Splunk
You can configure Rancher to send Kubernetes logs to your instance of Splunk.
- Browse to the cluster or project that you want to log.
To Configure Cluster Logging:
If you’re a cluster owner or member who works in operations or security, configure cluster logging.
From the Global view, open the cluster that you want to configure logging for.
To Configure Project Logging:
If you’re a who works on an application, configure project logging.
From the main menu, select Resources > Logging.
Select Splunk.
Complete the Splunk HTTP Event Collector Configuration form.
- From the Endpoint field, enter the IP address and port for your Splunk instance (i.e. )
Splunk usually uses port . If you’re using Splunk Cloud, you’ll need to work with Splunk support to get an endpoint URL.
Enter the Token you obtained while completing the prerequisites (i.e., when you created a token in Splunk).
From the Source field, enter the name of the token as entered in Splunk.
Complete the Additional Logging Configuration form.
Optional: Use the Add Field button to add custom log fields to your logging configuration. These fields are key-value pairs (such as ) that you can use to filter the logs from another system.
Click Save.
Result: Rancher is now configured to send logs to Splunk. Log into your Splunk instance to view events for your cluster and containers.
Log into your Splunk server.
Click on Search & Reporting. The number of Indexed Events listed should be increasing.
Click on Data Summary and select the Sources tab.
You can use curl to see if HEC is listening for HTTP event data.
If Splunk is configured correctly, you should receive JSON data returning . You should be able to send logging data to HEC.
If you received an error, check your configuration in Splunk and Rancher.
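To narrow down which side is misconfigured, the following added example (not part of the Rancher or Splunk documentation) sends one test event to HEC and translates the reply into a diagnosis. The variable names `HEC_URL`, `HEC_TOKEN` and `HEC_CACERT` and the host shown are assumptions; the `/services/collector/event` path, the `Authorization: Splunk <token>` header and the numeric reply codes are those documented by Splunk for HEC.

```bash
#!/usr/bin/env bash
# Added example: probe a Splunk HEC endpoint and explain the reply.
# HEC_URL and HEC_TOKEN are assumed environment variables, e.g.
#   HEC_URL=https://splunk.example.internal:<port>   (placeholder host)

# Map an HEC JSON reply body to a diagnosis (codes per Splunk's HEC docs).
hec_classify() {
  local code
  code=$(printf '%s' "$1" |
    sed -n 's/.*"code"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
  case "$code" in
    0)   echo "ok: event accepted" ;;
    1)   echo "token disabled: enable it in Splunk" ;;
    2|3) echo "auth header missing or malformed" ;;
    4)   echo "invalid token: check the token saved in Rancher" ;;
    5|6) echo "listening, but payload rejected" ;;
    7)   echo "token not allowed to write to that index" ;;
    "")  echo "not an HEC reply: wrong host, port or path?" ;;
    *)   echo "HEC error code $code" ;;
  esac
}

# Send one test event. The token reaches curl through a config read from
# stdin, so it does not appear in the process list or in curl's argv.
# TLS verification stays on; set HEC_CACERT for a private CA bundle.
hec_probe() {
  local body
  body=$(printf 'header = "Authorization: Splunk %s"\n' "$HEC_TOKEN" |
    curl --silent --show-error --max-time 10 --config - \
      ${HEC_CACERT:+--cacert "$HEC_CACERT"} \
      --data '{"event": "rancher logging test"}' \
      "$HEC_URL/services/collector/event") || {
        echo "no response: HEC not reachable or TLS failed"; return 1; }
  hec_classify "$body"
}

# Run the probe only when both variables are set.
if [ -n "${HEC_URL:-}" ] && [ -n "${HEC_TOKEN:-}" ]; then
  hec_probe
fi
```

An "invalid token" or "token disabled" result points at the Splunk token settings or the value saved in Rancher, while "no response" points at the endpoint address, port, firewall or certificate.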