Splunk Universal Forwarder in Docker as a system log collector


Splunk is one of the most popular commercial log collection and analysis products. Even though sales in Russia have now stopped, that is no reason not to write instructions/how-tos for this product.

Goal: collect system logs from Docker containers into Splunk without changing the host machine's configuration

I want to start with the official approach, which looks a bit odd when you are used to Docker.
Link to Docker Hub
What we have:

1. Pull the image

$ docker pull splunk/universalforwarder:latest

2. Start the container with the required parameters

$ docker run -d  -p 9997:9997 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=<password>' splunk/universalforwarder:latest

3. Go into the container

docker exec -it <container-id> /bin/bash

Next, you are asked to follow the address given in the documentation.

And then configure the container after it has started:


./splunk add forward-server <host name or ip address>:<listening port>
./splunk add monitor /var/log
./splunk restart

Wait. What?

But the surprises don't end there. If you run the container from the official image in interactive mode, you'll see the following:

A little disappointment


$ docker run -it -p 9997:9997 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=password' splunk/universalforwarder:latest

PLAY [Run default Splunk provisioning] *******************************************************************************************************************************************************************************************************
Tuesday 09 April 2019  13:40:38 +0000 (0:00:00.096)       0:00:00.096 *********

TASK [Gathering Facts] ***********************************************************************************************************************************************************************************************************************
ok: [localhost]
Tuesday 09 April 2019  13:40:39 +0000 (0:00:01.520)       0:00:01.616 *********

TASK [Get actual hostname] *******************************************************************************************************************************************************************************************************************
changed: [localhost]
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.599)       0:00:02.215 *********
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.054)       0:00:02.270 *********

TASK [set_fact] ******************************************************************************************************************************************************************************************************************************
ok: [localhost]
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.075)       0:00:02.346 *********
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.067)       0:00:02.413 *********
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.060)       0:00:02.473 *********
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.051)       0:00:02.525 *********
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.056)       0:00:02.582 *********
Tuesday 09 April 2019  13:40:41 +0000 (0:00:00.216)       0:00:02.798 *********
included: /opt/ansible/roles/splunk_common/tasks/change_splunk_directory_owner.yml for localhost
Tuesday 09 April 2019  13:40:41 +0000 (0:00:00.087)       0:00:02.886 *********

TASK [splunk_common : Update Splunk directory owner] *****************************************************************************************************************************************************************************************
ok: [localhost]
Tuesday 09 April 2019  13:40:41 +0000 (0:00:00.324)       0:00:03.210 *********
included: /opt/ansible/roles/splunk_common/tasks/get_facts.yml for localhost
Tuesday 09 April 2019  13:40:41 +0000 (0:00:00.094)       0:00:03.305 *********

and so on...

Great. There isn't even an artifact in the image. That is, every start spends time downloading the archive with the binaries, unpacking it and configuring.
What about the Docker way and all that?

No thanks. We'll go a different route. What if we do all of these operations at build time? Let's go then!

So as not to drag things out, I'll show the final image right away:

Dockerfile

# Whatever base image you prefer
FROM centos:7

# Set the variables here so they don't have to be passed on every start
ENV SPLUNK_HOME /splunkforwarder
ENV SPLUNK_ROLE splunk_heavy_forwarder
ENV SPLUNK_PASSWORD changeme
ENV SPLUNK_START_ARGS --accept-license

# Install packages
# wget - to download the artifacts
# expect - needed for the initial Splunk start at build time
# jq - used by the scripts that collect Docker statistics
RUN yum install -y epel-release \
    && yum install -y wget expect jq

# Download, unpack, delete
RUN wget -O splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.2.4&product=universalforwarder&filename=splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz&wget=true' \
    && wget -O docker-18.09.3.tgz 'https://download.docker.com/linux/static/stable/x86_64/docker-18.09.3.tgz' \
    && tar -xvf splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz \
    && tar -xvf docker-18.09.3.tgz \
    && rm -f splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz \
    && rm -f docker-18.09.3.tgz

# The shell scripts are self-explanatory, but inputs.conf, splunkclouduf.spl and first_start.sh need some explanation. I'll cover them after the source block.
COPY [ "inputs.conf", "docker-stats/props.conf", "/splunkforwarder/etc/system/local/" ]
COPY [ "docker-stats/docker_events.sh", "docker-stats/docker_inspect.sh", "docker-stats/docker_stats.sh", "docker-stats/docker_top.sh", "/splunkforwarder/bin/scripts/" ]
COPY splunkclouduf.spl /splunkclouduf.spl
COPY first_start.sh /splunkforwarder/bin/

# Grant execute permissions, add the user and perform the initial setup
RUN chmod +x /splunkforwarder/bin/scripts/*.sh \
    && groupadd -r splunk \
    && useradd -r -m -g splunk splunk \
    && echo "%sudo ALL=NOPASSWD:ALL" >> /etc/sudoers \
    && chown -R splunk:splunk $SPLUNK_HOME \
    && /splunkforwarder/bin/first_start.sh \
    && /splunkforwarder/bin/splunk install app /splunkclouduf.spl -auth admin:changeme \
    && /splunkforwarder/bin/splunk restart

# Copy the init scripts
COPY [ "init/entrypoint.sh", "init/checkstate.sh", "/sbin/" ]

# Optional. Some people want the configs/logs locally, some don't.
VOLUME [ "/splunkforwarder/etc", "/splunkforwarder/var" ]

HEALTHCHECK --interval=30s --timeout=30s --start-period=3m --retries=5 CMD /sbin/checkstate.sh || exit 1

ENTRYPOINT [ "/sbin/entrypoint.sh" ]
CMD [ "start-service" ]

So what's inside

first_start.sh

#!/usr/bin/expect -f
# Answer the interactive prompts of the very first Splunk start during the image build
set timeout -1
spawn /splunkforwarder/bin/splunk start --accept-license
expect "Please enter an administrator username: "
send -- "admin\r"
expect "Please enter a new password: "
send -- "changeme\r"
expect "Please confirm new password: "
send -- "changeme\r"
expect eof

On the first start, Splunk asks you to provide a login/password, BUT these credentials are only used to run administrative commands on that particular installation, i.e. inside the container. In our case, we just want to start the container so that everything works and the logs flow like a river. Of course, this is hardcode, but I haven't found another way.

Further down the script executes

/splunkforwarder/bin/splunk install app /splunkclouduf.spl -auth admin:changeme

splunkclouduf.spl is a credentials file for Splunk Universal Forwarder that can be downloaded from the web interface.

Where to click to download (see the pictures)

This is a regular archive that can be unpacked. Inside are the certificates and password for connecting to our SplunkCloud, plus an outputs.conf with the list of our input hosts. This file stays valid until you reinstall your Splunk installation or add an input node if the installation is on-premise. So there's nothing wrong with adding it inside the container.

And the last thing is the restart. Yes, to apply the changes you need to restart.

In our inputs.conf we add the logs we want to send to Splunk. It isn't necessary to add this file to the image if, for example, you distribute configs via puppet. The only thing to remember is that the Forwarder only reads the configs when the daemon starts; otherwise a ./splunk restart is required.

What about the docker stats scripts? There's an old solution on GitHub from outcoldman; the scripts were taken from there and modified to work with current versions of Docker (ce-17.*) and Splunk (7.*).

With the data obtained, you can build the following dashboards (two pictures):

The source code for the dashboards is in the link given at the end of the article. Note that 2 select fields are marked: 1 - index selection (searched by mask), 2 - host/container selection. You'll probably need to update the index mask depending on the names you use.

Finally, I want to draw your attention to the start() function in

entrypoint.sh

start() {
    trap teardown EXIT
    # The index name must be supplied; it is stamped into inputs.conf before the daemon starts
    if [ -z "$SPLUNK_INDEX" ]; then
        echo "'SPLUNK_INDEX' env variable is empty or not defined. Should be 'dev' or 'prd'." >&2
        exit 1
    else
        sed -e "s/@index@/$SPLUNK_INDEX/" -i "${SPLUNK_HOME}/etc/system/local/inputs.conf"
    fi
    # /etc/hostname is mounted from the host, so the host field carries the host's name, not the container id
    sed -e "s/@hostname@/$(cat /etc/hostname)/" -i "${SPLUNK_HOME}/etc/system/local/inputs.conf"
    echo 'starting' > /tmp/splunk-container.state
    "${SPLUNK_HOME}/bin/splunk" start
    watch_for_failure
}

In my case, for each environment and each individual entity, whether it's an application in a container or on the host machine, we use a separate index. That way search speed doesn't suffer when a large amount of data accumulates. Indexes are named by a simple rule: _. So, to keep the container universal, before starting the daemon itself we replace the wildcard with the environment name using sed. The environment name is passed in via environment variables. Sounds funny.

It's also worth knowing that, for some reason, Splunk ignores the Docker hostname parameter. It stubbornly keeps sending logs with its container id in the host field. As a workaround, you can mount /etc/hostname from the host machine and at startup do a substitution similar to the one for the index names.

Example docker-compose.yml
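As an added illustration (not the article's own entrypoint.sh), the POSIX shell script below performs the same @index@ and @hostname@ substitution that start() does, but validates both values before they reach sed: the index must be one of the two names the start() error message allows, and the hostname read from the mounted /etc/hostname may only contain characters that cannot alter the sed expression. The template text, the file names and the demo() helper are constructed for this example and are not from the article's image.

```shell
#!/bin/sh
# Added example: safe rendering of the article's inputs.conf placeholders.
# Assumptions: the template uses @index@ and @hostname@ as in the article,
# and the only valid index names are 'dev' and 'prd' as start() states.

# Return 0 if $1 is an allowed index name, 1 otherwise.
validate_index() {
    case "$1" in
        dev|prd) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print the hostname to stamp into the config: the first line of the file
# given as $1 (e.g. /etc/hostname mounted read-only from the host), with
# whitespace removed. Falls back to the kernel hostname if the file is
# missing or empty.
read_hostname() {
    h=""
    if [ -r "$1" ]; then
        h=$(head -n 1 "$1" | tr -d '[:space:]')
    fi
    [ -n "$h" ] || h=$(hostname)
    printf '%s\n' "$h"
}

# render_inputs_conf TEMPLATE OUT INDEX HOSTNAME
# Substitutes the placeholders, refusing bad input instead of writing a
# config that the daemon would happily start with.
render_inputs_conf() {
    tmpl="$1"; out="$2"; idx="$3"; host="$4"
    if ! validate_index "$idx"; then
        echo "refusing index '$idx': must be 'dev' or 'prd'" >&2
        return 1
    fi
    # Only letters, digits, dot, underscore and dash: no '/' or '&', which
    # would change the meaning of the sed replacement.
    case "$host" in
        ""|*[!A-Za-z0-9._-]*)
            echo "refusing hostname '$host': unexpected characters" >&2
            return 1 ;;
    esac
    sed -e "s/@index@/$idx/g" -e "s/@hostname@/$host/g" "$tmpl" > "$out"
}

# Demonstration on a constructed template (not the article's inputs.conf).
# Prints the rendered config on success; returns non-zero on refusal.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/inputs.conf.tmpl" <<'EOF'
[default]
host = @hostname@

[monitor:///var/log]
index = @index@
sourcetype = syslog
EOF
    printf 'web-01\n' > "$dir/hostname"   # constructed stand-in for /etc/hostname
    rc=0
    render_inputs_conf "$dir/inputs.conf.tmpl" "$dir/inputs.conf" \
        "$1" "$(read_hostname "$dir/hostname")" || rc=$?
    [ "$rc" -eq 0 ] && cat "$dir/inputs.conf"
    rm -rf "$dir"
    return "$rc"
}

# Usage: sh render.sh --demo prd
case "${1:-}" in
    --demo) demo "${2:-dev}" ;;
esac
```

In the real image, render_inputs_conf would take the place of the two bare sed lines in start(), so that a malformed SPLUNK_INDEX or an unexpected value in the mounted /etc/hostname stops the container at startup rather than silently producing a broken inputs.conf.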

version: '2'
services:
  splunk-forwarder:
    image: "${IMAGE_REPO}/docker-stats-splunk-forwarder:${IMAGE_VERSION}"
    environment:
      SPLUNK_INDEX: ${ENVIRONMENT}
    volumes:
    - /etc/hostname:/etc/hostname:ro
    - /var/log:/var/log
    - /var/run/docker.sock:/var/run/docker.sock:ro

Summary

Yes, perhaps the solution isn't ideal and certainly not universal for everyone, since there's a lot of "hardcode". But based on it, anyone can build their own image and put it into their private artifactory if, as it turns out, you need Splunk Forwarder in Docker.

References:

Solution from the article
outcoldman's solution, which inspired us to reuse some of its functionality
Official documentation on setting up Universal Forwarder

Source: will.com
