OpenShift can be configured to host an EFK stack that stores and indexes log data, but at some sites a log aggregation system is already in place. The default OpenShift fluentd image can be modified to forward messages directly to Splunk. Currently the disadvantage of this method is that no filtering can be done, so all messages are sent to Splunk.
This quickstart should be run on an installation of OpenShift Enterprise V3 with an existing EFK deployment.
The EFK stack should already be configured in the logging namespace.
Run the following commands to create the build configuration and ImageStream.
oc project logging
oc new-app registry.access.redhat.com/openshift3/logging-fluentd:latest~https://github.com/themoosman/openshift-fluentd-splunk.git
Add the following section to the ConfigMap to create a new Splunk configuration file. The example below will only forward kubernetes messages; to forward all messages, use the <store> block without the filter. Update the host with the correct Splunk hostname.
output-extra-splunk.conf: |
  <store kubernetes.**>
    @type splunk_ex
    host mysplunkserver
    port 9997
    output_format json
  </store>
Update the logging-fluentd daemonset to use the new fluentd image:
containers:
  - name: fluentd-elasticsearch
    image: 'logging/openshift-fluentd-splunk:latest'
Run the following commands to redeploy the fluentd pods.
oc project logging
oc delete pod -l component=fluentd
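The ConfigMap and daemonset steps above as one script, added here as an example and not part of the openshift-fluentd-splunk project: it builds both edits from the JSON that oc returns, refuses to apply the README's placeholder hostname, and only then replaces the objects and recycles the pods. The project, resource names and image reference come from the steps above; the replace-then-delete ordering in main() is an assumption.

```python
"""Added helper (not from the openshift-fluentd-splunk project): builds and checks the
README's ConfigMap and DaemonSet edits as JSON; main() assumes its project/resource names."""
import json
import subprocess
import sys

PLACEHOLDER_HOST = "mysplunkserver"  # sample host from the README; must be replaced

def render_splunk_store(host, port, pattern="kubernetes.**"):
    """Render the <store> block for output-extra-splunk.conf; pattern=None forwards everything."""
    if not host or host == PLACEHOLDER_HOST:
        raise ValueError("set the real Splunk receiver host, not %r" % host)
    if not 1 <= int(port) <= 65535:
        raise ValueError("port out of range: %r" % port)
    header = "<store %s>" % pattern if pattern else "<store>"
    lines = [header, "  @type splunk_ex", "  host %s" % host,
             "  port %d" % int(port), "  output_format json", "</store>"]
    return "\n".join(lines) + "\n"

def add_splunk_output(configmap, host, port, pattern="kubernetes.**"):
    """Return a copy of the logging-fluentd ConfigMap with the new key added."""
    cm = json.loads(json.dumps(configmap))  # deep copy; caller's object untouched
    cm.setdefault("data", {})["output-extra-splunk.conf"] = render_splunk_store(
        host, port, pattern)
    return cm

def set_fluentd_image(daemonset, image):
    """Point the fluentd-elasticsearch container at the rebuilt image."""
    ds = json.loads(json.dumps(daemonset))
    for c in ds["spec"]["template"]["spec"]["containers"]:
        if c["name"] == "fluentd-elasticsearch":
            c["image"] = image
            return ds
    raise KeyError("no fluentd-elasticsearch container in the DaemonSet")

def oc_json(*args):  # fetch a resource from the logging project as parsed JSON
    return json.loads(subprocess.check_output(
        ["oc", "-n", "logging"] + list(args) + ["-o", "json"]))

def main(host, port):
    cm = add_splunk_output(oc_json("get", "configmap", "logging-fluentd"), host, port)
    ds = set_fluentd_image(oc_json("get", "daemonset", "logging-fluentd"),
                           "logging/openshift-fluentd-splunk:latest")
    for obj in (cm, ds):  # replace both objects, then recycle the fluentd pods
        subprocess.run(["oc", "-n", "logging", "replace", "-f", "-"],
                       input=json.dumps(obj).encode(), check=True)
    subprocess.run(["oc", "-n", "logging", "delete", "pod", "-l", "component=fluentd"],
                   check=True)

if __name__ == "__main__":
    main(sys.argv[1], sys.argv[2])
```

Run it as `python3 script.py <splunk-host> 9997` from a shell already logged in with oc.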