Integrate Splunk as logdrain

[adborden]

User Story

As a Data.gov operator, I want all platform and application logs to stream to Splunk so that I can easily search across all events of the Data.gov platform without having to maintain our own loggin infrastructure.

Details

BSP has Splunk available

Acceptance Criteria

• [ ] Application logs drain to Splunk
• [ ] Host logs drain to splunk
  • nginx/apache2
  • syslog
  • auth

[adborden]

BSP has said they would be able to provide this but have not been able to deliver. They sent instructions for RHEL, but have yet to respond on if they can provide Ubuntu instructions or a .deb package.

[adborden]

From BSP:

Use Splunk Forwarder v 7.3.4 to be in line with the rest of Splunk. He can get the UF from: https://www.splunk.com/page/previous_releases/universalforwarder.

After installing the UF on the host, he will need to make sure to connect the UF to Splunk Deployment Server by running this command:

/opt/splunkforwarder/bin/splunk set deploy-poll \<splunk-endpoint>

Afterwards, if there are specific host logs that he is wanting to send into Splunk he will need to provide the local paths for those logs and I will push out a config package to his UFs.

Hope this provides some help so there can be some traction.

[adborden]

Moving to New for us to re-triage. Is this something we want to take on now? Worth a spike?

[nickumia-reisys]

• https://github.com/GSA/data.gov/issues/3710
• https://github.com/GSA/data.gov/issues/3062