Outcold Solutions - Monitoring Kubernetes, OpenShift and Docker in Splunk
Monitoring Docker in Splunk Monitoring Kubernetes in Splunk Monitoring OpenShift in Splunk Monitoring Linux in Splunk Monitoring Windows Containers in Splunk Forwarding Logs to Elasticsearch and OpenSearch Forwarding Logs to QRadar
Documentation Blog Contact Us Pricing Evaluation licenses Partners License Agreement Privacy Policy FAQ
ElasticSearch and OpenSearch

Configuration

Configurations

collectorforkubernetes-elasticsearch.yaml

Pick the manifest that matches your destination:

Deploying on OpenShift clusters

OpenShift’s default SCCs don’t allow the host-level access Collectord needs to read container logs and host metadata, so you have to grant the privileged SCC to its service account.

Save the following to collectorforkubernetes-scc.yaml and apply it with oc apply -f collectorforkubernetes-scc.yaml:

collectorforkubernetes-scc.yaml yaml
 1kind: SecurityContextConstraints
 2apiVersion: security.openshift.io/v1
 3metadata:
 4  name: collectorforkubernetes
 5allowHostDirVolumePlugin: true
 6allowHostIPC: true
 7allowHostNetwork: true
 8allowHostPID: true
 9allowHostPorts: true
10allowPrivilegeEscalation: true
11allowPrivilegedContainer: true
12readOnlyRootFilesystem: false
13allowedCapabilities:
14  - '*'
15allowedUnsafeSysctls:
16  - '*'
17fsGroup:
18  type: RunAsAny
19runAsUser:
20  type: RunAsAny
21seLinuxContext:
22  type: RunAsAny
23supplementalGroups:
24  type: RunAsAny
25seccompProfiles:
26  - '*'
27users:
28  - system:serviceaccount:collectorforkubernetes:collectorforkubernetes
29volumes:

List of Created Kubernetes Objects

Applying collectorforkubernetes-elasticsearch.yaml creates the following objects:

  • Namespace collectorforkubernetes — the namespace everything else lives in.
  • ClusterRole collectorforkubernetes — limited to get, list, and watch on the deployed objects. Collectord uses this read-only access to enrich logs and stats with Kubernetes metadata.
  • ServiceAccount collectorforkubernetes — used to authenticate against the Kubernetes API.
  • ClusterRoleBinding collectorforkubernetes — binds the service account to the cluster role.
  • ConfigMap collectorforkubernetes-elasticsearch — delivers configuration files to Collectord.
  • DaemonSet collectorforkubernetes-elasticsearch — runs Collectord on every node so each node can read its own container and host logs.
  • Deployment collectorforkubernetes-elasticsearch — a single Collectord instance for cluster-wide work that should only happen once (events, watched objects).

The collectorforkubernetes-elasticsearch.yaml file itself is heavily commented — read through it for a deeper look at every option and the source of every log type.