Outcold Solutions LLC

Monitoring Docker, OpenShift and Kubernetes - Version 5.7 - Journald input

March 19, 2019

Version 5.7 of our applications and Collectord includes bug fixes and a new input that forwards logs directly from journald.

Journald input

For OpenShift clusters we previously recommended using rsyslog to forward messages from journald to /var/log/messages. Now you can uninstall rsyslog, if you no longer need it, and forward messages directly from journald.

You can find the reference for the journald input in the configurations for Docker, Kubernetes and OpenShift. The section looks as follows:

# set to true to disable host-level logs
disabled = false

# root location of the journal files
path = /rootfs/var/log/journal/

# how often to poll once the end of the journal has been reached
pollingInterval = 250ms

# if you don't want to forward journald from the beginning,
# set the oldest event as a relative value, like -14h, -30m or -30s (h/m/s are supported)
startFromRel =

# override type
type = kubernetes_host_logs

# specify Splunk index
index =

# sampling (-1 disables sampling; 20 means only 20% of the logs are forwarded)
samplingPercent = -1

# sampling key (should be a regexp with the named match group `key`)
samplingKey =

# set output (splunk or devnull, default is [general]defaultOutput)
output =

For Kubernetes and OpenShift clusters, include it in your ConfigMap in the file 002-daemonset.conf. If you are upgrading from the previous version of the application, we recommend specifying

startFromRel = -1h

That tells Collectord to start reading journald from only one hour back. Since you have already forwarded all the host logs from /var/log/messages, this minimizes the amount of journald data forwarded on the first start and reduces duplicates in Splunk.
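To make the startFromRel window and the sampling options concrete, here is an added Python model of the behaviour described above; it is not Collectord's code. The relative-value parsing follows the documented h/m/s format; the sha256 bucketing, the rule that a message without a matching key is forwarded, and the sample journal entries are assumptions constructed for the example.

```python
import hashlib
import re
from datetime import datetime, timedelta, timezone

# startFromRel: negative relative value with an h/m/s suffix, e.g. -14h, -30m, -30s.
REL_RE = re.compile(r"^-(\d+)([hms])$")
UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}

def parse_start_from_rel(value):
    """Look-back window as a timedelta; empty means read the journal from the beginning."""
    value = value.strip()
    if not value:
        return None
    m = REL_RE.match(value)
    if not m:
        raise ValueError(f"unsupported startFromRel value: {value!r}")
    return timedelta(seconds=int(m.group(1)) * UNIT_SECONDS[m.group(2)])

def keep_by_sampling(message, sampling_percent, key_re):
    """samplingPercent -1 disables sampling; otherwise the named group `key` of the
    samplingKey regexp picks the value the decision is keyed on, so messages sharing
    a key are kept or dropped together (sha256 bucketing is our assumption)."""
    if sampling_percent < 0:
        return True
    m = key_re.search(message) if key_re else None
    if m is None:
        return True  # no key to sample on: forward rather than silently drop (assumption)
    bucket = int(hashlib.sha256(m.group("key").encode()).hexdigest(), 16) % 100
    return bucket < sampling_percent

def select_entries(entries, now, start_from_rel, sampling_percent=-1, sampling_key=""):
    """Apply the startFromRel cutoff, then sampling, to (timestamp, message) journal entries."""
    window = parse_start_from_rel(start_from_rel)
    cutoff = now - window if window else None
    key_re = re.compile(sampling_key) if sampling_key else None
    kept = []
    for ts, msg in entries:
        if cutoff is not None and ts < cutoff:
            continue  # older than the window: already shipped from /var/log/messages
        if keep_by_sampling(msg, sampling_percent, key_re):
            kept.append(msg)
    return kept

# Constructed sample journal entries (not real data), relative to a fixed "now".
NOW = datetime(2019, 3, 19, 12, 0, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    (NOW - timedelta(hours=3), "kubelet[1]: pod=web-1 synced"),
    (NOW - timedelta(minutes=30), "kubelet[1]: pod=web-2 synced"),
    (NOW - timedelta(minutes=5), "dockerd[2]: container start"),
]
```

With startFromRel = -1h only the two entries from the last hour are selected; the three-hour-old entry, which rsyslog would already have shipped, is skipped.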

You can find more information about other minor updates by following the links below.

Release notes

Upgrade instructions

Installation instructions


About Outcold Solutions

Outcold Solutions provides solutions for monitoring Kubernetes, OpenShift and Docker clusters in Splunk Enterprise and Splunk Cloud. We offer certified Splunk applications, which give you insights across all container environments. We help businesses reduce the complexity of logging and monitoring by providing easy-to-use and easy-to-deploy solutions for Linux and Windows containers. We deliver applications that help developers monitor their applications and operators keep their clusters healthy. With the power of Splunk Enterprise and Splunk Cloud, we offer one solution to keep all your metrics and logs in one place, allowing you to quickly address complex questions about container performance.