Version 5.7 of our applications and Collectord includes bug fixes and a new input that forwards logs directly from journald.
For OpenShift clusters we recommended using
rsyslog to forward messages from
journald to the
And now you can uninstall rsyslog, if you don't need it anymore, and forward messages directly from journald.
You can find the reference for the journald input in the configurations for Docker, Kubernetes and OpenShift:

```
[input.journald]

# disable host level logs
disabled = false

# root location of log files
path = /rootfs/var/log/journal/

# when reach end of journald, how often to pull
pollingInterval = 250ms

# if you don't want to forward journald from the beginning,
# set the oldest event in relative value, like -14h or -30m or -30s (h/m/s supported)
startFromRel =

# override type
type = kubernetes_host_logs

# specify Splunk index
index =

# sample output (-1 does not sample, 20 - only 20% of the logs should be forwarded)
samplingPercent = -1

# sampling key (should be regexp with the named match pattern `key`)
samplingKey =

# set output (splunk or devnull, default is [general]defaultOutput)
output =
```
For Kubernetes and OpenShift clusters, include it in your ConfigMap in the file
002-daemonset.conf. If you are upgrading
from the previous version of the application, we recommend specifying
startFromRel = -1h
That tells Collectord to start reading journald from only one hour back. Assuming you have already forwarded
all the host logs from
/var/log/messages, this minimizes the amount of journald logs forwarded on the first start
and causes fewer duplicates in Splunk.
You can find more information about other minor updates by following the links below.
- Monitoring OpenShift - Release notes
- Monitoring Kubernetes - Release notes
- Monitoring Docker - Release notes