Splunk is one of the best-known commercial log collection and analysis products. Even now, when it is no longer sold in Russia, that is no reason not to write instructions/how-tos for it.
Task: collect system logs from docker nodes into Splunk without changing the configuration of the host machines.
I would like to start with the official approach, which looks a bit odd when you are using Docker.
What we have:
1. Pull the image
$ docker pull splunk/universalforwarder:latest
2. Start the container with the required parameters
$ docker run -d -p 9997:9997 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=<password>' splunk/universalforwarder:latest
3. Go into the container
docker exec -it <container-id> /bin/bash
Next we are sent to the documentation to find the relevant section.
And configure the container after it has started:
./splunk add forward-server <host name or ip address>:<listening port>
./splunk add monitor /var/log
./splunk restart
Wait. What is this?
But that is not the end of it. If you run the container from the official image in interactive mode, you will see the following:
A bit of disappointment
$ docker run -it -p 9997:9997 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=password' splunk/universalforwarder:latest
PLAY [Run default Splunk provisioning] *******************************************************************************************************************************************************************************************************
Tuesday 09 April 2019 13:40:38 +0000 (0:00:00.096) 0:00:00.096 *********
TASK [Gathering Facts] ***********************************************************************************************************************************************************************************************************************
ok: [localhost]
Tuesday 09 April 2019 13:40:39 +0000 (0:00:01.520) 0:00:01.616 *********
TASK [Get actual hostname] *******************************************************************************************************************************************************************************************************************
changed: [localhost]
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.599) 0:00:02.215 *********
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.054) 0:00:02.270 *********
TASK [set_fact] ******************************************************************************************************************************************************************************************************************************
ok: [localhost]
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.075) 0:00:02.346 *********
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.067) 0:00:02.413 *********
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.060) 0:00:02.473 *********
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.051) 0:00:02.525 *********
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.056) 0:00:02.582 *********
Tuesday 09 April 2019 13:40:41 +0000 (0:00:00.216) 0:00:02.798 *********
included: /opt/ansible/roles/splunk_common/tasks/change_splunk_directory_owner.yml for localhost
Tuesday 09 April 2019 13:40:41 +0000 (0:00:00.087) 0:00:02.886 *********
TASK [splunk_common : Update Splunk directory owner] *****************************************************************************************************************************************************************************************
ok: [localhost]
Tuesday 09 April 2019 13:40:41 +0000 (0:00:00.324) 0:00:03.210 *********
included: /opt/ansible/roles/splunk_common/tasks/get_facts.yml for localhost
Tuesday 09 April 2019 13:40:41 +0000 (0:00:00.094) 0:00:03.305 *********
and so on...
Great. The image does not even contain the artifact. That is, on every start it will spend time downloading the archive with the binaries, unpacking it and configuring it.
What about the docker way and all that?
No thanks. We will go a different way. What if we do all of this at build time? Let's go!
So as not to keep you waiting, I will show the final image right away:
Dockerfile
# Base image: whatever you prefer
FROM centos:7
# Set the variables so they do not have to be passed on every start.
# Note: an ENV value is stored in the image metadata and is visible to anyone who can
# run `docker inspect` or `docker history` on the image; it is only used below for the
# one-off first start.
ENV SPLUNK_HOME /splunkforwarder
ENV SPLUNK_ROLE splunk_heavy_forwarder
ENV SPLUNK_PASSWORD changeme
ENV SPLUNK_START_ARGS --accept-license
# Install packages
# wget   - to download the artifacts
# expect - needed for the initial Splunk start during the build
# jq     - used by the scripts that collect docker statistics
RUN yum install -y epel-release \
    && yum install -y wget expect jq
# Download, unpack, delete
# Note: neither archive is checksum-verified here; the versions are pinned, but verify
# the published checksums before unpacking in anything beyond a demo.
RUN wget -O splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.2.4&product=universalforwarder&filename=splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz&wget=true' \
    && wget -O docker-18.09.3.tgz 'https://download.docker.com/linux/static/stable/x86_64/docker-18.09.3.tgz' \
    && tar -xvf splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz \
    && tar -xvf docker-18.09.3.tgz \
    && rm -f splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz \
    && rm -f docker-18.09.3.tgz
# The shell scripts are self-explanatory, but inputs.conf, splunkclouduf.spl and first_start.sh
# need an explanation. That follows after the source.
COPY [ "inputs.conf", "docker-stats/props.conf", "/splunkforwarder/etc/system/local/" ]
COPY [ "docker-stats/docker_events.sh", "docker-stats/docker_inspect.sh", "docker-stats/docker_stats.sh", "docker-stats/docker_top.sh", "/splunkforwarder/bin/scripts/" ]
COPY splunkclouduf.spl /splunkclouduf.spl
COPY first_start.sh /splunkforwarder/bin/
# Grant execute permission, add the user and run the initial setup.
# Caution: the sudoers line grants passwordless root to every member of group 'sudo';
# nothing shown in this image needs it.
# Note: there is no USER instruction, so the entrypoint (and Splunk) still run as root
# despite the splunk user created here.
RUN chmod +x /splunkforwarder/bin/scripts/*.sh \
    && groupadd -r splunk \
    && useradd -r -m -g splunk splunk \
    && echo "%sudo ALL=NOPASSWD:ALL" >> /etc/sudoers \
    && chown -R splunk:splunk $SPLUNK_HOME \
    && /splunkforwarder/bin/first_start.sh \
    && /splunkforwarder/bin/splunk install app /splunkclouduf.spl -auth admin:changeme \
    && /splunkforwarder/bin/splunk restart
# Copy the init scripts
COPY [ "init/entrypoint.sh", "init/checkstate.sh", "/sbin/" ]
# Optional. Some people want the configs/logs locally, some do not.
VOLUME [ "/splunkforwarder/etc", "/splunkforwarder/var" ]
HEALTHCHECK --interval=30s --timeout=30s --start-period=3m --retries=5 CMD /sbin/checkstate.sh || exit 1
ENTRYPOINT [ "/sbin/entrypoint.sh" ]
CMD [ "start-service" ]

So, what is in
first_start.sh
#!/usr/bin/expect -f
set timeout -1
spawn /splunkforwarder/bin/splunk start --accept-license
expect "Please enter an administrator username: "
send -- "admin\r"
expect "Please enter a new password: "
send -- "changeme\r"
expect "Please confirm new password: "
send -- "changeme\r"
expect eof

On the first start Splunk asks you to give it a password, but these credentials are only used for running administrative commands against this particular installation, i.e. inside the container. In our case we just want the container to start so that everything works and the logs flow like a river. Of course this is hardcoding, but I have not found another way.
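The expect script above types a fixed admin password, and the Dockerfile exposes the same value through ENV. As an added example (not the article's first_start.sh), here is the seed-file alternative: Splunk 7.1 and later read $SPLUNK_HOME/etc/system/local/user-seed.conf on first start, so the build step can run `splunk start --accept-license --answer-yes --no-prompt` with no interactive prompt and no expect. The helper names, the throwaway directory and the demo password are my own; the minimum length of 8 is Splunk's default password policy as I understand it, and "changeme" is refused explicitly because it is the value the article bakes in.

```shell
#!/bin/sh
# Added example, not the article's code: write Splunk's user-seed.conf so the
# first start needs no interactive prompt and no password in an ENV line.
# Pass the password in from the build step (e.g. a BuildKit secret) and remove
# the seed file in the same RUN step after the first start, so it does not
# persist in an image layer.

# write_user_seed_conf SPLUNK_HOME USERNAME PASSWORD
# Writes $SPLUNK_HOME/etc/system/local/user-seed.conf with mode 0600.
# Returns 0 on success, 1 when the username or password is rejected.
write_user_seed_conf() {
    home="$1"; user="$2"; pass="$3"
    # Assumption: Splunk's default minPasswordLength is 8. The article's
    # default "changeme" is rejected outright.
    if [ ${#pass} -lt 8 ] || [ "$pass" = "changeme" ]; then
        echo "refusing weak admin password" >&2
        return 1
    fi
    case "$user" in
        '' | *[!A-Za-z0-9._-]* )
            echo "invalid username '$user'" >&2
            return 1 ;;
    esac
    dir="$home/etc/system/local"
    mkdir -p "$dir"
    # umask inside a subshell so only this file gets the restrictive mode
    (
        umask 077
        printf '[user_info]\nUSERNAME = %s\nPASSWORD = %s\n' "$user" "$pass" \
            > "$dir/user-seed.conf"
    )
}

# seed_file_mode SPLUNK_HOME -> prints the permission string, e.g. -rw-------
seed_file_mode() {
    ls -l "$1/etc/system/local/user-seed.conf" | cut -c1-10
}

# Demo on a throwaway directory (constructed; no real Splunk install needed).
DEMO=$(mktemp -d)
write_user_seed_conf "$DEMO" admin 'correct-horse-battery'
cat "$DEMO/etc/system/local/user-seed.conf"
seed_file_mode "$DEMO"
rm -rf "$DEMO"
```

In the Dockerfile this replaces the `first_start.sh` call: write the seed file, run `splunk start --accept-license --answer-yes --no-prompt`, then install the app and delete the seed file, all inside one RUN instruction so neither the file nor the password survives as a layer.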
Next, according to the script, this runs:
/splunkforwarder/bin/splunk install app /splunkclouduf.spl -auth admin:changeme
splunkclouduf.spl is the credentials package for the Splunk Universal Forwarder, which can be downloaded from the web interface of the system.
(Where to click to download: screenshots in the original article)
It is an ordinary archive that can be unpacked. Inside are the certificates and the password for connecting to our SplunkCloud, and an outputs.conf with the list of our input instances. This package stays valid until you reinstall your Splunk installation, or add an input node if the installation is on-premise. So there is nothing wrong with adding it inside the container. Keep in mind, though, that it contains live credentials: anyone who can pull the image can extract them, which is one more reason to keep the image in a private registry.
And the last step is restart, so that the changes take effect.
In inputs.conf we add the logs we want to send to Splunk. It is not necessary to add this file to the image if, for example, you distribute configs via puppet. The only thing to remember is that the Forwarder reads the configs when the daemon starts; otherwise you will need ./splunk restart.
What are the docker stats scripts? There is an old solution on GitHub; the scripts were taken from there and adapted to work with current versions of Docker (ce-17.*) and Splunk (7.*).
With the collected data you can build dashboards like these:
dashboards (a couple of screenshots in the original article)
The dashboard source is at the link given at the end of the article. Note that there are two selector fields: 1 - index selection (searched by a mask), 2 - host/container selection. You will most likely need to update the index mask, depending on the names you use.
Finally, I would like to draw attention to the start() function in
entrypoint.sh
start() {
    trap teardown EXIT
    # Refuse to start without an index name: the @index@ placeholder in inputs.conf must be replaced
    if [ -z "$SPLUNK_INDEX" ]; then
        echo "'SPLUNK_INDEX' env variable is empty or not defined. Should be 'dev' or 'prd'." >&2
        exit 1
    else
        sed -e "s/@index@/$SPLUNK_INDEX/" -i ${SPLUNK_HOME}/etc/system/local/inputs.conf
    fi
    # /etc/hostname is bind-mounted from the host (see docker-compose.yml below)
    sed -e "s/@hostname@/$(cat /etc/hostname)/" -i ${SPLUNK_HOME}/etc/system/local/inputs.conf
    sh -c "echo 'starting' > /tmp/splunk-container.state"
    ${SPLUNK_HOME}/bin/splunk start
    watch_for_failure
}

In my case a separate index is used for each environment and each entity, whether it is an application in a container or a host machine. This way search speed does not suffer once a significant amount of data has accumulated. A simple rule is used for naming indexes: _. So, to make the container universal, before launching the daemon itself we replace the wildcard with the environment name. The environment name is passed in through an environment variable. Sounds funny.
It is also worth noting that, for some reason, Splunk is not affected by the presence of the hostname parameter: it stubbornly sends logs with its container id in the host field. As a workaround you can mount /etc/hostname from the host machine and, at startup, do a substitution similar to the one for index names.
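The two sed calls in start() splice $SPLUNK_INDEX and the contents of /etc/hostname straight into a sed expression, so a value containing '/' or '&' breaks the file or rewrites it, and nothing checks that the result is a valid Splunk index name. As an added example (not the article's entrypoint.sh), here is the same placeholder substitution with both values validated first; it also shows the hostname being taken from a mounted file with the trailing newline stripped. The function names, the constructed inputs.conf template and the demo hostname are mine; the allowed character set for index names is an assumption that matches Splunk's lowercase-alphanumeric convention.

```shell
#!/bin/sh
# Added example, not the article's entrypoint.sh: render the @index@ and
# @hostname@ placeholders in an inputs.conf template, but validate both
# values before they reach sed.

# hostname_from_file FILE -> prints the first line with all whitespace removed
# (a bind-mounted /etc/hostname normally ends in a newline).
hostname_from_file() {
    head -n 1 "$1" | tr -d '[:space:]'
}

# render_inputs_conf TEMPLATE OUT INDEX HOSTNAME
# Returns 0 on success, 1 for a missing/invalid index, 2 for an invalid hostname.
render_inputs_conf() {
    template="$1"; out="$2"; index="$3"; host="$4"
    case "$index" in
        '' )
            echo "'SPLUNK_INDEX' env variable is empty or not defined. Should be 'dev' or 'prd'." >&2
            return 1 ;;
        *[!a-z0-9_]* )
            # Assumption: index names are kept to [a-z0-9_]
            echo "SPLUNK_INDEX '$index' contains characters outside [a-z0-9_]" >&2
            return 1 ;;
    esac
    case "$host" in
        '' | *[!A-Za-z0-9._-]* )
            echo "hostname '$host' is empty or not a valid hostname" >&2
            return 2 ;;
    esac
    # Both values are now free of sed metacharacters ('/', '&', '\'), so plain
    # substitution is safe. Write to a new file instead of editing in place.
    sed -e "s/@index@/$index/g" -e "s/@hostname@/$host/g" "$template" > "$out"
}

# Demo with a constructed template and hostname file (the article's real
# inputs.conf is not reproduced on the page).
DEMO=$(mktemp -d)
cat > "$DEMO/inputs.conf.tmpl" <<'EOF'
[monitor:///var/log]
index = @index@_host
host = @hostname@
sourcetype = syslog

[script://./bin/scripts/docker_stats.sh]
index = @index@_docker
host = @hostname@
interval = 60
EOF
printf 'node-01.example.internal\n' > "$DEMO/hostname"

render_inputs_conf "$DEMO/inputs.conf.tmpl" "$DEMO/inputs.conf" \
    prd "$(hostname_from_file "$DEMO/hostname")"
cat "$DEMO/inputs.conf"
rm -rf "$DEMO"
```

Dropping this into start() means a misconfigured SPLUNK_INDEX or a hostname file with unexpected content stops the container before the daemon starts, instead of producing an inputs.conf that Splunk silently misreads.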
Example docker-compose.yml
version: '2'
services:
  splunk-forwarder:
    image: "${IMAGE_REPO}/docker-stats-splunk-forwarder:${IMAGE_VERSION}"
    environment:
      SPLUNK_INDEX: ${ENVIRONMENT}
    volumes:
      - /etc/hostname:/etc/hostname:ro
      - /var/log:/var/log
      - /var/run/docker.sock:/var/run/docker.sock:ro

Note that `:ro` on the socket only makes the socket file read-only in the container's filesystem; it does not restrict the Docker API, so any process in this container (which runs as root) can still create, exec into or stop any container on the host. Treat the forwarder container as root-equivalent on the node, and consider mounting /var/log read-only too, since the forwarder only needs to read it.

Conclusion
So, the solution may not be ideal and is certainly not universal for everyone, since there is a lot of "hardcode" in it. But based on it, anyone can build their own image and put it in their private artifactory if, as happens, they need a Splunk Forwarder in Docker.
references:
Source: www.habr.com
