Harness Delegate Logs to Splunk

Has anyone accomplished getting delegate logs into Splunk?
We’re running ECS clusters backed by EC2 instances.
For Splunk it’s Splunk Cloud. Any insight is appreciated.

Rico,

Not an expert in Splunk, but the delegate logs can be found here:

Not sure of the best way to configure the forwarder to pick up at the delegate log location:
https://docs.splunk.com/Documentation/SplunkCloud/7.2.6/User/DataSplunkCloudcanindex

This might help but not sure on the container wiring.

I’ll ask around.

Cheers!

-Ravi

Hi Rico,

Harness does not write logs to stdout but to a file, and the file is in a fixed location.
You can explore a log forwarder -

https://docs.splunk.com/Documentation/Forwarder/7.3.0/Forwarder/Abouttheuniversalforwarder

And use a Harness Delegate Profile to install the forwarder on the delegate. You can find more about Delegate Profiles here:

https://docs.harness.io/article/h9tkwmkrm7-delegate-installation#delegate_profiles

Hope this helps!

Cheers!

-Hunar

Is this something Harness could change in the provided harness/delegate Docker image? The Delegate itself wouldn’t need to change how it logs, but the Docker image could output by default to stdout, which’d make it compatible with lots of Docker logging solutions.

For the OP, they could use the ECS Splunk integration to log stdout of the container directly to Splunk. For others including myself, it could also log directly into CloudWatch without needing to install a forwarder into the image.

Perhaps just a tail -F delegate.log watcher.log & in the run.sh startup script would work.
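
The `tail -F` idea from the post above, written out as an entrypoint wrapper. This is an added example, not part of the original thread and not Harness's own run.sh; the function name, `LOG_FILES` and `LOG_FLUSH_GRACE` are assumptions, and `LOG_FILES` must be set to the delegate's actual log paths (without spaces).

```shell
#!/bin/sh
# Added example: mirror the delegate's file-based logs to the container's stdout
# so a Docker/ECS log driver (Splunk, CloudWatch) can collect them.
# Assumptions: LOG_FILES holds the space-separated paths of delegate.log and
# watcher.log; LOG_FLUSH_GRACE is how many seconds to keep tailing after exit.

stream_logs_and_run() {
    [ -n "${LOG_FILES:-}" ] || { echo "LOG_FILES is not set" >&2; return 2; }
    [ "$#" -gt 0 ] || { echo "usage: stream_logs_and_run CMD [ARGS...]" >&2; return 2; }

    # Create missing files up front so tail has something to open.
    for f in $LOG_FILES; do
        [ -e "$f" ] || : > "$f"
    done

    # -F follows by name, so the stream survives log rotation.
    # -n +1 starts at line 1 so nothing written before tail attaches is lost.
    # LOG_FILES is intentionally unquoted: it is a space-separated list.
    tail -n +1 -F $LOG_FILES &
    tail_pid=$!

    # Run the real startup command in the background so that a SIGTERM from
    # the container runtime can be forwarded to it instead of being swallowed.
    "$@" &
    main_pid=$!
    trap 'kill -TERM "$main_pid" 2>/dev/null' TERM INT

    status=0
    wait "$main_pid" || status=$?
    # wait returns early when a trapped signal arrives; wait again for the
    # real exit status if the process is still shutting down.
    if kill -0 "$main_pid" 2>/dev/null; then
        status=0
        wait "$main_pid" || status=$?
    fi

    # The last lines before exit matter most; give tail time to emit them.
    sleep "${LOG_FLUSH_GRACE:-2}"
    kill "$tail_pid" 2>/dev/null || true
    wait "$tail_pid" 2>/dev/null || true
    return "$status"
}
```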

Dominic,

We have seen this request a few times before (Splunk and SumoLogic use cases). We have something called a Delegate Profile (https://docs.harness.io/article/nxhlbmbgkj-common-delegate-profile-scripts) that can install a log forwarder to send the delegate.log and the watcher.log to the desired logging solution.

SumoLogic: https://help.sumologic.com/07Sumo-Logic-Apps/10Containers_and_Orchestration/Kubernetes/Collect_Logs_for_Kubernetes (Follow steps to alter source in the appropriate YAML to point to the desired Harness Logs)

Splunk: https://splunkbase.splunk.com/app/3743/#/details (Follow steps to point the collector to the desired Harness Logs)

We have a Feature Enhancement in to support this.

Thanks, will use an agent in the container for the time being.

We have a Feature Enhancement in to support this.

Great!