openshift-docs/modules/logging-forward-splunk.adoc
Satyajeet Munje cc94fd4ee0 OBSDOCS-693
2024-04-24 18:11:38 +00:00


// Module included in the following assemblies:
//
// * observability/logging/log_collection_forwarding/configuring-log-forwarding.adoc
:_mod-docs-content-type: PROCEDURE
[id="logging-forward-splunk_{context}"]
= Forwarding logs to Splunk

You can forward logs to the link:https://docs.splunk.com/Documentation/Splunk/9.0.0/Data/UsetheHTTPEventCollector[Splunk HTTP Event Collector (HEC)] in addition to, or instead of, the internal default {product-title} log store.

[NOTE]
====
Using this feature with Fluentd is not supported.
====

.Prerequisites

* {clo} 5.6 or later
* A `ClusterLogging` instance with `vector` specified as the collector
* Base64-encoded Splunk HEC token

.Procedure

. Create a secret using your Base64-encoded Splunk HEC token.
+
[source,terminal]
----
$ oc -n openshift-logging create secret generic vector-splunk-secret --from-literal hecToken=<HEC_Token>
----

. Create or edit the `ClusterLogForwarder` Custom Resource (CR) using the template below:
+
[source,yaml]
----
apiVersion: logging.openshift.io/v1
kind: ClusterLogForwarder
metadata:
  name: <log_forwarder_name> <1>
  namespace: <log_forwarder_namespace> <2>
spec:
  serviceAccountName: <service_account_name> <3>
  outputs:
    - name: splunk-receiver <4>
      secret:
        name: vector-splunk-secret <5>
      type: splunk <6>
      url: <http://your.splunk.hec.url:8088> <7>
  pipelines: <8>
    - inputRefs:
        - application
        - infrastructure
      name: <9>
      outputRefs:
        - splunk-receiver <10>
----
<1> In legacy implementations, the CR name must be `instance`. In multi log forwarder implementations, you can use any name.
<2> In legacy implementations, the CR namespace must be `openshift-logging`. In multi log forwarder implementations, you can use any namespace.
<3> The name of your service account. The service account is only required in multi log forwarder implementations if the log forwarder is not deployed in the `openshift-logging` namespace.
<4> Specify a name for the output.
<5> Specify the name of the secret that contains your HEC token.
<6> Specify the output type as `splunk`.
<7> Specify the URL (including port) of your Splunk HEC.
<8> Specify which log types to forward by using the pipeline: `application`, `infrastructure`, or `audit`.
<9> Optional: Specify a name for the pipeline.
<10> Specify the name of the output to use when forwarding logs with this pipeline.
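
The following pre-apply check for the CR described by the callouts above is an added example, not part of the original module or of the Logging Operator. It assumes the CR has been loaded into a Python dict (for example from JSON output); `check_forwarder`, `LOG_TYPES` and the sample values are hypothetical names constructed for illustration.

```python
from urllib.parse import urlsplit

LOG_TYPES = {"application", "infrastructure", "audit"}

def check_forwarder(cr):
    """Return findings for the splunk outputs and the pipelines of a ClusterLogForwarder dict."""
    findings = []
    spec = cr.get("spec", {})
    outputs = {o.get("name"): o for o in spec.get("outputs", [])}
    inputs = LOG_TYPES | {i.get("name") for i in spec.get("inputs", [])}
    for name, out in outputs.items():
        if out.get("type") != "splunk":
            continue
        if not (out.get("secret") or {}).get("name"):
            findings.append(f"output {name}: no secret named for the HEC token")
        url = urlsplit(out.get("url", ""))
        try:
            port = url.port
        except ValueError:  # non-numeric or out-of-range port
            port = None
        if url.scheme not in ("http", "https") or not url.hostname:
            findings.append(f"output {name}: url is not an http(s) URL")
        elif port is None:
            findings.append(f"output {name}: url has no valid explicit port")
        if url.scheme == "http":
            findings.append(f"output {name}: http carries the HEC token in cleartext")
    for idx, pipe in enumerate(spec.get("pipelines", [])):
        label = pipe.get("name") or f"#{idx}"
        for ref in pipe.get("inputRefs", []):
            if ref not in inputs:
                findings.append(f"pipeline {label}: unknown input {ref}")
        for ref in pipe.get("outputRefs", []):
            if ref not in outputs:
                findings.append(f"pipeline {label}: undefined output {ref}")
    return findings

# Constructed sample: the template's shape with a plain-http URL and a misspelled outputRef.
SAMPLE = {
    "spec": {
        "outputs": [{"name": "splunk-receiver", "type": "splunk",
                     "secret": {"name": "vector-splunk-secret"},
                     "url": "http://splunk.example.com:8088"}],
        "pipelines": [{"inputRefs": ["application", "infrastructure"],
                       "outputRefs": ["splunk-reciever"]}],
    }
}

if __name__ == "__main__":
    for finding in check_forwarder(SAMPLE):
        print(finding)
```

An empty result means that every `splunk` output names a secret and a URL with an explicit port, and that every pipeline reference resolves.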