Splunk is one of several well-known commercial log collection and analysis products. Even now, when it is no longer sold in Russia, that is no reason not to write instructions and how-tos for this product.
Task: collect system logs from Docker nodes into Splunk without changing the host machine configuration.
I would like to start with the official approach, which looks a bit odd when used with Docker.
What we have:
1. Pull the image
$ docker pull splunk/universalforwarder:latest
2. Start the container with the required parameters
$ docker run -d -p 9997:9997 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=<password>' splunk/universalforwarder:latest
3. Go into the container
$ docker exec -it <container-id> /bin/bash
Next, the documentation tells us to go to the location we already know.
And configure the container once it has started:
./splunk add forward-server <host name or ip address>:<listening port>
./splunk add monitor /var/log
./splunk restart
And wait. That's it?
But the surprises do not end there. If you run the container from the official image in interactive mode, you will see the following:
A bit of disappointment
$ docker run -it -p 9997:9997 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=password' splunk/universalforwarder:latest
PLAY [Run default Splunk provisioning] *******************************************************************************************************************************************************************************************************
Tuesday 09 April 2019 13:40:38 +0000 (0:00:00.096) 0:00:00.096 *********
TASK [Gathering Facts] ***********************************************************************************************************************************************************************************************************************
ok: [localhost]
Tuesday 09 April 2019 13:40:39 +0000 (0:00:01.520) 0:00:01.616 *********
TASK [Get actual hostname] *******************************************************************************************************************************************************************************************************************
changed: [localhost]
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.599) 0:00:02.215 *********
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.054) 0:00:02.270 *********
TASK [set_fact] ******************************************************************************************************************************************************************************************************************************
ok: [localhost]
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.075) 0:00:02.346 *********
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.067) 0:00:02.413 *********
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.060) 0:00:02.473 *********
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.051) 0:00:02.525 *********
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.056) 0:00:02.582 *********
Tuesday 09 April 2019 13:40:41 +0000 (0:00:00.216) 0:00:02.798 *********
included: /opt/ansible/roles/splunk_common/tasks/change_splunk_directory_owner.yml for localhost
Tuesday 09 April 2019 13:40:41 +0000 (0:00:00.087) 0:00:02.886 *********
TASK [splunk_common : Update Splunk directory owner] *****************************************************************************************************************************************************************************************
ok: [localhost]
Tuesday 09 April 2019 13:40:41 +0000 (0:00:00.324) 0:00:03.210 *********
included: /opt/ansible/roles/splunk_common/tasks/get_facts.yml for localhost
Tuesday 09 April 2019 13:40:41 +0000 (0:00:00.094) 0:00:03.305 *********
And so on...
Great. The image does not even contain the artifact. That is, every time you start it, time is spent downloading, unpacking and configuring the archive with the binaries.
What about the Docker way and all that?
No, thanks. We will take a different route. What if we perform all of these operations at the build stage? Then let's go!
So as not to keep you waiting, I will show the final picture right away:
Dockerfile
# Whatever base image you prefer
FROM centos:7

# Set variables so they do not have to be given at every start
ENV SPLUNK_HOME /splunkforwarder
ENV SPLUNK_ROLE splunk_heavy_forwarder
ENV SPLUNK_PASSWORD changeme
ENV SPLUNK_START_ARGS --accept-license

# Install packages
# wget - to download the artifacts
# expect - needed for the first start of Splunk during the build stage
# jq - used by the scripts that collect Docker statistics
RUN yum install -y epel-release \
    && yum install -y wget expect jq

# Download, unpack, delete
RUN wget -O splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.2.4&product=universalforwarder&filename=splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz&wget=true' \
    && wget -O docker-18.09.3.tgz 'https://download.docker.com/linux/static/stable/x86_64/docker-18.09.3.tgz' \
    && tar -xvf splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz \
    && tar -xvf docker-18.09.3.tgz \
    && rm -f splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz \
    && rm -f docker-18.09.3.tgz

# The shell scripts are self-explanatory, but inputs.conf, splunkclouduf.spl and first_start.sh need an explanation. I will cover them after the source code.
COPY [ "inputs.conf", "docker-stats/props.conf", "/splunkforwarder/etc/system/local/" ]
COPY [ "docker-stats/docker_events.sh", "docker-stats/docker_inspect.sh", "docker-stats/docker_stats.sh", "docker-stats/docker_top.sh", "/splunkforwarder/bin/scripts/" ]
COPY splunkclouduf.spl /splunkclouduf.spl
COPY first_start.sh /splunkforwarder/bin/

# Grant execute permissions, add a user and run the initial setup
RUN chmod +x /splunkforwarder/bin/scripts/*.sh \
    && groupadd -r splunk \
    && useradd -r -m -g splunk splunk \
    && echo "%sudo ALL=NOPASSWD:ALL" >> /etc/sudoers \
    && chown -R splunk:splunk $SPLUNK_HOME \
    && /splunkforwarder/bin/first_start.sh \
    && /splunkforwarder/bin/splunk install app /splunkclouduf.spl -auth admin:changeme \
    && /splunkforwarder/bin/splunk restart

# Copy the init scripts
COPY [ "init/entrypoint.sh", "init/checkstate.sh", "/sbin/" ]

# Optional. Some want the configs/logs available locally, some do not.
VOLUME [ "/splunkforwarder/etc", "/splunkforwarder/var" ]

HEALTHCHECK --interval=30s --timeout=30s --start-period=3m --retries=5 CMD /sbin/checkstate.sh || exit 1

ENTRYPOINT [ "/sbin/entrypoint.sh" ]
CMD [ "start-service" ]
So, here is what is inside.
first_start.sh
#!/usr/bin/expect -f
# Wait as long as the first start takes
set timeout -1
spawn /splunkforwarder/bin/splunk start --accept-license
# Answer the interactive prompts for the initial admin credentials
expect "Please enter an administrator username: "
send -- "admin\r"
expect "Please enter a new password: "
send -- "changeme\r"
expect "Please confirm new password: "
send -- "changeme\r"
expect eof
On the first start, Splunk asks for a login and password, but this data is only used to run administrative commands against that particular installation, i.e. inside the container. In our case, we only want to start the container so that everything works and the logs flow like a river. Of course, this is hardcoded, but I have not found another way.
Next, the script runs the following:
/splunkforwarder/bin/splunk install app /splunkclouduf.spl -auth admin:changeme
splunkclouduf.spl is a credentials file for the Splunk Universal Forwarder, which can be downloaded from the web interface.
Where to click to download it (in the picture)
This is a regular archive that can be unpacked. Inside are the certificates and a password for connecting to our SplunkCloud, and an outputs.conf with the list of our input instances. This file stays valid until you reinstall your Splunk installation or, if the installation is on-premise, add an input node.
Therefore, there is nothing wrong with adding it inside the container.
And the last thing is the restart. Yes, to apply the changes, you have to restart it.
In our inputs.conf we add the logs we want to send to Splunk. There is no need to add this file to the image if, for example, you distribute configuration via Puppet. The only thing is that the forwarder picks up the configs when the daemon starts; otherwise it will need a ./splunk restart.
What kind of Docker statistics scripts are these? There is an old solution on GitHub from
With the data obtained, you can build the following dashboards: (a few pictures)
The dashboard source code is at the link at the end of the article. Please note that there are 2 selection fields: 1 - index selection (searched by mask), 2 - host/container selection. Depending on the names you use, you will probably need to update the index mask.
In conclusion, I would like to draw your attention to the start() function in entrypoint.sh.
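The Dockerfile above pulls both tarballs with wget and unpacks them without any integrity check, so a tampered or truncated download would end up in the image unnoticed. As an added example (not from the original article), here is a fetch step that pins a SHA-256 digest and refuses to unpack on mismatch; the function names and the digest value are my own, and the digest in the usage comment is a placeholder to be replaced with the one published for the release you build.

```shell
# Print the SHA-256 of a file, using whichever tool the base image provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 <file> <expected-hex>: returns 0 if the digest matches, 1 otherwise.
verify_sha256() {
    actual="$(sha256_of "$1")"
    if [ "$actual" != "$2" ]; then
        echo "checksum mismatch for $1: expected $2, got $actual" >&2
        return 1
    fi
}

# fetch_verified <url> <file> <expected-hex>: download, verify, unpack, clean up.
# The archive is removed on mismatch so a later build step cannot unpack it by accident.
fetch_verified() {
    wget -O "$2" "$1" || return 1
    verify_sha256 "$2" "$3" || { rm -f "$2"; return 1; }
    tar -xf "$2" && rm -f "$2"
}

# In the Dockerfile this replaces the plain wget/tar pair, e.g. (placeholder digest):
# RUN fetch_verified "$SPLUNK_UF_URL" splunkforwarder.tgz "<sha256 of the pinned release>"
```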
entrypoint.sh
start() {
    # teardown and watch_for_failure are defined elsewhere in entrypoint.sh (not shown here)
    trap teardown EXIT
    # The index name is required: it is substituted into inputs.conf below
    if [ -z "$SPLUNK_INDEX" ]; then
        echo "'SPLUNK_INDEX' env variable is empty or not defined. Should be 'dev' or 'prd'." >&2
        exit 1
    else
        sed -e "s/@index@/$SPLUNK_INDEX/" -i "${SPLUNK_HOME}/etc/system/local/inputs.conf"
    fi
    # /etc/hostname is bind-mounted from the host, so this is the host's name, not the container id
    sed -e "s/@hostname@/$(cat /etc/hostname)/" -i "${SPLUNK_HOME}/etc/system/local/inputs.conf"
    # State file for the container's health check
    sh -c "echo 'starting' > /tmp/splunk-container.state"
    "${SPLUNK_HOME}/bin/splunk" start
    watch_for_failure
}
In my case, for each environment and each individual entity, whether an application in a container or a host machine, we use a separate index. This way, search speed does not suffer as a significant amount of data accumulates. A simple rule is used to name the indexes: _. Therefore, to make the container universal, before starting the daemon itself we replace the sed wildcard with the environment name. The environment name is passed in through an environment variable. Sounds funny.
It is also worth noting that, for some reason, Splunk ignores the Docker hostname parameter. It will still stubbornly send logs with its container ID in the host field. As a workaround, you can mount /etc/hostname from the host machine and substitute it at startup, the same way as the index name.
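The start() function above only checks that SPLUNK_INDEX is non-empty, although its own error message promises 'dev' or 'prd', and it pastes that value and the mounted /etc/hostname straight into a sed expression. As an added example (not the article's own code), here is a stricter rendering step covering both substitutions: it allows only the two promised index names, reads the host name the way the article does (from the mounted file, falling back to hostname(1)), rejects host names with characters that would break the sed expression, and renders the template from stdin; the function name and the template placeholders are assumptions that match the article's @index@ and @hostname@ markers.

```shell
# render_inputs_conf <index> [hostname-file]: reads an inputs.conf template on
# stdin, writes the rendered file to stdout, returns 1 on any invalid input.
render_inputs_conf() {
    index="$1"
    hostname_file="${2:-/etc/hostname}"

    # Only the two environment names the entrypoint's message promises are accepted.
    case "$index" in
        dev|prd) ;;
        *)
            echo "SPLUNK_INDEX must be 'dev' or 'prd', got '${index:-<empty>}'" >&2
            return 1
            ;;
    esac

    # Host name from the bind-mounted file; fall back to hostname(1) if unreadable.
    if [ -r "$hostname_file" ]; then
        host="$(head -n 1 "$hostname_file" | tr -d '[:space:]')"
    else
        host="$(hostname)"
    fi
    # Host names may only contain letters, digits, dots and hyphens; anything else
    # (including '/' or '&', which are special inside the sed expression) is refused.
    case "$host" in
        *[!A-Za-z0-9.-]*|"")
            echo "refusing to use host name '$host'" >&2
            return 1
            ;;
    esac

    # Both values are now known to be safe to place inside the s/// expressions.
    sed -e "s/@index@/$index/g" -e "s/@hostname@/$host/g"
}
```

In the entrypoint this replaces the two in-place sed calls: render the template into the final inputs.conf and abort the start if the function returns non-zero.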
Example docker-compose.yml
version: '2'
services:
  splunk-forwarder:
    image: "${IMAGE_REPO}/docker-stats-splunk-forwarder:${IMAGE_VERSION}"
    environment:
      SPLUNK_INDEX: ${ENVIRONMENT}
    volumes:
      - /etc/hostname:/etc/hostname:ro
      - /var/log:/var/log
      - /var/run/docker.sock:/var/run/docker.sock:ro
Result
Yes, the solution is probably not ideal and certainly not universal, since there is a lot of "hardcode" in it. But based on it, anyone can build their own image and put it in their private artifactory, if it so happens that you need a Splunk forwarder in Docker.
Source: www.habr.com