I deployed a Splunk forwarder in a Kubernetes cluster using this blog.
I have 4 files in /opt/splunk/etc/system/local:
inputs.conf
server.conf
limits.conf
outputs.conf
My inputs.conf looks like this.
[default]
host = testtest
[monitor:///usr/local/tomcat/logs]
whitelist=test.log|.log_WHITELIST_|test
index= abc
sourcetype=log4j
[splunktcp://9997]
compressed = false
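I am unable to get the logs in the Splunk UI when I deploy it as a sidecar. But if I use the same Docker image locally, with a dummy log file placed in it, I can see the logs. So why doesn't it work with Kubernetes?
I also checked splunkd.log.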
/opt/splunk/var/log/splunk # tail splunkd.log
12-07-2018 10:43:38.793 +0000 INFO TailingProcessor - Adding watch on path: /opt/splunk/var/spool/splunk.
12-07-2018 10:43:38.793 +0000 INFO TailingProcessor - Adding watch on path: /usr/local/tomcat/logs.
12-07-2018 10:43:38.795 +0000 INFO loader - Limiting REST HTTP server to 21845 sockets
12-07-2018 10:43:38.795 +0000 INFO loader - Limiting REST HTTP server to 657 threads
12-07-2018 10:43:38.798 +0000 INFO TailReader - Registering metrics callback for: batchreader0
12-07-2018 10:43:38.798 +0000 INFO TailReader - Starting batchreader0 thread
12-07-2018 10:43:38.798 +0000 INFO TailReader - Registering metrics callback for: tailreader0
12-07-2018 10:43:38.798 +0000 INFO TailReader - Starting tailreader0 thread
12-07-2018 10:43:38.850 +0000 INFO TcpOutputProc - Connected to idx=52.204.198.184:9997 using ACK.
12-07-2018 10:44:08.358 +0000 WARN AuthenticationManagerSplunk - Seed file is not present. Defaulting to generic username/pass pair.
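Any suggestions on how to resolve this? I have been stuck here for days. Do I have to open any ports under Kubernetes? Although I can ping the Splunk server from the Splunk container.
Answer 0: (score: 0)
I strongly recommend that you look for alternative ways of forwarding Kubernetes logs to Splunk: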