Deploy
Deploy the Reporter app to Kubernetes via Helm.
The chart deploys the Reporter as a DaemonSet alongside your log forwarder — not a sidecar injected into it. The Reporter reads the same pre-SIEM event stream the forwarder sees and is not in the critical log path. Similar deployment pattern to datadog-agent or splunk-otel-collector. (For the execution arm — Filter or Compact mode sidecar alongside the forwarder — see the Regulator deploy guide.)
Step 1: Prerequisites
| Requirement | Description |
|---|---|
| Log10x License | Your license key (get one) |
| Helm | Helm CLI installed |
| kubectl | Configured to access your cluster |
| GitHub Token | Personal access token for config repo (create one) |
| Output Destination | Elasticsearch, Splunk, or other log backend configured |
Step 2: Add Helm Repository
For Kubernetes, use the Fluent Bit tab — Splunk Connect for Kubernetes is Fluent Bit-based. For VM infrastructure, see the Splunk UF reporter guide.
For Kubernetes, use the Fluent Bit or OTel Collector tab. For VM infrastructure, see the Datadog Agent reporter guide.
View all chart values:
Step 3: Configure Deployment Settings
Create a new file called my-reporter.yaml in your working directory. This Helm values file will be used in all subsequent steps.
All 10x values are nested under the tenx block. Charts retain all original values from official Fluentd, Fluent Bit, and Filebeat charts.
Step 4: Load Configuration
Load the 10x Engine config folder into the cluster using one of the methods below.
If you skip this step, the default configuration bundled with the Log10x image is used.
An init container clones your configuration repository before each pod starts. Works with GitHub, GitLab, Bitbucket, or any HTTPS-accessible Git provider.
- Fork the Config Repository
- Create a branch for your configuration changes
- Edit the app configuration to match your metric output
Add to your Helm values:
```yaml
tenx:
  config:
    git:
      enabled: true
      url: "https://github.com/YOUR-ACCOUNT/config.git"
      branch: "my-reporter-config" # Optional

  # symbols: # Uncomment if using symbol library
  #   git:
  #     enabled: true
  #     url: "https://github.com/YOUR-ACCOUNT/symbols.git"

  gitToken: "YOUR-GIT-TOKEN"
```
For production, store the token in a Kubernetes Secret rather than in the values file.
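A pre-deploy check for the advice above, as an added example that is not part of the Log10x documentation: it scans a values file for the credential keys used on this page (`apiKey`, `gitToken`, `token`, `Splunk_Token`, `hec_token`, `password`, `Authorization`) and reports any that hold a literal instead of a `${VAR}` reference. The function names, the sample file, and the rule that a `${VAR}` value is acceptable are assumptions.

```shell
#!/usr/bin/env bash
# Added example: flag credentials written as literals in a Helm values file
# before it is committed or passed to helm. Key names are the ones used in
# the samples on this page; accepting ${VAR} values is an assumption.

scan_values() {
  # Prints "LINE:KEY" per finding (never the value, so CI logs stay clean)
  # and returns 1 when at least one inline credential is found.
  awk -v q="'" '
    /^[ \t]*#/ { next }                       # ignore commented-out lines
    {
      low = tolower($0)
      # key, optional closing quote, then ":" / "=>" / plain-space separator
      if (!match(low, /(apikey|[a-z_]*token|password|authorization)"?[ \t]*(:|=>)?[ \t]+/)) next
      key = substr($0, RSTART, RLENGTH); gsub(/[^A-Za-z_]/, "", key)
      val = substr($0, RSTART + RLENGTH)
      bare = val; gsub("[\" \t" q "]", "", bare)
      if (bare == "" || index(val, "${") > 0) next   # empty or env reference
      print NR ":" key; found++
    }
    END { exit (found > 0) }
  ' "$1"
}

write_sample() {   # constructed sample values file, not a real deployment
  cat > "$1" <<'EOF'
tenx:
  apiKey: "constructed-license-key"
  gitToken: "constructed-git-token"
daemonset:
  filebeatConfig:
    filebeat.yml: |
      output.elasticsearch:
        username: '${ELASTICSEARCH_USERNAME}'
        password: '${ELASTICSEARCH_PASSWORD}'
config:
  outputs: |
    [OUTPUT]
        Name          splunk
        Splunk_Token  constructed-hec-token
  # hec_token commented-out
EOF
}

sample=$(mktemp)
write_sample "$sample"
scan_values "$sample" || echo "inline credentials found; reference a Secret instead"
rm -f "$sample"
```

Run it against `my-reporter.yaml` in CI and fail the job on a non-zero exit status.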
Mount an existing PersistentVolumeClaim that contains your configuration directory. This approach works in air-gapped environments and requires no external network access.
- Create a PVC containing your configuration files (cloned from the Config Repository)
- Reference it in your Helm values:
Step 5: Configure Secrets
Store sensitive credentials in Kubernetes Secrets. Only add secrets for metric outputs you've configured.
Create the secret:
```bash
kubectl create secret generic reporter-credentials \
  --from-literal=elasticsearch-username=elastic \
  --from-literal=elasticsearch-password=YOUR_ES_PASSWORD \
  --from-literal=datadog-api-key=YOUR_DATADOG_API_KEY
```
Note: Only include credentials for outputs you've configured.
Add secret references to your my-reporter.yaml:
```yaml
daemonset:
  extraEnvs:
    # For Elasticsearch output
    - name: ELASTICSEARCH_USERNAME
      valueFrom:
        secretKeyRef:
          name: reporter-credentials
          key: elasticsearch-username
    - name: ELASTICSEARCH_PASSWORD
      valueFrom:
        secretKeyRef:
          name: reporter-credentials
          key: elasticsearch-password

    # For Datadog metrics (optional)
    # - name: DD_API_KEY
    #   valueFrom:
    #     secretKeyRef:
    #       name: reporter-credentials
    #       key: datadog-api-key
```
Step 6: Forwarder
Configure which events are sent to the 10x reporter and define output destinations.
Add forwarder configuration to your my-reporter.yaml:
Configure your output destination. The chart automatically routes events through the reporter.
Note: The Log10x chart automatically configures event routing through the reporter.
```yaml
daemonset:
  filebeatConfig:
    filebeat.yml: |
      filebeat.inputs:
        - type: filestream
          id: tenx_internal
          paths:
            - /var/log/tenx/*.log
          fields:
            log_type: tenx_internal
        - type: container
          paths:
            - /var/log/containers/*.log
          processors:
            - add_kubernetes_metadata:
                host: ${NODE_NAME}
                matchers:
                  - logs_path:
                      logs_path: "/var/log/containers/"

      output.elasticsearch:
        hosts: '["https://elasticsearch-master:9200"]'
        username: '${ELASTICSEARCH_USERNAME}'
        password: '${ELASTICSEARCH_PASSWORD}'
        indices:
          - index: "tenx_internal"
            when.equals:
              fields.log_type: "tenx_internal"
          - index: "logs-%{+yyyy.MM.dd}"
```
The Log10x Reporter receives logs via Unix socket. Configure OTel Collector to send logs to the Reporter and continue emitting to its own output.
```yaml
mode: "daemonset"

config:
  receivers:
    filelog:
      include: [/var/log/pods/*/*/*.log]
      operators:
        - type: container
          id: container-parser

  exporters:
    elasticsearch:
      endpoints: ["https://elasticsearch-master:9200"]
      logs_index: logs

  service:
    pipelines:
      logs:
        receivers: [filelog]
        processors: [memory_limiter, batch]
        exporters: [elasticsearch]
```
Note: The Log10x chart automatically configures Reporter IPC. The above shows your standard OTel Collector config for log collection and output.
Configure Logstash pipeline for log collection and output.
```yaml
logstashPipeline:
  logstash.conf: |
    input {
      beats {
        port => 5044
      }
    }
    output {
      elasticsearch {
        hosts => ["elasticsearch-master:9200"]
        index => "logs-%{+YYYY.MM.dd}"
      }
    }
```
Note: The Log10x chart automatically configures Reporter IPC. Configure your standard Logstash input/output above.
Step 7: Deploy
Create your namespace (if needed) and deploy:
Step 8: Verify
Verify the install in three phases: pods Ready → 10x processor alive → events flowing end-to-end. A probe passes when its commands exit 0 and match the expected output.
Phase A — pods Ready
The selector depends on the forwarder chart family. log10x-fluent/* and log10x-otel/* charts use the k8s-recommended label set; log10x-elastic/* charts use legacy Helm labels.
Phase B — 10x processor alive
Look for pattern/metric lines in the forwarder container (10x runs inside the forwarder image for all log10x-repackaged charts — there's no separate tenx sidecar).
Phase C — events flowing to destination
For mock output (development/smoke-test — writes to forwarder stdout with a TENX-MOCK prefix):
For a real destination, check the Reporter Dashboard (see below) and the destination's own UI (Elasticsearch index, Splunk sourcetype, Datadog logs view).
View results in the dashboard:
Once running, view your cost analytics in the Reporter Dashboard.
Step 9: Teardown
Uninstall the Helm release:
Clean up derived resources:
Helm does not reap PVCs or Secrets created outside the release. Use the chart family's label convention:
Verify nothing remains:
Delete the namespace (optional):
Quickstart Full Sample
```yaml
tenx:
  enabled: true
  apiKey: "YOUR-LICENSE-KEY-HERE"
  kind: "report"
  runtimeName: "my-fluentd-reporter"
  github:
    config:
      enabled: true
      token: "YOUR-GITHUB-TOKEN"
      repo: "YOUR-ACCOUNT/REPO-NAME"

outputConfigs:
  06_final_output.conf: |-
    <label @FINAL-OUTPUT>
      <match **>
        @type elasticsearch
        host "elasticsearch-master"
        port 9200
      </match>
    </label>
```
```yaml
tenx:
  enabled: true
  apiKey: "YOUR-LICENSE-KEY-HERE"
  kind: "report"
  runtimeName: "my-filebeat-reporter"
  github:
    config:
      enabled: true
      token: "YOUR-GITHUB-TOKEN"
      repo: "YOUR-ACCOUNT/REPO-NAME"

daemonset:
  filebeatConfig:
    filebeat.yml: |
      filebeat.inputs:
        - type: filestream
          id: tenx_internal
          paths:
            - /var/log/tenx/*.log
          fields:
            log_type: tenx_internal
        - type: container
          paths:
            - /var/log/containers/*.log
          processors:
            - add_kubernetes_metadata:
                host: ${NODE_NAME}
                matchers:
                  - logs_path:
                      logs_path: "/var/log/containers/"

      output.elasticsearch:
        hosts: '["https://elasticsearch-master:9200"]'
        indices:
          - index: "tenx_internal"
            when.equals:
              fields.log_type: "tenx_internal"
          - index: "logs-%{+yyyy.MM.dd}"
```
```yaml
mode: "daemonset"

tenx:
  enabled: true
  apiKey: "YOUR-LICENSE-KEY-HERE"
  kind: "report"
  runtimeName: "my-otel-reporter"
  github:
    config:
      enabled: true
      token: "YOUR-GITHUB-TOKEN"
      repo: "YOUR-ACCOUNT/REPO-NAME"

config:
  exporters:
    elasticsearch:
      endpoints: ["https://elasticsearch-master:9200"]
      logs_index: logs

  service:
    pipelines:
      logs:
        receivers: [filelog]
        processors: [memory_limiter, batch]
        exporters: [elasticsearch]
```
```yaml
tenx:
  enabled: true
  apiKey: "YOUR-LICENSE-KEY-HERE"
  kind: "report"
  runtimeName: "my-logstash-reporter"
  github:
    config:
      enabled: true
      token: "YOUR-GITHUB-TOKEN"
      repo: "YOUR-ACCOUNT/REPO-NAME"

# Logstash pipeline for final destination
logstashPipeline:
  output.conf: |
    output {
      elasticsearch {
        hosts => ["elasticsearch-master:9200"]
        index => "logs"
      }
    }
```
Splunk HEC Output Examples
To send events to Splunk instead of Elasticsearch, use Splunk HEC (HTTP Event Collector) output.
```yaml
tenx:
  enabled: true
  apiKey: "YOUR-LICENSE-KEY-HERE"
  kind: "report"
  runtimeName: "my-fluentbit-reporter"
  github:
    config:
      enabled: true
      token: "YOUR-GITHUB-TOKEN"
      repo: "YOUR-ACCOUNT/REPO-NAME"

config:
  outputs: |
    [OUTPUT]
        Name         splunk
        Match        *
        Host         splunk-hec.example.com
        Port         8088
        TLS          On
        Splunk_Token YOUR-SPLUNK-HEC-TOKEN
```
```yaml
tenx:
  enabled: true
  apiKey: "YOUR-LICENSE-KEY-HERE"
  kind: "report"
  runtimeName: "my-fluentd-reporter"
  github:
    config:
      enabled: true
      token: "YOUR-GITHUB-TOKEN"
      repo: "YOUR-ACCOUNT/REPO-NAME"

fileConfigs:
  output.conf: |
    <match **>
      @type splunk_hec
      hec_host splunk-hec.example.com
      hec_port 8088
      hec_token YOUR-SPLUNK-HEC-TOKEN
      use_ssl true
    </match>
```
```yaml
tenx:
  enabled: true
  apiKey: "YOUR-LICENSE-KEY-HERE"
  kind: "report"
  runtimeName: "my-filebeat-reporter"
  github:
    config:
      enabled: true
      token: "YOUR-GITHUB-TOKEN"
      repo: "YOUR-ACCOUNT/REPO-NAME"

daemonset:
  filebeatConfig:
    filebeat.yml: |
      filebeat.autodiscover:
        providers:
          - type: kubernetes
            hints.enabled: true

      output.elasticsearch:
        enabled: false
      output.logstash:
        enabled: false
      # Filebeat doesn't have native Splunk HEC output
      # Use Logstash as intermediary or output to file/kafka
```
Note: Filebeat doesn't have native Splunk HEC support. Consider using Logstash as an intermediary, or use the Kafka output with Splunk Connect for Kafka.
```yaml
tenx:
  enabled: true
  apiKey: "YOUR-LICENSE-KEY-HERE"
  kind: "report"
  runtimeName: "my-otel-reporter"
  github:
    config:
      enabled: true
      token: "YOUR-GITHUB-TOKEN"
      repo: "YOUR-ACCOUNT/REPO-NAME"

config:
  exporters:
    splunk_hec:
      token: "YOUR-SPLUNK-HEC-TOKEN"
      endpoint: "https://splunk-hec.example.com:8088/services/collector"
      source: "otel"
      sourcetype: "otel"

  service:
    pipelines:
      logs:
        receivers: [filelog]
        processors: [memory_limiter, batch]
        exporters: [splunk_hec]
```
```yaml
tenx:
  enabled: true
  apiKey: "YOUR-LICENSE-KEY-HERE"
  kind: "report"
  runtimeName: "my-logstash-reporter"
  github:
    config:
      enabled: true
      token: "YOUR-GITHUB-TOKEN"
      repo: "YOUR-ACCOUNT/REPO-NAME"

logstashPipeline:
  output.conf: |
    output {
      http {
        url => "https://splunk-hec.example.com:8088/services/collector"
        http_method => "post"
        format => "json"
        headers => {
          "Authorization" => "Splunk YOUR-SPLUNK-HEC-TOKEN"
        }
      }
    }
```