
We are using the Splunk forwarder that runs inside a Docker container. We want to use it to forward journal logs to Splunk. Here is what our inputs.conf file looks like:

[default]
host=<IP>
source=mesos
sourcetype=${SPLUNK_SOURCETYPE:-"application"}
index=main
[journald://my-stanza]

I think the container is unable to read the journal logs, so I mounted the appropriate volumes, but I am still unable to see the logs:

docker run -u 0 -d -v /var/log/journal:/var/log/journal -v /etc/machine-id:/etc/machine-id

Also, nowhere in the splunkd logs is there a mention of journald.

Has anyone had luck with this?

warren
ffff
  • Have you tried what's listed in docs.Splunk? https://docs.splunk.com/Documentation/Splunk/latest/Data/CollecteventsfromJournalD – warren Aug 02 '22 at 19:27
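An added diagnostic for the symptoms in the question (this is example code written here, not code from the question, from the commenter or from Splunk). It checks the two things the post points at: whether the bind-mounted journal directory actually contains a per-machine-id subdirectory that the container's /etc/machine-id resolves to, and whether splunkd.log mentions journald at all. The reason the machine-id matters: journald writes persistent logs under /var/log/journal/<machine-id>/, and journalctl by default reads only the local machine's journal, so a container with its own /etc/machine-id looks in a subdirectory that does not exist and reports nothing even when /var/log/journal is mounted. Function names, the splunkd.log location (normally $SPLUNK_HOME/var/log/splunk/splunkd.log) and the fixture built in demo() are assumptions of this example.

```shell
#!/bin/sh
# Added diagnostic for "forwarder in a container cannot see journald logs".
# Not part of the question or of Splunk; function names and the fixture in
# demo() are assumptions made for this example. Run it INSIDE the forwarder
# container so the mounts and uid are the ones splunkd actually gets.

# journal_dir_for_machine JOURNAL_DIR MACHINE_ID_FILE
# Print the per-machine directory journalctl would open
# (JOURNAL_DIR/<machine-id>). Returns 1 if the id file is missing or empty.
journal_dir_for_machine() {
    _jdir=$1
    _idfile=$2
    [ -r "$_idfile" ] || return 1
    _id=$(tr -d '[:space:]' < "$_idfile")
    [ -n "$_id" ] || return 1
    printf '%s/%s\n' "$_jdir" "$_id"
}

# check_journal_readable JOURNAL_DIR MACHINE_ID_FILE
# Return 0 when the per-machine directory exists, is traversable and holds at
# least one *.journal file; otherwise explain on stderr and return 1.
check_journal_readable() {
    _dir=$(journal_dir_for_machine "$1" "$2") || {
        echo "machine-id file '$2' is missing or empty" >&2
        return 1
    }
    if [ ! -d "$_dir" ]; then
        echo "no journal directory for this machine-id: $_dir" >&2
        echo "  (the container's /etc/machine-id probably differs from the host's)" >&2
        return 1
    fi
    if [ ! -r "$_dir" ] || [ ! -x "$_dir" ]; then
        echo "cannot read $_dir: check the uid/group the forwarder runs as" >&2
        return 1
    fi
    set -- "$_dir"/*.journal      # unmatched glob stays literal, so -f fails
    if [ ! -f "$1" ]; then
        echo "no *.journal files in $_dir" >&2
        return 1
    fi
    return 0
}

# count_log_mentions LOGFILE PATTERN
# Print how many lines of LOGFILE match PATTERN (case-insensitive), 0 if the
# file is unreadable. Used on splunkd.log to see whether the journald
# modular input was ever started by splunkd.
count_log_mentions() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -ic -- "$2" "$1" || true   # grep -c exits 1 on zero matches; keep the count
}

# diagnose JOURNAL_DIR MACHINE_ID_FILE SPLUNKD_LOG
# Run every check; return 0 only if all of them pass.
diagnose() {
    _rc=0
    if check_journal_readable "$1" "$2"; then
        echo "journal files for this machine-id are readable"
        # Splunk's journald input relies on journalctl; if it is present, let
        # it read the mounted directory as a second opinion.
        if command -v journalctl >/dev/null 2>&1; then
            if journalctl -D "$1" -n 1 -q >/dev/null 2>&1; then
                echo "journalctl can read entries from $1"
            else
                echo "journalctl could not read $1" >&2; _rc=1
            fi
        else
            echo "journalctl not found in this container" >&2; _rc=1
        fi
    else
        _rc=1
    fi
    _n=$(count_log_mentions "$3" journald)
    if [ "$_n" -eq 0 ]; then
        echo "no journald lines in $3: the [journald://] input likely never started" >&2
        _rc=1
    else
        echo "$3 mentions journald $_n time(s)"
    fi
    return $_rc
}

# demo: constructed fixture (fake ids, empty journal file, one made-up splunkd
# log line) showing the machine-id mismatch beside the matching case.
demo() {
    _t=$(mktemp -d)
    _hostid=0123456789abcdef0123456789abcdef
    printf '%s\n' "$_hostid" > "$_t/host-machine-id"
    printf 'fedcba9876543210fedcba9876543210\n' > "$_t/container-machine-id"
    mkdir -p "$_t/journal/$_hostid"
    : > "$_t/journal/$_hostid/system.journal"
    printf 'INFO  ExecProcessor - constructed sample line, no journald here\n' > "$_t/splunkd.log"
    echo "--- container with its own machine-id:"
    check_journal_readable "$_t/journal" "$_t/container-machine-id" || true
    echo "--- container with the host's machine-id mounted:"
    check_journal_readable "$_t/journal" "$_t/host-machine-id" && echo "ok"
    echo "--- journald mentions in splunkd.log: $(count_log_mentions "$_t/splunkd.log" journald)"
    rm -rf "$_t"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Usage: copy the script into the container and run `sh journal_diag.sh --demo` to see the fixture, or source it and call `diagnose /var/log/journal /etc/machine-id "$SPLUNK_HOME/var/log/splunk/splunkd.log"` against the real mounts. A failing first check with a mounted /var/log/journal almost always means the machine-id inside the container is not the host's; a zero count on the last check means the inputs.conf stanza was never picked up, which is a separate problem from the mounts.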

0 Answers