Installation
With our solution for QRadar, you can start forwarding logs from your clusters in under 10 minutes, including metadata-enriched container logs, host logs, and audit logs. You can request an evaluation license that is valid for 30 days.
Install Collector for Kubernetes / OpenShift
Installation
Use the latest Kubernetes configuration file collectorforkubernetes-syslog.yaml, or the OpenShift-specific configuration file collectorforopenshift-syslog.yaml. This configuration deploys multiple workloads under the collectorforkubernetes-syslog (collectorforopenshift-syslog) namespace.
Open it in your favorite editor, specify the syslog server, review and accept the license agreement, and include the license key (request an evaluation license key with this automated form).
[general]
acceptLicense = false
license =
fields.cluster = -
...
# Syslog output
[output.syslog]
address =
For example:
[general]
acceptLicense = true
license = ...
fields.cluster = development
...
# Syslog output
[output.syslog]
address = 192.168.1.100:514
If you are planning to deploy Collectord on a cluster that has been running for a while and has a lot of logs stored on disk, Collectord will forward all of those logs, which can disturb your cluster. Under [general] you can set the values thruputPerSecond and tooOldEvents to limit the amount of logs forwarded per second and to tell Collectord which old events to skip.
Apply this change to your Kubernetes cluster with kubectl:
$ kubectl apply -f ./collectorforkubernetes-syslog.yaml
Or to an OpenShift cluster with:
$ oc apply -f ./collectorforopenshift-syslog.yaml
On OpenShift, additionally grant the privileged SCC to the collectorforopenshift-syslog service account:
$ oc adm policy add-scc-to-user privileged system:serviceaccount:collectorforopenshift-syslog:collectorforopenshift-syslog
Verify the workloads:
$ kubectl get all --namespace collectorforkubernetes-syslog
Or with OpenShift:
$ oc get all --namespace collectorforopenshift-syslog
Give it a few moments to download the image and start the containers. After all the pods are deployed, go to QRadar and you should see the data.
By default, Collectord forwards container logs, host logs (including syslog) and audit logs (if enabled).
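A pre-flight check for the edited manifest, added here as an example that is not part of Collectord or its distribution. It greps the embedded INI settings shown above (acceptLicense, license, the [output.syslog] address, and thruputPerSecond) before anything is applied, so a manifest with the license still unaccepted, an empty key, or a malformed syslog destination is caught before kubectl apply rather than after the pods start. The function name, the sample manifests and the requirement that thruputPerSecond be present are assumptions; the format of the thruputPerSecond value is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not Collectord's own tooling): pre-flight check of the
# manifest's embedded INI settings before applying it to the cluster.

# check_collectord_config FILE
# Returns 0 when the manifest looks ready to apply, 1 otherwise, printing
# one line per problem found. The regexes tolerate the indentation the INI
# lines have when embedded in a YAML ConfigMap.
check_collectord_config() {
    file="$1"
    status=0
    if ! grep -Eq '^[[:space:]]*acceptLicense[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$file"; then
        echo "acceptLicense is not set to true"; status=1
    fi
    if ! grep -Eq '^[[:space:]]*license[[:space:]]*=[[:space:]]*[^[:space:]]+' "$file"; then
        echo "license key is empty"; status=1
    fi
    # Syslog destination must be host:port, otherwise nothing reaches QRadar.
    if ! grep -Eq '^[[:space:]]*address[[:space:]]*=[[:space:]]*[A-Za-z0-9.-]+:[0-9]{1,5}[[:space:]]*$' "$file"; then
        echo "[output.syslog] address is missing or not host:port"; status=1
    fi
    # Assumption: we insist on a rate limit so an existing backlog of logs
    # cannot be forwarded at full speed and disturb the cluster.
    if ! grep -Eq '^[[:space:]]*thruputPerSecond[[:space:]]*=[[:space:]]*[^[:space:]]+' "$file"; then
        echo "thruputPerSecond is not set; backlog would be forwarded unthrottled"; status=1
    fi
    return $status
}

# Constructed sample: a manifest fragment that should pass.
write_good_sample() {
    cat >"$1" <<'EOF'
[general]
acceptLicense = true
license = EXAMPLE-LICENSE-KEY-PLACEHOLDER
fields.cluster = development
thruputPerSecond = 1Mb
# Syslog output
[output.syslog]
address = 192.168.1.100:514
EOF
}

# Constructed sample: the untouched defaults, which should fail.
write_default_sample() {
    cat >"$1" <<'EOF'
[general]
acceptLicense = false
license =
fields.cluster = -
# Syslog output
[output.syslog]
address =
EOF
}

# Stand-alone run: check both samples and report.
if [ "${COLLECTORD_CHECK_DEMO:-1}" = "1" ] && [ -z "$COLLECTORD_CHECK_NO_DEMO" ]; then
    good=$(mktemp); bad=$(mktemp)
    write_good_sample "$good"; write_default_sample "$bad"
    echo "edited manifest:"; check_collectord_config "$good" && echo "  ok"
    echo "default manifest:"; check_collectord_config "$bad" || echo "  not ready"
    rm -f "$good" "$bad"
fi
```

Run it against the real file with `check_collectord_config ./collectorforkubernetes-syslog.yaml && kubectl apply -f ./collectorforkubernetes-syslog.yaml` so the apply only happens when the check passes; the same pattern works with `oc apply` for the OpenShift manifest.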
Links
- Installation: forwarding container logs, application logs, host logs and audit logs; test our solution with the embedded 30-day evaluation license.
- Collector Configuration (Kubernetes): collector configuration reference for Kubernetes clusters.
- Collector Configuration (OpenShift): collector configuration reference for OpenShift clusters.
- Annotations: changing the type and format of messages forwarded from namespaces, workloads and pods; forwarding application logs; multi-line container logs; field extraction for application and container logs (including timestamp extraction); hiding sensitive data, stripping terminal escape codes and colors.
- Audit Logs: configuring audit logs; forwarding audit logs.
- Troubleshooting
- FAQ and common questions
- License agreement
- Pricing
- Contact