Skip to content

OSDOCS-12691 [ROSA] New Feature: Log Forwarder #104758

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
jc-berger wants to merge 5 commits into
base: main
Choose a base branch
from
Open

OSDOCS-12691 [ROSA] New Feature: Log Forwarder #104758

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
50fcc3b
ROSA-12691 New Feature: Log Forwarder
jc-berger Jan 13, 2026
421afd7
spacing to help titles
jc-berger Jan 13, 2026
381f0e9
dev, dec, and pm feedback
jc-berger Jan 15, 2026
49ecc34
dev feedback
jc-berger Jan 16, 2026
9c385c9
added list of applications for log groups
jc-berger Jan 16, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions _topic_maps/_topic_map_rosa_hcp.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -481,6 +481,8 @@ Distros: openshift-rosa-hcp
Topics:
- Name: Adding additional constraints for IP-based AWS role assumption
File: rosa-adding-additional-constraints-for-ip-based-aws-role-assumption
- Name: Forwarding control plane logs
File: rosa-forwarding-control-plane-logs
---
Name: Authentication and authorization
Dir: authentication
Expand Down
44 changes: 44 additions & 0 deletions modules/rosa-create-an-iam-role-policy.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
// Module included in the following assemblies:
//
// * security/rosa-forwarding-control-plane-logs.adoc
:_mod-docs-content-type: PROCEDURE
[id="rosa-create-an-iam-role-policy_{context}"]
= Creating an IAM role and policy

When you send your logs to a CloudWatch group or S3 bucket, those locations exist outside your control plane. You must create an IAM role and policy so that your log forwarder has the right permissions and capabilities to send these logs to your chosen destination, CloudWatch or S3.

.Procedure

. To enable the log forwarder delivery capability, prepare the IAM policy by creating an `assume-role-policy.json` file. Apply the following JSON sample:
Copy link
Contributor

@arendej arendej Jan 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Apply the following JSON sample:

It is not just a JSON sample, it is an actual IAM policy.

+
[source,json]
----
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::859037107838:role/ROSA-CentralLogDistributionRole-241c1a86"
},
"Action": "sts:AssumeRole"
}
]
}
----
+
. To enable the log forwarder distribution capability, create an IAM role that must include the `CustomerLogDistribution` name by running the following command:
+
[source,terminal]
----
$ aws iam create-role \
--role-name CustomerLogDistribution-RH \
--assume-role-policy-document file://assume-role-policy.json
----

.Next steps
Copy link
Contributor Author

@jc-berger jc-berger Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bhardesty and @willkutler Aarin and I discussed about making it clear to users that they must set up cloudwatch OR S3, and how they can't do both.

What do you all think about this user flow how as a "next step" users are prompting to selecting one course of action and are given a link to jump them to that specific procedure?

William, am I correct about the benefits of CloudWatch and S3? What I wrote is what I obtained through my research.

Copy link

@willkutler willkutler Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just to clarify, users can only select cloudwatch or s3 for each log forwarder, but they can configure both (and we explicitly allow them to in the ROSA CLI interactive flow) - it just requires two log forwarders, one for s3 and one for CW.

as for the benefits of each that looks ok to me but would have Aaren sign off on it

Copy link
Contributor Author

@jc-berger jc-berger Jan 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@willkutler cool, thanks, I state now that they can do both, but they can also choose. It's good we provide the benefit of both types so they know if they only want to do one, or both, depending on their logging needs!

Copy link
Contributor

@bhardesty bhardesty Jan 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jc-berger I think this makes sense; however, it might be a bit tricky to implement for a couple reasons:

  • Xrefs are only allowed in assemblies, not modules. So these xrefs would need to be moved to the assembly.
  • The .Additional resources section in an assembly can only include the xref target and name. You can't include any text outside of that.
  • Due to DITA pre-migration requirements, assemblies can't include any "Next steps" sections. So you can't just move this entire section to the assembly.

To work around these issues, I think you'll need to do the following:

  1. Keep the .Next steps section in the module, with all of the explanation about the two options. Remove the xrefs.
  2. In "Setting up the CloudWatch log group" and "Setting up the S3 bucket", explain why you would choose that particular option.

If you really want to include xrefs to these procedures, the only way to do it is at the assembly level as "additional resources". I'd suggest not bothering with that, because I think it will look fairly redundant (there will be links pointing to the very next procedure). However, if you do want to try this, you'd need to add this to the assembly:

...
include::modules/rosa-create-an-iam-role-policy.adoc[leveloffset=+1]

[role="_additional-resources"]
[id="additional-resources_rosa-configuring-the-log-forwarder"]
.Additional resources

* xref:../modules/rosa-set-up-cloudwatch-log-group.adoc#rosa-set-up-cloudwatch-log-group[Setting up the CloudWatch log group]
* xref:../modules/rosa-set-up-s3-bucket.adoc#rosa-set-up-s3-bucket[Setting up the S3 bucket]
...


After you create an IAM role and policy, you must decide to send your control plane logs to either a CloudWatch log group, a S3 bucket, or both:

* CloudWatch is typically more expensive than S3. CloudWatch is recommended when you have logs requiring immediate action or organization. To set up CloudWatch, complete the following documentation: xref:../modules/rosa-set-up-cloudwatch-log-group.adoc#rosa-set-up-cloudwatch-log-group[Setting up the CloudWatch log group].
* S3 is typically less expensive than CloudWatch. S3 is recommended when you have logs needing long-term storage or large-scale data analysis. To set up CloudWatch, complete the following documentation: xref:../modules/rosa-set-up-s3-bucket.adoc#rosa-set-up-s3-bucket[Setting up the S3 bucket].
Copy link
Contributor

@bhardesty bhardesty Jan 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* S3 is typically less expensive than CloudWatch. S3 is recommended when you have logs needing long-term storage or large-scale data analysis. To set up CloudWatch, complete the following documentation: xref:../modules/rosa-set-up-s3-bucket.adoc#rosa-set-up-s3-bucket[Setting up the S3 bucket].
* S3 is typically less expensive than CloudWatch. S3 is recommended when you have logs needing long-term storage or large-scale data analysis. To set up S3, complete the following documentation: xref:../modules/rosa-set-up-s3-bucket.adoc#rosa-set-up-s3-bucket[Setting up the S3 bucket].

14 changes: 14 additions & 0 deletions modules/rosa-manage-control-plane-log-forwarding.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
// Module included in the following assemblies:
//
// * security/rosa-configuring-the-log-forwarder.adoc
:_mod-docs-content-type: REFERENCE
[id="rosa-manage-control-plane-log-forwarding.adoc_{context}"]
= Managing control plane log forwarding

After you configure the {product-title} clusters to use your selected log forwarder for managing control plane logs, see the following commands to run based on your specific needs. For all of these commands, you must provide the `clusterid` in the `--cluster` flag:
Copy link
Contributor

@arendej arendej Jan 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

selected log forwarder for managing control plane logs

to

selected log forwarder for control plane logs

Copy link
Contributor

@arendej arendej Jan 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

clusterid in the --cluster flag

to

clusterid or cluster name in the --cluster flag


* `rosa create log-forwarder -c <cluster_name|cluster_id>` Configures your ROSA cluster to use the log forwarder.
* `rosa list log-forwarder -c <cluster_name|cluster_id>`: Displays all the log forwarder configurations attributed to that ROSA cluster.
* `rosa describe log-forwarder -c <cluster_name|cluster_id> <log-fwd-id>`: Provides more than the basic details for that specific log forwarder.
* `rosa edit log-forwarder -c <cluster_name|cluster_id> <log-fwd-id>`: Enables you to make changes to the log forwarder.
* `rosa delete log-forwarder -c <cluster_name|cluster_id> <log-fwd-id>`: Deletes the log forwarder for all specified ROSA clusters.
84 changes: 84 additions & 0 deletions modules/rosa-set-up-cloudwatch-log-group.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,84 @@
// Module included in the following assemblies:
//
// * security/rosa-forwarding-control-plane-logs.adoc
:_mod-docs-content-type: PROCEDURE
[id="rosa-set-up-cloudwatch-log-group.adoc_{context}"]
= Setting up the CloudWatch log group

Set up the CloudWatch log group for the log forwarder to send logs to by completing the following steps:

.Procedure

. Create the CloudWatch log group by running the following command:
+
[source,terminal]
----
$ aws logs create-log-group –log-group-name <your_log_group_name>
----
+
. Go to your chosen ROSA cluster and configure the log forwarder to use the CloudWatch log group by applying the following JSON sample:
+
[source,json]
----
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CreatePutLogs",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "<your_log_group_arn>:*"
},
{
"Sid": "DescribeLogs",
"Effect": "Allow",
"Action": [
"logs:DescribeLogGroups",
"logs:DescribeLogStreams"
],
"Resource": "*"
}
]
}
----
+
. Attached the policy to the CloudWatch role by running the following command:
+
[source,terminal]
----
$ aws iam put-role-policy \
--role-name CustomerLogDistribution-RH \
--policy-name Allow-CloudWatch-Writes \
--policy-document file://cloudwatch-policy.json
----
+
. Enable the log forwarder to send logs to your ROSA cluster.
.. To create a new cluster for the log forwarder, run the following command:
+
[source,terminal]
----
$ rosa create cluster --log-fwd-config="<path_to_file>.yaml"
----
+
.. To use an existing cluster, run the following command:
+
[source,terminal]
----
$ rosa create log-forwarder -c <cluster> --log-fwd-config="<path_to_file>.yaml"
----
+
. Configure your ROSA cluster to access logs from the CloudWatch log group by applying the following YAML sample:
Copy link
Contributor

@arendej arendej Jan 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this mean the feature pulls logs from Cloudwatch that it just forwarded to Cloudwatch?

@jc-berger @willkutler

+
[source,yaml]
----
cloudwatch:
cloudwatch_log_role_arn: "arn:aws:iam::123456789012:role/RosaCloudWatch"
cloudwatch_log_group_name: "rosa-logs"
applications: "<your chosen application>"
groups: "<your chosen log group>"
----
.. For the `applications` property, you can choose any application, for example, `cluster-api`.
Copy link
Contributor

@arendej arendej Jan 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For the applications property, you can choose any application, for example, cluster-api.

What are all the applications I can use here? Are they specific to each group or common across all groups?

.. For the `groups` property, you can choose any of the following: `API`, `Authentication`, `Controller Manager`, `Scheduler`, and `Other`.
81 changes: 81 additions & 0 deletions modules/rosa-set-up-s3-bucket.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,81 @@
// Module included in the following assemblies:
//
// * security/rosa-forwarding-control-plane-logs.adoc
:_mod-docs-content-type: PROCEDURE
[id="rosa-set-up-s3-bucket.adoc_{context}"]
= Setting up the S3 bucket

Set up the S3 bucket for the log forwarder to send logs to by completing the following steps:

.Procedure

. Create the S3 bucket by running the following command:
+
[source,terminal]
----
$ aws s3api create-bucket \
--bucket <your_s3_bucket_name> \
--region <your_aws_region> \
--create-bucket-configuration LocationConstraint=<cluster_aws_region>
----
+
. Configure the policy for the S3 bucket by applying the following JSON sample:
Copy link
Contributor

@arendej arendej Jan 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

JSON sample

it is a S3 bucket policy, not a JSON sample.

+
[source,json]
----
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCentralLogDistributionWrite",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::859037107838:role/ROSA-CentralLogDistributionRole-241c1a86"
Copy link

@felixkrohn felixkrohn Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since we have an IAM role that is assumed by arn:aws:iam::859037107838:role/ROSA-CentralLogDistributionRole-241c1a86, shouldn't the principal here be the ARN of the newly created IAM-role?

Copy link
Contributor Author

@jc-berger jc-berger Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@felixkrohn thanks! I looked at the ARN that we provided in the "creating an iam role" section, and it looks the same as the one here. Unless you see something I don't?

Here's the IAM role ARN:

"Principal": {
"AWS": "arn:aws:iam::859037107838:role/ROSA-CentralLogDistributionRole-241c1a86"

Copy link

@felixkrohn felixkrohn Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jc-berger Yes, it's maybe more of an question regarding architecture than pure docs - feel free to tag anyone else who might be able to chip in here.

From my understanding:

  • When in my AWS Account X I provide an IAM role X:Y
  • which is then assumed by 859037107838:role/ROSA-CentralLogDistributionRole-241c1a86,
  • all further accesses within my Account X would then appear as issued by X:Y

consequently, my bucket policy should control accesses by X:Y and not by 859037107838:role/ROSA-CentralLogDistributionRole-241c1a86?

However, I noticed that the IAM role has never been assumed by anyone in my S3-only case, and audit logging only works when the bucket policy is set up as currently described in the documentation. Which is fine as well, but in that (S3) case the IAM part could be skipped?

(UNLESS I enable S3 bucket encryption using SSE-KMS, in which case this mechanism fails.)

Copy link
Contributor Author

@jc-berger jc-berger Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@felixkrohn thanks for the follow up and explanation!

@willkutler could you help here?

To me, if the ARN lines up with one another, I thought we were good, so not sure where to move forward here.

Copy link

@willkutler willkutler Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@psav may be a better person to ask about this - I'm more familiar with the customer facing API/CLI side rather than how the roles are used. In any case, the way we should document here is the way they are intended to be set up for use with log forwarding, which the existing doc explains correctly

},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::<your_s3_bucket_name>/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
]
}
----
+
. Attached the policy to the S3 role by running the following command:
Copy link
Contributor

@arendej arendej Jan 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Attach

+
[source,terminal]
----
$ aws s3api put-bucket-policy \
--bucket <your_s3_bucket_name> \
--policy file://s3-bucket-policy.json
----
+
. Enable the log forwarder to send logs to your ROSA cluster.
Copy link
Contributor

@arendej arendej Jan 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same question as earlier... Is the feature sending logs from S3 to the cluster?

.. To create a new cluster for the log forwarder, run the following command:
Copy link
Contributor

@arendej arendej Jan 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This sounds like I must create a new cluster for the log forwarder.
Could this become:

"To enable control plane log forwarding on a new cluster, include the log-fwd-config as shown:"
?

+
[source,terminal]
----
$ rosa create cluster --log-fwd-config="<path_to_file>.yaml"
----
+
.. To use an existing cluster, run the following command:
Copy link
Contributor

@arendej arendej Jan 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Following the last comment, could this become:

"To enable control plane log forwarding on an existing cluster, include the log-fwd-config as shown:"

+
[source,terminal]
----
$ rosa create log-forwarder -c <cluster> --log-fwd-config="<path_to_file>.yaml"
----
+
. Configure your ROSA cluster to access logs from the S3 bucket by applying the following YAML sample:
Copy link
Contributor

@arendej arendej Jan 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same question as before... is the feature shipping logs from S3 to the cluster?

+
[source,yaml]
----
s3:
s3_config_bucket_name: "my-log-bucket"
s3_config_bucket_prefix: "my-bucket-prefix"
applications: "<your chosen application>"
groups: "<your chosen log group>"
----
.. For the `applications` property, you can choose any application, for example, `cluster-api`.
Copy link
Contributor

@arendej arendej Jan 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same as with Cloudwatch earlier.. what are the applications? are they specific to a group or global?

.. For the `groups` property, you can choose any of the following: `API`, `Authentication`, `Controller Manager`, `Scheduler`, and `Other`.
96 changes: 96 additions & 0 deletions security/rosa-forwarding-control-plane-logs.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,96 @@
:_mod-docs-content-type: ASSEMBLY
[id="rosa-forwarding-control-plane-logs_{context}"]
= Forwarding control plane logs

include::_attributes/attributes-openshift-dedicated.adoc[]
include::_attributes/common-attributes.adoc[]
:context: rosa-configuring-the-log-forwarder

toc::[]

[role="_abstract"]
With {product-title} you have a control plane log forwarder that is a separate system outside your cluster. You can use the control plane log forwarder to send your logs to either a CloudWatch group or S3 bucket, depending on your preference.

If you build the control plane logs yourself, you must make log forwarding part of the workloads in your cluster. Since the {product-title} log forwarder is in a control plane outside your cluster, it does not take up space or consume resources in your cluster. The {product-title} log forwarder gives your workloads and cluster more bandwidth, making your development processes simpler.
Copy link
Contributor

@arendej arendej Jan 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it does not take up space or consume resources in your cluster.

maybe instead:

it does not contend with resources in your cluster.

Copy link
Contributor

@arendej arendej Jan 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The {product-title} log forwarder gives your workloads and cluster more bandwidth, making your development processes simpler.

It does not give more bandwidth. Please remove this sentence.


*IMPORTANT:* When you forward control plane logs, you must decide on what log groups you want to use. Log groups cost money, so the more log groups you have, the more money you spend. See the following table to help you decide what log groups you need before you begin to forward your control plane logs:
Copy link
Contributor

@arendej arendej Jan 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When you forward control plane logs, you must decide on what log..

should be

When you forward control plane logs to Cloudwatch, you must decide on what log..


|====
| Log group name| Benefit of that log group| Applications available for that log group

| API
Copy link
Contributor Author

@jc-berger jc-berger Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@willkutler I researched all the log groups, so please let me know if my description of their benefits are good.

I don't have to keep the redundant structure of "Helps..." I simply didn't want to guarantee anything and didn't think repetition is bad in a table. But let me know what you think!

Copy link

@willkutler willkutler Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@psav could you take a look at the group descriptions since I believe you originally set up the groups on the api gateway?

@jc-berger a couple thoughts on the structure here:

  • "All" is not a group that can be set, users would need to list all the groups to get the logs from all of them
  • "Other" is a group containing all logs not in the 4 groups listed here that should probably be mentioned
  • do we want to list the applications contained in each group in the docs? maybe more of a question for Aaren

Copy link
Contributor Author

@jc-berger jc-berger Jan 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@psav and @willkutler I made the change to include "other" Please let me know how these descriptions look.

And yes, I'll need additional insight from Aaren if we're including a list of applications contained in each of these log groups.

Copy link
Contributor Author

@jc-berger jc-berger Jan 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added a list of applications to the table, thank you, William!

I think it's great info for users. Something to consider: the table is now very long. Combining the table with the introductory content, the whole introduction is definitely on the long side before users begin the procedures, the actual action steps.

A long introduction isn't necessarily bad, but I did want to bring it up as we continue to iterate and improve.

@bhardesty tagging you too in case you have opinions about the table and intro/abstract

Copy link

@willkutler willkutler Jan 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with Aaren's comment in slack on the length, I think it's best to give customers all the info

Copy link
Contributor

@bhardesty bhardesty Jan 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jc-berger This does seem like important information to include. I suggest moving the table and the paragraph that introduces it to a reference module, and calling it something like, "Determining which log groups to use".

| Records every request made to the cluster. Helps security by detecting unauthorized access attempts.
a|
* `audit-webhook`
* `kube-apiserver`
* `oauth-openshift`
* `openshift-apiserver`
* `openshift-oauth-apiserver`
* `packageserver`
* `validation-webhook`

| Authentication
| Tracks login attempts and requests for tokens. Helps you access the cluster even if your `oc login` does not work.
Copy link
Contributor

@arendej arendej Jan 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Helps you access the cluster even if your oc login does not work.

this does not make sense here.

a|
* `ignition-server`
* `konnectivity-agent`

| Controller manager
| Monitors the controllers that watch the state of your clusters. Helps explain the difference between the actual state of your cluster and your desired state for it.
a|
* `aws-ebs-csi-driver-controller`
* `capi-provider-controller-manager`
* `catalog-operator`
* `cloud-controller-manager`
* `cloud-credential-operator`
* `cloud-network-config-controller`
* `cluster-network-operator`
* `cluster-node-tuning-operator`
* `cluster-policy-controller`
* `cluster-version-operator`
* `control-plane-operator`
* `control-plane-pki-operator`
* `csi-snapshot-controller-operator`
* `csi-snapshot-controller`
* `dns-operator`
* `hosted-cluster-config-operator`
* `ingress-operator`
* `kube-controller-manager`
* `machine-approver`
* `multus-admission-controller`
* `network-node-identity`
* `olm-operator`
* `openshift-controller-manager`
* `openshift-route-controller-manager`
* `ovnkube-control-plane`

| Scheduler
| Records the placement of each pod on every node. Helps you understand why pods are stuck in a `Pending` state.
a|
* `kube-scheduler`

| Other
| Any log group different than `API`, `Authentication`, `Controller manager`, or `Scheduler`.
a|
* `certified-operators-catalog`
* `cluster-api`
* `community-operators-catalog`
* `etcd`
* `private-router`
* `redhat-marketplace-catalog`
* `redhat-operators-catalog`
|====

[id="prerequisites_{context}"]
== Prerequisites

* You have installed and configured the latest {rosa-cli} on your installation host.

include::modules/rosa-create-an-iam-role-policy.adoc[leveloffset=+1]

include::modules/rosa-set-up-cloudwatch-log-group.adoc[leveloffset=+1]

include::modules/rosa-set-up-s3-bucket.adoc[leveloffset=+1]

include::modules/rosa-manage-control-plane-log-forwarding.adoc[leveloffset=+1]