Splunk is one of the best-known commercial products for collecting and analysing logs, and this post is one more instruction/how-to for it.

The task: collect a host's system logs (and some statistics about its Docker containers) into Splunk, with the collector itself running in Docker.

There is no point reinventing the wheel when an official image exists, so the first thing to try is splunk/universalforwarder from Docker Hub. Let us see what it is like.
1. Pull the image:
$ docker pull splunk/universalforwarder:latest
2. Start the container, accepting the licence and setting the admin password. Note that the forwarder only makes outbound connections: 9997 is the port the indexer listens on, so publishing it on the forwarder is unnecessary.
$ docker run -d -p 9997:9997 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=<password>' splunk/universalforwarder:latest
3. Open a shell in the container:
$ docker exec -it <container-id> /bin/bash
Next, inside the container, tell the forwarder where to send data (the host and receiving port of your indexer), add the directory to monitor, and restart. The splunk binary lives in the forwarder's bin directory (/opt/splunkforwarder/bin in the official image), and monitoring /var/log only makes sense if the host's /var/log is mounted into the container:
$ ./splunk add forward-server <host name or ip address>:<listening port>
$ ./splunk add monitor /var/log
$ ./splunk restart
So what is wrong with it? Watch what the container actually does when it starts. Run it in the foreground instead of with -d:
$ docker run -it -p 9997:9997 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=password' splunk/universalforwarder:latest
PLAY [Run default Splunk provisioning] ************************************************
Tuesday 09 April 2019 13:40:38 +0000 (0:00:00.096) 0:00:00.096 *********
TASK [Gathering Facts] ****************************************************************
ok: [localhost]
Tuesday 09 April 2019 13:40:39 +0000 (0:00:01.520) 0:00:01.616 *********
TASK [Get actual hostname] ************************************************************
changed: [localhost]
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.599) 0:00:02.215 *********
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.054) 0:00:02.270 *********
TASK [set_fact] ***********************************************************************
ok: [localhost]
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.075) 0:00:02.346 *********
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.067) 0:00:02.413 *********
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.060) 0:00:02.473 *********
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.051) 0:00:02.525 *********
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.056) 0:00:02.582 *********
Tuesday 09 April 2019 13:40:41 +0000 (0:00:00.216) 0:00:02.798 *********
included: /opt/ansible/roles/splunk_common/tasks/change_splunk_directory_owner.yml for localhost
Tuesday 09 April 2019 13:40:41 +0000 (0:00:00.087) 0:00:02.886 *********
TASK [splunk_common : Update Splunk directory owner] **********************************
ok: [localhost]
Tuesday 09 April 2019 13:40:41 +0000 (0:00:00.324) 0:00:03.210 *********
included: /opt/ansible/roles/splunk_common/tasks/get_facts.yml for localhost
Tuesday 09 April 2019 13:40:41 +0000 (0:00:00.094) 0:00:03.305 *********
and so on...
The entrypoint of the official image is an Ansible playbook: every start of the container gathers facts, fixes directory ownership and runs through the splunk_common role before a single log line is read. That is a whole Ansible installation and a provisioning run just to launch one binary, and it adds both startup time and bulk to what should be a thin forwarder.

Is that the docker way? Do you want a container that drags Ansible along and provisions itself on every start? Absolutely not. So I built my own image.
Dockerfile
# Base image: whatever you prefer
FROM centos:7

# Set the variables once so they do not have to be passed at every start
ENV SPLUNK_HOME /splunkforwarder
ENV SPLUNK_ROLE splunk_heavy_forwarder
# Anything in ENV is visible in `docker inspect` and in the image history;
# see the discussion of first_start.sh below for why the password is here at all
ENV SPLUNK_PASSWORD changeme
ENV SPLUNK_START_ARGS --accept-license

# Install packages
# wget   - to download the artifacts
# expect - needed for the first, interactive, start of Splunk during the build
# jq     - used by the scripts that collect docker statistics
RUN yum install -y epel-release \
 && yum install -y wget expect jq

# Download, unpack, delete. The docker tarball provides the docker CLI that the
# stats scripts run against the host's socket.
RUN wget -O splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.2.4&product=universalforwarder&filename=splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz&wget=true' \
 && wget -O docker-18.09.3.tgz 'https://download.docker.com/linux/static/stable/x86_64/docker-18.09.3.tgz' \
 && tar -xvf splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz \
 && tar -xvf docker-18.09.3.tgz \
 && rm -f splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz \
 && rm -f docker-18.09.3.tgz

# The shell scripts are self-explanatory; inputs.conf, splunkclouduf.spl and first_start.sh
# need some explanation, which follows the Dockerfile.
COPY [ "inputs.conf", "docker-stats/props.conf", "/splunkforwarder/etc/system/local/" ]
COPY [ "docker-stats/docker_events.sh", "docker-stats/docker_inspect.sh", "docker-stats/docker_stats.sh", "docker-stats/docker_top.sh", "/splunkforwarder/bin/scripts/" ]
COPY splunkclouduf.spl /splunkclouduf.spl
COPY first_start.sh /splunkforwarder/bin/

# Make the scripts executable, add a user and run the initial setup.
# The sudoers line is inert here: centos:7 has no 'sudo' group (it uses wheel) and there is
# no USER instruction, so everything runs as root anyway. Passwordless sudo for a whole
# group is not something to carry into an image.
RUN chmod +x /splunkforwarder/bin/scripts/*.sh \
 && groupadd -r splunk \
 && useradd -r -m -g splunk splunk \
 && echo "%sudo ALL=NOPASSWD:ALL" >> /etc/sudoers \
 && chown -R splunk:splunk $SPLUNK_HOME \
 && /splunkforwarder/bin/first_start.sh \
 && /splunkforwarder/bin/splunk install app /splunkclouduf.spl -auth admin:changeme \
 && /splunkforwarder/bin/splunk restart

# Copy the init scripts
COPY [ "init/entrypoint.sh", "init/checkstate.sh", "/sbin/" ]

# Optional: for those who want the configs/logs available locally
VOLUME [ "/splunkforwarder/etc", "/splunkforwarder/var" ]

HEALTHCHECK --interval=30s --timeout=30s --start-period=3m --retries=5 CMD /sbin/checkstate.sh || exit 1
ENTRYPOINT [ "/sbin/entrypoint.sh" ]
CMD [ "start-service" ]
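The Dockerfile fetches two tarballs over HTTPS and unpacks whatever arrives. Pinning a digest turns a silent substitution on the download path into a failed build. The following is an added example, not code from the post: a small verify step for the RUN instruction. The expected digests are placeholders (an assumption); take the real values from the vendor's download page and bake them into the Dockerfile as ARG or ENV.

```shell
#!/bin/sh
# Added example (not from the post): pin and verify the downloaded tarballs before unpacking.
# The expected digests are placeholders (assumption): take the real values from the vendor's
# download page and bake them into the Dockerfile as ARG/ENV.
set -eu

# sha256_of FILE -> hex digest; uses coreutils sha256sum or BSD shasum, whichever exists
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED -> returns 0 on match; on mismatch deletes FILE and returns 1,
# so a later `tar -xvf` cannot unpack something that was never verified
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file: expected $expected, got $actual" >&2
        rm -f "$file"
        return 1
    fi
}

# fetch_verified URL FILE EXPECTED -> download, then verify; the RUN step fails closed on mismatch
fetch_verified() {
    wget -O "$2" "$1"
    verify_sha256 "$2" "$3"
}

# Intended use in the Dockerfile's RUN step (the *_URL and *_SHA256 variables are hypothetical):
#   fetch_verified "$SPLUNK_UF_URL" splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz "$SPLUNK_UF_SHA256" \
#    && fetch_verified "$DOCKER_URL" docker-18.09.3.tgz "$DOCKER_SHA256" \
#    && tar -xf splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz \
#    && tar -xf docker-18.09.3.tgz
```

The digest is lower-cased before comparison so a copy-pasted upper-case value from a download page still matches, and a mismatching file is removed rather than left on disk for a later step to pick up.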
Now the files that need explaining.

first_start.sh
#!/usr/bin/expect -f
# Answer the interactive prompts of the very first `splunk start`: username, password, confirmation
set timeout -1
spawn /splunkforwarder/bin/splunk start --accept-license
expect "Please enter an administrator username: "
send -- "admin\r"
expect "Please enter a new password: "
send -- "changeme\r"
expect "Please confirm new password: "
send -- "changeme\r"
expect eof
The first start of Splunk is interactive: it asks for an administrator username and a password. This expect script answers those prompts during the image build, so the container comes up without any interaction and the next build step can log in. The credentials are hard-coded as admin/changeme here, and the same values are used by the app install below and by the SPLUNK_PASSWORD variable in the Dockerfile. Be aware of what that means: a password baked into a build step ends up in the image history and in every copy of the image, so it has to be changed after deployment or, better, not baked in at all.
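Splunk does not actually need expect for this. Since version 7.1 it reads etc/system/local/user-seed.conf on its first start to create the admin user, and `splunk start --accept-license --answer-yes --no-prompt` runs without prompts. The following is an added example, not the post's first_start.sh: it generates that file at container start from a secret instead of baking changeme into a layer. SPLUNK_PASSWORD_FILE and the /run/secrets location are assumptions about how the secret is delivered.

```shell
#!/bin/sh
# Added example (not the post's first_start.sh): seed the admin credentials through
# user-seed.conf instead of driving the interactive prompts with expect. Splunk reads
# $SPLUNK_HOME/etc/system/local/user-seed.conf on its first start, creates the user and
# removes the file, so nothing has to be answered and no password is baked into a layer.
# Assumptions: the password arrives in SPLUNK_PASSWORD_FILE (e.g. a Docker secret under
# /run/secrets/) or, failing that, in SPLUNK_PASSWORD.
set -eu

# read_admin_password -> prints the password; a file is preferred over an environment
# variable because the environment is visible in `docker inspect` and /proc
read_admin_password() {
    if [ -n "${SPLUNK_PASSWORD_FILE:-}" ]; then
        cat "$SPLUNK_PASSWORD_FILE"
    elif [ -n "${SPLUNK_PASSWORD:-}" ]; then
        printf '%s' "$SPLUNK_PASSWORD"
    else
        echo "no admin password: set SPLUNK_PASSWORD_FILE or SPLUNK_PASSWORD" >&2
        return 1
    fi
}

# write_user_seed SPLUNK_HOME USERNAME PASSWORD -> writes user-seed.conf readable only by its owner
write_user_seed() {
    home=$1; user=$2; pass=$3
    # Splunk's default password policy requires at least 8 characters; fail here, not at splunk start
    if [ ${#pass} -lt 8 ]; then
        echo "admin password shorter than 8 characters" >&2
        return 1
    fi
    dir="$home/etc/system/local"
    mkdir -p "$dir"
    old_umask=$(umask)
    umask 077
    printf '[user_info]\nUSERNAME = %s\nPASSWORD = %s\n' "$user" "$pass" > "$dir/user-seed.conf"
    umask "$old_umask"
}

# first_start SPLUNK_HOME -> seed the credentials, then start without any prompt (replaces the expect script)
first_start() {
    home=$1
    pass=$(read_admin_password)
    write_user_seed "$home" admin "$pass"
    "$home/bin/splunk" start --accept-license --answer-yes --no-prompt
}
```

With this, first_start.sh and the expect package disappear from the image, and `splunk install app ... -auth` can read the same secret instead of a literal admin:changeme. Splunk also accepts HASHED_PASSWORD in user-seed.conf (generated with `splunk hash-passwd`) if you would rather not have the clear-text password on disk even briefly.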
After that the Splunk Cloud credentials app is installed:

/splunkforwarder/bin/splunk install app /splunkclouduf.spl -auth admin:changeme

splunkclouduf.spl is the Universal Forwarder credentials package that a Splunk Cloud instance lets you download from its web interface. It is an ordinary Splunk app containing an outputs.conf with the addresses of your cloud indexers and the client certificates the forwarder presents to them, so once it is installed the forwarder already knows where to send data and no outputs.conf has to be written by hand. If you ship to your own Splunk Enterprise instead of Splunk Cloud, skip this step and configure outputs.conf yourself (or run ./splunk add forward-server, as with the official image). Either way, the -auth admin:changeme here must match the credentials first_start.sh created.

Because the destination is fixed at build time, the only thing left to tell the forwarder is what to read. That is inputs.conf. The Splunk documentation describes its format in detail; in this image it lists the monitored paths and the scripted inputs for the docker-stats scripts, and it is a template: the index and the host name are written as @index@ and @hostname@ placeholders that entrypoint.sh fills in at container start (see below). One image therefore serves every environment, and ./splunk add monitor is never run by hand.
And where do the docker statistics come from? The docker_events.sh, docker_inspect.sh, docker_stats.sh and docker_top.sh scripts are not mine; they are taken from GitHub. They query the Docker daemon through the mounted socket with the docker CLI (which is why the static docker tarball is unpacked into the image) and shape the output with jq; the props.conf copied from the same directory carries the sourcetype settings for what they emit. They run as scripted inputs declared in inputs.conf, so the forwarder starts them on the interval set there.

Everything that has to happen at container start is wrapped in the start() function of entrypoint.sh:

entrypoint.sh
start() {
    trap teardown EXIT
    # Refuse to start without an index: it is substituted into inputs.conf below
    if [ -z "$SPLUNK_INDEX" ]; then
        echo "'SPLUNK_INDEX' env variable is empty or not defined. Should be 'dev' or 'prd'." >&2
        exit 1
    else
        sed -e "s/@index@/$SPLUNK_INDEX/" -i "${SPLUNK_HOME}/etc/system/local/inputs.conf"
    fi
    # /etc/hostname is bind-mounted from the host (see docker-compose.yml), so events carry the real host name
    sed -e "s/@hostname@/$(cat /etc/hostname)/" -i "${SPLUNK_HOME}/etc/system/local/inputs.conf"
    # State file read by /sbin/checkstate.sh for the HEALTHCHECK
    echo 'starting' > /tmp/splunk-container.state
    "${SPLUNK_HOME}/bin/splunk" start
    watch_for_failure
}
The script refuses to start without SPLUNK_INDEX, which selects the target index (dev or prd in our case) and is substituted into the inputs.conf template with sed. Note that the check is only for emptiness: any other value passes and is pasted into the sed expression unescaped, so keep that variable under your own control (here it comes from docker-compose, not from outside). The second substitution is the host name. Inside a container, hostname returns the container ID, which is useless as the host field in Splunk, so the script reads /etc/hostname instead and the compose file bind-mounts the host's /etc/hostname into the container read-only. The state file feeds the HEALTHCHECK, and after starting Splunk the script stays in the foreground watching the process, so the container dies when splunkd does.
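The two sed calls are the weak spot of the entrypoint: the index is not really validated, and any "/", "&" or "\" in a substituted value rewrites the sed expression rather than the config. The following is an added example, not the post's entrypoint.sh, that does the same two substitutions with an allow-list for the index and a literal (non-pattern) replacement; the inputs.conf template it renders is constructed for the example, since the post never shows the real file.

```shell
#!/bin/sh
# Added example (not the post's entrypoint.sh): the same two substitutions, hardened.
# - SPLUNK_INDEX is checked against an allow-list; the original only tests for emptiness,
#   although its error message promises 'dev' or 'prd'.
# - Values are spliced in with awk's index()/substr() via ENVIRON instead of an unescaped
#   sed pattern, so a value containing '/', '&' or '\' is copied literally and cannot alter
#   the expression or the rest of the file.
# - The host name falls back to hostname(1) when /etc/hostname is not bind-mounted.
# The inputs.conf template is constructed for this example; the post never shows the real one.
set -eu

# valid_index NAME -> 0 if NAME is an allowed index
valid_index() {
    case "$1" in
        dev|prd) return 0 ;;
        *)       return 1 ;;
    esac
}

# container_hostname -> the host's name from the bind-mounted /etc/hostname, else hostname(1)
container_hostname() {
    if [ -s /etc/hostname ]; then
        head -n 1 /etc/hostname
    else
        hostname
    fi
}

# render_inputs TEMPLATE INDEX HOST -> prints TEMPLATE with every @index@ and @hostname@ replaced literally
render_inputs() {
    if ! valid_index "$2"; then
        echo "SPLUNK_INDEX must be 'dev' or 'prd', got '$2'" >&2
        return 1
    fi
    # ENVIRON hands the values over byte-for-byte; awk -v would interpret backslash escapes
    IDX="$2" HOST="$3" awk '
        function subst(line, key, val,   i, out) {
            out = ""
            while ((i = index(line, key)) > 0) {
                out = out substr(line, 1, i - 1) val
                line = substr(line, i + length(key))
            }
            return out line
        }
        { print subst(subst($0, "@index@", ENVIRON["IDX"]), "@hostname@", ENVIRON["HOST"]) }
    ' "$1"
}

# write_template FILE -> a constructed inputs.conf template with the placeholders the entrypoint fills in
write_template() {
    cat > "$1" <<'EOF'
[monitor:///var/log]
index = @index@
host = @hostname@
sourcetype = syslog

[script://./bin/scripts/docker_stats.sh]
interval = 60
index = @index@
host = @hostname@
sourcetype = docker:stats
EOF
}

# In entrypoint.sh this replaces the two sed calls (rendering into a fresh file instead of editing in place):
#   render_inputs "$SPLUNK_HOME/etc/system/local/inputs.conf.tmpl" "${SPLUNK_INDEX:-}" "$(container_hostname)" \
#       > "$SPLUNK_HOME/etc/system/local/inputs.conf"
```

Rendering from a .tmpl into inputs.conf, rather than editing inputs.conf in place, also means a restarted container (or a persisted /splunkforwarder/etc volume) never sees an already-substituted file in which the placeholders are gone.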
An example docker-compose.yml:
version: '2'
services:
  splunk-forwarder:
    image: "${IMAGE_REPO}/docker-stats-splunk-forwarder:${IMAGE_VERSION}"
    environment:
      SPLUNK_INDEX: ${ENVIRONMENT}
    volumes:
      - /etc/hostname:/etc/hostname:ro
      - /var/log:/var/log
      - /var/run/docker.sock:/var/run/docker.sock:ro
That is all. The result is a simpler and more predictable image: a Universal Forwarder that ships /var/log and Docker container statistics, configured entirely at build time except for the index and the host name, which the entrypoint fills in at start. Two things to keep in mind when you deploy it. Mounting /var/run/docker.sock hands the container full control of the Docker daemon (the :ro only makes the socket file read-only, it does not limit the API), which is effective root on the host, so treat this container accordingly; /var/log, on the other hand, is only read and can be mounted :ro too. And the admin password is baked into the image, so change it after deployment, or seed it from a secret instead, before the image goes anywhere beyond your own registry.

Source: www.habr.com