I have deployed my application image into Kubernetes.
I am trying to send application logs to Splunk. One option would be to use a DaemonSet. But, due to some restrictions, I would like to use a sidecar.
Is there any sidecar for sending logs from Kubernetes Docker to Splunk?
As you say, you could add a docker container to your pod with a shared volume, for example:
apiVersion: v1
kind: Pod
metadata:
  name: app-with-sidecar-logs
spec:
  volumes:
    - name: logs
      emptyDir: {}
  containers:
    - name: app
      image: nginx
      volumeMounts:
        - name: logs
          mountPath: /var/logs
    - name: fluentd
      image: fluent/fluentd
      volumeMounts:
        - name: logs
          mountPath: /var/logs
You could use the Splunk plugin for fluentd, configuring and running the docker container properly.
<match pattern>
  type splunk
  host <splunk_host>
  port <splunk_port>
</match>
More info:
https://www.fluentd.org/plugins
https://github.com/parolkar/fluent-plugin-splunk
https://www.loggly.com/blog/how-to-implement-logging-in-docker-with-a-sidecar-approach/ . Notice this is for loggly, but the idea is the same.
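The pod spec and the `<match>` block from the answer, joined into one manifest as an added example (not part of the original answer, and not code from the fluentd or plugin projects). Assumptions: the application writes `*.log` files into `/var/logs`, the sidecar image is a custom build of `fluent/fluentd` with the Splunk plugin installed (the image name below is a placeholder), fluentd v1 syntax is used for the `tail` source, and the ConfigMap name and the `app.logs` tag are hypothetical.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: fluentd-sidecar-config          # hypothetical name
data:
  fluent.conf: |
    # Tail every log file the app writes into the shared volume.
    <source>
      @type tail
      path /var/logs/*.log
      pos_file /fluentd/log/app.pos     # read offsets kept outside the shared volume
      tag app.logs
      <parse>
        @type none                      # forward each line unparsed
      </parse>
    </source>
    # Output block as given in the answer; placeholders left unfilled.
    <match app.logs>
      type splunk
      host <splunk_host>
      port <splunk_port>
    </match>
---
apiVersion: v1
kind: Pod
metadata:
  name: app-with-sidecar-logs
spec:
  volumes:
    - name: logs
      emptyDir: {}
    - name: fluentd-config
      configMap:
        name: fluentd-sidecar-config
  containers:
    - name: app
      image: nginx
      volumeMounts:
        - name: logs
          mountPath: /var/logs
    - name: fluentd
      image: example.invalid/fluentd-splunk:custom   # placeholder image with the plugin installed
      volumeMounts:
        - name: logs
          mountPath: /var/logs
          readOnly: true                # the sidecar only reads; it cannot alter app logs
        - name: fluentd-config
          mountPath: /fluentd/etc       # the official image loads /fluentd/etc/fluent.conf
```

Mounting the shared volume read-only in the sidecar keeps a compromised or misconfigured shipper from modifying or deleting the application's log files before they are forwarded.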