Installing logging

Red Hat OpenShift Logging 6.4

Installing Loki Operator, Red Hat OpenShift Logging Operator and Cluster Observability Operator

Red Hat OpenShift Documentation Team

Abstract

This document provides information about installing Loki Operator to manage your log store, Red Hat OpenShift Logging Operator to manage log collection and forwarding, and Cluster Observability Operator for visualization.

Chapter 1. Overview of Red Hat OpenShift Logging installation

Installing Red Hat OpenShift Logging requires planning and preparation before you deploy operators. Complete the prerequisite verification and sizing steps first to avoid common deployment failures.

1.1. Installation workflow

Follow this order to ensure a successful deployment:

Plan and prepare (complete BEFORE installing operators):
- Verify cluster prerequisites (StorageClass availability)
- Configure object storage backend with TLS certificates
- Choose initial deployment size based on cluster size (cannot calculate actual log volume until after installation)
- Verify cluster has sufficient CPU, memory, and storage capacity for the initial size
Install operators:
- Install the Loki Operator
- Install the Red Hat OpenShift Logging Operator
Configure and deploy:
- Create LokiStack custom resource with initial size
- Create ClusterLogForwarder custom resource for log collection
- Verify log collection and storage
Optimize after deployment (24+ hours after installation):
- Measure actual log ingestion rate using metrics
- Adjust LokiStack size if needed based on observed log volume
- Monitor resource utilization

1.2. Operator requirements for different use cases

Not all logging deployments require all three Operators. Choose which Operators to install based on your use case.

Log forwarding only

Install only the Red Hat OpenShift Logging Operator to collect and forward logs to external destinations such as Splunk, Elasticsearch, or cloud logging services.

Operators required: Red Hat OpenShift Logging Operator
Use case: Forward logs to existing external log storage or third-party systems
Storage: No cluster storage required
Visualization: Use external tools (Splunk, Grafana, Kibana)

Log storage without Red Hat visualization

Install the Loki Operator and Red Hat OpenShift Logging Operator to store logs in a LokiStack instance and optionally forward to external destinations.

Operators required: Loki Operator, Red Hat OpenShift Logging Operator
Use case: Store logs in-cluster using LokiStack, query with external Grafana or CLI tools
Storage: Requires object storage (S3-compatible) and persistent volumes
Visualization: Use external Grafana or oc CLI with LogQL queries

Full logging stack with Red Hat visualization

Install all three Operators to deploy the complete logging solution with the OpenShift Container Platform web console log viewer.

Operators required: Loki Operator, Red Hat OpenShift Logging Operator, Cluster Observability Operator
Use case: Complete logging solution with integrated OpenShift Container Platform console visualization
Storage: Requires object storage (S3-compatible) and persistent volumes
Visualization: Use the OpenShift Container Platform web console Observe → Logs interface

Note

You can combine use cases. For example, you can install all three Operators to use the web console visualization while simultaneously forwarding logs to external systems for compliance or long-term archival.

1.3. Preinstallation checklist

Before you install the Operators, verify the following prerequisites. Completing these checks prevents hours of troubleshooting later.

Requirement	Description
✅ StorageClass available	`LokiStack` requires a `StorageClass` for persistent storage for its internal components. The `StorageClass` does not need to be the default, but it must have sufficient available capacity for your chosen LokiStack size. Without an available `StorageClass`, pods remain in `Pending` state and no logs are collected. See Verifying cluster prerequisites.
✅ Object storage created	`LokiStack` requires an S3-compatible object storage backend (AWS S3, GCS, Azure Blob, S3 Compatible storage, Ceph RGW, or Swift) to store log data. Note: It is not possible to accurately estimate required object storage capacity before installation, as log volume cannot be predicted. Start with a reasonable estimate (for example, 1 TB) and monitor actual usage after deployment. See Configuring storage for LokiStack.
✅ TLS CA bundle configured (if needed)	If your object storage uses self-signed certificates or an internal certificate authority, you must create a CA bundle secret. Without this, logs are silently dropped. See Configuring TLS CA bundle.
✅ Initial deployment size chosen	Choose an initial `LokiStack` size (`1x.demo`, `1x.pico`, `1x.extra-small`, `1x.small`, or `1x.medium`) based on your cluster size. You cannot accurately predict log volume before installation. After deployment, you will measure actual log volume and resize if needed. See Loki deployment sizing.
✅ Cluster capacity verified	Ensure your cluster has sufficient CPU, memory, and persistent volume capacity for the chosen deployment size. A `1x.medium` deployment with ruler requires 70 vCPUs and 171 GiB memory.
✅ Network connectivity verified	Test connectivity between your cluster and the object storage endpoint. For cloud-managed storage, verify IAM roles or service accounts are configured correctly.

Important

The most common deployment failures occur when users install operators before completing these prerequisites. Missing an available StorageClass or TLS CA bundle causes silent failures where the LokiStack shows Ready but logs are not collected or stored.

1.4. Deployment scenarios

Select your deployment scenario to determine the required storage backend and sizing.

Cloud deployment (AWS, GCP, Azure)

Storage backend: Use cloud-managed object storage (S3, GCS, Azure Blob Storage)
TLS CA bundle: Typically not required when using standard public endpoints. Required when using custom endpoints, VPC endpoints, or private link configurations with custom certificates.
Authentication: Configure IAM roles (AWS STS recommended) or service accounts
Sizing: Start with 1x.pico or 1x.extra-small for development, 1x.small or 1x.medium for production

On-premise deployment (bare metal, VMware)

Storage backend: Deploy S3 Compatible storage (NetApp StorageGRID and others), Ceph RGW, or use enterprise S3-compatible storage
TLS CA bundle: Required when using self-signed certificates or internal certificate authorities. Not required when using publicly trusted certificates.
Authentication: Create Kubernetes secret with storage credentials
Sizing: Start with 1x.extra-small for development, 1x.small or 1x.medium for production

Edge deployment (single-node clusters, remote sites)

Storage backend: Forward logs to central cluster with LokiStack, or use local S3 Compatible storage with limited retention
StorageClass: Must configure Local Storage Operator or Logical Volume Manager Storage for persistent volumes
Sizing: Use 1x.pico or 1x.extra-small with short retention (7-14 days)
Consider: Log forwarding to central hub instead of local storage for capacity-constrained nodes

Multi-cluster or enterprise deployment

Storage backend: Centralized object storage with multi-region replication
Sizing: 1x.medium or larger, with ruler enabled for alerting and retention policies
Consider: Separate LokiStack instances per environment (dev/staging/prod) or centralized aggregation

1.5. Logging operator overview

Red Hat OpenShift Logging provides three Operators to deploy and manage logging. Each Operator manages a distinct layer of the logging stack:

Loki Operator: Installs into the openshift-operators-redhat namespace. Manages the log store: receives, indices, and stores logs in S3-compatible object storage by using a LokiStack instance.
Red Hat OpenShift Logging Operator: Installs into the openshift-logging namespace. Manages log collection and forwarding: tails container logs and ships them to the log store by using a ClusterLogForwarder instance.
Cluster Observability Operator (COO): Installs into the openshift-cluster-observability-operator namespace. Manages visualization: adds the Logs tab to the web console under Observe → Logs by using a UIPlugin instance.

1.6. Choosing which operators to install

The Operators you need depend on your use case:

Collect and forward logs to a third-party log store: Install only the Red Hat OpenShift Logging Operator.
Store logs in-cluster with LokiStack: Install the Loki Operator first, then the Red Hat OpenShift Logging Operator.
Store logs in-cluster and visualize them in the web console: Install all three operators in this order:
1. Loki Operator
2. Red Hat OpenShift Logging Operator
3. Cluster Observability Operator (COO)

Important

You must install and configure the Loki Operator before configuring the Red Hat OpenShift Logging Operator.
The Loki Operator and the Red Hat OpenShift Logging Operator must use the same major and minor version. For example, both operators must be on stable-6.4.

1.7. Logging storage prerequisites

Before you begin the installation, ensure that you have the following:

Cluster administrator access to an OpenShift Container Platform cluster.
The OpenShift CLI (oc) installed.
A StorageClass available in your cluster for LokiStack internal persistent volume claims (PVCs). Run oc get storageclasses to list available options. If no StorageClass exists, install one first. For bare metal or single-node OpenShift clusters, Logical Volume Manager (LVM) Storage can give a StorageClass.
Access to an S3-compatible object store for log data. Supported providers include AWS S3, Azure, GCP, S3 Compatible storage (NetApp StorageGRID and others), OpenShift Data Foundation, and Swift.

Important

LokiStack requires two separate kinds of storage:

Block storage (StorageClass): For internal PVCs that store the write-ahead log (WAL), index cache, and compactor working space.
Object storage (S3-compatible): For the actual log data chunks and indices.

These are distinct requirements. The storageClassName field in the LokiStack CR refers to block storage, not object storage.

You have reviewed the Loki deployment sizing guidelines to ensure you have enough CPU, memory, persistent volume claims (PVCs), and object storage available. For more information, see the "Additional resources" section.
You have reviewed the cluster nodes to ensure they have enough resources available to support the planned deployment size.

Additional resources

Loki deployment sizing

1.8. Additional resources

Verifying cluster prerequisites
Configuring storage for LokiStack
Loki deployment sizing
Installing the Loki Operator
Installing the Red Hat OpenShift Logging Operator
Creating the LokiStack
Tuning the log store
Configuring log forwarding

Chapter 2. Verifying cluster prerequisites for logging

Before you install the Loki Operator or Red Hat OpenShift Logging Operator, verify that your cluster meets both storage requirements for LokiStack. Missing either storage prerequisite is a common cause of silent deployment failures.

Important

LokiStack requires TWO separate types of storage:

Block storage (via StorageClass): For internal PVCs that store the write-ahead log (WAL), index cache, and compactor working space
Object storage (S3-compatible): For the actual log data chunks and indices

This section covers the first requirement (block storage). Object storage is configured separately in Configuring object storage for LokiStack.

Both storage types are mandatory. Missing either causes deployment failure.

2.1. Why verify prerequisites first

Without a working StorageClass:

Operators install successfully.
The LokiStack shows Ready.
Pods remain Pending and no logs are collected or stored.

Without object storage or a proper CA bundle:

Operators install successfully.
The LokiStack shows Ready.
Logs are silently dropped with no user-facing error.

Complete these checks now to prevent troubleshooting issues later. See KCS-7062821 for examples of support cases caused by unclear storage requirements.

2.2. Object storage permissions requirements

The credentials used to access S3-compatible object storage must have specific permissions to allow LokiStack to read, write, and manage log data.

2.2.1. Required S3 API permissions

The following S3 API permissions are required for LokiStack to function correctly:

Permission	Purpose
`s3:ListBucket`	List objects in the bucket. Required for LokiStack to query and retrieve stored log chunks.
`s3:PutObject`	Write log chunks and index files to the bucket. Required for log ingestion.
`s3:GetObject`	Read log chunks and index files from the bucket. Required for log queries and compaction.
`s3:DeleteObject`	Delete expired log chunks based on retention policies. Required for the compactor component.
`s3:GetObjectTagging`	Read object tags. Required for retention and lifecycle management.
`s3:PutObjectTagging`	Write object tags. Required for retention and lifecycle management.

Important

Without s3:DeleteObject permission, the LokiStack compactor cannot remove expired logs. This causes the bucket to grow indefinitely, even when retention policies are configured. The LokiStack shows Ready but old logs are never deleted.

2.2.2. Example IAM policy for AWS S3

If using Amazon S3, create an IAM policy with the following permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::<bucket_name>"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:GetObjectTagging",
        "s3:PutObjectTagging"
      ],
      "Resource": "arn:aws:s3:::<bucket_name>/*"
    }
  ]
}

Replace <bucket_name> with your actual S3 bucket name.

2.2.3. Permissions for S3 Compatible storage

For S3 Compatible storage providers (NetApp StorageGRID, Cloudian HyperStore, and others), ensure the access credentials have equivalent permissions to the S3 API operations listed above. The exact configuration method varies by storage provider.

Consult your storage provider’s documentation for:

How to create users or service accounts
How to grant S3 API permissions to those accounts
Whether additional permissions are required for your specific storage implementation

Note

Some S3 Compatible storage providers use different permission models or naming conventions. Verify that your credentials can perform all six S3 operations listed above.

Additional resources

2.3. Verifying StorageClass availability

LokiStack requires a StorageClass that supports dynamic provisioning of block storage (ReadWriteOnce). The StorageClass does not need to be the default, but it must have sufficient available capacity for your chosen LokiStack size.

Prerequisites

You have cluster administrator permissions.
You are logged in to the cluster with oc.

Procedure

List available StorageClass resources:
```
$ oc get storageclass
```
Identify the StorageClass you will use for LokiStack. It can be the default StorageClass (marked with (default)) or any other available StorageClass:
```
$ oc get storageclass -o=jsonpath='{.items[?(@.metadata.annotations.storageclass\.kubernetes\.io/is-default-class=="true")].metadata.name}'
```
Verify the StorageClass supports block storage (strongly recommended for Loki performance):
Look for a provisioner such as ebs.csi.aws.com, csi.vsphere.vmware.com, openshift-storage.ceph.rbd, or similar.
Important
Loki supports both block and filesystem storage, but filesystem storage introduces significant performance issues and is not recommended for production deployments. Always use block storage (volumeMode: Block) when available.
Verify the StorageClass has sufficient available capacity:
Check the disk space requirements from the Loki sizing table. For example, 1x.medium with ruler requires 910 GiB of total disk capacity across all PVCs.

Note

If no suitable StorageClass exists, LokiStack PVCs remain Pending and pods never start. You must configure a StorageClass before installing the operators. If you do not want to use the default StorageClass, you can specify storageClassName explicitly in the LokiStack CR.

Next step

If you are on single-node OpenShift or an edge deployment without dynamic storage, configure local storage for single-node and edge deployments.

2.4. Configuring local storage for single-node and edge deployments

Single-node OpenShift and many edge deployments do not include a StorageClass. Use the Local Storage Operator or Logical Volume Manager Storage to create one from local disks.

Prerequisites

You have cluster administrator permissions.
Raw, unformatted block devices are available on the node(s).
The cluster is not using OpenShift Data Foundation (consider OpenShift Data Foundation for larger environments).

Procedure

Create the project, if it does not exist, by running the following command:
```
$ oc adm new-project openshift-local-storage
```
Install the Local Storage Operator from OperatorHub (Web Console) or via Subscription YAML. Use the stable channel.

Create a LocalVolume CR for block devices (recommended for Loki):

Example: localvolume-block.yaml

apiVersion: local.storage.openshift.io/v1
kind: LocalVolume
metadata:
  name: local-block
  namespace: openshift-local-storage
spec:
  nodeSelector:
    nodeSelectorTerms:
    - matchExpressions:
      - key: kubernetes.io/hostname
        operator: In
        values:
        - <your_node_name>
  storageClassDevices:
  - storageClassName: local-block
    volumeMode: Block
    devicePaths:
    - /dev/disk/by-id/<device_id>
    fsType: ""

<your_node_name>: Replace with your node name or use node labels for selection.
storageClassName: local-block: This value becomes your new StorageClass name.
<device_id>: Use stable by-id paths for device identification.

Apply it by running the following command:
```
$ oc apply -f localvolume-block.yaml
```
Verify the new StorageClass by running the following command:
```
$ oc get storageclass local-block
```
Optional: Make it the default StorageClass.

Verification

After the LokiStack is created, check that PVCs bind by running the following command:

$ oc get pvc -n openshift-logging

2.5. Additional resources

Configuring object storage for LokiStack
Installing the Loki Operator

Chapter 3. Configuring object storage for LokiStack

Before you create a LokiStack custom resource, you must prepare your object storage backend. This is the second of two storage types that you must configure.

Important

This section covers object storage configuration, which is separate from the block storage (StorageClass) requirement verified in Verifying cluster prerequisites.

Both storage types are mandatory:

Block storage (StorageClass): For LokiStack internal PVCs - verified first
Object storage (S3-compatible): For actual log data - configured in this section

The storageClassName field in the LokiStack CR refers to block storage, NOT object storage. Object storage is configured via the secret referenced in spec.storage.secret.name.

LokiStack requires an S3-compatible object storage backend to store log chunks and indices. You must configure the storage backend and create a Kubernetes secret with the credentials before you create the LokiStack custom resource.

3.1. Storage backend selection guide

Selecting the right object storage backend is critical for LokiStack performance, cost, and reliability. As a cluster administrator, you must confirm that your choice meets your log volume and retention requirements.

Table 3.1. Storage selection decision tree

Environment	Recommended Backend	CA Bundle Required?
Public Cloud (AWS)	Amazon S3	Depends on configuration ¹
Public Cloud (GCP)	Google Cloud Storage (GCS)	Depends on configuration ¹
Public Cloud (Azure)	Azure Blob Storage	Depends on configuration ¹
On-site	Red Hat OpenShift Data Foundation Ceph RGW (RADOS Gateway) ²	Depends on configuration ³
On-site	S3 Compatible storage ⁴	Depends on configuration ³
Edge and single-node	Forward to central hub	N/A

¹ CA bundle required when using: custom endpoints with self-signed certificates, VPC endpoints with internal CAs, or private link configurations with custom certificate chains. Not required when using standard public cloud endpoints with publicly trusted certificates.

² Ceph RGW (RADOS Gateway) is also known as NooBaa in Rook implementations of OpenShift Data Foundation.

³ CA bundle required when using self-signed certificates or internal certificate authorities. Not required when using publicly trusted certificates from a recognized CA.

⁴ S3 Compatible storage includes NetApp StorageGRID, Cloudian HyperStore, and other S3-compatible providers.

Key considerations:

Public Clouds: Use cloud-native options such as Amazon S3, GCS, or Azure Blob. These are the most tested and natively supported backends.
On-site: OpenShift Data Foundation (Ceph RGW) is the recommended solution for Red Hat OpenShift.
Sizing: Your choice of backend affects retention policies and query performance.
Air-gapped clusters: Ensure your internal storage provider is reachable from all nodes in the cluster.

3.2. Object storage permissions requirements

The credentials used to access S3-compatible object storage must have specific permissions to allow LokiStack to read, write, and manage log data.

3.2.1. Required S3 API permissions

The following S3 API permissions are required for LokiStack to function correctly:

Permission	Purpose
`s3:ListBucket`	List objects in the bucket. Required for LokiStack to query and retrieve stored log chunks.
`s3:PutObject`	Write log chunks and index files to the bucket. Required for log ingestion.
`s3:GetObject`	Read log chunks and index files from the bucket. Required for log queries and compaction.
`s3:DeleteObject`	Delete expired log chunks based on retention policies. Required for the compactor component.
`s3:GetObjectTagging`	Read object tags. Required for retention and lifecycle management.
`s3:PutObjectTagging`	Write object tags. Required for retention and lifecycle management.

Important

3.2.2. Example IAM policy for AWS S3

If using Amazon S3, create an IAM policy with the following permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::<bucket_name>"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:GetObjectTagging",
        "s3:PutObjectTagging"
      ],
      "Resource": "arn:aws:s3:::<bucket_name>/*"
    }
  ]
}

Replace <bucket_name> with your actual S3 bucket name.

3.2.3. Permissions for S3 Compatible storage

Consult your storage provider’s documentation for:

How to create users or service accounts
How to grant S3 API permissions to those accounts
Whether additional permissions are required for your specific storage implementation

Note

Some S3 Compatible storage providers use different permission models or naming conventions. Verify that your credentials can perform all six S3 operations listed above.

Additional resources

3.3. Configuring a TLS CA bundle for object storage

Many on-site and self-signed object storage solutions, such as S3 Compatible storage, Ceph RGW (RADOS Gateway), or Red Hat OpenShift Data Foundation, require a CA bundle so that LokiStack components can trust the storage endpoint.

Caution

If your storage uses self-signed or internal certificates and you do not configure the CA bundle, the LokiStack will show Ready but logs will be silently dropped. No error is displayed in the web console.

LokiStack component pods (ingesters, queriers, compactors) will show the following error in their logs: x509: certificate signed by unknown authority

To check for this error, examine the logs of LokiStack component pods by running the following commands:

$ oc logs -n openshift-logging <lokistack_ingester_pod> | grep -i "x509\|certificate"
$ oc logs -n openshift-logging <lokistack_querier_pod> | grep -i "x509\|certificate"

Prerequisites

You have administrator access to the cluster.
You have access to the storage backend CA certificate.

Procedure

Extract the CA certificate from your storage provider by running the following command. For example, if using S3 Compatible storage, you can use openssl:
```
$ openssl s_client -connect <storage_endpoint>:<port> -showcerts </dev/null 2>/dev/null | openssl x509 -out storage-ca.crt
```
Note
If you are using OpenShift Data Foundation Ceph RGW (provided by the NooBaa service in Rook deployments), you might need to use the openshift-service-ca.crt from the openshift-service-ca config map.
Create a ConfigMap in the openshift-logging namespace containing the CA certificate by running the following command:
```
$ oc create configmap loki-s3-ca-bundle \
    -n openshift-logging \
    --from-file=ca-bundle.crt=./storage-ca.crt
```

Reference the CA bundle ConfigMap in your LokiStack custom resource (CR) under spec.storage.tls:

apiVersion: loki.storage.openshift.io/v1
kind: LokiStack
metadata:
  name: logging-loki
  namespace: openshift-logging
spec:
  storage:
    schemas:
    - version: v13
      effectiveDate: "2024-10-01"
    secret:
      name: logging-loki-s3
      type: s3
    tls:
      caName: loki-s3-ca-bundle
  storageClassName: <storage_class_name>
  tenants:
    mode: openshift-logging

The caName field references the ConfigMap created in step 2.

Verification

After creating the LokiStack, verify that component pods can reach the storage endpoint without TLS errors by running the following commands:

$ oc get pods -n openshift-logging | grep lokistack
$ oc logs -n openshift-logging <lokistack_ingester_pod> | grep -i "error\|x509\|certificate"

A successful configuration shows no certificate verification errors in the logs.

3.4. Configuring Amazon S3 for LokiStack

As a cluster administrator, you can use Amazon Web Services (AWS) object storage to store logs. Amazon S3 is a well-tested and natively supported backend for LokiStack.

Prerequisites

You have an AWS account with permissions to create S3 buckets and IAM policies.
You have created an S3 bucket.
You have created IAM credentials with the required S3 API permissions. See the object storage permissions requirements.
You have cluster administrator permissions.

Procedure

Create an object storage secret with the name logging-loki-s3:

For standard AWS authentication:

$ oc create secret generic logging-loki-s3 \
  -n openshift-logging \
  --from-literal=bucketnames="<bucket_name>" \
  --from-literal=endpoint="https://s3.<region>.amazonaws.com" \
  --from-literal=access_key_id="<aws_access_key_id>" \
  --from-literal=access_key_secret="<aws_access_key_secret>" \
  --from-literal=region="<aws_region>"

For clusters with Security Token Service (STS) enabled:

$ oc -n openshift-logging create secret generic "logging-loki-s3" \
  --from-literal=bucketnames="<s3_bucket_name>" \
  --from-literal=region="<bucket_region>" \
  --from-literal=audience="<oidc_audience>"

Verification

Run the following command to verify that the secret was created successfully:

$ oc get secret logging-loki-s3 -n openshift-logging

3.5. Configuring Google Cloud Storage for LokiStack

You can use Google Cloud Storage (GCS) to store logs in Google Cloud.

Prerequisites

You have a project on Google Cloud.
You have created a bucket in the project.
You have created a service account with the necessary permissions.
You have cluster administrator permissions.

Procedure

Obtain the service account credentials from Google Cloud and save them as key.json.

Create an object storage secret with the name logging-loki-s3:

$ oc create secret generic logging-loki-s3 \
  -n openshift-logging \
  --from-literal=bucketname="<bucket_name>" \
  --from-file=key.json="./key.json"

Verification

Run the following command to verify that the secret was created successfully:

$ oc get secret logging-loki-s3 -n openshift-logging

3.6. Configuring Azure Blob Storage for LokiStack

You can use Azure Blob Storage to store logs in Microsoft Azure.

Prerequisites

You have an Azure storage account and a container.
You have cluster administrator permissions.

Procedure

Create an object storage secret with the name logging-loki-s3:

For standard Azure authentication:

$ oc create secret generic logging-loki-s3 \
  -n openshift-logging \
  --from-literal=container="<azure_container_name>" \
  --from-literal=environment="<azure_environment>" \
  --from-literal=account_name="<azure_account_name>" \
  --from-literal=account_key="<azure_account_key>"

Supported environment values are AzureGlobal, AzureChinaCloud, AzureGermanCloud, or AzureUSGovernment.

For clusters with Microsoft Entra Workload ID enabled:

$ oc -n openshift-logging create secret generic logging-loki-s3 \
  --from-literal=environment="<azure_environment>" \
  --from-literal=account_name="<storage_account_name>" \
  --from-literal=container="<container_name>"

Verification

Run the following command to verify that the secret was created successfully:

$ oc get secret logging-loki-s3 -n openshift-logging

3.7. Configuring S3 Compatible storage for LokiStack

You can use any S3 Compatible object storage to store logs. This includes NetApp StorageGRID, Cloudian HyperStore, Hitachi Content Platform (HCP), and other S3-compatible storage providers.

Note

S3 Compatible storage uses different secret parameters than AWS S3. Do not use AWS-specific parameters like region for S3 Compatible storage.

Prerequisites

You have S3 Compatible storage deployed and accessible.
You have created a bucket on your S3 Compatible storage.
You have created access credentials with the required S3 API permissions. See Object storage permissions requirements.
You have cluster administrator permissions.

Procedure

Create an object storage secret with the name logging-loki-s3:
```
$ oc create secret generic logging-loki-s3 \
  -n openshift-logging \
  --from-literal=bucketnames="<bucket_name>" \
  --from-literal=endpoint="<s3_endpoint_url>" \  1
  --from-literal=access_key_id="<access_key>" \
  --from-literal=access_key_secret="<secret_key>" \
  --from-literal=forcepathstyle="true"  2
```
1
The full endpoint URL, including protocol and port (for example, https://s3.example.com:9000). Do NOT include the bucket name in the endpoint.
2
The forcepathstyle="true" parameter is required for S3 Compatible storage. This is NOT used for AWS S3.
If your S3 Compatible storage uses self-signed certificates or an internal CA, configure the TLS CA bundle. Follow Configuring a TLS CA bundle for object storage.
Important
Skipping the CA bundle configuration when using self-signed certificates causes logs to be silently dropped. The LokiStack shows Ready but logs are not stored.

Verification

Verify the secret was created successfully:

$ oc get secret logging-loki-s3 -n openshift-logging

Additional resources

Configuring a TLS CA bundle for object storage

3.8. Configuring Ceph RGW for LokiStack

You can use Red Hat OpenShift Data Foundation object storage to store logs on site.

Prerequisites

You have deployed OpenShift Data Foundation.
You have configured your OpenShift Data Foundation cluster for object storage.
You have cluster administrator permissions.

Procedure

Create an ObjectBucketClaim custom resource in the openshift-logging namespace:
```
apiVersion: objectbucket.io/v1alpha1
kind: ObjectBucketClaim
metadata:
  name: loki-bucket-odf
  namespace: openshift-logging
spec:
  generateBucketName: loki-bucket-odf
  storageClassName: openshift-storage.ceph.rbd  1
```
1
For OpenShift Data Foundation deployments, use openshift-storage.ceph.rbd for block storage. The object storage endpoint is provided via Ceph RGW (RADOS Gateway), also known as NooBaa in Rook implementations.
Get the bucket properties and credentials from the associated ConfigMap and Secret objects.

Create an object storage secret with the name logging-loki-s3:

$ oc create -n openshift-logging secret generic logging-loki-s3 \
  --from-literal=access_key_id="<access_key_id>" \
  --from-literal=access_key_secret="<secret_access_key>" \
  --from-literal=bucketnames="<bucket_name>" \
  --from-literal=endpoint="https://<bucket_host>:<bucket_port>" \
  --from-literal=forcepathstyle="true"

Optional: If your Ceph RGW installation uses self-signed certificates, follow Configuring a TLS CA bundle for object storage.
Note
If using the default Red Hat OpenShift Data Foundation Ceph RGW endpoint (NooBaa service in Rook deployments), you might need to use the service CA certificate.

Verification

Run the following command to verify that the secret was created successfully:

$ oc get secret logging-loki-s3 -n openshift-logging

3.9. Additional resources

Installing the Loki Operator
Installing the Red Hat OpenShift Logging Operator

Chapter 4. Loki deployment sizing

Before you install the Loki Operator, choose an initial LokiStack deployment size based on your cluster size. After installation, you measure actual log volume and adjust the deployment size as needed. Starting with an appropriate initial size ensures a smooth deployment and minimizes the need for resizing.

4.1. Understanding Loki deployment sizing

Understanding how to size your Loki deployment helps you avoid performance issues and ensure logs are reliably collected and queryable.

4.1.1. What is QPS (Queries Per Second)?

QPS (Queries Per Second) measures the rate of log queries against your LokiStack. Common sources of queries include:

User queries from the OpenShift web console
Dashboard auto-refresh intervals (for example, Grafana dashboards refreshing every 30 seconds)
Alert rule evaluations running continuously
API queries from monitoring and observability tools

A single user running multiple dashboards can generate 10-20 QPS. The sizing table shows average QPS at 200ms query latency.

4.1.2. How log volume affects sizing

Log volume directly impacts the resources required for Loki components:

Ingestion rate (GB/day): Drives ingester CPU and memory requirements. Higher log volume requires more ingesters to handle the write load.
Retention period: Drives object storage capacity. Retention multiplied by daily log volume determines total storage needed (for example, 100 GB/day × 30 days = 3 TB storage).
Query time range: Affects querier resource requirements. Queries across longer time ranges require more memory and CPU to process results.

4.1.3. Ruler component CPU requirements

The ruler component evaluates alerting rules and retention policies continuously. Enabling the ruler significantly increases CPU requirements:

Processes alerting rules against incoming log streams
Evaluates retention policies for log deletion
Scales based on: number of tenants × number of rules × log data volume

For example, the 1x.medium size requires: * Without ruler: 34 vCPUs * With ruler: 42 vCPUs (+8 vCPUs for ruler evaluation)

4.1.4. Determining initial deployment size

Because log volume cannot be predicted before installation, use these baseline recommendations:

Small clusters (≤10 nodes): Start with 1x.extra-small size
Medium to large clusters (>10 nodes): Start with 1x.medium size
Single-node OpenShift (SNO) or edge: Start with 1x.pico size (minimum viable deployment)

Important

You cannot accurately estimate log volume before installation. Factors that make pre-installation sizing impossible:

A single pod can produce 100 GB/day of logs
Log volume varies dramatically based on application verbosity, not pod count
Infrastructure logs (journald) and audit logs are not produced by containers
Cluster activity (pod creation/deletion) affects log volume independently of workload size

Start with a baseline size and adjust after monitoring actual log production.

4.1.5. Calculating sizing after installation

After the logging stack is running, calculate the correct size based on observed metrics:

Procedure

Wait at least 24 hours after installation to capture representative log volume patterns.

Query the actual log ingestion rate using Prometheus:

sum by (component_name) (rate(vector_component_sent_bytes_total{component_type="loki", component_kind="sink"}[5m]))

Convert the rate to GB/day and compare against the sizing table:

# Example: If query returns 5242880 bytes/second
# = 5242880 * 86400 / 1073741824 = ~421 GB/day
# → Requires 1x.small (500 GB/day capacity)

Update the LokiStack CR with the new size if needed:
```
spec:
  size: 1x.small  # Updated from initial 1x.extra-small
```
Monitor CPU and memory utilization to ensure the deployment is not resource-constrained.

Note

Resizing a LokiStack triggers a rolling restart of components. Plan resizing during maintenance windows.

4.2. Loki deployment sizing

Sizing for Loki follows the format of 1x.<size> where the value 1x is number of instances and <size> specifies performance capabilities.

The 1x.pico configuration defines a single Loki deployment with minimal resource and limit requirements, offering high availability (HA) support for all Loki components. This configuration is suited for deployments that do not require a single replication factor or auto-compaction.

Disk requests are similar across size configurations, allowing customers to test different sizes to determine the best fit for their deployment needs.

Important

It is not possible to change the number 1x for the deployment size.

Table 4.1. Loki sizing

	1x.demo	1x.pico [6.1+ only]	1x.extra-small	1x.small	1x.medium
Data transfer	Demo use only	50GB/day	100GB/day	500GB/day	2TB/day
Queries per second (QPS)	Demo use only	1-25 QPS at 200ms	1-25 QPS at 200ms	25-50 QPS at 200ms	25-75 QPS at 200ms
Replication factor	None	2	2	2	2
Total CPU requests	None	7 vCPUs	14 vCPUs	34 vCPUs	54 vCPUs
Total CPU requests if using the ruler	None	8 vCPUs	16 vCPUs	42 vCPUs	70 vCPUs
Total memory requests	None	17Gi	31Gi	67Gi	139Gi
Total memory requests if using the ruler	None	18Gi	35Gi	83Gi	171Gi
Total disk requests	40Gi	590Gi	430Gi	430Gi	590Gi
Total disk requests if using the ruler	60Gi	910Gi	750Gi	750Gi	910Gi

4.3. Additional resources

Verifying cluster prerequisites for logging
Configuring object storage for LokiStack
Installing the Loki Operator

Chapter 5. Installing the Loki Operator

The Loki Operator deploys and manages a LokiStack instance that serves as the log store for logging. You can install the Loki Operator by using the OpenShift CLI (oc) or the OpenShift Container Platform web console.

5.1. Loki deployment sizing

Sizing for Loki follows the format of 1x.<size> where the value 1x is number of instances and <size> specifies performance capabilities.

Important

It is not possible to change the number 1x for the deployment size.

Table 5.1. Loki sizing

	1x.demo	1x.extra-small	1x.small	1x.medium
Data transfer	Demo use only	100GB/day	500GB/day	2TB/day
Queries per second (QPS)	Demo use only	1-25 QPS at 200ms	25-50 QPS at 200ms	25-75 QPS at 200ms
Replication factor	None	2	2	2
Total CPU requests	None	14 vCPUs	34 vCPUs	54 vCPUs
Total memory requests	None	31Gi	67Gi	139Gi
Total disk requests	40Gi	430Gi	430Gi	590Gi

5.2. Loki object storage

The Loki Operator supports AWS S3 and other S3-compatible object stores such as S3 Compatible storage (NetApp StorageGRID and others) and OpenShift Data Foundation. Azure, Google Cloud Storage (GCS), and Swift are also supported.

The recommended nomenclature for Loki storage is logging-loki-<your_storage_provider>.

The following table shows the type values within the LokiStack custom resource (CR) for each storage provider. For detailed configuration instructions for each provider, see Configuring object storage for LokiStack.

Table 5.2. Secret type quick reference

Storage provider	Secret `type` value
AWS	s3
Azure	azure
Google Cloud	gcs
S3 Compatible storage	s3
OpenShift Data Foundation	s3
Swift	swift

5.3. Installing the Loki Operator by using the CLI

Install the Loki Operator to manage the LokiStack log store by using the OpenShift CLI (oc).

Prerequisites

You have administrator permissions.
You have installed the OpenShift CLI (oc).
You have access to a supported object store.

Procedure

Create a Namespace object for the Loki Operator:
```
apiVersion: v1
kind: Namespace
metadata:
  name: openshift-operators-redhat
  labels:
    openshift.io/cluster-monitoring: "true"
```
metadata.name
You must specify openshift-operators-redhat as the namespace for the Loki Operator. The openshift-operators namespace might contain community Operators, which are untrusted and could publish metrics with the same name as OpenShift Container Platform metrics, causing conflicts.
metadata.labels."openshift.io/cluster-monitoring"
A string value that enables cluster monitoring to scrape this namespace.
Apply the Namespace object by running the following command:
```
$ oc apply -f <filename>.yaml
```

Create an OperatorGroup object:

apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: loki-operator
  namespace: openshift-operators-redhat
spec:
  upgradeStrategy: Default

Apply the OperatorGroup object by running the following command:
```
$ oc apply -f <filename>.yaml
```
Create a Subscription object for the Loki Operator:
```
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: loki-operator
  namespace: openshift-operators-redhat
spec:
  channel: stable-6.4
  installPlanApproval: Automatic
  name: loki-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace
```
spec.channel
Specify stable-6.4 as the channel.
spec.installPlanApproval
If the approval strategy in the subscription is set to Automatic, the update process initiates as soon as a new Operator version is available in the selected channel. If the approval strategy is set to Manual, you must manually approve pending updates.
spec.source
Specify redhat-operators as the value. If your OpenShift Container Platform cluster is installed on a restricted network, also known as a disconnected cluster, specify the name of the CatalogSource object that you created when you configured Operator Lifecycle Manager (OLM).
Warning
A community loki-operator package also exists in the community-operators catalog source. You must specify redhat-operators to install the supported Red Hat version. Using the wrong source installs the upstream community version with different channel names.
Apply the Subscription object by running the following command:
```
$ oc apply -f <filename>.yaml
```

Verify that the operator installed successfully by running the following command:

$ oc get csv -n openshift-operators-redhat

You get an output similar to the following example:

NAME                                     DISPLAY         VERSION                PHASE
loki-operator.v6.4.0   Loki Operator   6.4.0     Succeeded

5.4. Installing the Loki Operator by using the web console

Install the Loki Operator to manage the LokiStack log store from the OperatorHub by using the OpenShift Container Platform web console.

Prerequisites

You have administrator permissions.
You have access to the OpenShift Container Platform web console.
You have access to a supported object store (AWS S3, GCP, Azure, S3 Compatible storage, OpenShift Data Foundation, or Swift).

Procedure

In the OpenShift Container Platform web console Administrator perspective:
- For OpenShift Container Platform 4.19 or earlier, click Operators → OperatorHub.
- For OpenShift Container Platform 4.20 or later, click Ecosystem → Software Catalog.
Type Loki Operator in the Filter by keyword field. Click Loki Operator in the list of available Operators, and then click Install.
Important
The Community Loki Operator is not supported by Red Hat. Select the operator provided by Red Hat.
Select stable-6.4 as the Update channel.
The Loki Operator must be deployed to the global Operator group namespace openshift-operators-redhat, so the Installation mode and Installed Namespace are already selected. If this namespace does not already exist, it is created for you.
Select Enable Operator-recommended cluster monitoring on this namespace.
This option sets the openshift.io/cluster-monitoring: "true" label in the Namespace object. You must select this option to ensure that cluster monitoring scrapes the openshift-operators-redhat namespace.
For Update approval select Automatic, then click Install.
Note
An Operator might display a Failed status before the installation completes. If the Operator installation completes with an InstallSucceeded message, refresh the page.

Verification

Navigate to the Installed Operators page.
Verify that the Loki Operator displays with a Status of Succeeded.

5.5. Creating the openshift-logging namespace

The LokiStack instance and all logging workloads run in the openshift-logging namespace. Create this namespace if it does not already exist.

Procedure

Create a Namespace object:
```
apiVersion: v1
kind: Namespace
metadata:
  name: openshift-logging
  labels:
    openshift.io/cluster-monitoring: "true"
```
metadata.name
The openshift-logging namespace is dedicated for all logging workloads.
metadata.labels."openshift.io/cluster-monitoring"
A string value that enables cluster monitoring to scrape this namespace.
Apply the Namespace object by running the following command:
```
$ oc apply -f <filename>.yaml
```

5.6. Creating the object storage secret

Create a secret with the credentials for your S3-compatible object store. The Loki Operator requires this secret to configure the LokiStack to store log data.

Procedure

Create a Secret object with your object storage credentials. For provider-specific parameters, see the storage configuration documentation.
Example Secret object for AWS S3
```
apiVersion: v1
kind: Secret
metadata:
  name: logging-loki-s3
  namespace: openshift-logging
stringData:
  access_key_id: <your_access_key_id>
  access_key_secret: <your_secret_access_key>
  bucketnames: <your_bucket_name>
  endpoint: <your_s3_endpoint>
  region: <your_region>
```
metadata.name
Use the name logging-loki-s3 to match the reference in the LokiStack CR.
metadata.namespace
You must create this secret in the openshift-logging namespace.
access_key_id
Your S3 access key ID.
access_key_secret
Your S3 secret access key.
bucketnames
The name of a pre-created S3 bucket, for example loki.
endpoint
The full endpoint URL. For AWS: https://s3.<region>.amazonaws.com. For S3 Compatible storage: https://s3.example.com:9000.
region
The S3 region, for example us-east-1.
Note
The field names access_key_id, access_key_secret, bucketnames, and endpoint are specific to the Loki Operator. They do not match the standard AWS SDK environment variable names.
Apply the Secret object by running the following command:
```
$ oc apply -f <filename>.yaml
```

5.7. Next steps

Create the LokiStack custom resource
Install the Red Hat OpenShift Logging Operator
Configure log forwarding

5.8. Additional resources

Configuring object storage for LokiStack - Detailed configuration procedures for each storage provider
Installing the Red Hat OpenShift Logging Operator

Chapter 6. Installing the Red Hat OpenShift Logging Operator

The Red Hat OpenShift Logging Operator deploys and manages the log collector (Vector) that tails container logs and forwards them to a log store. You can install the Red Hat OpenShift Logging Operator by using the OpenShift CLI (oc) or the OpenShift Container Platform web console.

6.1. Installing the Red Hat OpenShift Logging Operator by using the CLI

Install the Red Hat OpenShift Logging Operator to manage log collection and forwarding by using the OpenShift CLI (oc).

Prerequisites

You have administrator permissions.
You have installed the OpenShift CLI (oc).
You have installed and configured the Loki Operator and deployed a LokiStack instance.
You have created the openshift-logging namespace.

Procedure

Create an OperatorGroup object:

apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: cluster-logging
  namespace: openshift-logging
spec:
  upgradeStrategy: Default

Apply the OperatorGroup object by running the following command:
```
$ oc apply -f <filename>.yaml
```
Create a Subscription object for the Red Hat OpenShift Logging Operator:
```
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: cluster-logging
  namespace: openshift-logging
spec:
  channel: stable-6.4
  installPlanApproval: Automatic
  name: cluster-logging
  source: redhat-operators
  sourceNamespace: openshift-marketplace
```
spec.channel
Specify stable-6.4 as the channel. This must match the channel used for the Loki Operator.
spec.source
Specify redhat-operators as the value. If your OpenShift Container Platform cluster is installed on a restricted network, specify the name of the CatalogSource object you created when you configured OLM.
Apply the Subscription object by running the following command:
```
$ oc apply -f <filename>.yaml
```

Verify that the operator installed successfully by running the following command:

$ oc get csv -n openshift-logging

You get an output similar to the following example:

NAME                                            DISPLAY                      VERSION                       PHASE
cluster-logging.v6.4.0   Red Hat OpenShift Logging   6.4.0     Succeeded

6.2. Creating the collector service account and RBAC

The log collector requires a service account with specific cluster roles to read container logs and write to the LokiStack.

Procedure

Create a service account for the log collector:
```
$ oc create sa logging-collector -n openshift-logging
```
Assign the required cluster roles to the service account:
```
$ oc adm policy add-cluster-role-to-user logging-collector-logs-writer \
    -z logging-collector -n openshift-logging
```
```
$ oc adm policy add-cluster-role-to-user collect-application-logs \
    -z logging-collector -n openshift-logging
```
```
$ oc adm policy add-cluster-role-to-user collect-infrastructure-logs \
    -z logging-collector -n openshift-logging
```
Note
These three cluster roles are created by the Red Hat OpenShift Logging Operator:
- logging-collector-logs-writer: Allows writing logs to the LokiStack.
- collect-application-logs: Allows reading application container logs.
- collect-infrastructure-logs: Allows reading infrastructure container logs.
If you also want to collect audit logs, add the collect-audit-logs cluster role.

Warning

You must grant the ClusterRoleBindings to the service account before adding the corresponding input type to the ClusterLogForwarder custom resource (CR). If you add an input type to the CR without the required RBAC binding, the entire log collector DaemonSet is destroyed and all log collection fails.

6.3. Creating the ClusterLogForwarder

Create a ClusterLogForwarder CR to define how logs are collected and where they are forwarded.

Procedure

Create a ClusterLogForwarder CR:
```
apiVersion: observability.openshift.io/v1
kind: ClusterLogForwarder
metadata:
  name: instance
  namespace: openshift-logging
spec:
  serviceAccount:
    name: collector
  outputs:
  - name: lokistack-out
    type: lokiStack
    lokiStack:
      target:
        name: logging-loki
        namespace: openshift-logging
      authentication:
        token:
          from: serviceAccount
    tls:
      ca:
        key: service-ca.crt
        configMapName: logging-loki-gateway-ca-bundle
  pipelines:
  - name: infra-app-logs
    inputRefs:
    - application
    - infrastructure
    outputRefs:
    - lokistack-out
```
spec.serviceAccount.name
Specify the service account created in the previous step.
outputs[0].type
Select the lokiStack output type to send logs to the LokiStack instance.
outputs[0].lokiStack.target.name
Must match the name of the LokiStack instance you created.
outputs[0].tls.ca
Required. The LokiStack gateway uses the OpenShift service-serving CA for TLS. Without this block, the collector fails with certificate verify failed: self-signed certificate in certificate chain.
pipelines[0].inputRefs
Select the log types to forward. Options: application, infrastructure, and audit.
Important
The tls.ca block is required when forwarding logs to a LokiStack in the same cluster. The LokiStack gateway endpoint uses a TLS certificate signed by the cluster’s service-serving CA, which is not in the system truststore. If you omit this block, the ClusterLogForwarder status might show Ready: True, but the collector pods fail to connect at runtime.
Apply the ClusterLogForwarder CR by running the following command:
```
$ oc apply -f <filename>.yaml
```

6.4. Installing the Red Hat OpenShift Logging Operator by using the web console

Install the Red Hat OpenShift Logging Operator to manage log collection and forwarding from the OperatorHub by using the OpenShift Container Platform web console.

Prerequisites

You have administrator permissions.
You have access to the OpenShift Container Platform web console.
You installed and configured the Loki Operator and deployed a LokiStack instance.

Procedure

In the OpenShift Container Platform web console Administrator perspective, go to Operators → OperatorHub.
Type Red Hat OpenShift Logging in the Filter by keyword field. Click Red Hat OpenShift Logging Operator in the list of available Operators, and then click Install.
Select stable-6.4 as the Update channel.
The Red Hat OpenShift Logging Operator must be deployed to the openshift-logging namespace, so the Installation mode and Installed Namespace are already selected. If this namespace does not already exist, it is created for you.
Select Enable Operator-recommended cluster monitoring on this namespace.
This option sets the openshift.io/cluster-monitoring: "true" label in the Namespace object. You must select this option to ensure that cluster monitoring scrapes the openshift-logging namespace.
For Update approval select Automatic, then click Install.
Note
An Operator might display a Failed status before the installation completes. If the Operator installation completes with an InstallSucceeded message, refresh the page.
While the Operator installs, create the service account for the log collector:
1. Click the + button in the top right of the screen to access the Import YAML page.
2. Enter the following YAML to create the service account:
```
apiVersion: v1
kind: ServiceAccount
metadata:
  name: logging-collector
  namespace: openshift-logging
```
3. Click Create.

Create the required cluster role bindings for the log collector. Click the + button again and enter the following YAML:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: logging-collector:write-logs
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: logging-collector-logs-writer
subjects:
- kind: ServiceAccount
  name: logging-collector
  namespace: openshift-logging
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: logging-collector:collect-application
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: collect-application-logs
subjects:
- kind: ServiceAccount
  name: logging-collector
  namespace: openshift-logging
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: logging-collector:collect-infrastructure
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: collect-infrastructure-logs
subjects:
- kind: ServiceAccount
  name: logging-collector
  namespace: openshift-logging

Note

If you also want to collect audit logs, add an additional ClusterRoleBinding with the cluster role collect-audit-logs.

Click Create.

Navigate to Operators → Installed Operators. Select the Red Hat OpenShift Logging Operator, and under Provided APIs, find the ClusterLogForwarder resource and click Create Instance.

Select YAML view, and then use the following template to create a ClusterLogForwarder CR:

apiVersion: observability.openshift.io/v1
kind: ClusterLogForwarder
metadata:
  name: instance
  namespace: openshift-logging
spec:
  serviceAccount:
    name: logging-collector
  outputs:
  - name: lokistack-out
    type: lokiStack
    lokiStack:
      target:
        name: logging-loki
        namespace: openshift-logging
      authentication:
        token:
          from: serviceAccount
    tls:
      ca:
        key: service-ca.crt
        configMapName: openshift-service-ca.crt
  pipelines:
  - name: infra-app-logs
    inputRefs:
    - application
    - infrastructure
    outputRefs:
    - lokistack-out

Important

The tls.ca block is required. Without it, the collector pods fail to connect to the LokiStack gateway with a certificate verify failed error. The ClusterLogForwarder status might show Ready: True even when this block is missing.

Click Create.

Verification

In the ClusterLogForwarder tab, verify that you see your ClusterLogForwarder instance.
In the Status column, verify that you see the following conditions:
- observability.openshift.io/Authorized
- observability.openshift.io/Valid, Ready

6.5. Creating the log file metric exporter

Create a LogFileMetricExporter custom resource (CR) to generate metrics about the logs produced by running containers. The Operator does not deploy the exporter by default, so you must create it manually.

Note

If you do not create the LogFileMetricExporter CR, the Produced Logs field in the OpenShift Container Platform web console dashboard shows No datapoints found.

Prerequisites

You have administrator permissions.
Ensure that you installed the Red Hat OpenShift Logging Operator.
You have installed the OpenShift CLI (oc).

Procedure

Create a LogFileMetricExporter CR as a YAML file:
```
apiVersion: logging.openshift.io/v1alpha1
kind: LogFileMetricExporter
metadata:
  name: instance
  namespace: openshift-logging
spec:
  nodeSelector: {}
  resources:
    limits:
      cpu: 500m
      memory: 256Mi
    requests:
      cpu: 200m
      memory: 128Mi
  tolerations: []
```
spec.nodeSelector
Optional: Define the nodes that the exporter pods run on.
spec.resources
Optional: Define CPU and memory resource limits and requests for the exporter.
spec.tolerations
Optional: Define tolerations that the exporter pods accept.
Note
The LogFileMetricExporter is a singleton. The Operator only honors openshift-logging/instance for the namespace and name.
Run the following command to apply the LogFileMetricExporter CR:
```
$ oc apply -f <filename>.yaml
```

Verification

Run the following command to verify that the logfilesmetricexporter pods are running:

$ oc get pods -l app.kubernetes.io/component=logfilesmetricexporter \
  -n openshift-logging

Example output

NAME                           READY   STATUS    RESTARTS   AGE
logfilesmetricexporter-9qbjj   1/1     Running   0          2m46s
logfilesmetricexporter-cbc4v   1/1     Running   0          2m46s

A logfilesmetricexporter pod runs concurrently with a collector pod on each node.

6.6. Enabling the Logs tab in the web console

To view logs in the OpenShift Container Platform web console under Observe → Logs, you must install the Cluster Observability Operator and create a UIPlugin CR.

Note

The Cluster Observability Operator is required for console-based log visualization. Without it, you can only query logs by using the CLI or the Loki API directly.

Prerequisites

You installed the Loki Operator and the Red Hat OpenShift Logging Operator.

Procedure

Install the Cluster Observability Operator.
The COO installs into the openshift-operators namespace, which already has a pre-existing OperatorGroup. No additional namespace or OperatorGroup configuration is required.
Create a UIPlugin CR:
```
apiVersion: observability.openshift.io/v1alpha1
kind: UIPlugin
metadata:
  name: logging
spec:
  type: Logging
  logging:
    lokiStack:
      name: logging-loki
    logsLimit: 50
    timeout: 30s
    schema: otel
```
metadata.name
Set the name to logging.
spec.type
Set the type to Logging.
spec.logging.lokiStack.name
Must match the name of your LokiStack instance.
spec.logging.schema
Set to otel, viaq, or select. The default is viaq if no value is specified. When you select select, you can select the mode in the UI when you run a query.
Note
The following are known issues for the logging UI plugin (OU-587):
The schema feature is only supported in OpenShift Container Platform 4.15 and later. In earlier versions, the logging UI plugin uses only the viaq attribute, ignoring any other values that might be set.
Non-administrator users cannot query logs by using the otel attribute with logging versions 5.8 to 6.2. (LOG-6589)
Apply the UIPlugin CR by running the following command:
```
$ oc apply -f <filename>.yaml
```
Refresh the OpenShift Container Platform web console. Navigate to Observe → Logs to verify that the Logs tab is available. You can also view aggregated logs for individual pods from the Aggregated Logs tab on a pod’s detail page.

6.7. Verifying the logging installation

After completing all installation steps, verify that the complete logging pipeline is working.

Procedure

Check that collector pods are running on each node:
```
$ oc get pods -n openshift-logging -l app.kubernetes.io/component=collector
```
You should see one collector pod per node in your cluster.
Check the collector logs for errors:
```
$ oc logs -n openshift-logging -l app.kubernetes.io/component=collector --tail=20
```
Healthy output has only WARN messages about small files. If you see certificate verify failed, verify the tls.ca block in your ClusterLogForwarder.
Query logs from the web console:
Click to Observe → Logs and run the following query:
```
{log_type="infrastructure"}
```
You should see infrastructure log entries from your cluster.

6.8. Troubleshooting the logging installation

The following table lists common issues that you might get when installing logging and their solutions.

Symptom	Solution
`ResolutionFailed` on the Loki Operator subscription	Verify the channel name and source. Run `oc get packagemanifest loki-operator -n openshift-marketplace` to check available channels. Ensure `source: redhat-operators` (not the community catalog).
`certificate verify failed: self-signed certificate in certificate chain` in collector logs	Add the `tls.ca` block to your `ClusterLogForwarder` output, referencing `configMapName: openshift-service-ca.crt` with `key: service-ca.crt`.
`429 Too Many Requests` in collector logs	Normal during initial ingestion. The collector is flushing a backlog of accumulated logs. This typically resolves within minutes.
No Logs tab under Observe	Install the Cluster Observability Operator and create the `UIPlugin` CR. Both steps are required.
`ClusterLogForwarder` status shows `Ready: True` but no logs appear	Check the collector pod logs. The `ClusterLogForwarder` validation passes even when the collector cannot connect to LokiStack. The most common cause is a missing TLS CA configuration.

Additional resources

Chapter 7. Installing the COO

The Cluster Observability Operator provides log visualization in the OpenShift Container Platform web console. Install the COO if you want to view and query logs under Observe → Logs in the web console.

Note

The COO is optional. You can collect, store, and forward logs without it by using only the Loki Operator and Red Hat OpenShift Logging Operator. Install the COO only if you need the web console visualization feature.

7.1. Installing the COO by using the CLI

Install the Cluster Observability Operator to enable log visualization in the OpenShift Container Platform web console by using the OpenShift CLI (oc).

Prerequisites

You have administrator permissions.
You have installed the OpenShift CLI (oc).

Procedure

Create a Subscription object for the COO:
```
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: cluster-observability-operator
  namespace: openshift-operators
spec:
  channel: development
  installPlanApproval: Automatic
  name: cluster-observability-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace
```
spec.channel
Specify development as the channel.
spec.namespace
The COO installs into the openshift-operators namespace, which already has a pre-existing OperatorGroup. No additional namespace or OperatorGroup configuration is required.
spec.source
Specify redhat-operators as the value. If your OpenShift Container Platform cluster is installed on a restricted network, specify the name of the CatalogSource object you created when you configured OLM.
Apply the Subscription object by running the following command:
```
$ oc apply -f <filename>.yaml
```
Verify that the operator installed successfully by running the following command:
```
$ oc get csv -n openshift-operators | grep cluster-observability
```
You get an output similar to the following example:
```
cluster-observability-operator.v0.4.2   Cluster Observability Operator   0.4.2   Succeeded
```

7.2. Installing the COO by using the web console

Install the Cluster Observability Operator to enable log visualization in the OpenShift Container Platform web console.

Prerequisites

You have access to the cluster with cluster-admin privileges.
You have access to the OpenShift Container Platform web console.

Procedure

In the OpenShift Container Platform web console, navigate to Operators → OperatorHub.
Type Cluster Observability Operator in the Filter by keyword box.
Select the Cluster Observability Operator tile and click Install.
On the Install Operator page:
1. Select development from the Update channel list.
2. Select openshift-operators from the Installed Namespace list.
  Note
  The COO must be installed in the openshift-operators namespace.
3. Select an Update approval strategy:
  - Automatic updates the Operator automatically when a new version is available.
  - Manual requires manual approval before updates are applied.
Click Install.

Verification

Navigate to Operators → Installed Operators.
Verify that the Cluster Observability Operator is listed with a status of Succeeded in the openshift-operators namespace.

7.3. Next steps

Enable the Logs tab in the web console

7.4. Additional resources

Installing the Loki Operator
Installing the Red Hat OpenShift Logging Operator
Cluster Observability Operator documentation

Chapter 8. Creating the LokiStack

Create a LokiStack custom resource (CR) to deploy the log store for application, audit, and infrastructure-related logs.

8.1. Prerequisites

You have installed the Loki Operator.
You have chosen an initial deployment size based on your cluster size. You will adjust the size after installation based on observed log volume.
You have configured object storage for LokiStack. See Configuring object storage for LokiStack.

Loki is a horizontally scalable, highly available, multi-tenant log aggregation system offered as a GA log store for logging for Red Hat OpenShift that can be visualized with the OpenShift Observability UI. The Loki configuration provided by OpenShift Logging is a short-term log store designed to enable users to perform fast troubleshooting with the collected logs. For that purpose, the logging for Red Hat OpenShift configuration of Loki has short-term storage, and is optimized for very recent queries.

Important

For long-term storage or queries over a long time period, users should look to log stores external to their cluster. Loki sizing is only tested and supported for short term storage, for a maximum of 30 days.

8.2. Creating a LokiStack custom resource by using the web console

You can create a LokiStack custom resource (CR) by using the OpenShift Container Platform web console.

Prerequisites

You have administrator permissions.
You have access to the OpenShift Container Platform web console.
You installed the Loki Operator.

Procedure

Go to the Operators → Installed Operators page. Click the All instances tab.
From the Create new drop-down list, select LokiStack.
Select YAML view, and then use the following template to create a LokiStack CR:
```
apiVersion: loki.grafana.com/v1
kind: LokiStack
metadata:
  name: logging-loki 1
  namespace: openshift-logging
spec:
  size: 1x.small 2
  storage:
    schemas:
      - effectiveDate: '2023-10-15'
        version: v13
    secret:
      name: logging-loki-s3 3
      type: s3 4
      credentialMode: 5
  storageClassName: <storage_class_name> 6
  tenants:
    mode: openshift-logging
```
1
Use the name logging-loki.
2
Specify the deployment size. In the logging 5.8 and later versions, the supported size options for production instances of Loki are 1x.extra-small, 1x.small, or 1x.medium.
3
Specify the secret used for your log storage.
4
Specify the corresponding storage type.
5
Optional field, logging 5.9 and later. Supported user configured values are as follows: static is the default authentication mode available for all supported object storage types using credentials stored in a Secret. token for short-lived tokens retrieved from a credential source. In this mode the static configuration does not contain credentials needed for the object storage. Instead, they are generated during runtime using a service, which allows for shorter-lived credentials and much more granular control. This authentication mode is not supported for all object storage types. token-cco is the default value when Loki is running on managed STS mode and using CCO on STS/WIF clusters.
6
Enter the name of a storage class for temporary storage. For best performance, specify a storage class that allocates block storage. Available storage classes for your cluster can be listed by using the oc get storageclasses command.

8.3. Fine grained access for Loki logs

The Red Hat OpenShift Logging Operator does not grant all users access to logs by default. As an administrator, you must configure your users' access unless the Operator was upgraded and prior configurations are in place. Depending on your configuration and need, you can configure fine grain access to logs using the following:

Cluster wide policies
Namespace scoped policies
Creation of custom admin groups

As an administrator, you need to create the role bindings and cluster role bindings appropriate for your deployment. The Red Hat OpenShift Logging Operator provides the following cluster roles:

cluster-logging-application-view grants permission to read application logs.
cluster-logging-infrastructure-view grants permission to read infrastructure logs.
cluster-logging-audit-view grants permission to read audit logs.

If you have upgraded from a prior version, an additional cluster role logging-application-logs-reader and associated cluster role binding logging-all-authenticated-application-logs-reader provide backward compatibility, allowing any authenticated user read access in their namespaces.

Note

Users with access by namespace must provide a namespace when querying application logs.

8.3.1. Cluster wide access

Cluster role binding resources reference cluster roles, and set permissions cluster wide.

Example ClusterRoleBinding

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: logging-all-application-logs-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-logging-application-view 1
subjects: 2
- kind: Group
  name: system:authenticated
  apiGroup: rbac.authorization.k8s.io

1: Additional ClusterRoles are cluster-logging-infrastructure-view, and cluster-logging-audit-view.
2: Specifies the users or groups this object applies to.

8.3.2. Namespaced access

RoleBinding resources can be used with ClusterRole objects to define the namespace a user or group has access to logs for.

Example RoleBinding

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: allow-read-logs
  namespace: log-test-0 1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-logging-application-view
subjects:
- kind: User
  apiGroup: rbac.authorization.k8s.io
  name: testuser-0

1: Specifies the namespace this RoleBinding applies to.

8.3.3. Custom admin group access

If you have a large deployment with several users who require broader permissions, you can create a custom group using the adminGroup field. Users who are members of any group specified in the adminGroups field of the LokiStack CR are considered administrators.

Administrator users have access to all application logs in all namespaces, if they also get assigned the cluster-logging-application-view role.

Example LokiStack CR

apiVersion: loki.grafana.com/v1
kind: LokiStack
metadata:
  name: logging-loki
  namespace: openshift-logging
spec:
  tenants:
    mode: openshift-logging 1
    openshift:
      adminGroups: 2
      - cluster-admin
      - custom-admin-group 3

1: Custom admin groups are only available in this mode.
2: Entering an empty list [] value for this field disables admin groups.
3: Overrides the default groups (system:cluster-admins, cluster-admin, dedicated-admin)

8.4. Creating a new group for the cluster-admin user role

Important

Querying application logs for multiple namespaces as a cluster-admin user, where the sum total of characters of all of the namespaces in the cluster is greater than 5120, results in the error Parse error: input size too long (XXXX > 5120). For better control over access to logs in LokiStack, make the cluster-admin user a member of the cluster-admin group. If the cluster-admin group does not exist, create it and add the desired users to it.

Use the following procedure to create a new group for users with cluster-admin permissions.

Procedure

Enter the following command to create a new group:
```
$ oc adm groups new cluster-admin
```
Enter the following command to add the desired user to the cluster-admin group:
```
$ oc adm groups add-users cluster-admin <username>
```
Enter the following command to add cluster-admin user role to the group:
```
$ oc adm policy add-cluster-role-to-group cluster-admin cluster-admin
```

8.5. Additional resources

Legal Notice

Except as otherwise noted below, the text of and illustrations in this documentation are licensed by Red Hat under the Creative Commons Attribution–Share Alike 3.0 Unported license . If you distribute this document or an adaptation of it, you must provide the URL for the original version.

Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.

Red Hat, the Red Hat logo, JBoss, Hibernate, and RHCE are trademarks or registered trademarks of Red Hat, LLC. or its subsidiaries in the United States and other countries.

Linux® is the registered trademark of Linus Torvalds in the United States and other countries.

XFS is a trademark or registered trademark of Hewlett Packard Enterprise Development LP or its subsidiaries in the United States and other countries.

The OpenStack® Word Mark and OpenStack logo are trademarks or registered trademarks of the Linux Foundation, used under license.

All other trademarks are the property of their respective owners.