Introduction
Forwarding logs from Terraform Enterprise to Splunk enables robust monitoring, analysis, and alerting for your environment. This integration allows you to gain deep insights into your Terraform runs, track system performance, and proactively identify issues using Splunk's powerful search and visualization capabilities.
This guide provides the steps to configure a Terraform Enterprise instance using Flexible Deployment Options (FDO) to send its logs to Splunk.
Expected Outcome
- Terraform Enterprise logs are successfully forwarded to your Splunk instance.
- You can monitor and analyze Terraform Enterprise logs in real-time within Splunk.
Prerequisites
- An active Terraform Enterprise instance deployed using Flexible Deployment Options (FDO) with Docker.
- A Splunk account with an index created to receive the logs.
- Access to the Terraform Enterprise host machine.
Use Case
The goal is to send Terraform Enterprise logs to Splunk for centralized monitoring, enhanced analysis, and long-term retention.
Procedure
- Create the Splunk configuration file.
  Log in to the Terraform Enterprise host machine and create a configuration file named splunk.conf. The [FILTER] section is optional but recommended, as it tags messages with a hostname for easier filtering in Splunk.
  Replace the placeholder values for hostname, Host, and Splunk_Token with your specific details.

      ## splunk.conf
      [FILTER]
          Name     modify
          Match    *
          Add      hostname <NAME_OF_HOST>

      [OUTPUT]
          Name          splunk
          Match         *
          Host          your-splunk-instance.splunkcloud.com
          Port          8088
          Splunk_Token  YOUR_SPLUNK_TOKEN
          tls           On
          tls.verify    Off
          event_host    hostname

- Update the compose.yaml file.
  Modify your existing compose.yaml file to enable log forwarding and mount the splunk.conf file into the container. Add the following environment variables and volume mount configuration.
  - TFE_LOG_FORWARDING_CONFIG_PATH: The path inside the container where Terraform Enterprise will look for the configuration file.
  - source: The path on the host machine where you saved splunk.conf.
  - target: The path inside the container where the file will be mounted. This must match the value of TFE_LOG_FORWARDING_CONFIG_PATH.

      ## compose.yaml
      services:
        tfe:
          image: TFE_IMAGE
          # ... other configurations
          environment:
            # ... other environment variables
            TFE_LOG_FORWARDING_ENABLED: "true"
            TFE_LOG_FORWARDING_CONFIG_PATH: /var/tmp/splunk_config/splunk.conf
            TFE_METRICS_ENABLE: "true"
            TFE_METRICS_HTTP_PORT: "9090"
            TFE_METRICS_HTTPS_PORT: "9091"
          volumes:
            # ... other volumes
            - type: bind
              source: /path/on/host/to/splunk.conf
              target: /var/tmp/splunk_config/splunk.conf

- Restart Terraform Enterprise and verify the configuration.
  Apply the changes by restarting your Terraform Enterprise instance. After it initializes, connect to the container and run the following command to confirm that the log forwarding settings were loaded correctly.

      $ tfectl app config | grep "log_forwarding" -A4

  The output should display your Splunk configuration details.

      ## Output
      "log_forwarding": {
        "ConfigData": "[FILTER]\n Name modify\n Match *\n Add hostname <NAME_OF_HOST>\n\n[OUTPUT]\n Name splunk\n Match *\n Host your-splunk-instance.splunkcloud.com\n Port 8088\n Splunk_Token YOUR_SPLUNK_TOKEN\n tls On\n tls.verify Off\n event_host hostname\n",
        "config_path": "/var/tmp/splunk_config/splunk.conf",
        "enabled": true
      },

- Confirm logs in Splunk.
  Navigate to your Splunk instance and verify that logs from Terraform Enterprise are appearing in the designated index.
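
A pre-deployment check for the splunk.conf from step 1, added here as an example (it is not part of the original guide or of HashiCorp's tooling): it parses the Fluent Bit classic-format file and flags a splunk output that sends in cleartext, skips server certificate verification (as `tls.verify Off` in the sample does, so the token and logs could be delivered to an endpoint that is not your Splunk instance), or still carries the placeholder token. The function names and the `YOUR_` placeholder convention are assumptions; the embedded sample is the guide's file, reproduced as constructed input.

```python
import re
# Constructed sample: the splunk.conf from step 1, unchanged.
SAMPLE_CONF = """\
[FILTER]
    Name     modify
    Match    *
    Add      hostname <NAME_OF_HOST>
[OUTPUT]
    Name          splunk
    Match         *
    Host          your-splunk-instance.splunkcloud.com
    Port          8088
    Splunk_Token  YOUR_SPLUNK_TOKEN
    tls           On
    tls.verify    Off
    event_host    hostname
"""

def parse_sections(text):
    """Parse Fluent Bit classic-mode config into [(SECTION, {key: value})]."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            sections.append((header.group(1).upper(), {}))
        elif sections and len(line.split(None, 1)) == 2:
            key, value = line.split(None, 1)
            sections[-1][1][key.lower()] = value  # keys are case-insensitive
    return sections

def audit(text):
    """Return findings for every [OUTPUT] section that uses the splunk plugin."""
    findings = []
    for name, kv in parse_sections(text):
        if name != "OUTPUT" or kv.get("name", "").lower() != "splunk":
            continue
        # Fluent Bit defaults: tls Off, tls.verify On.
        if kv.get("tls", "off").lower() not in ("on", "true"):
            findings.append("tls is not On: token and logs are sent in cleartext")
        if kv.get("tls.verify", "on").lower() in ("off", "false"):
            findings.append("tls.verify is Off: HEC server certificate is not validated")
        if kv.get("splunk_token", "YOUR_").startswith("YOUR_"):
            findings.append("Splunk_Token is missing or still a placeholder")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```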
Additional Information
- For more details on logging configurations, refer to the Supported External Log Destinations documentation.