https://community.splunk.com/t5/Getting-Data-In/Are-any-Fluentd-apps-Splunk-vetted-supported-Or-is-there-a/m-p/365305#M66507 <P>We feel the Splunk Forwarder is more for host/node level data collection and that's not the way we were planning to log our Kubernetes infrastructure. If one were to want to write all logs back to the host/node level, then yes the Splunk Forwarder would work fine and we use it in the cloud at that level significantly already for many other workloads. In our opinion, the Splunk HEC is much more well suited to the task of collecting logs from something like Kubernetes/Docker which should be more directly from the logging driver or container engine level. </P> <P>The official <A href="https://kubernetes.io/docs/concepts/cluster-administration/logging/">k8s logging documentation</A> mentions several different logging approaches, with node-level and cluster-level being the two main parent categories. Cluster-level is the one that we believe is the better approach and why we're looking for a different solution than the Splunk Forwarder in this space.</P> Wed, 04 Oct 2017 00:32:56 GMT mcluver 2017-10-04T00:32:56Z https://community.splunk.com/t5/Getting-Data-In/Are-any-Fluentd-apps-Splunk-vetted-supported-Or-is-there-a/m-p/365303#M66505 <P>We’re looking to get our Kubernetes logs into Splunk and it appears the best (most cloud native) way to do that is to forward the logs from Fluentd to Splunk HEC (HTTP Event Collector). With that being said, we see where there are a number of plugins that people have developed for Fluentd for this use-case, see: <A href="https://www.fluentd.org/plugins">Fluentd Plugins</A> Could you guys please tell us if any of these were developed by Splunk employees or are officially vetted/supported?</P> <P><span class="lia-inline-image-display-wrapper" image-alt="Fluentd Plugins for Splunk"><img src="https://community.splunk.com/t5/image/serverpage/image-id/3574i74FBFCE0EBA62157/image-size/large?v=v2&amp;px=999" role="button" title="Fluentd Plugins for Splunk" alt="Fluentd Plugins for Splunk" /></span></P> <P>Does Splunk have another cloud native solution that they recommend instead? Don’t say the UF (Splunk Universal Forwarder). I also found <A href="https://answers.splunk.com/answers/525617/how-can-we-log-and-containerize-the-logs-using-kub.html">this</A> Splunk Answers post regarding the same topic for a bit of background on what others were doing cloud natively. Thanks for any assistance with this question.</P> <P>Thanks &amp; Best regards,<BR /> Matt</P> Tue, 03 Oct 2017 17:54:25 GMT https://community.splunk.com/t5/Getting-Data-In/Are-any-Fluentd-apps-Splunk-vetted-supported-Or-is-there-a/m-p/365303#M66505 mcluver 2017-10-03T17:54:25Z https://community.splunk.com/t5/Getting-Data-In/Are-any-Fluentd-apps-Splunk-vetted-supported-Or-is-there-a/m-p/365304#M66506 <P>Why are you dismissing the Universal Forwarder? It is as "cloud native" as anything else you might find?</P> Tue, 03 Oct 2017 23:36:24 GMT https://community.splunk.com/t5/Getting-Data-In/Are-any-Fluentd-apps-Splunk-vetted-supported-Or-is-there-a/m-p/365304#M66506 sduff_splunk 2017-10-03T23:36:24Z https://community.splunk.com/t5/Getting-Data-In/Are-any-Fluentd-apps-Splunk-vetted-supported-Or-is-there-a/m-p/365305#M66507 <P>We feel the Splunk Forwarder is more for host/node level data collection and that's not the way we were planning to log our Kubernetes infrastructure. If one were to want to write all logs back to the host/node level, then yes the Splunk Forwarder would work fine and we use it in the cloud at that level significantly already for many other workloads. In our opinion, the Splunk HEC is much more well suited to the task of collecting logs from something like Kubernetes/Docker which should be more directly from the logging driver or container engine level. </P> <P>The official <A href="https://kubernetes.io/docs/concepts/cluster-administration/logging/">k8s logging documentation</A> mentions several different logging approaches, with node-level and cluster-level being the two main parent categories. Cluster-level is the one that we believe is the better approach and why we're looking for a different solution than the Splunk Forwarder in this space.</P> Wed, 04 Oct 2017 00:32:56 GMT https://community.splunk.com/t5/Getting-Data-In/Are-any-Fluentd-apps-Splunk-vetted-supported-Or-is-there-a/m-p/365305#M66507 mcluver 2017-10-04T00:32:56Z https://community.splunk.com/t5/Getting-Data-In/Are-any-Fluentd-apps-Splunk-vetted-supported-Or-is-there-a/m-p/365306#M66508 <P>One solution to monitor Kubernetes and collect all logs is to use our collector </P> <P>SplunkBase: <A href="https://splunkbase.splunk.com/app/3743/">https://splunkbase.splunk.com/app/3743/</A><BR /> Youtube Demo <A href="https://www.youtube.com/watch?v=C2zOO2XX5TI">https://www.youtube.com/watch?v=C2zOO2XX5TI</A><BR /> Installation/configuration instructions <A href="https://github.com/outcoldsolutions/collector/tree/master/kubernetes">https://github.com/outcoldsolutions/collector/tree/master/kubernetes</A></P> <P>With provided configuration it will automatically pick up all logs, enrich them with kubernetes metadata and ship it to Splunk. </P> <P>Let me know if you will have any questions.</P> <P>Edited (2017-10-05): posted link to published application on splunkbase</P> Wed, 04 Oct 2017 03:20:42 GMT https://community.splunk.com/t5/Getting-Data-In/Are-any-Fluentd-apps-Splunk-vetted-supported-Or-is-there-a/m-p/365306#M66508 outcoldman 2017-10-04T03:20:42Z https://community.splunk.com/t5/Getting-Data-In/Are-any-Fluentd-apps-Splunk-vetted-supported-Or-is-there-a/m-p/365307#M66509 <P>That looks like a really nice solution for Kubernetes logging and metrics. Probably the best solution to date for Splunk I've seen. Is Splunk not planning on releasing their own TA for this platform at some point?</P> <P>Being a Splunk Enterprise Security customer I think we'd be interesting in the collection being CIM compliant as well. </P> Thu, 05 Oct 2017 16:23:53 GMT https://community.splunk.com/t5/Getting-Data-In/Are-any-Fluentd-apps-Splunk-vetted-supported-Or-is-there-a/m-p/365307#M66509 mcluver 2017-10-05T16:23:53Z https://community.splunk.com/t5/Getting-Data-In/Are-any-Fluentd-apps-Splunk-vetted-supported-Or-is-there-a/m-p/365308#M66510 <P>CIM compliant is on our radar for "Monitoring Kubernetes" and "Collector for Kubernetes". </P> Thu, 05 Oct 2017 16:46:12 GMT https://community.splunk.com/t5/Getting-Data-In/Are-any-Fluentd-apps-Splunk-vetted-supported-Or-is-there-a/m-p/365308#M66510 outcoldman 2017-10-05T16:46:12Z https://community.splunk.com/t5/Getting-Data-In/Are-any-Fluentd-apps-Splunk-vetted-supported-Or-is-there-a/m-p/365309#M66511 <P>To monitor Kubernetes please go here and follow the steps: <A href="https://github.com/splunk/splunk-connect-for-kubernetes">https://github.com/splunk/splunk-connect-for-kubernetes</A></P> Wed, 04 Jul 2018 12:41:47 GMT https://community.splunk.com/t5/Getting-Data-In/Are-any-Fluentd-apps-Splunk-vetted-supported-Or-is-there-a/m-p/365309#M66511 epeterfi_splunk 2018-07-04T12:41:47Z https://community.splunk.com/t5/Getting-Data-In/Are-any-Fluentd-apps-Splunk-vetted-supported-Or-is-there-a/m-p/365310#M66512 <P>See below my comment. Connect for K8 was launched months ago and works great. Also comes with an app.</P> Fri, 05 Oct 2018 11:12:08 GMT https://community.splunk.com/t5/Getting-Data-In/Are-any-Fluentd-apps-Splunk-vetted-supported-Or-is-there-a/m-p/365310#M66512 epeterfi_splunk 2018-10-05T11:12:08Z