Splunk is one of the most popular commercial log collection and analysis products. Even now, when it is no longer sold in Russia, that is no reason not to write guides and how-tos for this product.
Task: collect system logs from Docker nodes into Splunk without changing the configuration of the host machine.
I want to start with the official approach, which looks somewhat odd when you use Docker.
What we have:
1. Pull the image
$ docker pull splunk/universalforwarder:latest
2. Start the container with the required parameters
$ docker run -d -p 9997:9997 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=<password>' splunk/universalforwarder:latest
3. Enter the container
docker exec -it <container-id> /bin/bash
Next, go to the well-known address in the documentation.
And configure the container after it starts:
./splunk add forward-server <host name or ip address>:<listening port>
./splunk add monitor /var/log
./splunk restart
Wait. What?
But the surprises don't end there. If you run the container from the official image in interactive mode, you will see the following:
Slightly disappointing
$ docker run -it -p 9997:9997 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=password' splunk/universalforwarder:latest
PLAY [Run default Splunk provisioning] *******************************************************************************************************************************************************************************************************
Tuesday 09 April 2019 13:40:38 +0000 (0:00:00.096) 0:00:00.096 *********
TASK [Gathering Facts] ***********************************************************************************************************************************************************************************************************************
ok: [localhost]
Tuesday 09 April 2019 13:40:39 +0000 (0:00:01.520) 0:00:01.616 *********
TASK [Get actual hostname] *******************************************************************************************************************************************************************************************************************
changed: [localhost]
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.599) 0:00:02.215 *********
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.054) 0:00:02.270 *********
TASK [set_fact] ******************************************************************************************************************************************************************************************************************************
ok: [localhost]
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.075) 0:00:02.346 *********
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.067) 0:00:02.413 *********
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.060) 0:00:02.473 *********
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.051) 0:00:02.525 *********
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.056) 0:00:02.582 *********
Tuesday 09 April 2019 13:40:41 +0000 (0:00:00.216) 0:00:02.798 *********
included: /opt/ansible/roles/splunk_common/tasks/change_splunk_directory_owner.yml for localhost
Tuesday 09 April 2019 13:40:41 +0000 (0:00:00.087) 0:00:02.886 *********
TASK [splunk_common : Update Splunk directory owner] *****************************************************************************************************************************************************************************************
ok: [localhost]
Tuesday 09 April 2019 13:40:41 +0000 (0:00:00.324) 0:00:03.210 *********
included: /opt/ansible/roles/splunk_common/tasks/get_facts.yml for localhost
Tuesday 09 April 2019 13:40:41 +0000 (0:00:00.094) 0:00:03.305 *********
and so on...
Wonderful. The image doesn't even contain the artifact. That is, on every start it spends time downloading the archive with the binaries, unpacking it and configuring it.
What about the Docker way and all that?
No thanks. We'll go a different route. What if we do all these operations at the build stage? Let's go!
So as not to drag this out, I'll show you the final image right away:
Dockerfile
# Base image: everyone has their own preferences
FROM centos:7

# Set variables so they don't have to be passed on every start
ENV SPLUNK_HOME /splunkforwarder
ENV SPLUNK_ROLE splunk_heavy_forwarder
ENV SPLUNK_PASSWORD changeme
ENV SPLUNK_START_ARGS --accept-license

# Install packages
# wget - to download the artifacts
# expect - needed for the initial Splunk start during the build stage
# jq - used in the scripts that collect docker statistics
RUN yum install -y epel-release \
    && yum install -y wget expect jq

# Download, unpack, delete
RUN wget -O splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.2.4&product=universalforwarder&filename=splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz&wget=true' \
    && wget -O docker-18.09.3.tgz 'https://download.docker.com/linux/static/stable/x86_64/docker-18.09.3.tgz' \
    && tar -xvf splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz \
    && tar -xvf docker-18.09.3.tgz \
    && rm -f splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz \
    && rm -f docker-18.09.3.tgz

# The shell scripts are self-explanatory, but inputs.conf, splunkclouduf.spl and first_start.sh need an explanation. More on that after the code block.
COPY [ "inputs.conf", "docker-stats/props.conf", "/splunkforwarder/etc/system/local/" ]
COPY [ "docker-stats/docker_events.sh", "docker-stats/docker_inspect.sh", "docker-stats/docker_stats.sh", "docker-stats/docker_top.sh", "/splunkforwarder/bin/scripts/" ]
COPY splunkclouduf.spl /splunkclouduf.spl
COPY first_start.sh /splunkforwarder/bin/

# Grant execute permissions, add the user and perform the initial setup
RUN chmod +x /splunkforwarder/bin/scripts/*.sh \
    && groupadd -r splunk \
    && useradd -r -m -g splunk splunk \
    && echo "%sudo ALL=NOPASSWD:ALL" >> /etc/sudoers \
    && chown -R splunk:splunk $SPLUNK_HOME \
    && /splunkforwarder/bin/first_start.sh \
    && /splunkforwarder/bin/splunk install app /splunkclouduf.spl -auth admin:changeme \
    && /splunkforwarder/bin/splunk restart

# Copy the init scripts
COPY [ "init/entrypoint.sh", "init/checkstate.sh", "/sbin/" ]

# Optional. Some want to have configs/logs locally, some don't.
VOLUME [ "/splunkforwarder/etc", "/splunkforwarder/var" ]

HEALTHCHECK --interval=30s --timeout=30s --start-period=3m --retries=5 CMD /sbin/checkstate.sh || exit 1
ENTRYPOINT [ "/sbin/entrypoint.sh" ]
CMD [ "start-service" ]
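The "Download, unpack, delete" step above fetches two tarballs over HTTPS and extracts them without checking what it got. The following shell helpers, an added example and not part of the article's Dockerfile, show how a build step can pin a SHA-256 for each artifact and refuse to unpack anything that does not match. The digests in the usage comment are placeholders (take the real values from the vendor's download page); the URLs are the ones the Dockerfile uses, and file_sha256, verify_sha256 and fetch_verify_unpack are names chosen here.

```shell
#!/bin/sh
# Added example: checksum-pin build-time downloads before extracting them.
# Not the article's own code; the function names and the digests in the
# usage comment are assumptions/placeholders.

# Print the SHA-256 of a file, using whichever tool the build image provides.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Compare a file's digest with the pinned value. A non-zero return from a
# RUN step fails `docker build`, so a tampered or truncated download stops
# the image from being produced at all.
verify_sha256() {
  file="$1"; expected="$2"
  actual=$(file_sha256 "$file") || return 1
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file: expected $expected, got $actual" >&2
    return 1
  fi
  return 0
}

# Download, verify, then unpack. On any failure the (partial) file is
# removed and nothing is extracted into the image.
fetch_verify_unpack() {
  url="$1"; file="$2"; expected="$3"
  wget -q -O "$file" "$url" || { rm -f "$file"; return 1; }
  if ! verify_sha256 "$file" "$expected"; then
    rm -f "$file"
    return 1
  fi
  tar -xf "$file" && rm -f "$file"
}

# Usage inside a RUN step (the digest is a placeholder, not a real value):
#   fetch_verify_unpack \
#     'https://download.docker.com/linux/static/stable/x86_64/docker-18.09.3.tgz' \
#     docker-18.09.3.tgz '<sha256-of-docker-18.09.3.tgz>'
```

Keeping the expected digests in the Dockerfile (or a build argument) rather than fetching them from the same server at build time is what makes the check meaningful: the build then only succeeds with the exact bytes that were reviewed when the digest was recorded.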
So what's inside
first_start.sh
#!/usr/bin/expect -f
set timeout -1
spawn /splunkforwarder/bin/splunk start --accept-license
expect "Please enter an administrator username: "
send -- "admin\r"
expect "Please enter a new password: "
send -- "changeme\r"
expect "Please confirm new password: "
send -- "changeme\r"
expect eof
On the first start, Splunk asks you to give it a login/password, BUT this data is used only to run administrative commands for this particular installation, that is, inside the container. In our case we just want to start the container so that everything works and the logs flow like a river. Of course this is hardcoded, but I didn't find another way.
Next, according to the script, the following is executed
/splunkforwarder/bin/splunk install app /splunkclouduf.spl -auth admin:changeme
splunkclouduf.spl is the credentials file for Splunk Universal Forwarder, which can be downloaded from the web interface.
[Screenshot: where to click in the web interface to download it]
This is an ordinary archive that can be unpacked. Inside are the certificate and password for connecting to SplunkCloud, and an outputs.conf with the list of our input instances. This file stays valid until you reinstall your Splunk installation or add an input node, if the installation is on-premises. So there is nothing wrong with putting it inside the container.
And the last thing is the restart. Yes, to apply the changes you have to restart it.
In our inputs.conf we add the logs we want to send to Splunk. It's not necessary to add this file to the image if you distribute configs with Puppet, for example. The only thing is that the Forwarder must see the configs when the daemon starts; otherwise you need ./splunk restart.
What are these docker stats scripts? There is an old solution on GitHub from
With the data obtained you can build the following dashboards: [two dashboard screenshots]
The dashboard source code is in the link at the end of the article. Note that there are 2 selection fields: 1 - index selection (search by mask), 2 - host/container selection. You may need to update the index mask depending on the names you use.
In conclusion, I want to draw your attention to the start() function in
entrypoint.sh
start() {
    trap teardown EXIT
    # The index name is mandatory: without it the placeholder would stay in inputs.conf
    if [ -z "$SPLUNK_INDEX" ]; then
        echo "'SPLUNK_INDEX' env variable is empty or not defined. Should be 'dev' or 'prd'." >&2
        exit 1
    else
        sed -e "s/@index@/$SPLUNK_INDEX/" -i "${SPLUNK_HOME}/etc/system/local/inputs.conf"
    fi
    # /etc/hostname is mounted from the host (see docker-compose.yml below)
    sed -e "s/@hostname@/$(cat /etc/hostname)/" -i "${SPLUNK_HOME}/etc/system/local/inputs.conf"
    sh -c "echo 'starting' > /tmp/splunk-container.state"
    "${SPLUNK_HOME}/bin/splunk" start
    watch_for_failure
}
As for us, for each environment and each branch, whether an application in a container or a host machine, we use a separate index. That way search speed does not suffer when there is a lot of data. A simple rule is used for index names: _. So, to make the container universal, before launching the daemon we replace the wildcard with the environment name using sed. The environment name is passed in through an environment variable. Sounds funny.
It's also worth noting that, for some reason, Docker's hostname parameter has no effect on Splunk. It will still send logs with its container ID in the host field. As a workaround, you can mount /etc/hostname from the host machine and, at startup, do a substitution similar to the one for the index name.
Example docker-compose.yml
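The start() function substitutes the @index@ and @hostname@ markers in inputs.conf with whatever the environment and the mounted /etc/hostname contain, and the only check is that the index is non-empty. The script below is an added example, not the article's entrypoint.sh: it performs the same rendering as a function that can be tested, but validates both values before they reach the sed expression (a hostname or index containing `/`, quotes or newlines would otherwise corrupt the conf file) and verifies that no placeholder survives. The inputs.conf template is constructed here to stand in for the one baked into the image; write_template and render_inputs_conf are names chosen for this example.

```shell
#!/bin/sh
# Added example (not the article's own entrypoint.sh): render the inputs.conf
# template the way start() does, as a testable function with input validation.

# Constructed template standing in for the inputs.conf copied into the image;
# the @index@ and @hostname@ markers are the ones the article's start() uses.
write_template() {
  cat > "$1" <<'EOF'
[default]
host = @hostname@

[monitor:///var/log]
index = @index@
sourcetype = syslog
EOF
}

# render_inputs_conf TEMPLATE OUT INDEX HOSTNAME
# Fails closed (non-zero return, OUT untouched) on an empty index, on values
# that would break the sed expression or conf syntax, and if any marker
# remains unresolved after substitution.
render_inputs_conf() {
  template="$1"; out="$2"; index="$3"; host="$4"
  if [ -z "$index" ]; then
    echo "'SPLUNK_INDEX' env variable is empty or not defined. Should be 'dev' or 'prd'." >&2
    return 1
  fi
  case "$index" in
    *[!A-Za-z0-9_-]*) echo "refusing index name with unexpected characters: '$index'" >&2; return 1 ;;
  esac
  # /etc/hostname ends with a newline; strip it and allow only hostname characters.
  host=$(printf '%s' "$host" | tr -d '\n\r')
  case "$host" in
    ''|*[!A-Za-z0-9._-]*) echo "refusing hostname with unexpected characters: '$host'" >&2; return 1 ;;
  esac
  tmp="$out.tmp"
  sed -e "s/@index@/$index/" -e "s/@hostname@/$host/" "$template" > "$tmp" || { rm -f "$tmp"; return 1; }
  if grep -q '@[A-Za-z_]*@' "$tmp"; then
    echo "unresolved placeholder remains in rendered inputs.conf" >&2
    rm -f "$tmp"
    return 1
  fi
  mv "$tmp" "$out"
}

# Stand-alone demo with constructed inputs.
tmpl=$(mktemp); out=$(mktemp)
write_template "$tmpl"
render_inputs_conf "$tmpl" "$out" "dev" "node-01" && cat "$out"
rm -f "$tmpl" "$out"
```

Rendering into a temporary file and moving it into place only after the checks pass means a failed start never leaves a half-substituted inputs.conf behind for the next container start to pick up.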
version: '2'
services:
  splunk-forwarder:
    image: "${IMAGE_REPO}/docker-stats-splunk-forwarder:${IMAGE_VERSION}"
    environment:
      SPLUNK_INDEX: ${ENVIRONMENT}
    volumes:
      - /etc/hostname:/etc/hostname:ro
      - /var/log:/var/log
      - /var/run/docker.sock:/var/run/docker.sock:ro
Result
Yes, the solution may not be ideal and certainly isn't for everyone, since there is a lot of "hardcode". But based on it, anyone can build their own image and put it in their own artifactory, if you need Splunk Forwarder in Docker.
Links:
Source: www.habr.com