Syslog (QRadar)

Installation

This guide walks you through installing the syslog forwarder end-to-end on either Kubernetes or OpenShift: pointing Collectord at your syslog server, accepting the license, and applying the manifest. A typical install takes under 10 minutes and starts forwarding metadata-enriched container logs, host logs, and audit logs. If you don’t have a license yet, you can request a 30-day evaluation.

Install Collectord for Kubernetes / OpenShift

Installation

If you prefer Helm, see the collectord-syslog Helm chart.

Download the latest manifest — collectorforkubernetes-syslog.yaml for Kubernetes, or collectorforopenshift-syslog.yaml for OpenShift. The manifest creates the collectorforkubernetes-syslog (or collectorforopenshift-syslog) namespace and deploys every workload it needs.

Open the file and edit it to:

  • Set the syslog server address.
  • Review and accept the license agreement and paste in your license key.
  • Optionally, name the cluster — useful when you’re forwarding from more than one and want to filter by cluster on your SIEM side.
001-general.conf

```ini
[general]

acceptLicense = false

license =

fields.cluster = -

...

# Syslog output
[output.syslog]

address =
```

A filled-in example:

001-general.conf

```ini
[general]

acceptLicense = true

license = ...

fields.cluster = development

...

# Syslog output
[output.syslog]

address = 192.168.1.100:514
```

If you’re deploying onto a cluster that’s been running for a while and has a lot of historical logs on disk, Collectord will start by forwarding all of them — which can spike both your network and your SIEM ingestion. Use the [general] settings thruputPerSecond to cap throughput and tooOldEvents to skip events older than a given age.

Apply the manifest to a Kubernetes cluster:

```bash
$ kubectl apply -f ./collectorforkubernetes-syslog.yaml
```

Or to an OpenShift cluster:

```bash
$ oc apply -f ./collectorforopenshift-syslog.yaml
```

On OpenShift, grant the service account the privileged SCC:

```bash
$ oc adm policy add-scc-to-user privileged system:serviceaccount:collectorforopenshift-syslog:collectorforopenshift-syslog
```

Check that the workloads came up — on Kubernetes:

```bash
$ kubectl get all --namespace collectorforkubernetes-syslog
```

Or on OpenShift:

```bash
$ oc get all --namespace collectorforopenshift-syslog
```

Once the images are pulled and the pods are Running, events should start arriving at QRadar (or whichever SIEM you’ve pointed Collectord at) within a minute or two.

By default, Collectord forwards container logs, host logs (including syslog), and audit logs when they’re enabled.