Skip to content

Files

Latest commit

 

History

History
100 lines (90 loc) · 3.75 KB

proc_splunk-config.adoc

File metadata and controls

100 lines (90 loc) · 3.75 KB

Configuring {productname} to use Splunk

Use the following procedure to configure {productname} to use Splunk or the Splunk HTTP Event Collector (HEC).

Prerequisites

  • You have installed Splunk and created a username.

  • You have generated a Splunk bearer token.

Procedure

  1. Configure {productname} to use Splunk or the Splunk HTTP Event Collector (HEC).

    1. If opting to use Splunk, open your {productname} config.yaml file and add the following configuration fields:

      # ...
LOGS_MODEL: splunk
LOGS_MODEL_CONFIG:
    producer: splunk
    splunk_config:
        host: http://<user_name>.remote.csb (1)
        port: 8089 (2)
        bearer_token: <bearer_token> (3)
        url_scheme: <http/https> (4)
        verify_ssl: False (5)
        index_prefix: <splunk_log_index_name> (6)
        ssl_ca_path: <location_to_ssl-ca-cert.pem> (7)
# ...

      1. String. The Splunk cluster endpoint.

      2. Integer. The Splunk management cluster endpoint port. Differs from the Splunk GUI hosted port. Can be found on the Splunk UI under SettingsServer SettingsGeneral Settings.

      3. String. The generated bearer token for Splunk.

      4. String. The URL scheme for access the Splunk service. If Splunk is configured to use TLS/SSL, this must be https.

      5. Boolean. Whether to enable TLS/SSL. Defaults to true.

      6. String. The Splunk index prefix. Can be a new, or used, index. Can be created from the Splunk UI.

      7. String. The relative container path to a single .pem file containing a certificate authority (CA) for TLS/SSL validation.

    2. If opting to use Splunk HEC, open your {productname} config.yaml file and add the following configuration fields:

      # ...
LOGS_MODEL: splunk
LOGS_MODEL_CONFIG:
  producer: splunk_hec (1)
  splunk_hec_config: (2)
    host: prd-p-aaaaaq.splunkcloud.com (3)
    port: 8088 (4)
    hec_token: 12345678-1234-1234-1234-1234567890ab (5)
    url_scheme: https (6)
    verify_ssl: False (7)
    index: quay (8)
    splunk_host: quay-dev (9)
    splunk_sourcetype: quay_logs (10)
# ...

      1. Specify splunk_hec when configuring Splunk HEC.

      2. Logs model configuration for Splunk HTTP event collector action logs configuration.

      3. The Splunk cluster endpoint.

      4. Splunk management cluster endpoint port.

      5. HEC token for Splunk.

      6. The URL scheme for access the Splunk service. If Splunk is behind SSL/TLS, must be https.

      7. Boolean. Enable (true) or disable (false) SSL/TLS verification for HTTPS connections.

      8. The Splunk index to use.

      9. The host name to log this event.

      10. The name of the Splunk sourcetype to use.

  2. If you are configuring ssl_ca_path, you must configure the SSL/TLS certificate so that {productname} will trust it.

    1. If you are using a standalone deployment of {productname}, SSL/TLS certificates can be provided by placing the certificate file inside of the extra_ca_certs directory, or inside of the relative container path and specified by ssl_ca_path.

    2. If you are using the {productname} Operator, create a config bundle secret, including the certificate authority (CA) of the Splunk server. For example:

      $ oc create secret generic --from-file config.yaml=./config_390.yaml --from-file extra_ca_cert_splunkserver.crt=./splunkserver.crt config-bundle-secret

      Specify the conf/stack/extra_ca_certs/splunkserver.crt file in your config.yaml. For example:

      # ...
LOGS_MODEL: splunk
LOGS_MODEL_CONFIG:
    producer: splunk
    splunk_config:
        host: ec2-12-345-67-891.us-east-2.compute.amazonaws.com
        port: 8089
        bearer_token: eyJra
        url_scheme: https
        verify_ssl: true
        index_prefix: quay123456
        ssl_ca_path: conf/stack/splunkserver.crt
# ...