OCPBUGS-59523 - Update installation-usage.md to clarify audit log location

BhargaviGudi · saschagrunert · commit 7b7a517f7282 · 2025-10-14T09:27:42.000+02:00
OCPBUGS-59523 - Updated indentaion
diff --git a/installation-usage.md b/installation-usage.md
@@ -1009,11 +1009,27 @@ To enable a single pod log the activity following these steps:
    kubectl apply -f my-pod.yaml
    ```
 5. **Monitor the Audit Logs:**
-   
-   To monitor the audit log tail:
+
+   There are two ways to monitor audit logs generated by the json-enricher container:
+
+   a. To monitor the audit log tail:
    ```shell
    kubectl -n security-profiles-operator logs --since=1m --selector name=spod -c json-enricher --max-log-requests 6 -f
    ```
+   b. To monitor the audit log file:
+  
+   The audit log file specified in the auditLogPath is written to the node's file system where the pod is running. To monitor or inspect the audit logs, you must access the node directly and check the file at the   specified path (e.g., `/tmp/logs/audit1.log`).
+   
+   To monitor or inspect the audit logs, you need to:
+   1. Identify the node on which the pod is scheduled:
+   ```shell
+   kubectl get pod my-pod -o wide
+   ```
+   2. SSH to a node and view the audit log:
+   ```shell
+   sudo ssh core@<node-name>
+   cat /tmp/logs/audit1.log
+   ```
 By following above steps, you can enable and monitor audit logs in JSON lines format for your Kubernetes pods, 
 giving you better visibility into their activities.
 
