
Add Docker container logs in Splunk

With Splunk you will be able to optimize container usage by monitoring CPU, memory, disk and network performance metrics from your containers, and pay only for what you need by managing resources and measuring the impact on service reliability and container resource requirements.
You also get a complete overview of Kubernetes and OpenShift environments: correlate performance metrics, container logs and OpenShift/Kubernetes configuration and metadata for a better understanding of how your infrastructure is performing and how hosted applications are behaving.
Add a new HTTP Event Collector
First, you need to enable the Splunk HTTP Event Collector (HEC). In the Splunk UI, go to Settings -> Data Inputs -> HTTP Event Collector -> Global Settings.
Click Enabled alongside 'All Tokens' and enable SSL. This enables the HTTP Event Collector on port 8088 (the default), using the Splunk default certificate.
Note down the token that Splunk generates, e.g. f7a00add-34cd-5c00-bb16-e4f813805d81.
You can do a quick test by running the following (-k accepts the default Splunk certificate, which curl does not trust):
curl -k https://159.100.242.68:8088/services/collector \
  -H 'Authorization: Splunk f6a00add-63cd-4c00-bb16-e2f815805d81' \
  -d '{"sourcetype": "mysourcetype", "event": "Hello, World!"}'
Add the Docker app
Navigate to yourSplunkHost/en-US/manager/launcher/appsremote?offset=0&count=20&order=relevance&query=docker
Click Install and log in using your Splunk.com credentials (register first if needed).
Configure Docker to log to Splunk
You can configure Docker logging to use the Splunk driver by default or on a per-container basis.
To use the Splunk driver as the default logging driver, set the keys log-driver and log-opts to appropriate values in the daemon.json configuration file and restart Docker. For example:
{
  "log-driver": "splunk",
  "log-opts": {
    "splunk-token": "f6a00add-63cd-4c00-bb16-e2f815805d81",
    "splunk-url": "https://159.100.242.68:8088"
  }
}
The daemon.json file is located at /etc/docker/daemon.json.
Restart the Docker daemon and you're done.
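As an added example (not code from the original post), the Python helper below merges the splunk log-driver settings described above into an existing /etc/docker/daemon.json without discarding other keys, checks the token and URL before anything is written, and prints the equivalent docker run flags for the per-container option mentioned earlier. The function names and the "storage-driver" sample key are the example's own assumptions.

```python
import json
import re
from pathlib import Path

# HEC tokens are UUIDs; reject typos before they are written into daemon.json.
_TOKEN_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def splunk_log_opts(token: str, url: str) -> dict:
    """Return the log-opts the Splunk driver needs, after basic validation."""
    if not _TOKEN_RE.match(token):
        raise ValueError("splunk-token must be the UUID shown in the HEC token list")
    if not url.startswith("https://"):
        raise ValueError("splunk-url must be https:// when SSL is enabled on HEC")
    return {"splunk-token": token, "splunk-url": url.rstrip("/")}


def merge_daemon_config(existing: dict, token: str, url: str) -> dict:
    """Merge the Splunk settings into an existing daemon.json dict, keeping
    other keys; "log-opts" is replaced outright so options meant for the old
    driver (e.g. json-file's max-size) are not passed to the splunk driver."""
    merged = dict(existing)
    merged["log-driver"] = "splunk"
    merged["log-opts"] = splunk_log_opts(token, url)
    return merged


def docker_run_flags(token: str, url: str) -> list:
    """Equivalent flags for enabling the driver on a single container only."""
    flags = ["--log-driver=splunk"]
    flags += [f"--log-opt {k}={v}" for k, v in splunk_log_opts(token, url).items()]
    return flags


def write_daemon_json(path: Path, token: str, url: str) -> dict:
    """Read the existing file (if any), merge, and write it back indented."""
    existing = json.loads(path.read_text()) if path.exists() else {}
    merged = merge_daemon_config(existing, token, url)
    path.write_text(json.dumps(merged, indent=2) + "\n")
    return merged


if __name__ == "__main__":
    # Constructed sample values (the token and host used in the post above).
    token, url = "f6a00add-63cd-4c00-bb16-e2f815805d81", "https://159.100.242.68:8088"
    print(json.dumps(merge_daemon_config({"storage-driver": "overlay2"}, token, url), indent=2))
    print("docker run", " ".join(docker_run_flags(token, url)), "myimage")
```

Run write_daemon_json(Path("/etc/docker/daemon.json"), token, url) as root to apply the merged configuration, then restart Docker as described above.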