From 1963c509207457e93a6eb6cf99c1877327603a54 Mon Sep 17 00:00:00 2001 From: dfitzmau Date: Wed, 25 Mar 2026 16:11:35 +0000 Subject: [PATCH] OSDOCS-18839: Update commands in nw-configure-ingress-access-logging with patch commands --- .../nw-configure-ingress-access-logging.adoc | 149 ++++-------------- 1 file changed, 31 insertions(+), 118 deletions(-) diff --git a/modules/nw-configure-ingress-access-logging.adoc b/modules/nw-configure-ingress-access-logging.adoc index c6392d7626b5..7cd4bb45da60 100644 --- a/modules/nw-configure-ingress-access-logging.adoc +++ b/modules/nw-configure-ingress-access-logging.adoc @@ -18,26 +18,21 @@ Syslog is needed for high-traffic clusters where access logs could exceed the Op .Procedure -Configure Ingress access logging to a sidecar. - -* To configure Ingress access logging, you must specify a destination using `spec.logging.access.destination`. To specify logging to a sidecar container, you must specify `Container` `spec.logging.access.destination.type`. The following example is an Ingress Controller definition that logs to a `Container` destination: +* For Ingress access logging to a sidecar, complete the following commands: ++ +** To enable Ingress access logging to a sidecar, enter the following command: + -[source,yaml] +[source,terminal] ---- -apiVersion: operator.openshift.io/v1 -kind: IngressController -metadata: - name: default - namespace: openshift-ingress-operator -spec: - replicas: 2 - logging: - access: - destination: - type: Container +$ oc patch ingresscontroller default -n openshift-ingress-operator --type=merge \\ +-p '{"spec":{"logging":{"access":{"destination":{"type":"Container"}}}}}' ---- - -* When you configure the Ingress Controller to log to a sidecar, the operator creates a container named `logs` inside the Ingress Controller Pod: ++ +If you need to disable Ingress access logging, do not specify any values for `spec.logging` or `spec.logging.access`. ++ +After you configure the Ingress Controller to log to a sidecar, the Operator creates a container named `logs` inside the Ingress Controller Pod. ++ +** To stream the access logs and system events from the {product-title} Ingress Controller, enter the following command: + [source,terminal] ---- @@ -50,120 +45,38 @@ $ oc -n openshift-ingress logs deployment.apps/router-default -c logs 2020-05-11T19:11:50.135710+00:00 router-default-57dfc6cd95-bpmk6 router-default-57dfc6cd95-bpmk6 haproxy[108]: 174.19.21.82:39654 [11/May/2020:19:11:50.133] public be_http:hello-openshift:hello-openshift/pod:hello-openshift:hello-openshift:10.128.2.12:8080 0/0/1/0/1 200 142 - - --NI 1/1/0/0/0 0/0 "GET / HTTP/1.1" ---- -Configure Ingress access logging to a Syslog endpoint. - -* To configure Ingress access logging, you must specify a destination using `spec.logging.access.destination`. To specify logging to a Syslog endpoint destination, you must specify `Syslog` for `spec.logging.access.destination.type`. If the destination type is `Syslog`, you must also specify a destination endpoint using `spec.logging.access.destination.syslog.address` and you can specify a facility using `spec.logging.access.destination.syslog.facility`. The following example is an Ingress Controller definition that logs to a `Syslog` destination: +* To enable logging to an external Syslog server, enter the following command. Use this option if you need to forward logs to a centralized logging solution such as Splunk, Rsyslog, or Logstash. + -[source,yaml] +[source,terminal] ---- -apiVersion: operator.openshift.io/v1 -kind: IngressController -metadata: - name: default - namespace: openshift-ingress-operator -spec: - replicas: 2 - logging: - access: - destination: - type: Syslog - syslog: - address: 1.2.3.4 - port: 10514 +$ oc patch ingresscontroller default -n openshift-ingress-operator --type=merge \\ +-p '{"spec":{"logging":{"access":{"destination":{"type":"Syslog","syslog":{"address":"1.2.3.4","port":514,"maxLenght":1024}}}}}}' ---- + -[NOTE] -==== -The `syslog` destination port must be UDP. - -The `syslog` destination address must be an IP address. It does not support DNS hostname. -==== - -Configure Ingress access logging with a specific log format. - -* You can specify `spec.logging.access.httpLogFormat` to customize the log format. The following example is an Ingress Controller definition that logs to a `syslog` endpoint with IP address 1.2.3.4 and port 10514: -+ -[source,yaml] ----- -apiVersion: operator.openshift.io/v1 -kind: IngressController -metadata: - name: default - namespace: openshift-ingress-operator -spec: - replicas: 2 - logging: - access: - destination: - type: Syslog - syslog: - address: 1.2.3.4 - port: 10514 - httpLogFormat: '%ci:%cp [%t] %ft %b/%s %B %bq %HM %HU %HV' ----- - -Disable Ingress access logging. +** Replace `1.2.3.4` with the destination IP address of your logging server. Syslog does not support a DNS hostname value. +** Replace `514` with the UDP destination port of your logging server. +** Replace `1024` with the maximum length of a log message in bytes that you want to set for log messages. -* To disable Ingress access logging, leave `spec.logging` or `spec.logging.access` empty: +* To customize the log format, append a HAProxy-compatible log string to the following command. The string determines what information gets captured in the log format, such as a client IP address. + -[source,yaml] +[source,terminal] ---- -apiVersion: operator.openshift.io/v1 -kind: IngressController -metadata: - name: default - namespace: openshift-ingress-operator -spec: - replicas: 2 - logging: - access: null +$ oc patch ingresscontroller default -n openshift-ingress-operator --type=merge \\ +-p '{"spec":{"logging":{"access":{"httpLogFormat":"%ci:%cp [%t] %ft %b/%s %B %bq %HM %HU %HV"}}}}' ---- -Allow the Ingress Controller to modify the HAProxy log length when using a sidecar. - -* Use `spec.logging.access.destination.syslog.maxLength` if you are using `spec.logging.access.destination.type: Syslog`. - +* To capture custom HTTP headers or response headers in your logs, enter the following command. Consider this option if you need to track an `X-Forwarded-For` header or custom application IDs in the Ingress and application logs. + -[source,yaml] +[source,terminal] ---- -apiVersion: operator.openshift.io/v1 -kind: IngressController -metadata: - name: default - namespace: openshift-ingress-operator -spec: - replicas: 2 - logging: - access: - destination: - type: Syslog - syslog: - address: 1.2.3.4 - maxLength: 4096 - port: 10514 +$ oc patch ingresscontroller default -n openshift-ingress-operator --type=merge \\ +-p '{"spec":{"logging":{"access":{"httpCaptureHeaders":{"request":[{"name":"User-Agent"}],"response":[{"name":"Content-Type"}]}}}}}' ---- -* Use `spec.logging.access.destination.container.maxLength` if you are using `spec.logging.access.destination.type: Container`. +* To configure a log empty requests policy, enter the following command and set the `logEmptyRequestsPolicy` parameter to `Log`. By default, HAProxy might not log empty requests or health checks, so you must manually enable this feature. To disable the feature, set the `logEmptyRequestsPolicy` parameter to `Ignore`. + -[source,yaml] +[source,terminal] ---- -apiVersion: operator.openshift.io/v1 -kind: IngressController -metadata: - name: default - namespace: openshift-ingress-operator -spec: - replicas: 2 - logging: - access: - destination: - container: - maxLength: 8192 - type: Container - httpCaptureHeaders: - request: - - maxLength: 128 - name: X-Forwarded-For +$ oc patch ingresscontroller default -n openshift-ingress-operator --type=merge \\ +-p '{"spec":{"logging":{"access":{"logEmptyRequestsPolicy":"Log"}}}}' ---- - -* To view the original client source IP address by using the `X-Forwarded-For` header in the `Ingress` access logs, see the "Capturing Original Client IP from the X-Forwarded-For Header in Ingress and Application Logs" Red{nbsp}Hat Knowledgebase solution.