Integrating IBM® Cloud Private Cloud Foundry syslogs with Splunk

If you use Splunk Enterprise, you can integrate your IBM Cloud Private Cloud Foundry application logs with Splunk.

Cloud Foundry uses the RFC5424 syslog protocol, so you must also install the Splunk add-on that supports this protocol.

Installing Splunk Enterprise using Docker

  1. Install Docker. For more information, see Install Docker.
  2. Pull the Splunk images from Docker Hub:

    docker pull splunk/splunk
    
  3. Start Splunk:

    docker run -d -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_USER=root" -p "8000:8000" -p "12345:12345" splunk/splunk
    

    In this command, 8000 is the default port that the Splunk user interface runs on, and 12345 is the TCP port that receives the system logs from Cloud Foundry. You can use any available port for the TCP port.

  4. To verify that Splunk is running, open http://localhost:8000 in a browser. The default login credentials are admin:changeme.

Configuring Splunk to receive syslogs from Cloud Foundry

  1. Download the RFC5424 syslog add-on for Splunk. You must have a Splunk account to download the add-on. For more information, see RFC5424 Syslog.
  2. Extract the rfc5424-syslog_11.tar file.

    tar -xvzf rfc5424-syslog_11.tgz
    
  3. Open the ./rfc5424/default/transforms.conf file and replace its contents with the following text:

    [rfc5424_host]
    DEST_KEY = MetaData:Host
    REGEX = <\d+>\d{1}\s{1}\S+\s{1}(\S+)
    FORMAT = host::$1
    
    [rfc5424_header]
    REGEX = <(\d+)>\d{1}\s{1}\S+\s{1}\S+\s{1}(\S+)\s{1}(\S+)\s{1}(\S+)
    FORMAT = prival::$1 appname::$2 procid::$3 msgid::$4
    MV_ADD = true
    
  4. Retrieve the Docker containerId for the Splunk container.

    docker ps -aqf "ancestor=splunk/splunk"
    
  5. Copy the rfc5424 folder to the Docker container for Splunk.

    docker cp rfc5424 <containerId>:/opt/splunk/etc/apps
    
  6. Restart the Docker container.

    docker restart <containerId>
    
  7. Open http://localhost:8000 in a browser, and log in to Splunk.

  8. Click Add Data > Monitor > TCP / UDP.
  9. Select the TCP Port that you specified when you started Splunk, such as 12345, and then click Next.
  10. For the Source Type, select rfc5424_syslog, and then click Review and Submit.
  11. Click Start Searching to finish the input setup. Splunk is now listening on the TCP port and ready to receive data from IBM Cloud Private Cloud Foundry.
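To check the two regexes from the transforms.conf in step 3 before copying the add-on into the container, here is an added Python example (not part of this page or of the Splunk add-on) that applies them unanchored, as Splunk does, to constructed lines in the layout a Cloud Foundry syslog drain produces; the org/space/app name, application GUID and instance values are made up.

```python
import re

# The two patterns from the transforms.conf above, copied verbatim.
# Splunk applies REGEX with search semantics (no implicit anchor), so re.search is used.
HOST_RE = re.compile(r"<\d+>\d{1}\s{1}\S+\s{1}(\S+)")
HEADER_RE = re.compile(r"<(\d+)>\d{1}\s{1}\S+\s{1}\S+\s{1}(\S+)\s{1}(\S+)\s{1}(\S+)")


def extract_fields(line):
    """Return the fields the two transforms would add for one RFC5424 line,
    or None when the header does not match (e.g. a non-syslog line on the port)."""
    host = HOST_RE.search(line)
    header = HEADER_RE.search(line)
    if not host or not header:
        return None
    prival, appname, procid, msgid = header.groups()
    return {
        "host": host.group(1),     # RFC5424 HOSTNAME: org.space.app for a CF drain
        "prival": prival,          # PRI value, facility * 8 + severity
        "appname": appname,        # RFC5424 APP-NAME: the application GUID
        "procid": procid,          # RFC5424 PROCID: the app instance, e.g. [APP/PROC/WEB/0]
        "msgid": msgid,            # RFC5424 MSGID: "-" when the drain sets none
    }


def facility_severity(prival):
    """Split a PRI value into (facility, severity) as defined by RFC5424."""
    p = int(prival)
    return p // 8, p % 8


# Constructed sample lines (hypothetical org, space, app, GUID and instances).
SAMPLE_LINES = [
    "<14>1 2019-02-11T13:45:10.123456+00:00 myorg.myspace.myapp "
    "3a0f1e2d-aaaa-bbbb-cccc-111122223333 [APP/PROC/WEB/0] - - Request served in 12ms",
    "<11>1 2019-02-11T13:45:11.000000+00:00 myorg.myspace.myapp "
    "3a0f1e2d-aaaa-bbbb-cccc-111122223333 [APP/PROC/WEB/1] - - Unhandled exception",
    "not a syslog line at all",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        fields = extract_fields(line)
        if fields is None:
            print("no RFC5424 header:", line)
        else:
            print(fields, "facility/severity:", facility_severity(fields["prival"]))
```

A line that yields None would land in Splunk without host, appname or procid fields, which is the first thing to look for if the search in the last section returns events with missing fields.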

Send syslogs from IBM Cloud Private Cloud Foundry to Splunk

  1. Log in to Cloud Foundry through the command line interface (CLI).
  2. Create a user-provided service for Splunk by running the following command:

    cf create-user-provided-service <SERVICE-NAME> -l syslog://<splunkipaddress>:<port>
    

    Note: In the previous example, <SERVICE-NAME> is the name for the Splunk service, <splunkipaddress> is the IP address that Splunk uses, and <port> is the TCP port that Cloud Foundry uses to send syslogs to Splunk.

  3. Bind this service to an existing Cloud Foundry application by running the following command:

    cf bind-service <CF-APP-NAME> <SERVICE-NAME>
    

    Note: In the previous example, <SERVICE-NAME> is the name for the Splunk service and <CF-APP-NAME> is the name of the Cloud Foundry application.

  4. Restage the Cloud Foundry application:

    cf restage <CF-APP-NAME>
    
  5. Confirm that you can access the Cloud Foundry logs in Splunk by searching for sourcetype=rfc5424_syslog.