diff --git a/services/keycloak/logs-oidc-secret-ensure-job.yaml b/services/keycloak/logs-oidc-secret-ensure-job.yaml
index 9550d8b..11d48f9 100644
--- a/services/keycloak/logs-oidc-secret-ensure-job.yaml
+++ b/services/keycloak/logs-oidc-secret-ensure-job.yaml
@@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
- name: logs-oidc-secret-ensure-1
+ name: logs-oidc-secret-ensure-2
 namespace: sso
 spec:
 backoffLimit: 0
@@ -74,10 +74,17 @@ spec:
 fi
 if kubectl -n logging get secret oauth2-proxy-logs-oidc >/dev/null 2>&1; then
- exit 0
+ current_cookie="$(kubectl -n logging get secret oauth2-proxy-logs-oidc -o jsonpath='{.data.cookie_secret}' 2>/dev/null || true)"
+ if [ -n "${current_cookie}" ]; then
+ decoded="$(printf '%s' "${current_cookie}" | base64 -d 2>/dev/null || true)"
+ length="$(printf '%s' "${decoded}" | wc -c | tr -d ' ')"
+ if [ "${length}" = "16" ] || [ "${length}" = "24" ] || [ "${length}" = "32" ]; then
+ exit 0
+ fi
+ fi
 fi
- COOKIE_SECRET="$(openssl rand -base64 32 | tr -d '\n')"
+ COOKIE_SECRET="$(openssl rand -hex 16 | tr -d '\n')"
 kubectl -n logging create secret generic oauth2-proxy-logs-oidc \
 --from-literal=client_id="logs" \
 --from-literal=client_secret="${CLIENT_SECRET}" \