Configuring the Cluster Log Forwarder for CloudWatch Logs and STS
This content is authored by Red Hat experts, but has not yet been tested on every supported configuration.
This guide shows how to deploy the Cluster Log Forwarder operator and configure it to use STS authentication to forward logs to CloudWatch.
Prerequisites
- A ROSA cluster (configured with STS)
- The
jqcli command - The
awscli command
Environment Setup
-
Configure the following environment variables
Change the cluster name to match your ROSA cluster and ensure you’re logged into the cluster as an Administrator. Ensure all fields are outputted correctly before moving on.
Prepare AWS Account
-
Create an IAM Policy for OpenShift Log Forwarding
-
Create an IAM Role trust policy for the cluster
-
Attach the IAM Policy to the IAM Role
Deploy Operators
-
Deploy the Cluster Logging operator
-
Create a secret
Configure Cluster Logging
-
Create a cluster log forwarding resource
-
Create a cluster logging resource
Check AWS CloudWatch for logs
-
Use the AWS console or CLI to validate that there are log streams from the cluster
Note: If this is a fresh cluster you may not see a log group for
applicationlogs as there are no applications running yet.
Cleanup
-
Delete the Cluster Log Forwarding resource
-
Delete the Cluster Logging resource
-
Detach the IAM Policy to the IAM Role
-
Delete the IAM Role
-
Delete the IAM Policy
Only run this command if there are no other resources using the Policy
-
Delete the CloudWatch Log Groups