The logging subsystem consists of these logical components:

  • Collector - Reads container log data from each node and forwards log data to configured outputs.

  • Store - Stores log data for analysis; the default output for the forwarder.

  • Visualization - Graphical interface for searching, querying, and viewing stored logs.

These components are managed by Operators and Custom Resource (CR) YAML files.

The logging subsystem for Red Hat OpenShift collects container logs and node logs. These are categorized into types:

  • application - Container logs generated by non-infrastructure containers.

  • infrastructure - Container logs from namespaces kube-* and openshift-\*, and node logs from journald.

  • audit - Logs from auditd, kube-apiserver, openshift-apiserver, and ovn if enabled.

The logging collector is a daemonset that deploys pods to each OKD node. System and infrastructure logs are generated by journald log messages from the operating system, the container runtime, and OKD.

Container logs are generated by containers running in pods running on the cluster. Each container generates a separate log stream. The collector collects the logs from these sources and forwards them internally or externally as configured in the ClusterLogForwarder custom resource.