diff --git a/calico-enterprise/observability/review-unused-network-policies.mdx b/calico-enterprise/observability/review-unused-network-policies.mdx index fd29e36db0..69c22e2483 100644 --- a/calico-enterprise/observability/review-unused-network-policies.mdx +++ b/calico-enterprise/observability/review-unused-network-policies.mdx @@ -19,6 +19,7 @@ As your cluster grows, stale or unnecessary network policies and rules can accum **Limitations** - Policy activity data is not displayed for managed clusters running a version older than this release. +- Rules with `action: Log` are not tracked by policy activity. The `Log` action is a diagnostic tool that writes to the kernel log (iptables) or trace pipe (eBPF); it is not part of the policy evaluation scope. Only terminal actions (`Allow`, `Deny`, `Pass`) and their associated rules appear in policy activity data. ## View policy activity in the Manager UI diff --git a/calico-enterprise_versioned_docs/version-3.23-1/observability/elastic/policy-activity.mdx b/calico-enterprise_versioned_docs/version-3.23-1/observability/elastic/policy-activity.mdx index 6291fd2521..e37d03b5fd 100644 --- a/calico-enterprise_versioned_docs/version-3.23-1/observability/elastic/policy-activity.mdx +++ b/calico-enterprise_versioned_docs/version-3.23-1/observability/elastic/policy-activity.mdx 
@@ -117,3 +117,4 @@ Compare the output from the steps above to identify unused resources: - **Logs require traffic**: Policy activity logs are only generated when a rule is evaluated by traffic. Resources that have never been hit will not appear in these logs. You cannot identify them by querying for "old" logs; you must identify them by their absence from the active log data (as performed in the comparison steps above). - **Long-lived connections**: A policy evaluation is logged only when a connection is established. If a connection remains open for a long duration (e.g., longer than your 90-day query window), the associated policy may not generate new logs, potentially making it appear "unused" despite actively carrying traffic. +- **Log action rules are not tracked**: Rules with `action: Log` are not recorded in policy activity logs. The `Log` action is a diagnostic tool that writes to the kernel log (iptables) or trace pipe (eBPF); it is not part of the policy evaluation scope tracked by policy activity. Only terminal actions (`Allow`, `Deny`, `Pass`) and their associated rules appear in policy activity logs.
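Review bot: In the first hunk (the new Limitations bullet in `calico-enterprise/observability/review-unused-network-policies.mdx`), "Only terminal actions (`Allow`, `Deny`, `Pass`)" is misleading because `Pass` does not end evaluation; it hands the connection to the next policy or tier. Suggest "Only rules whose action affects the verdict (`Allow`, `Deny`, `Pass`) appear in policy activity data." The phrase "it is not part of the policy evaluation scope" is also vague for a reader deciding what to delete; since this page is about removing unused policies, state the consequence directly, e.g. "A `Log` rule never appears in policy activity data, so its absence there does not mean the rule is unused."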
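Review bot: In the second hunk (`policy-activity.mdx`, the "Log action rules are not tracked" bullet), the wording duplicates the first hunk almost verbatim, including the same "terminal actions" phrasing that misdescribes `Pass`; keep the two in sync and fix both, or reference one from the other. Since this bullet sits in the "Compare the output ... to identify unused resources" section, it should also close the loop for the reader: the comparison step above will list `Log` rules as never hit, so add a sentence telling the reader to exclude `action: Log` rules from the "unused" set rather than remove them based on this data.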