Outcold Solutions - Monitoring Kubernetes, OpenShift and Docker in Splunk
Monitoring Docker in Splunk Monitoring Kubernetes in Splunk Monitoring OpenShift in Splunk Monitoring Linux in Splunk Monitoring Windows Containers in Splunk Forwarding Logs to Elasticsearch and OpenSearch Forwarding Logs to QRadar
Documentation Blog Contact Us Pricing Evaluation licenses Partners License Agreement Privacy Policy FAQ
ElasticSearch and OpenSearch

Security

This page covers what Collectord runs as, what it touches on the host and the cluster, and what you can lock down. If you’re walking through a security review, this is the short version of the answers.

Collector

Image

Starting from version 5.2, we build our image from scratch — a 0-size base. The Collectord image ships only what’s required to run: the collectord binary, a set of root certificates, and a timezone database. The binary itself is statically compiled in Go with no dynamic runtime, so it can only do what we programmed it to do — there’s no shell, no package manager, no interpreter to pivot from.

Container configuration

To collect logs from the cluster, Collectord needs access to the host filesystem — that’s why the container requires privileged access. Collectord treats the host as read-only. The only thing it writes back is acknowledgement state in the form of a small database, which by default lives under /var/lib/collectorforkubernetes. If you configure a volume database, it goes in the volume root instead.

If you skip the volume database, you can drop the host filesystem to read-only — but you’ll still need write access to Collectord’s primary database directory (the data folder).

Collectord also reads from the API Server. We scope that access with RBAC so it only has the read permissions it needs, nothing more.

Internet access

The default license requires internet access so license clients can verify against our license server. If your environment doesn’t allow outbound traffic, we can issue a license that doesn’t require verification — reach out and we’ll set you up.

Collectord also forwards anonymous telemetry to our license server. You can turn that off in the configuration.

Connection to ElasticSearch / OpenSearch

We recommend TLS for the connection to ElasticSearch / OpenSearch. Set host = https://... in the [output.elasticsearch] block, and provide a CA path or set insecure = false (the default) to require certificate validation. Basic authentication credentials live in authorizationBasicUsername / authorizationBasicPassword; for token-based auth, use authorizationBearer.