Outcold Solutions LLC

Forwarding Kubernetes logs to QRadar - Version 5

Installation

With our solution for QRadar, you can start forwarding logs from your clusters in under 10 minutes, including metadata-enriched container logs, host logs, and audit logs. You can request an evaluation license that is valid for 30 days.

Install Collector for Kubernetes / OpenShift

Installation

Use the latest Kubernetes configuration file collectorforkubernetes-syslog.yaml, or the OpenShift-specific configuration file collectorforopenshift-syslog.yaml. This configuration deploys multiple workloads under the collectorforkubernetes-syslog (collectorforopenshift-syslog) namespace.

Open it in your favorite editor, specify the syslog server address, review and accept the license agreement, and include the license key (request an evaluation license key with this automated form). The relevant settings are:

[general]

acceptLicense = false

license =

fields.cluster = -

...

# Syslog output
[output.syslog]

address =

For example:

[general]

acceptLicense = true

license = ...

fields.cluster = development

...

# Syslog output
[output.syslog]

address = 192.168.1.100:514

If you are planning to deploy Collectord on a cluster that has been running for a while and has a lot of logs stored on disk, Collectord will forward all of those logs, which can disturb both your cluster and the QRadar event collector. Under [general] you can set thruputPerSecond to limit the amount of log data forwarded per second, and tooOldEvents to make Collectord skip events older than a given age.

Apply this change to your Kubernetes cluster with kubectl

$ kubectl apply -f ./collectorforkubernetes-syslog.yaml

Or to OpenShift cluster with

$ oc apply -f ./collectorforopenshift-syslog.yaml

On OpenShift, grant the privileged SCC to the collectorforopenshift-syslog service account; the collector needs it because it reads container, host and audit logs from the node filesystem. This is a broad grant, so keep it scoped to this one service account in this one namespace, as the command below does.

$ oc adm policy add-scc-to-user privileged system:serviceaccount:collectorforopenshift-syslog:collectorforopenshift-syslog

Verify the workloads.

$ kubectl get all --namespace collectorforkubernetes-syslog

Or with OpenShift

$ oc get all --namespace collectorforopenshift-syslog

Give it a few moments to download the image and start the containers. Once all the pods are running, go to QRadar and you should see the data arriving from the syslog address you configured.

By default, Collectord forwards container logs, host logs (including syslog) and audit logs (if enabled).
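The steps above (edit the [general] and [output.syslog] settings, then apply) are easy to get half-done: a manifest with acceptLicense still false, an empty license key or an empty syslog address will be pushed to the cluster and only fail at runtime. The following preflight script is an added example, not a tool shipped by Outcold Solutions: it reads the INI-style settings from the file you are about to apply, refuses to proceed unless the license is accepted, the key is present and the syslog address has a host and port, and only then runs kubectl apply. The sample fragments it writes are constructed for the demonstration (the license key in them is a dummy value), and it assumes the settings appear in the file one per line as shown on this page, whether in a standalone config file or indented inside the manifest's ConfigMap.

```shell
#!/bin/sh
# Preflight gate for a Collectord syslog configuration (added example).
# Assumption: the [general] and [output.syslog] settings appear one per
# line, "key = value", as in the fragment shown on this page; leading
# indentation (e.g. inside a ConfigMap) is tolerated.

# ini_get FILE SECTION KEY -> prints the trimmed value, or nothing if unset.
ini_get() {
  awk -v section="[$2]" -v key="$3" '
    $1 == section        { in_sec = 1; next }   # entered the wanted section
    $1 ~ /^\[/           { in_sec = 0; next }   # any other section header
    in_sec && $1 == key  {
      sub(/^[^=]*=[[:space:]]*/, "")            # drop "key =" and blanks
      sub(/[[:space:]]+$/, "")                  # drop trailing blanks
      print; exit
    }' "$1"
}

# check_config FILE -> returns 0 when the file is safe to apply, 1 otherwise.
# Every failed check is reported on stderr so nothing is silently skipped.
check_config() {
  cfg="$1"; rc=0
  accept=$(ini_get "$cfg" general acceptLicense)
  license=$(ini_get "$cfg" general license)
  address=$(ini_get "$cfg" output.syslog address)

  [ "$accept" = "true" ] || { echo "acceptLicense must be true (is '$accept')" >&2; rc=1; }
  [ -n "$license" ]      || { echo "license key is empty" >&2; rc=1; }
  case "$address" in
    *:[0-9]*) ;;                                 # host:port is present
    *) echo "output.syslog address must be host:port (is '$address')" >&2; rc=1 ;;
  esac
  return $rc
}

# Constructed sample: the fragment as shipped, placeholders untouched.
sample_unedited() {
  cat > "$1" <<'EOF'
[general]

acceptLicense = false

license =

fields.cluster = -

# Syslog output
[output.syslog]

address =
EOF
}

# Constructed sample: the same fragment after editing (dummy license key).
sample_edited() {
  cat > "$1" <<'EOF'
[general]

acceptLicense = true

license = EXAMPLE-LICENSE-KEY-NOT-REAL

fields.cluster = development

# Syslog output
[output.syslog]

address = 192.168.1.100:514
EOF
}

# Usage: sh preflight.sh ./collectorforkubernetes-syslog.yaml
# (use "oc apply" instead of "kubectl apply" on OpenShift).
if [ "$#" -gt 0 ]; then
  check_config "$1" && kubectl apply -f "$1"
fi
```

The address check only confirms that a host and port were filled in; it deliberately does not probe the QRadar collector, so the script runs offline. Keep in mind that plain syslog to port 514 carries the log contents in cleartext over the network, so the path between the cluster nodes and the QRadar event collector should be treated as part of the logging trust boundary.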


About Outcold Solutions

Outcold Solutions provides solutions for monitoring Kubernetes, OpenShift and Docker clusters in Splunk Enterprise and Splunk Cloud. We offer certified Splunk applications, which give you insights across all container environments. We help businesses reduce the complexity of logging and monitoring by providing solutions for Linux and Windows containers that are easy to use and deploy. We deliver applications that help developers monitor their applications and operators keep their clusters healthy. With the power of Splunk Enterprise and Splunk Cloud, we offer one solution to keep all the metrics and logs in one place, allowing you to quickly address complex questions on container performance.