While using the LogForwarding API, forwarding logs to `Splunk` and `Syslog` servers records `garbage` values.

Solution Verified - Updated -

Environment

  • Red Hat OpenShift Container Platform
    • 4.5
    • 4.6

Issue

  • While using the LogForwarding API, forwarding logs to Splunk and Syslog servers records garbage values.

Resolution

  • As of now, forwarding RHOCP 4.5/4.6 logs to Splunk using the LogForwarding API is not supported.

Root Cause

    `elasticsearch`: to forward logs to an external Elasticsearch v5.x cluster, specified by server name or FQDN, and/or the internal OpenShift Container Platform Elasticsearch logstore.

    `forward`: to forward logs to an external log aggregation solution. This option uses the Fluentd forward protocols.
  • Sending logs to Splunk with the `forward` output type produces garbage values because Splunk doesn't understand the forward protocol.
  • From 4.6 onwards, with the LogForwarding API, Red Hat only supports kafka, syslog, fluentd and elasticsearch as an external log store.
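
To make the root cause concrete, this added example (not from the Red Hat article or any product code) hand-encodes one event the way the Fluentd forward protocol frames it, as a MessagePack array `[tag, time, record]`, and shows what a receiver that reads the stream as plain text would store. The tag, timestamp and record are constructed sample values, and the plain-text receiver is an assumption standing in for a raw TCP input.

```python
import struct

def pack(obj):
    """Minimal MessagePack encoder covering only what one small event needs."""
    if isinstance(obj, int) and 0 <= obj < 0x80:
        return bytes([obj])                                  # positive fixint
    if isinstance(obj, int) and 0 <= obj < 2**32:
        return b"\xce" + struct.pack(">I", obj)              # uint32, e.g. epoch seconds
    if isinstance(obj, str):
        raw = obj.encode("utf-8")
        if len(raw) < 32:
            return bytes([0xA0 | len(raw)]) + raw            # fixstr
        if len(raw) < 256:
            return b"\xd9" + bytes([len(raw)]) + raw         # str8
    if isinstance(obj, list) and len(obj) < 16:
        return bytes([0x90 | len(obj)]) + b"".join(map(pack, obj))  # fixarray
    if isinstance(obj, dict) and len(obj) < 16:
        body = b"".join(pack(k) + pack(v) for k, v in obj.items())
        return bytes([0x80 | len(obj)]) + body               # fixmap
    raise ValueError(f"not handled by this minimal encoder: {obj!r}")

def forward_message(tag, epoch, record):
    """Forward protocol Message mode: one event framed as [tag, time, record]."""
    return pack([tag, epoch, record])

def as_text_receiver(data):
    """Assumed receiver behaviour: treat the TCP payload as UTF-8 text."""
    return data.decode("utf-8", errors="replace")

# Constructed sample event, not taken from the article.
SAMPLE = forward_message(
    "app.container",
    1600000000,
    {"message": "user login ok", "level": "info"},
)

if __name__ == "__main__":
    print(SAMPLE.hex(" "))                  # binary framing bytes around the strings
    print(repr(as_text_receiver(SAMPLE)))   # replacement characters mixed with fragments
```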

Diagnostic Steps

  • Check the Log Forwarding API YAML file to see which output type is configured.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

2 Comments

A clarification: you mean sending to Splunk directly is not supported, however it is supported via a fluentd instance as described in https://access.redhat.com/solutions/5368181

Yes. This KCS is talking about the scenario whereby if you try to forward the logs directly (without a fluentd forwarder in between) to Splunk, you will get garbage values.