Splunk Universal Forwarder in Docker as a system log collector

Splunk is one of the best-known commercial log collection products. Even though its sales in Russia have now stopped, that is no reason not to write instructions and how-tos for this product.

Objective: collect system logs from Docker nodes into Splunk without changing the configuration of the host machine

I would like to start with the official way, which looks a bit strange when used with Docker.
Link to the image on Docker Hub
What we have:

1. Pull the image

$ docker pull splunk/universalforwarder:latest

2. Start the container with the required settings

$ docker run -d  -p 9997:9997 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=<password>' splunk/universalforwarder:latest

3. Go inside the container

docker exec -it <container-id> /bin/bash

Next we are sent to a well-known place in the documentation.

And configure the container after it has started:


./splunk add forward-server <host name or ip address>:<listening port>
./splunk add monitor /var/log
./splunk restart

Wait. What?

But the surprises do not end there. If you run the container from the official image in interactive mode, you will see this:

A little disappointment


$ docker run -it -p 9997:9997 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=password' splunk/universalforwarder:latest

PLAY [Run default Splunk provisioning] *******************************************************************************************************************************************************************************************************
Tuesday 09 April 2019  13:40:38 +0000 (0:00:00.096)       0:00:00.096 *********

TASK [Gathering Facts] ***********************************************************************************************************************************************************************************************************************
ok: [localhost]
Tuesday 09 April 2019  13:40:39 +0000 (0:00:01.520)       0:00:01.616 *********

TASK [Get actual hostname] *******************************************************************************************************************************************************************************************************************
changed: [localhost]
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.599)       0:00:02.215 *********
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.054)       0:00:02.270 *********

TASK [set_fact] ******************************************************************************************************************************************************************************************************************************
ok: [localhost]
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.075)       0:00:02.346 *********
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.067)       0:00:02.413 *********
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.060)       0:00:02.473 *********
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.051)       0:00:02.525 *********
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.056)       0:00:02.582 *********
Tuesday 09 April 2019  13:40:41 +0000 (0:00:00.216)       0:00:02.798 *********
included: /opt/ansible/roles/splunk_common/tasks/change_splunk_directory_owner.yml for localhost
Tuesday 09 April 2019  13:40:41 +0000 (0:00:00.087)       0:00:02.886 *********

TASK [splunk_common : Update Splunk directory owner] *****************************************************************************************************************************************************************************************
ok: [localhost]
Tuesday 09 April 2019  13:40:41 +0000 (0:00:00.324)       0:00:03.210 *********
included: /opt/ansible/roles/splunk_common/tasks/get_facts.yml for localhost
Tuesday 09 April 2019  13:40:41 +0000 (0:00:00.094)       0:00:03.305 *********

and so on...

Great. The image contains no artifact at all. That is, on every start it spends time downloading the archive with the binaries, unpacking and configuring.
What about the Docker way and all that?

No thanks. We will go another way. What if we do all these operations at build time? Then let's go!

So as not to keep you waiting, I will show the final image right away:

Dockerfile

# Base image: whatever you prefer
FROM centos:7

# Set the variables so that they do not have to be passed on every start
ENV SPLUNK_HOME /splunkforwarder
ENV SPLUNK_ROLE splunk_heavy_forwarder
ENV SPLUNK_PASSWORD changeme
ENV SPLUNK_START_ARGS --accept-license

# Install packages
# wget   - to download the artifacts
# expect - needed for the initial Splunk start at build time
# jq     - used by the scripts that collect Docker statistics
RUN yum install -y epel-release \
    && yum install -y wget expect jq

# Download, unpack, delete
RUN wget -O splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.2.4&product=universalforwarder&filename=splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz&wget=true' \
    && wget -O docker-18.09.3.tgz 'https://download.docker.com/linux/static/stable/x86_64/docker-18.09.3.tgz' \
    && tar -xvf splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz \
    && tar -xvf docker-18.09.3.tgz \
    && rm -f splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz \
    && rm -f docker-18.09.3.tgz

# The shell scripts are self-explanatory, but inputs.conf, splunkclouduf.spl and first_start.sh need an explanation. I cover them after the source tag.
COPY [ "inputs.conf", "docker-stats/props.conf", "/splunkforwarder/etc/system/local/" ]
COPY [ "docker-stats/docker_events.sh", "docker-stats/docker_inspect.sh", "docker-stats/docker_stats.sh", "docker-stats/docker_top.sh", "/splunkforwarder/bin/scripts/" ]
COPY splunkclouduf.spl /splunkclouduf.spl
COPY first_start.sh /splunkforwarder/bin/

# Make the scripts executable, add the user and run the initial setup
RUN chmod +x /splunkforwarder/bin/scripts/*.sh \
    && groupadd -r splunk \
    && useradd -r -m -g splunk splunk \
    && echo "%sudo ALL=NOPASSWD:ALL" >> /etc/sudoers \
    && chown -R splunk:splunk $SPLUNK_HOME \
    && /splunkforwarder/bin/first_start.sh \
    && /splunkforwarder/bin/splunk install app /splunkclouduf.spl -auth admin:changeme \
    && /splunkforwarder/bin/splunk restart

# Copy the init scripts
COPY [ "init/entrypoint.sh", "init/checkstate.sh", "/sbin/" ]

# Optional. Some people want the configs/logs locally, some do not.
VOLUME [ "/splunkforwarder/etc", "/splunkforwarder/var" ]

HEALTHCHECK --interval=30s --timeout=30s --start-period=3m --retries=5 CMD /sbin/checkstate.sh || exit 1

ENTRYPOINT [ "/sbin/entrypoint.sh" ]
CMD [ "start-service" ]
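The HEALTHCHECK above calls /sbin/checkstate.sh, which the article does not list. The following is an added example of such a check, written for this page rather than taken from the article's repository: it reads the state file that the entrypoint's start() writes to /tmp/splunk-container.state and additionally verifies that splunkd is alive. The function names (check_state, splunkd_alive, healthcheck), the expected value "running" (the article only shows "starting" being written) and the pid file location under $SPLUNK_HOME are assumptions.

```shell
#!/bin/sh
# Added example, not the article's checkstate.sh (which is not shown).
# Health check for the image's HEALTHCHECK: succeeds only when the state file
# written by entrypoint.sh says "running" (assumption: the entrypoint overwrites
# the initial "starting" once splunkd is up) and the splunkd process is alive.
STATE_FILE="${STATE_FILE:-/tmp/splunk-container.state}"
SPLUNK_HOME="${SPLUNK_HOME:-/splunkforwarder}"
# Assumed pid file location (Splunk's usual layout under $SPLUNK_HOME).
PID_FILE="${PID_FILE:-$SPLUNK_HOME/var/run/splunk/splunkd.pid}"

# check_state <state_file>: 0 only if the file exists and its first line is "running".
check_state() {
    [ -f "$1" ] || return 1
    [ "$(head -n 1 "$1" | tr -d '[:space:]')" = "running" ]
}

# splunkd_alive <pid_file>: 0 if the pid on the file's first line is a live process.
splunkd_alive() {
    [ -f "$1" ] || return 1
    pid=$(head -n 1 "$1" | tr -d '[:space:]')
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# healthcheck: combined verdict; the reason goes to stderr so it shows up in the
# container's health log.
healthcheck() {
    if ! check_state "$STATE_FILE"; then
        echo "container state is not 'running'" >&2
        return 1
    fi
    if ! splunkd_alive "$PID_FILE"; then
        echo "splunkd is not running" >&2
        return 1
    fi
    echo "healthy"
}

# Run the check only when invoked as the script itself (e.g. from HEALTHCHECK),
# so the functions can also be sourced for testing.
case "${0##*/}" in
    checkstate.sh) healthcheck ;;
esac
```

With --start-period=3m in the Dockerfile, failures during the first three minutes (while the state file still says "starting") do not count against the retry budget, so the container only becomes unhealthy once splunkd has failed to come up or has died after starting.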

Now, what is inside

first_start.sh

#!/usr/bin/expect -f
# Answer the interactive prompts of the very first Splunk start at build time
set timeout -1
spawn /splunkforwarder/bin/splunk start --accept-license
expect "Please enter an administrator username: "
send -- "admin\r"
expect "Please enter a new password: "
send -- "changeme\r"
expect "Please confirm new password: "
send -- "changeme\r"
expect eof

On the first start, Splunk asks you to give it a login/password, BUT this data is used ONLY to execute administrative commands for that particular installation, i.e. inside the container. In our case we simply want to launch the container so that everything works and the logs flow like a river. Of course this is hardcode, but I have not found any other way.

Next, according to the script, it executes

/splunkforwarder/bin/splunk install app /splunkclouduf.spl -auth admin:changeme

splunkclouduf.spl is the credentials file for Splunk Universal Forwarder, which can be downloaded from the web interface.

Where to click to download (screenshots in the original article)

It is a regular archive that can be unpacked. It contains the certificates and a password for connecting to our SplunkCloud, and outputs.conf with the list of our input instances. This file stays valid until you reinstall your Splunk installation or add an input node if the installation is on-premises. So there is nothing wrong with adding it inside the container.

And the last thing is the restart. Yes, to apply the changes you have to restart it.

In our inputs.conf we add the logs we want to send to Splunk. It is not necessary to add this file to the image if, for example, you distribute the configs via Puppet. The main thing is that the forwarder sees the configs when the daemon starts; otherwise ./splunk restart is needed.

What are the docker-stats scripts? There is an old solution on GitHub from outcoldman; the scripts were taken from there and modified to work with the current versions of Docker (ce-17.*) and Splunk (7.*).

With the data obtained, you can build dashboards like these (two screenshots in the original article):

The source code of the dashboards is in the repository linked at the end of the article. Note that there are two selection fields: index selection (matched by mask) and host/container selection. You will probably need to update the index mask depending on the names you use.

Finally, I want to draw your attention to the start() function in

entrypoint.sh

start() {
    trap teardown EXIT
    # The index name comes from the environment; refuse to start without it
    if [ -z "$SPLUNK_INDEX" ]; then
        echo "'SPLUNK_INDEX' env variable is empty or not defined. Should be 'dev' or 'prd'." >&2
        exit 1
    else
        sed -e "s/@index@/$SPLUNK_INDEX/" -i "${SPLUNK_HOME}/etc/system/local/inputs.conf"
    fi
    # The host name is taken from the mounted /etc/hostname of the host machine
    sed -e "s/@hostname@/$(cat /etc/hostname)/" -i "${SPLUNK_HOME}/etc/system/local/inputs.conf"
    echo 'starting' > /tmp/splunk-container.state
    "${SPLUNK_HOME}/bin/splunk" start
    watch_for_failure
}

In my case, for each environment and each individual entity, whether an application in a container or the host machine, we use a separate index. That way search speed does not suffer once a significant amount of data has accumulated. A simple rule is used for naming the indexes: _. So, to make the container universal, before starting the daemon itself we replace the wildcard with the environment name. The environment name is passed in through environment variables. Sounds funny.

It is also worth noting that, for some reason, Splunk is not affected by the Docker hostname parameter at all. It stubbornly sends the logs with its container id in the host field. As a workaround, you can mount /etc/hostname from the host machine and, at startup, make substitutions the same way as for the index names.
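The substitution that start() performs, together with the inputs.conf it acts on, as an added example written for this page (it is not code from the article or its repository): a constructed inputs.conf template carrying the @index@ and @hostname@ placeholders, rendered by a function that refuses index names other than the two that start() documents, trims the value read from a mounted /etc/hostname, and escapes both values before they reach sed, so that an unexpected character cannot break the expression. The names render_inputs_conf, valid_index, sed_escape and INPUTS_TEMPLATE, and the monitor and script stanzas in the template, are my assumptions.

```shell
#!/bin/sh
# Added example (not from the article): renders an inputs.conf template the way
# entrypoint.sh's start() does, but validates SPLUNK_INDEX first and escapes the
# substituted values so they cannot break the sed expression.
# Assumed names: render_inputs_conf, valid_index, sed_escape, INPUTS_TEMPLATE.
# The placeholders @index@ and @hostname@ are the ones used by the article's start().

# Constructed inputs.conf template (stanza contents are illustrative).
INPUTS_TEMPLATE='[monitor:///var/log]
disabled = false
index = @index@_host
host = @hostname@

[script://./bin/scripts/docker_stats.sh]
interval = 60
sourcetype = docker_stats
index = @index@_docker
host = @hostname@
'

# Only the index names the article's start() documents ("dev" or "prd") are allowed.
valid_index() {
    case "$1" in
        dev|prd) return 0 ;;
        *) return 1 ;;
    esac
}

# Escape a value for the right-hand side of a sed s/// expression
# (backslash, slash and ampersand are the characters with special meaning there).
sed_escape() {
    printf '%s' "$1" | sed -e 's/[&/\\]/\\&/g'
}

# render_inputs_conf <index> <hostname> <template_file> <output_file>
# Writes the rendered file; returns 1 and writes nothing if the input is rejected.
render_inputs_conf() {
    idx="$1"; host="$2"; tpl="$3"; out="$4"
    if ! valid_index "$idx"; then
        echo "SPLUNK_INDEX '$idx' is not allowed. Should be 'dev' or 'prd'." >&2
        return 1
    fi
    # /etc/hostname mounted from the host may carry a trailing newline or spaces.
    host=$(printf '%s' "$host" | tr -d '[:space:]')
    if [ -z "$host" ]; then
        echo "hostname is empty" >&2
        return 1
    fi
    sed -e "s/@index@/$(sed_escape "$idx")/g" \
        -e "s/@hostname@/$(sed_escape "$host")/g" "$tpl" > "$out"
}

# Stand-alone run on the constructed template.
tmpdir=$(mktemp -d)
printf '%s' "$INPUTS_TEMPLATE" > "$tmpdir/inputs.conf.tpl"
render_inputs_conf prd "node-01" "$tmpdir/inputs.conf.tpl" "$tmpdir/inputs.conf" \
    && cat "$tmpdir/inputs.conf"
rm -rf "$tmpdir"
```

In the container, the equivalent call would be render_inputs_conf "$SPLUNK_INDEX" "$(cat /etc/hostname)" on the file under ${SPLUNK_HOME}/etc/system/local/, run before splunk start, exactly where start() does its two sed calls.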

Example docker-compose.yml

version: '2'
services:
  splunk-forwarder:
    image: "${IMAGE_REPO}/docker-stats-splunk-forwarder:${IMAGE_VERSION}"
    environment:
      SPLUNK_INDEX: ${ENVIRONMENT}
    volumes:
    - /etc/hostname:/etc/hostname:ro
    - /var/log:/var/log
    - /var/run/docker.sock:/var/run/docker.sock:ro

Conclusion

Yes, the solution may not be ideal and not universal for everyone, since there is a lot of "hardcode". But based on it, anyone can build their own image and put it in their private registry if, as happens, you need Splunk Forwarder in Docker.

Links:

Solution from the article
Solution from outcoldman that inspired us to reuse some of its functionality
Official documentation on setting up the Universal Forwarder

Source: www.habr.com
