NSP application log forwarding to Splunk
Description
An NSP cluster can forward application logs to a remote Splunk server using the Splunk HTTP Event Collector (HEC). During NSP deployment, you can enable log forwarding by configuring the Splunk forwarding parameters in the nsp—modules—logging—forwarding—applicationLogs—splunk section of the NSP configuration file.
When log forwarding to Splunk is enabled, you can use the NSP cluster address as a Splunk query criterion for the NSP application logs. The address to use is one of the following values in the platform—ingressApplications—ingressController section of the config.yml file on the local NSP deployer host:
In the internalAddresses subsection, if configured; otherwise, in the clientAddresses subsection:
For example:
index="k8s_log" AND nspHost="cluster_address"
where
cluster_address is the advertised client address in the NSP configuration file described above
k8s_log is the Splunk HEC index
For information about setting up Splunk HEC, see the Splunk documentation.