Red Hat OpenShift¶
About¶
Red Hat® OpenShift® is a trusted, comprehensive, and consistent platform to develop, modernize, and deploy applications at scale, including today’s AI-enabled apps. Innovate faster with a complete set of services for bringing apps to market on your choice of infrastructure.
Product Details¶
Vendor URL: Red Hat
Product Type: Container Orchestration Platform
Product Tier: Tier III
Integration Method: Syslog
Log Guide: Red Hat Audit Logs
Parser Details¶
Log Format: SYSLOG
Expected Normalization Rate: 100%
Data Label: REDHAT_OPENSHIFT
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| annotations.authorization.k8s.io/decision | security_result.action_details |
| annotations.authorization.k8s.io/reason | security_result.description |
| application_protocol | network.application_protocol |
| container_id | target.asset.asset_id |
| hostname | principal.hostname |
| kubernetes.container_image | additional.fields |
| kubernetes.container_name | target.resource.name |
| kubernetes.master_url | observer.url |
| kubernetes.namespace_id | target.asset.attribute.labels |
| kubernetes.namespace_labels.kubernetes_io_metadata_name | additional.fields |
| kubernetes.namespace_labels.openshift_io_run-level | additional.fields |
| kubernetes.namespace_labels.pod-security_kubernetes_io_audit | additional.fields |
| kubernetes.namespace_labels.pod-security_kubernetes_io_enforce | additional.fields |
| kubernetes.namespace_labels.pod-security_kubernetes_io_warn | additional.fields |
| kubernetes.namespace_name | target.namespace |
| kubernetes.pod_id | principal.resource.id |
| kubernetes.pod_ip | principal.ip |
| kubernetes.pod_name | principal.resource.name |
| level | security_result.severity |
| method | network.http.method |
| msg | metadata.description |
| msg.caller | observer.asset.attribute.labels |
| msg.path | target.file.full_path |
| openshift.cluster_id | additional.fields |
| openshift.sequence | additional.fields |
| pipeline_metadata.collector.inputname | observer.resource.name |
| pipeline_metadata.collector.ipaddr4 | observer.ip |
| requestURI | target.url |
| resp | network.http.response_code |
| response_code | network.http.response_code |
| responseStatus.code | network.http.response_code |
| sourceIPs | principal.ip |
| src_port | principal.port |
| srcIP | principal.ip |
| stack_trace | additional.fields |
| stage | security_result.summary |
| target_host | target.hostname |
| target_ip | target.ip |
| target_port | target.port |
| thread_name | additional.fields |
| trace.parent_span_id | additional.fields |
| trace.span_id | additional.fields |
| trace.trace_id | additional.fields |
| user.groups | principal.user.group_identifiers |
| user.username | principal.user.user_display_name |
| userAgent | network.http.user_agent |
| verb | network.http.method |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| Generic | GENERIC_EVENT |
| Network Events | NETWORK_CONNECTION |
| Updates | STATUS_UPDATE |
Log Sample¶
<15>1 2024-08-20T14:31:03.521344+00:00 example.int.org.com fluentd - - - {"@timestamp":"2024-08-20T14:30:49.209245317+00:00","message":"I0820 14:30:49.207479 1967 proxier.go:861 \"Syncing iptables rules\"","docker":{"container_id":"1234abcd1234abcd1234abcd123f136chuegruy3g4732ygeugyue1g3ey3eg"},"kubernetes":{"container_name":"sdn","namespace_name":"openshift-sdn","pod_name":"abc-12345","container_image":"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:123abc123abc456789abcdefghijkmnopqrs123456","container_image_id":"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:123abc123abc456789abcdefghijkmnopqrs123456","pod_id":"1abcds123-c123-1234-abcdefghi","pod_ip":"10.32.53.201","host":"example.int.org.com","labels":{"app":"sdn","component":"network","controller-revision-hash":"746cbcf475","openshift_io_component":"network","pod-template-generation":"16","type":"infra"},"master_url":"https://kubernetes.default.svc","namespace_id":"25a1d05c-4643-4ff1-9bfd-a02b79473698","namespace_labels":{"kubernetes_io_metadata_name":"openshift-sdn","name":"openshift-sdn","olm_operatorgroup_uid_613e480f-3986-41df-909d-29466176ebed":"","openshift_io_cluster-monitoring":"true","openshift_io_run-level":"0","pod-security_kubernetes_io_audit":"privileged","pod-security_kubernetes_io_enforce":"privileged","pod-security_kubernetes_io_warn":"privileged"},"flat_labels":["app=sdn","component=network","controller-revision-hash=746cbcf475","openshift_io_component=network","pod-template-generation=16","type=infra"]},"level":"info","hostname":"example.int.org.com","pipeline_metadata":{"collector":{"ipaddr4":"10.32.53.201","inputname":"fluent-plugin-systemd","name":"fluentd","received_at":"2024-08-20T14:30:49.210204+00:00","version":"1.16.2 1.6.0"}},"openshift":{"sequence":90623942,"cluster_id":"484f451b-0ce5-4878-b3e9-8930375518dd"},"viaq_msg_id":"NzVlMzRmYzctMGJmZC00MGJmLTlhMzUtNDRjOTUyNzQzOTcw","log_type":"infrastructure"}
Sample Parsing¶
additional.fields["cluster_id"] = "484f451b-0ce5-4878-b3e9-8930375518dd"
additional.fields["container_image"] = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:123abc123abc456789abcdefghijkmnopqrs123456"
additional.fields["kubernetes_io_metadata_name"] = "openshift-sdn"
additional.fields["openshift_io_run-level"] = "0"
additional.fields["pod-security_kubernetes_io_audit"] = "privileged"
additional.fields["pod-security_kubernetes_io_enforce"] = "privileged"
additional.fields["pod-security_kubernetes_io_warn"] = "privileged"
additional.fields["sequence"] = "90623942"
metadata.description = "I0820 14:30:49.207479 1967 proxier.go:861 \"Syncing iptables rules\""
metadata.event_type = "STATUS_UPDATE"
metadata.log_type = "REDHAT_OPENSHIFT"
metadata.product_event_type = "infrastructure"
metadata.product_name = "RedHat"
metadata.vendor_name = "RedHat OpenShift"
observer.ip = "10.32.53.201"
observer.resource.name = "fluent-plugin-systemd"
observer.url = "https://kubernetes.default.svc"
principal.hostname = "example.int.org.com"
principal.ip = "10.32.53.201"
principal.resource.id = "1abcds123-c123-1234-abcdefghi"
principal.resource.name = "abc-12345"
security_result.severity = "INFORMATIONAL"
security_result.severity_details = "info"
target.asset.asset_id = "containerID: 1234abcd1234abcd1234abcd123f136chuegruy3g4732ygeugyue1g3ey3eg"
target.asset.attribute.labels.key = "namespace_id"
target.asset.attribute.labels.value = "25a1d05c-4643-4ff1-9bfd-a02b79473698"
target.namespace = "openshift-sdn"
target.resource.name = "sdn"