-
Notifications
You must be signed in to change notification settings - Fork 217
/
integrate-splunk.html.md.erb
91 lines (61 loc) · 3.16 KB
/
integrate-splunk.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
---
title: Streaming Application Logs to Splunk
owner: PCF Metrics
---
<strong><%= modified_date %></strong>
To integrate Cloud Foundry with Splunk Enterprise, complete the following process.
## <a id='drain'></a> 1. Create a Cloud Foundry Syslog Drain for Splunk ##
In Cloud Foundry, create a syslog drain user-provided service instance as
described in [Using Third-Party Log Management Services](./log-management.html).
Choose one or more applications whose logs you want to drain to Splunk
through the service.
Bind each app to the service instance and restart the app.
Note the GUID for each app, the IP address of the Loggregator host, and the
port number for the service.
Locate the port number in the syslog URL.
For example:
`syslog://logs.example.com:1234`
## <a id='prep'></a>2. Prepare Splunk for Cloud Foundry ##
For detailed information about the following tasks, see the [Splunk documentation]
(http://docs.splunk.com/Documentation/Splunk).
### <a id='config'></a>Install the RFC5424 Syslog Technology Add-On ###
The Cloud Foundry Loggregator component formats logs according to the Syslog
Protocol defined in [RFC 5424](http://tools.ietf.org/html/rfc5424).
Splunk does not parse log fields according to this protocol.
To allow Splunk to correctly parse RFC 5424 log fields, install the Splunk
[RFC5424 Syslog Technical Add-On](http://apps.splunk.com/app/978/).
### <a id='config'></a>Patch the RFC5424 Syslog Technology Add-On ###
1. SSH into the Splunk VM
1. Replace `/opt/splunk/etc/apps/rfc5424/default/transforms.conf` with a new
`transforms.conf` file that consists of the following text:
<pre class="terminal">
[rfc5424_host]
DEST_KEY = MetaData:Host
REGEX = <\d+>\d{1}\s{1}\S+\s{1}(\S+)
FORMAT = host::$1
[rfc5424_header]
REGEX = <(\d+)>\d{1}\s{1}\S+\s{1}\S+\s{1}(\S+)\s{1}(\S+)\s{1}(\S+)
FORMAT = prival::$1 appname::$2 procid::$3 msgid::$4
MV_ADD = true
</pre>
1. Restart Splunk
### <a id='config'></a> Create a TCP Syslog Data Input ###
Create a TCP Syslog Data Input in Splunk, with the following settings:
* **TCP port** is the port number you assigned to your log drain service
* **Set sourcetype** is `Manual`
* **Source type** is `rfc5424_syslog` (type this value into text field)
* **Index** is the index you created for your log drain service
Your Cloud Foundry syslog drain service is now integrated with Splunk.
## <a id='verify'></a>3. Verify that Integration was Successful ##
Use Splunk to execute a query of the form:
`sourcetype=rfc5424_syslog index=-THE-INDEX-YOU-CREATED appname=APP-GUID`
To view logs from all apps at once, you can omit the `appname` field.
Verify that results rows contain the three Cloud Foundry-specific fields:
* **appname**: The GUID for the Cloud Foundry application
* **host**: The IP address of the Loggregator host
* **procid**: The Cloud Foundry component emitting the log
If the Cloud Foundry-specific fields appear in the log search results,
integration is successful.
If logs from an app are missing, make sure that the following are true:
* The app is bound to the service and was restarted after binding
* The service port number matches the TCP port number in Splunk