From c7ff5314e571fc7027161c72f9c4a9b30fb512c4 Mon Sep 17 00:00:00 2001 From: Tian Feng Date: Fri, 22 May 2026 13:48:17 -0700 Subject: [PATCH 1/4] docs(policy-activity): note that Log action rules are not tracked Add a limitation entry clarifying that action: Log rules do not appear in policy activity logs since the Log action is outside the policy evaluation scope. Co-Authored-By: Claude Opus 4.6 --- .../version-3.23-1/observability/elastic/policy-activity.mdx | 1 + 1 file changed, 1 insertion(+) diff --git a/calico-enterprise_versioned_docs/version-3.23-1/observability/elastic/policy-activity.mdx b/calico-enterprise_versioned_docs/version-3.23-1/observability/elastic/policy-activity.mdx index 6291fd2521..e37d03b5fd 100644 --- a/calico-enterprise_versioned_docs/version-3.23-1/observability/elastic/policy-activity.mdx +++ b/calico-enterprise_versioned_docs/version-3.23-1/observability/elastic/policy-activity.mdx 
@@ -117,3 +117,4 @@ Compare the output from the steps above to identify unused resources: - **Logs require traffic**: Policy activity logs are only generated when a rule is evaluated by traffic. Resources that have never been hit will not appear in these logs. You cannot identify them by querying for "old" logs; you must identify them by their absence from the active log data (as performed in the comparison steps above). - **Long-lived connections**: A policy evaluation is logged only when a connection is established. If a connection remains open for a long duration (e.g., longer than your 90-day query window), the associated policy may not generate new logs, potentially making it appear "unused" despite actively carrying traffic. +- **Log action rules are not tracked**: Rules with `action: Log` are not recorded in policy activity logs. The `Log` action is a diagnostic tool that writes to the kernel log (iptables) or trace pipe (eBPF); it is not part of the policy evaluation scope tracked by policy activity. Only terminal actions (`Allow`, `Deny`, `Pass`) and their associated rules appear in policy activity logs. From b2bc490ff6428ae16a7e9fd93df7578e5a42d27a Mon Sep 17 00:00:00 2001 From: Tian Feng Date: Fri, 22 May 2026 14:22:10 -0700 Subject: [PATCH 2/4] fix(docs): move Log action limitation to correct doc file Move the Log action note from the versioned 3.23-1 policy-activity.mdx to the current review-unused-network-policies.mdx where it belongs. Co-Authored-By: Claude Opus 4.6 --- .../observability/review-unused-network-policies.mdx | 1 + .../version-3.23-1/observability/elastic/policy-activity.mdx | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/calico-enterprise/observability/review-unused-network-policies.mdx b/calico-enterprise/observability/review-unused-network-policies.mdx index fd29e36db0..69c22e2483 100644 --- a/calico-enterprise/observability/review-unused-network-policies.mdx 
+++ b/calico-enterprise/observability/review-unused-network-policies.mdx @@ -19,6 +19,7 @@ As your cluster grows, stale or unnecessary network policies and rules can accum **Limitations** - Policy activity data is not displayed for managed clusters running a version older than this release. +- Rules with `action: Log` are not tracked by policy activity. The `Log` action is a diagnostic tool that writes to the kernel log (iptables) or trace pipe (eBPF); it is not part of the policy evaluation scope. Only terminal actions (`Allow`, `Deny`, `Pass`) and their associated rules appear in policy activity data. ## View policy activity in the Manager UI diff --git a/calico-enterprise_versioned_docs/version-3.23-1/observability/elastic/policy-activity.mdx b/calico-enterprise_versioned_docs/version-3.23-1/observability/elastic/policy-activity.mdx index e37d03b5fd..6291fd2521 100644 --- a/calico-enterprise_versioned_docs/version-3.23-1/observability/elastic/policy-activity.mdx +++ b/calico-enterprise_versioned_docs/version-3.23-1/observability/elastic/policy-activity.mdx 
@@ -117,4 +117,3 @@ Compare the output from the steps above to identify unused resources: - **Logs require traffic**: Policy activity logs are only generated when a rule is evaluated by traffic. Resources that have never been hit will not appear in these logs. You cannot identify them by querying for "old" logs; you must identify them by their absence from the active log data (as performed in the comparison steps above). - **Long-lived connections**: A policy evaluation is logged only when a connection is established. If a connection remains open for a long duration (e.g., longer than your 90-day query window), the associated policy may not generate new logs, potentially making it appear "unused" despite actively carrying traffic. -- **Log action rules are not tracked**: Rules with `action: Log` are not recorded in policy activity logs. The `Log` action is a diagnostic tool that writes to the kernel log (iptables) or trace pipe (eBPF); it is not part of the policy evaluation scope tracked by policy activity. Only terminal actions (`Allow`, `Deny`, `Pass`) and their associated rules appear in policy activity logs. From c15da82ef3a7a94e26a55a34fad842fd9f018015 Mon Sep 17 00:00:00 2001 From: Tian Feng Date: Fri, 22 May 2026 14:23:29 -0700 Subject: [PATCH 3/4] Revert "fix(docs): move Log action limitation to correct doc file" This reverts commit b2bc490ff6428ae16a7e9fd93df7578e5a42d27a. --- .../observability/review-unused-network-policies.mdx | 1 - .../version-3.23-1/observability/elastic/policy-activity.mdx | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/calico-enterprise/observability/review-unused-network-policies.mdx b/calico-enterprise/observability/review-unused-network-policies.mdx index 69c22e2483..fd29e36db0 100644 --- a/calico-enterprise/observability/review-unused-network-policies.mdx +++ b/calico-enterprise/observability/review-unused-network-policies.mdx 
@@ -19,7 +19,6 @@ As your cluster grows, stale or unnecessary network policies and rules can accum **Limitations** - Policy activity data is not displayed for managed clusters running a version older than this release. -- Rules with `action: Log` are not tracked by policy activity. The `Log` action is a diagnostic tool that writes to the kernel log (iptables) or trace pipe (eBPF); it is not part of the policy evaluation scope. Only terminal actions (`Allow`, `Deny`, `Pass`) and their associated rules appear in policy activity data. ## View policy activity in the Manager UI diff --git a/calico-enterprise_versioned_docs/version-3.23-1/observability/elastic/policy-activity.mdx b/calico-enterprise_versioned_docs/version-3.23-1/observability/elastic/policy-activity.mdx index 6291fd2521..e37d03b5fd 100644 --- a/calico-enterprise_versioned_docs/version-3.23-1/observability/elastic/policy-activity.mdx +++ b/calico-enterprise_versioned_docs/version-3.23-1/observability/elastic/policy-activity.mdx 
@@ -117,3 +117,4 @@ Compare the output from the steps above to identify unused resources: - **Logs require traffic**: Policy activity logs are only generated when a rule is evaluated by traffic. Resources that have never been hit will not appear in these logs. You cannot identify them by querying for "old" logs; you must identify them by their absence from the active log data (as performed in the comparison steps above). - **Long-lived connections**: A policy evaluation is logged only when a connection is established. If a connection remains open for a long duration (e.g., longer than your 90-day query window), the associated policy may not generate new logs, potentially making it appear "unused" despite actively carrying traffic. +- **Log action rules are not tracked**: Rules with `action: Log` are not recorded in policy activity logs. The `Log` action is a diagnostic tool that writes to the kernel log (iptables) or trace pipe (eBPF); it is not part of the policy evaluation scope tracked by policy activity. Only terminal actions (`Allow`, `Deny`, `Pass`) and their associated rules appear in policy activity logs. From c19813189eab951108ed41fc6bbcd02389ef1c1a Mon Sep 17 00:00:00 2001 From: Tian Feng Date: Fri, 22 May 2026 14:23:46 -0700 Subject: [PATCH 4/4] docs: add Log action limitation to review-unused-network-policies Co-Authored-By: Claude Opus 4.6 --- .../observability/review-unused-network-policies.mdx | 1 + 1 file changed, 1 insertion(+) diff --git a/calico-enterprise/observability/review-unused-network-policies.mdx b/calico-enterprise/observability/review-unused-network-policies.mdx index fd29e36db0..69c22e2483 100644 --- a/calico-enterprise/observability/review-unused-network-policies.mdx +++ b/calico-enterprise/observability/review-unused-network-policies.mdx 
@@ -19,6 +19,7 @@ As your cluster grows, stale or unnecessary network policies and rules can accum **Limitations** - Policy activity data is not displayed for managed clusters running a version older than this release. +- Rules with `action: Log` are not tracked by policy activity. The `Log` action is a diagnostic tool that writes to the kernel log (iptables) or trace pipe (eBPF); it is not part of the policy evaluation scope. Only terminal actions (`Allow`, `Deny`, `Pass`) and their associated rules appear in policy activity data. ## View policy activity in the Manager UI
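Review bot: In the bullet added by PATCH 1 (versioned `policy-activity.mdx`) and repeated by PATCH 4 (`review-unused-network-policies.mdx`), calling `Pass` a "terminal action" is inaccurate and the reason given for `Log` being absent is imprecise. `Pass` does not end evaluation; it ends matching in the current tier and hands the packet to the next tier (or to profiles), so "Only terminal actions (`Allow`, `Deny`, `Pass`)" reads wrong to anyone who knows the tier model. `Log`, by contrast, does not consume the packet at all: matching continues with the next rule, so it never yields a per-rule verdict for policy activity to record. Suggest rewording along the lines of: "The `Log` action does not terminate rule matching (evaluation continues with the next rule), so it produces no verdict and is not recorded. Only rules whose action produces a verdict or hands off to the next tier (`Allow`, `Deny`, `Pass`) appear in policy activity data."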
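Review bot: PATCH 2 and PATCH 3 cancel each other out (PATCH 3 reverts b2bc490 line for line), so the series should be squashed before merge; as submitted it asks reviewers to read the same two hunks three times for a net one-line change per file. More importantly, the end state of the series is that the note lives in both `calico-enterprise_versioned_docs/version-3.23-1/observability/elastic/policy-activity.mdx` and `calico-enterprise/observability/review-unused-network-policies.mdx`, while PATCH 2's message says it was being moved to the current file "where it belongs". PATCH 4's message is a one-liner with no body; it should say whether keeping the 3.23-1 copy is intentional (that version has the same `action: Log` behaviour) or whether PATCH 1 should be dropped.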
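Review bot: The PATCH 4 hunk restates dataplane behaviour ("writes to the kernel log (iptables) or trace pipe (eBPF)") in a limitations list about policy activity, and the same sentence is now duplicated in the 3.23-1 file with slightly different surrounding wording ("policy evaluation scope tracked by policy activity" vs "policy evaluation scope"). Two hand-maintained copies of a dataplane detail will drift; keep the limitation to the observable fact ("Rules with `action: Log` are not tracked by policy activity") and link to the rule-action reference for where `Log` output goes rather than restating it here.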