Logging in OpenShift is separated into different systems and services that serve a specific purpose.

• Collecting log data - typically done with filebeat, fluentd, logstash or vector
• Storing log data, for example, in an Amazon Web Services (AWS) S3 Bucket - typically done with Loki or Elastic Search
• Visualizing and query log data - typically done in the OpenShift console or in Kibana

There are abbreviations used as shorthand for the collection of systems and services to collect, store and visualize log data.

• EFK (Elastic Search, Fluentd, Kibana)
• ELK (Elastic Search, Logstash, Kibana)
• EVK (Elastic Search, Vector, Kibana)
• LFK (Loki, Fluentd, Kibana)
• LLK (Loki, Logstash, Kibana)
• LVK (Loki, Vector, Kibana)

The first step in configuring OpenShift to collect log data from various different types of resources in your OpenShift cluster, such as nodes, pods, and so on is to install an Operator that will collect the log data. This is often done by installing the Cluster Logging Operator. Check out my article OpenShift - Getting Started with Cluster Logging.

The oc get operators command can be used to list the installed Operators. In this example, the Loki and Elasticsearch and OpenShift Cluster Logging Operators have already been installed.

~]$ oc get operators
NAME                                                              AGE
cluster-logging.openshift-logging                                 604d
elasticsearch-operator.openshift-operators-redhat                 604d
loki-operator.openshift-operators-redhat                          181d

The oc get pods command can be used list the filebeat pods in whatever project filebeat has been deployed to, which is kube-system by default.

oc get pods -n kube-system

Something like this should be returned.

NAME             READY   STATUS    RESTARTS   AGE
filebeat-2ll47   1/1     Running   0          47d
filebeat-4bf2j   1/1     Running   37         18d
filebeat-4btc5   1/1     Running   0          47d
filebeat-4lpk7   1/1     Running   39         18d
filebeat-5srrs   1/1     Running   1          47d
filebeat-5zsds   1/1     Running   39         18d
filebeat-6v4jk   1/1     Running   0          47d
filebeat-7wnzv   1/1     Running   0          47d
filebeat-c4ddh   1/1     Running   0          47d
filebeat-dk9dp   1/1     Running   0          47d
filebeat-h2228   1/1     Running   0          47d
filebeat-lcrkp   1/1     Running   461        47d
filebeat-mmszn   1/1     Running   2251       47d
filebeat-n48jw   1/1     Running   506        47d
filebeat-n62pm   1/1     Running   3942       47d
filebeat-pj2w9   1/1     Running   1          47d
filebeat-qwmfr   1/1     Running   39         18d
filebeat-rc87z   1/1     Running   0          47d
filebeat-rzv8h   1/1     Running   0          47d
filebeat-tcnkd   1/1     Running   0          47d
filebeat-wcfg9   1/1     Running   1          47d
filebeat-wg8nc   1/1     Running   0          47d
filebeat-wrqsd   1/1     Running   0          47d
filebeat-x7bvn   1/1     Running   0          47d
filebeat-z7twl   1/1     Running   0          47d
filebeat-zwlw8   1/1     Running   1          47d

The oc logs command can be used to view the logs in the filebeat pods.

oc logs pod/filebeat-2ll47