🥇Splunk Universal Forwarder in Docker as a system log collector

Splunk est unus e pluribus notissimis collectionis commercii et analysi productorum. Etiam nunc, cum venditiones in Russia factae non sunt, haec ratio non est mandatum/quam-ad hoc opus scribere.

negotium: systema collecta e nodorum nodorum in Splunk sine mutatione apparatus exercitus configuratione

Vellem accedere cum officiali incipere, quod paulum mirum est cum usus Docker.
Link to Docker centrum
Quid habemus;

1. imago Pullim

$ docker pull splunk/universalforwarder:latest

2. Satus continens necessaria parametri

$ docker run -d  -p 9997:9997 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=<password>' splunk/universalforwarder:latest

3. imus in vas

docker exec -it <container-id> /bin/bash

Deinde rogamur ut notam electronicam in documentis petamus.

Et configurare continens postquam incipit;


./splunk add forward-server <host name or ip address>:<listening port>
./splunk add monitor /var/log
./splunk restart

Manere. Quid est?

Sed elit non est finis. Si vas ex imagine officialis in modo interactive curras, sequentia videbis:

Aliquantulus destitutionis


$ docker run -it -p 9997:9997 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=password' splunk/universalforwarder:latest

PLAY [Run default Splunk provisioning] *******************************************************************************************************************************************************************************************************
Tuesday 09 April 2019  13:40:38 +0000 (0:00:00.096)       0:00:00.096 *********

TASK [Gathering Facts] ***********************************************************************************************************************************************************************************************************************
ok: [localhost]
Tuesday 09 April 2019  13:40:39 +0000 (0:00:01.520)       0:00:01.616 *********

TASK [Get actual hostname] *******************************************************************************************************************************************************************************************************************
changed: [localhost]
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.599)       0:00:02.215 *********
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.054)       0:00:02.270 *********

TASK [set_fact] ******************************************************************************************************************************************************************************************************************************
ok: [localhost]
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.075)       0:00:02.346 *********
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.067)       0:00:02.413 *********
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.060)       0:00:02.473 *********
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.051)       0:00:02.525 *********
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.056)       0:00:02.582 *********
Tuesday 09 April 2019  13:40:41 +0000 (0:00:00.216)       0:00:02.798 *********
included: /opt/ansible/roles/splunk_common/tasks/change_splunk_directory_owner.yml for localhost
Tuesday 09 April 2019  13:40:41 +0000 (0:00:00.087)       0:00:02.886 *********

TASK [splunk_common : Update Splunk directory owner] *****************************************************************************************************************************************************************************************
ok: [localhost]
Tuesday 09 April 2019  13:40:41 +0000 (0:00:00.324)       0:00:03.210 *********
included: /opt/ansible/roles/splunk_common/tasks/get_facts.yml for localhost
Tuesday 09 April 2019  13:40:41 +0000 (0:00:00.094)       0:00:03.305 *********

ну и так далее...

Magna. Imago ne artificium quidem continet. Hoc est, quotienscumque incipis, tempus erit ut archivum cum binariis, unpack et configurare capias.
Quid de phiala et omnia?

Non grates. Aliam viam feremus. Quid si haec omnia in comitio peragamus? Abeamus ergo!

Ut ne diutius moreris, ultimam statim imaginem tibi ostendam:

Dockerfile

# Тут у кого какие предпочтения
FROM centos:7

# Задаём переменные, чтобы каждый раз при старте не указывать их
ENV SPLUNK_HOME /splunkforwarder
ENV SPLUNK_ROLE splunk_heavy_forwarder
ENV SPLUNK_PASSWORD changeme
ENV SPLUNK_START_ARGS --accept-license

# Ставим пакеты
# wget - чтобы скачать артефакты
# expect - понадобится для первоначального запуска Splunk на этапе сборки
# jq - используется в скриптах, которые собирают статистику докера
RUN yum install -y epel-release 
    && yum install -y wget expect jq

# Качаем, распаковываем, удаляем
RUN wget -O splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.2.4&product=universalforwarder&filename=splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz&wget=true' 
    && wget -O docker-18.09.3.tgz 'https://download.docker.com/linux/static/stable/x86_64/docker-18.09.3.tgz' 
    && tar -xvf splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz 
    && tar -xvf docker-18.09.3.tgz  
    && rm -f splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz 
    && rm -f docker-18.09.3.tgz

# С shell скриптами всё понятно, а вот inputs.conf, splunkclouduf.spl и first_start.sh нуждаются в пояснении. Об этом расскажу после source тэга.
COPY [ "inputs.conf", "docker-stats/props.conf", "/splunkforwarder/etc/system/local/" ]
COPY [ "docker-stats/docker_events.sh", "docker-stats/docker_inspect.sh", "docker-stats/docker_stats.sh", "docker-stats/docker_top.sh", "/splunkforwarder/bin/scripts/" ]
COPY splunkclouduf.spl /splunkclouduf.spl
COPY first_start.sh /splunkforwarder/bin/

#  Даём права на исполнение, добавляем пользователя и выполняем первоначальную настройку
RUN chmod +x /splunkforwarder/bin/scripts/*.sh 
    && groupadd -r splunk 
    && useradd -r -m -g splunk splunk 
    && echo "%sudo ALL=NOPASSWD:ALL" >> /etc/sudoers 
    && chown -R splunk:splunk $SPLUNK_HOME 
    && /splunkforwarder/bin/first_start.sh 
    && /splunkforwarder/bin/splunk install app /splunkclouduf.spl -auth admin:changeme 
    && /splunkforwarder/bin/splunk restart

# Копируем инит скрипты
COPY [ "init/entrypoint.sh", "init/checkstate.sh", "/sbin/" ]

# По желанию. Кому нужно локально иметь конфиги/логи, кому нет.
VOLUME [ "/splunkforwarder/etc", "/splunkforwarder/var" ]

HEALTHCHECK --interval=30s --timeout=30s --start-period=3m --retries=5 CMD /sbin/checkstate.sh || exit 1

ENTRYPOINT [ "/sbin/entrypoint.sh" ]
CMD [ "start-service" ]

Ita quod continetur in

first_start.sh

#!/usr/bin/expect -f
set timeout -1
spawn /splunkforwarder/bin/splunk start --accept-license
expect "Please enter an administrator username: "
send -- "adminr"
expect "Please enter a new password: "
send -- "changemer"
expect "Please confirm new password: "
send -- "changemer"
expect eof

In initio primo, Splunk rogat te ut ei aperias tesseram, sed haec notitia adhibetur tantum ad facienda mandata administrativa ad institutionem illam particularem, id est, intra continens. In casu nostro, solum vas mittere volumus ut omnia opera et tigna fluant sicut flumen. Nimirum hoc durum est, sed alias vias non inveni.

Praeterea, secundum scriptum fit

/splunkforwarder/bin/splunk install app /splunkclouduf.spl -auth admin:changeme

splunkclouduf.spl - Haec documentorum fasciculus Splunk Universalis Forwarder, quae e interfaciei interreti ratione deponi potest.

Ubi ut click to download (in imaginibus)

Archivum regulare est quod indissolubile esse potest. Intus sunt testimoniales et tesseram connectens nostris SplunkCloud et outputs.conf cum indice instantiarum inputationum nostrarum. Hic fasciculus talis erit donec institutionem tuam Splunk restituas vel nodi initus adde si institutionem in-praemissam est. Nihil ergo mali est quod intus in continente addens.

Novissimumque illud sileo. Ita ut mutationes adhibeas, necesse est ut sileo eam.

In nobis inputs.conf tigna quae mittere volumus ad Splunk addimus. Hoc fasciculum imagini adicere non est si, exempli gratia, configs per puppeam distribuis. Sola res est quod Foras ficas videt cum incipit daemon, alias opus erit ./splunk sileo.

Quales docker civitas scripta sunt? Est vetus solutio Github e outcoldmanscripta inde desumpta sunt et mutata in versionibus Docker (ce-17.*) et Splunk (7.*).

Cum data adeptus, haec aedificare potes

dashboards (a duobus imaginibus)

Fons code pro striis est in nexu provisum in fine articuli. Nota quaeso quod campi selecti sunt 2: 1 - index selectio (per persona quaesita), ornatus / vas lectionis. Verisimile erit tibi personam indices renovare, prout in nominibus uteris.

Demum velim animum ad munus reducere satus () в

entrypoint.sh *

start() {
    trap teardown EXIT
	if [ -z $SPLUNK_INDEX ]; then
	echo "'SPLUNK_INDEX' env variable is empty or not defined. Should be 'dev' or 'prd'." >&2
	exit 1
	else
	sed -e "s/@index@/$SPLUNK_INDEX/" -i ${SPLUNK_HOME}/etc/system/local/inputs.conf
	fi
	sed -e "s/@hostname@/$(cat /etc/hostname)/" -i ${SPLUNK_HOME}/etc/system/local/inputs.conf
    sh -c "echo 'starting' > /tmp/splunk-container.state"
	${SPLUNK_HOME}/bin/splunk start
    watch_for_failure
}

In casu, ad singulas ambitus et singulas res, sit applicatio in vase vel in machina hospite, indice separato utimur. Hoc modo celeritas inquisitionis non patietur cum notabilis est cumulus notitiarum. Simplex regula ad indices nominandos adhibetur: _. Ut ergo universale sit continens, antequam ipsum daemonem deducamus, substituimus but-th wildcard ad nomen ambitus. Ambitus nomen variabile per varias ambitus mutatur. Integer mauris.

Etiam notatu dignum est quod aliqua de causa Splunk praesentiam parametri sculpsit non affici hostname. Adhuc procaciter mittet ligna cum id vase suo in agro militiae. Ad solutionem potes conscendere / Etc / hostname e machinis ornatus et in satus supplementum facere similes indices nominum.

Exemplum docker-compose.yml

version: '2'
services:
  splunk-forwarder:
    image: "${IMAGE_REPO}/docker-stats-splunk-forwarder:${IMAGE_VERSION}"
    environment:
      SPLUNK_INDEX: ${ENVIRONMENT}
    volumes:
    - /etc/hostname:/etc/hostname:ro
    - /var/log:/var/log
    - /var/run/docker.sock:/var/run/docker.sock:ro

exitum

Ita fortasse solutio non est idealis et certe non universalis pro omnibus, cum multa sint "Hardcode". Sed in ea fundata, quisque suam imaginem aedificare potest et eam in suo artificio privato collocare, si, ut fit, in Docker Splunk Forwarder eges.

references:

Solutio in articulo
Solutio ab outcoldman qui nos inspiravit ad reuse alicuius functionis
Idumaeas. Documenta erigendi universalis Forwarder

Source: www.habr.com

Splunk universalis Forwarder in docker sicut ratio iniuriarum collector

Add a comment Отменить ответ