.

Cluster logging runs on worker nodes. As an
 administrator, you can monitor resource consumption in the
console and via Prometheus and Grafana. Due to the high work load required for
logging, more worker nodes may be required for your environment.

Logs in {product-title} are retained for seven days before rotation. Logging
storage is capped at 600GiB. This is independent of a cluster's allocated base
storage.
endif::[]


// The following include statements pull in the module files that comprise
// the assembly. Include any combination of concept, procedure, or reference
// modules required to cover the user story. You can also include other
// assemblies.

include::modules/cluster-logging-about.adoc[leveloffset=+1]

For information, see xref:../logging/cluster-logging-deploying.adoc#cluster-logging-deploying[Configuring the log collector].

include::modules/cluster-logging-about-components.adoc[leveloffset=+2]

include::modules/cluster-logging-about-collector.adoc[leveloffset=+2]

For information, see xref:../logging/config/cluster-logging-collector.adoc#cluster-logging-collector[Configuring the log collector].

include::modules/cluster-logging-about-logstore.adoc[leveloffset=+2]

For information, see xref:../logging/config/cluster-logging-log-store.adoc#cluster-logging-store[Configuring the log store].

include::modules/cluster-logging-about-visualizer.adoc[leveloffset=+2]

For information, see xref:../logging/config/cluster-logging-visualizer.adoc#cluster-logging-visualizer[Configuring the log visualizer].

include::modules/cluster-logging-eventrouter-about.adoc[leveloffset=+2]

For information, see xref:../logging/cluster-logging-eventrouter.adoc#cluster-logging-eventrouter[Collecting and storing Kubernetes events].

include::modules/cluster-logging-forwarding-about.adoc[leveloffset=+2]

For information, see xref:../logging/cluster-logging-external.adoc#cluster-logging-external[Forwarding logs to third party systems].