NSP application log forwarding to Splunk

Description

An NSP cluster can forward application logs to a remote Splunk server using the Splunk HTTP Event Collector (HEC). During NSP deployment, you can enable log forwarding by configuring the Splunk forwarding parameters in the nsp > modules > logging > forwarding > applicationLogs > splunk section of the NSP configuration file.

When log forwarding to Splunk is enabled, you can use the NSP cluster address as a Splunk query criterion for the NSP application logs. The address to use is one of the following values in the platform > ingressApplications > ingressController section of the config.yml file on the local NSP deployer host:

In the internalAddresses subsection, if configured, otherwise, in the clientAddresses subsection:

For example:

index="k8s_log" AND nspHost="cluster_address"

where

cluster_address is the advertised client address in the NSP configuration file described above

k8s_log is the Splunk HEC index

For information about setting up Splunk HEC, see the Splunk documentation.