
We are running OpenShift Container Platform 3.4.1. It is using the Red Hat provided EFK aggregated logging solution to log to Elasticsearch. We've also enabled the secure forwarder to Splunk. Splunk is our strategic logging solution, so we only really want the logs to go there.

We also experience situations whereby ES has an issue, and the logs no longer get forwarded to Splunk.

I'd consider just building a standalone Fluentd solution (that sends to Splunk), but our users are now familiar with the way that aggregated logging enriches the data, and I don't think a standalone FluentD container would do that.

Does anyone know if it is possible to modify the aggregated logging so that it doesn't go to ES at all, and only uses the secure forwarder to send the data to Splunk? Or, drop the aggregated logging, and use a standard FluentD installation whilst maintaining the enrichment that aggregated logging provides?

BTW - it's only my second week with Openshift, so apologies if this is a vague or poor question :) Thanks M

MJM
  • There is a Splunk app for OpenShift that may help. Check out https://splunkbase.splunk.com/app/3836 – RichG Mar 16 '18 at 17:09
  • Co-founder of the company which built this app is here. You can find more details about our solution on our website https://www.outcoldsolutions.com/ also including the docs how to set it up (takes about 5 minutes). We currently provide configurations only for 3.6 and 3.7 versions of OpenShift, but 3.4 should not be a problem, considering that we support Kubernetes from version 1.5, I assume just small configuration changes can be required for our YAML configuration. Feel free to send me email denis@outcoldsolutions.com. @RichG thank you for suggesting our app! – outcoldman Mar 16 '18 at 19:41
  • At the moment, we'll need to try and do this without additional cost, and also can't change the format of the logs that are available in Splunk, as it would require re-educating our Dev teams. I was hoping that it would be possible to use FluentD secure forwarding to either send to Splunk directly, or indirectly through the Splunk Universal Forwarder, which is installed on our nodes. – MJM Mar 19 '18 at 14:18

0 Answers