Preparing to collect logs from external log sources
You can integrate BMC Helix Service Management with the external logging system Splunk to collect logs from the pods running in the BMC Helix Innovation Suite namespace.
Before you begin
- Make sure that BMC Helix Platform Common Services 25.1.00 is installed.
Do not use an older version of the BMC Helix Platform Common Services library. Versions earlier than 25.1.00 do not support Splunk integration. Make sure that you install Splunk in a separate namespace within your cluster, where you have also installed the BMC Helix Innovation Suite, BMC Helix Platform Common Services, and BMC Helix Logging.
- Download the bmc-helix-logging-25.1.00-45.tar file from EPD by using the BMC Helix Platform CommonServices Logging Bundle option.
See Downloading the installation files.
To prepare to collect logs
- Extract the bmc-helix-logging-25.1.00-45.tar file to the helix-on-prem-deployment-manager/utilities folder in the working directory.
Make sure that you extract the file in the BMC Helix Platform Common Services 25.1.00 working directory.
- Perform the following prerequisites that are relevant to your deployment.
Deployment
Procedure
Kubernetes
- Use the default namespace or create a namespace in Kubernetes:
Example: bmc-helix-logging.
- Navigate to helix-on-prem-deployment-manager/utilities/bmc-helix-logging/efk/fluent-bit/ and replace the namespace in efk-fluent-bit-clusterrole.yaml with the namespace that you created in step a.
- Run the following command:
kubectl apply -f efk-fluent-bit-clusterrole.yaml
Use the cluster admin permission and apply the privileged policy to the new namespace.
kubectl label namespace <namespace-name> pod-security.kubernetes.io/enforce=privileged
kubectl label namespace <namespace-name> pod-security.kubernetes.io/enforce-version=latest
kubectl label namespace <namespace-name> pod-security.kubernetes.io/audit=privileged
kubectl label namespace <namespace-name> pod-security.kubernetes.io/audit-version=latest
kubectl label namespace <namespace-name> pod-security.kubernetes.io/warn=privileged
kubectl label namespace <namespace-name> pod-security.kubernetes.io/warn-version=latest
- To use a different namespace, go to bmc-helix-logging.config and set the variable BMC_HELIX_LOGGING_NAMESPACE to a new namespace.
OpenShift
- Use the default namespace or create a namespace in OpenShift:
Example: bmc-helix-logging.
- Make sure that you have the cluster administrator permissions.
- Navigate to helix-on-prem-deployment-manager/utilities/bmc-helix-logging/efk/fluent-bit/ and run the following commands:
- To replace the efk-fluent-bit-scc.yaml namespace, run the oc apply -f efk-fluent-bit-scc.yaml command.
- To replace the efk-fluent-bit-clusterrole.yaml namespace, run the oc apply -f efk-fluent-bit-clusterrole.yaml command.
- To add adm policy scc to the service account in the namespace, run the oc adm policy add-scc-to-user efk-fluent-bit -z efk-fluent-bit -n <namespace> command.
- Add bmc-helix-logging UID in bmc-helix-logging.config. Example:
- LOGGING_RUN_AS_USER=1000750000
- LOGGING_RUN_AS_GROUP=1000750000
- LOGGING_FS_GROUP=1000750000
- In the bmc-helix-logging-deployer.sh script, comment out the following line of code:
installHelmChartArchivelogging ${ESLOG_INSTANCE} ${ESLOG_CHART} ${updateFileName}
- Run the bmc-helix-logging-deployer.sh script by using the following command:
./bmc-helix-logging-deployer.sh
- Add Splunk details in the Fluentbit configmap.
- Add the Splunk plugin in Fluentbit configmap by using the following command:
kubectl edit cm fluent-bit -n <BMC Helix Logging namespace>
- Remove the output plugins other than Splunk from the Fluentbit configmap.
- Update the Name, Match, Host, Port, Splunk_Token, and TLS parameters.
[OUTPUT]\n Name splunk\n Match kube.*\n Host <SPLUNK_HOST>\n Port <SPLUNK_PORT>\n Splunk_Token <SPLUNK_TOKEN>\n TLS On\n TLS.Verify Off\n
Splunk host is the service name of Splunk and the namespace.
<svc name>.<Namespace where you have installed Splunk>
Example: splunk-enterprise.splunk.svc.cluster.local
[OUTPUT]
Name splunk
Match kube.*
Host splunk-enterprise.splunk.svc.cluster.local
Port <port>
Splunk_Token <token>
TLS On
TLS.verify Off
You may contact your Splunk administrator for the Host, Port, and Splunk_Token parameter values. Use the default values for the other parameters.
- Restart the Fluentbit pods.
- During BMC Helix Service Management installation, make sure that you specify the values for Splunk configuration parameters.
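A check for the edited [OUTPUT] sections described in the steps above, as an added example that is not part of the BMC documentation or tooling. It reports non-Splunk outputs that were not removed, missing or unfilled parameters, and TLS settings that leave the Splunk connection unencrypted or unverified; the function names and the sample text (including the dummy token and the leftover es output) are constructed for illustration.

```python
import re

REQUIRED = ("name", "match", "host", "port", "splunk_token", "tls")

# Constructed sample: a leftover non-Splunk output plus a Splunk output in the
# escaped one-line form, with one placeholder still unfilled. Token is a dummy.
SAMPLE = r"""[OUTPUT]
    Name es
    Match kube.*
    Host elasticsearch
[OUTPUT]\n Name splunk\n Match kube.*\n Host splunk-enterprise.splunk.svc.cluster.local\n Port <SPLUNK_PORT>\n Splunk_Token 00000000-0000-0000-0000-000000000000\n TLS On\n TLS.Verify Off\n
"""

def parse_outputs(text):
    """Return one dict per [OUTPUT] section, with lower-cased keys."""
    sections, current = [], None
    for raw in text.replace("\\n", "\n").splitlines():  # accept escaped form too
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            current = {} if line.upper() == "[OUTPUT]" else None
            if current is not None:
                sections.append(current)
        elif current is not None:
            parts = line.split(None, 1)  # key, then value after any whitespace
            current[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return sections

def lint_outputs(text):
    """Return findings for the Splunk output settings this procedure edits."""
    outputs = parse_outputs(text)
    findings = [] if outputs else ["no [OUTPUT] section found"]
    for out in outputs:
        name = out.get("name", "")
        if name.lower() != "splunk":
            findings.append(f"output plugin '{name}' is still present")
            continue
        for key in REQUIRED:
            value = out.get(key, "")
            if not value:
                findings.append(f"missing parameter: {key}")
            elif re.fullmatch(r"<[^>]*>", value):
                findings.append(f"placeholder left in {key}: {value}")
        if out.get("tls", "on").lower() in ("off", "false"):
            findings.append("TLS Off: token and logs are sent unencrypted")
        if out.get("tls.verify", "on").lower() in ("off", "false"):
            findings.append("TLS.Verify Off: Splunk certificate is not validated")
    return findings
```

Run `lint_outputs` on the [OUTPUT] text copied from the configmap before you restart the Fluentbit pods; an empty list means none of these conditions were found.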
Where to go from here