Preparing to collect logs from external log sources

BMC Helix Logging uses Elasticsearch, Fluent Bit, and Kibana (EFK) to collect, store, and view logs:

  • Elasticsearch: A search engine also used to store and analyze logs.
  • Fluent Bit: Aggregates the application logs collected by the log shipper and sends them to Elasticsearch.
  • Kibana: A web user interface for data visualization and a log exploration tool.

As a system administrator, you must deploy and configure BMC Helix Logging to collect logs, and then configure the Kibana to view logs. 

Important

BMC Helix Continuous Optimization does not support BMC Helix Logging.

In addition, you must integrate BMC Helix ITOM with external logging systems such as Splunk, and external Elasticsearch, Fluentbit, and Kibana (EFK) stacks to collect logs.

Related topics

Viewing-logs-on-Kibana

Troubleshooting-BMC-Helix-Logging-issues

Before you begin

  • Starting from version 25.2.00, if you plan to use an external logging system (such as an external EFK or Splunk stack), you must deploy it before installing or upgrading BMC Helix IT Operations Management.
    For upgrade scenarios, ensure that you run the upgrade configuration utility to enable external logging support.
  • BMC Helix IT Operations Managementversion 25.2.00 or later must be installed.

  • Make sure that the following ports are available in cluster nodes for Elasticsearch and Kibana services: 

    Important

    The traffic to Kibana ports is routed from the Load balancer on port 443 to the Ingress controller. As the Ingress controller decides the internal routing of the traffic, the Kibana ports should be open in the Kubernetes cluster.

Deploying BMC Helix Logging Deployer

  1. Download the bmc-helix-logging-25.2.00-45.tar file from EPD.
    EPD-Logging.png

     

  2. Extract the tar file to the utilities folder.

  3. Perform the following prerequisites that are relevant to your deployment.

    Deployment

    Procedure

    Kubernetes

    1. Use the default namespace or create a namespace in Kubernetes: Example: bmc-helix-logging.
    2. Navigate to helix-on-prem-deployment-manager/utilities/bmc-helix-logging/efk/fluent-bit/ and replace the efk-fluent-bit-clusterrole.yaml namespace with the namespace that created in step a.

    3. Apply the updated YAML file by running:

      kubectl apply -f efk-fluent-bit-clusterrole.yaml

    4. Use the cluster admin permission and apply the privileged policy to the new namespace.

      kubectl label namespace <namespace-name> pod-security.kubernetes.io/enforce=privileged
      kubectl label namespace <namespace-name> pod-security.kubernetes.io/enforce-version=latest
      kubectl label namespace <namespace-name> pod-security.kubernetes.io/audit=privileged
      kubectl label namespace <namespace-name> pod-security.kubernetes.io/audit-version=latest
      kubectl label namespace <namespace-name> pod-security.kubernetes.io/warn=privileged
      kubectl label namespace <namespace-name> pod-security.kubernetes.io/warn-version=latest
    5. To use a different namespace, go to bmc-helix-logging.config and set the variable BMC_HELIX_LOGGING_NAMESPACE to a new namespace.

    OpenShift

    1. Create a namespace in OpenShift. For example: "bmc-helix-logging".
    2. With admin privileges creates perquisites: 

      1. securitycontextconstraint (scc) ---> Replace namespace in file "efk-fluent-bit-scc.yaml" at location "helix-on-prem-deployment-manager/bmc-helix-logging/efk/fluent-bit/" and apply.

        oc apply -f efk-fluent-bit-scc.yaml

      2. Clusterrole and Cluterrolebinding --> Replace namespace in file "efk-fluent-bit-clusterrole.yaml" at location "helix-on-prem-deployment-manager/bmc-helix-logging/efk/fluent-bit/" and apply.

        oc apply -f efk-fluent-bit-clusterrole.yaml

      3. Add adm policy scc to service account in the namespace using below command.

        oc adm policy add-scc-to-user efk-fluent-bit -z efk-fluent-bit -n <namespace>

    3. Add GID of bmc-helix-logging in "bmc-helix-logging.config". For example:
      LOGGING_RUN_AS_USER=1000750000
      LOGGING_RUN_AS_GROUP=1000750000
      LOGGING_FS_GROUP=1000750000

    4. Configure the values in bmc-helix-logging.config.

    Splunk

    • You have the Spunk deployed in your cluster.
    • Splunk is running on a different namespace in the cluster.
    • (Optional) If you are not using Splunk for logs collection, you must have the Fluentbit or Fluentd running in your cluster.
  4. Go to helix-on-prem-deployment-manager/utilities/bmc-helix-logging/bmc-helix-logging.config and set the following values:
    • To use IPv4, set ESKIBANA_SERVER_HOST ="0.0.0.0"
    • To use IPv6, set ESKIBANA_SERVER_HOST ="::"
  5. Run the ./bmc-helix-logging-deployer.sh script.
    The BMC Helix Logging deployer deploys EFK in the bmc-helix-logging namespace.

  6. Perform the relevant post deployment steps:

    Action

    Desctiption

    To access the Kibana URL

    1. Open the bmc-helix-logging.config file.
    2. Find the KIBANA_LB_HOST parameter.
    3. Specify a URL to create a Kibana load balancer host. 
      The BMC Helix Logging Ingress uses the value of this parameter.
      Example: KIBANA_LB_HOST= kibana-private-poc.mydomain.com.
    4. Viewing-logs-on-Kibana.

    For Splunk 

     

    1. Add the Splunk plugin in Fluentbit configmap.

       Kubectl edit cm fluent-bit -n <namespace> 
    2. Remove the output plugins other than Splunk from the Fluentbit configmap.

    3. Update the parameters:

      [OUTPUT]\n Name splunk\n Match kube.*\n Host <SPLUNK_HOST>\n Port <SPLUNK_PORT>\n Splunk_Token <SPLUNK_TOKEN>\n TLS On\n TLS.Verify Off\n

      Splunk host is the service name of Splunk and the namespace.
      <svc name>.<Splunk deployed namespace>Example: splunk-enterprise.splunk.svc.cluster.local

      [OUTPUT]
             Name splunk
             Match kube.*
             Host splunk-enterprise.splunk.svc.cluster.local
             Port <port>
             Splunk_Token <token>
             TLS On
             TLS.verify Off

    4. Restart the Fluentbit pods.
    5. Go to Splunk to see the streaming logs.

 

 

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*