With the MO of “get everything into Splunk or else”, I ran into some OCP/k8s challenges aggregating all logs to get them into Splunk. Nothing native in OCP.
So, digging around, various options for aggregation that include container logs:
k8 logging — https://kubernetes.io/docs/user-guide/logging/overview/
OCP-EFK — https://docs.openshift.com/container-platform/3.4/install_config/aggregate_logging.html
Nice OCP Logging Overview – http://playbooks-rhtconsulting.rhcloud.com/playbooks/installation/logging.html
Having a Splunk agent on the nodes is great, but it doesn’t capture the container logs. So leverage the EFK stack, specifically the component that does the aggregation: fluentd.
Use the fluentd secure_forward plugin (SFP) to forward the EFK logs to an external fluentd instance that runs the fluentd file output plugin; the files it writes are then picked up by the Splunk forwarding agent. secure_forward authenticates the sender with a shared key and can wrap the transport in TLS (`secure yes`); the shared key alone does not encrypt anything, so use both, since container logs routinely carry tokens and connection strings.
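As an added example (not from the original post, and not an OpenShift-shipped config), here is the three-piece configuration this pipeline needs: a secure_forward output on the OCP/EFK fluentd, a secure_forward input plus file output on the external fluentd relay, and a Splunk universal forwarder monitor stanza on the relay host. Hostnames, the shared key, certificate paths, the spool directory and the Splunk index name are placeholders chosen for this note; where the sender block is mounted into the OpenShift logging fluentd is deployment-specific and not shown.

```conf
# file 1: fluent.conf on the OCP/EFK fluentd (sender)
# Assumed: fluent-plugin-secure-forward is installed on both ends; hostnames,
# key and cert paths are placeholders for this example.
<match **>
  @type secure_forward
  self_hostname ocp-node.example.internal
  shared_key CHANGE_ME_shared_key      # must match the relay; authenticates the sender only
  secure yes                           # TLS on the wire; shared_key alone is plaintext
  ca_cert_path /etc/fluent/ca_cert.pem # CA that issued the relay's certificate
  enable_strict_verification yes       # verify relay cert chain and hostname, not just presence
  <server>
    host fluentd-relay.example.internal
    port 24284
  </server>
  buffer_type file                     # survive a relay outage without dropping events
  buffer_path /var/lib/fluentd/buffer/secure_forward
  flush_interval 5s
</match>

# file 2: fluent.conf on the external fluentd (relay)
<source>
  @type secure_forward
  self_hostname fluentd-relay.example.internal
  shared_key CHANGE_ME_shared_key
  secure yes
  cert_path /etc/fluent/relay_cert.pem
  private_key_path /etc/fluent/relay_key.pem
  private_key_passphrase CHANGE_ME_key_passphrase
  port 24284
</source>

<match **>
  @type file
  path /var/log/fluentd/ocp            # with append, files land as /var/log/fluentd/ocp.YYYYMMDD.log
  time_slice_format %Y%m%d
  format json                          # one JSON event per line; Splunk's _json sourcetype parses it
  append true
</match>

# file 3: inputs.conf for the Splunk universal forwarder on the relay host
[monitor:///var/log/fluentd/ocp*]
sourcetype = _json
index = ocp
disabled = 0
```

Two checks worth doing before calling this done: confirm with `openssl s_client -connect fluentd-relay.example.internal:24284` that port 24284 actually negotiates TLS (if `secure` was left at `no` on either side the handshake fails and the relay is speaking plaintext), and set the permissions on `/var/log/fluentd` so the Splunk forwarder's user can read it but it is not world-readable, because everything a pod writes to stdout, secrets included, now sits on that disk.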