mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
65 lines
2.4 KiB
Plaintext
65 lines
2.4 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * observability/logging/log_collection_forwarding/configuring-log-forwarding.adoc
|
|
|
|
:_mod-docs-content-type: PROCEDURE
|
|
[id="logging-forward-splunk_{context}"]
|
|
= Forwarding logs to Splunk
|
|
|
|
You can forward logs to the link:https://docs.splunk.com/Documentation/Splunk/9.0.0/Data/UsetheHTTPEventCollector[Splunk HTTP Event Collector (HEC)] in addition to, or instead of, the internal default {product-title} log store.
|
|
|
|
[NOTE]
|
|
====
|
|
Using this feature with Fluentd is not supported.
|
|
====
|
|
|
|
.Prerequisites
|
|
* {clo} 5.6 or later
|
|
* A `ClusterLogging` instance with `vector` specified as the collector
|
|
* Base64 encoded Splunk HEC token
|
|
|
|
.Procedure
|
|
|
|
. Create a secret using your Base64 encoded Splunk HEC token.
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc -n openshift-logging create secret generic vector-splunk-secret --from-literal hecToken=<HEC_Token>
|
|
----
|
|
+
|
|
. Create or edit the `ClusterLogForwarder` Custom Resource (CR) using the template below:
|
|
+
|
|
[source,yaml]
|
|
----
|
|
apiVersion: logging.openshift.io/v1
|
|
kind: ClusterLogForwarder
|
|
metadata:
|
|
name: <log_forwarder_name> <1>
|
|
namespace: <log_forwarder_namespace> <2>
|
|
spec:
|
|
serviceAccountName: <service_account_name> <3>
|
|
outputs:
|
|
- name: splunk-receiver <4>
|
|
secret:
|
|
name: vector-splunk-secret <5>
|
|
type: splunk <6>
|
|
url: <http://your.splunk.hec.url:8088> <7>
|
|
pipelines: <8>
|
|
- inputRefs:
|
|
- application
|
|
- infrastructure
|
|
name: <9>
|
|
outputRefs:
|
|
- splunk-receiver <10>
|
|
----
|
|
<1> In legacy implementations, the CR name must be `instance`. In multi log forwarder implementations, you can use any name.
|
|
<2> In legacy implementations, the CR namespace must be `openshift-logging`. In multi log forwarder implementations, you can use any namespace.
|
|
<3> The name of your service account. The service account is only required in multi log forwarder implementations if the log forwarder is not deployed in the `openshift-logging` namespace.
|
|
<4> Specify a name for the output.
|
|
<5> Specify the name of the secret that contains your HEC token.
|
|
<6> Specify the output type as `splunk`.
|
|
<7> Specify the URL (including port) of your Splunk HEC.
|
|
<8> Specify which log types to forward by using the pipeline: `application`, `infrastructure`, or `audit`.
|
|
<9> Optional: Specify a name for the pipeline.
|
|
<10> Specify the name of the output to use when forwarding logs with this pipeline.
|