Splunk Universal Forwarder in Docker as a system log collector

Splunk is one of the most recognizable commercial products for collecting and analysing logs. Even now, when it is no longer sold in Russia, that is no reason not to write instructions and how-tos for it.

Goal: collect system logs from Docker nodes into Splunk without changing the configuration of the host machine.

I'd like to start with the official approach, which looks odd when you use Docker.
Link to Docker hub
What we get:

1. Pull the image

$ docker pull splunk/universalforwarder:latest

2. Start the container with the required configuration

$ docker run -d  -p 9997:9997 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=<password>' splunk/universalforwarder:latest

3. Enter the container

$ docker exec -it <container-id> /bin/bash

Next, we are sent to the well-known page in the documentation.

And configure the container after it has started:


./splunk add forward-server <host name or ip address>:<listening port>
./splunk add monitor /var/log
./splunk restart

Wait. What?

But the surprises don't end there. If you run the container from the official image in interactive mode, you will see the following:

A bit of disappointment


$ docker run -it -p 9997:9997 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=password' splunk/universalforwarder:latest

PLAY [Run default Splunk provisioning] *******************************************************************************************************************************************************************************************************
Tuesday 09 April 2019  13:40:38 +0000 (0:00:00.096)       0:00:00.096 *********

TASK [Gathering Facts] ***********************************************************************************************************************************************************************************************************************
ok: [localhost]
Tuesday 09 April 2019  13:40:39 +0000 (0:00:01.520)       0:00:01.616 *********

TASK [Get actual hostname] *******************************************************************************************************************************************************************************************************************
changed: [localhost]
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.599)       0:00:02.215 *********
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.054)       0:00:02.270 *********

TASK [set_fact] ******************************************************************************************************************************************************************************************************************************
ok: [localhost]
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.075)       0:00:02.346 *********
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.067)       0:00:02.413 *********
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.060)       0:00:02.473 *********
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.051)       0:00:02.525 *********
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.056)       0:00:02.582 *********
Tuesday 09 April 2019  13:40:41 +0000 (0:00:00.216)       0:00:02.798 *********
included: /opt/ansible/roles/splunk_common/tasks/change_splunk_directory_owner.yml for localhost
Tuesday 09 April 2019  13:40:41 +0000 (0:00:00.087)       0:00:02.886 *********

TASK [splunk_common : Update Splunk directory owner] *****************************************************************************************************************************************************************************************
ok: [localhost]
Tuesday 09 April 2019  13:40:41 +0000 (0:00:00.324)       0:00:03.210 *********
included: /opt/ansible/roles/splunk_common/tasks/get_facts.yml for localhost
Tuesday 09 April 2019  13:40:41 +0000 (0:00:00.094)       0:00:03.305 *********

and so on...

Great. The image doesn't even contain the artifact. That is, every time you start it, it will take time to download the archive with the binaries, unpack it and configure it.
But what about the docker way and all that?

No thanks. We will go a different way. What if we perform all these operations at the build stage? Then let's go!

To keep it short, I'll show you the final image right away:

Dockerfile

# Base image: whichever you prefer
FROM centos:7

# Set the variables here so they don't have to be passed on every start
ENV SPLUNK_HOME /splunkforwarder
ENV SPLUNK_ROLE splunk_heavy_forwarder
ENV SPLUNK_PASSWORD changeme
ENV SPLUNK_START_ARGS --accept-license

# Install packages
# wget - to download the artifacts
# expect - needed for the initial Splunk start during the build stage
# jq - used by the scripts that collect docker statistics
RUN yum install -y epel-release \
    && yum install -y wget expect jq

# Download, unpack, delete
RUN wget -O splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.2.4&product=universalforwarder&filename=splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz&wget=true' \
    && wget -O docker-18.09.3.tgz 'https://download.docker.com/linux/static/stable/x86_64/docker-18.09.3.tgz' \
    && tar -xvf splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz \
    && tar -xvf docker-18.09.3.tgz \
    && rm -f splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz \
    && rm -f docker-18.09.3.tgz

# The shell scripts are self-explanatory, but inputs.conf, splunkclouduf.spl and first_start.sh need an explanation. I'll cover them below the listing.
COPY [ "inputs.conf", "docker-stats/props.conf", "/splunkforwarder/etc/system/local/" ]
COPY [ "docker-stats/docker_events.sh", "docker-stats/docker_inspect.sh", "docker-stats/docker_stats.sh", "docker-stats/docker_top.sh", "/splunkforwarder/bin/scripts/" ]
COPY splunkclouduf.spl /splunkclouduf.spl
COPY first_start.sh /splunkforwarder/bin/

# Grant execute permissions, add the user and perform the initial setup
RUN chmod +x /splunkforwarder/bin/scripts/*.sh \
    && groupadd -r splunk \
    && useradd -r -m -g splunk splunk \
    && echo "%sudo ALL=NOPASSWD:ALL" >> /etc/sudoers \
    && chown -R splunk:splunk $SPLUNK_HOME \
    && /splunkforwarder/bin/first_start.sh \
    && /splunkforwarder/bin/splunk install app /splunkclouduf.spl -auth admin:changeme \
    && /splunkforwarder/bin/splunk restart

# Copy the init scripts
COPY [ "init/entrypoint.sh", "init/checkstate.sh", "/sbin/" ]

# Optional. Some people want the configs/logs locally, some don't.
VOLUME [ "/splunkforwarder/etc", "/splunkforwarder/var" ]

HEALTHCHECK --interval=30s --timeout=30s --start-period=3m --retries=5 CMD /sbin/checkstate.sh || exit 1

ENTRYPOINT [ "/sbin/entrypoint.sh" ]
CMD [ "start-service" ]

So what is inside

first_start.sh

#!/usr/bin/expect -f
set timeout -1
# Answer the interactive prompts of the very first start; "\r" sends Enter
spawn /splunkforwarder/bin/splunk start --accept-license
expect "Please enter an administrator username: "
send -- "admin\r"
expect "Please enter a new password: "
send -- "changeme\r"
expect "Please confirm new password: "
send -- "changeme\r"
expect eof

On the first start, Splunk asks you to provide a login/password, BUT these credentials are used only to run administrative commands for that particular installation, that is, inside the container. In our case we just want to start the container so that everything works and the logs flow like a river. Yes, this is hardcoded, but I haven't found another way.

Further on in the script the following is executed

/splunkforwarder/bin/splunk install app /splunkclouduf.spl -auth admin:changeme

splunkclouduf.spl is a credentials file for Splunk Universal Forwarder that can be downloaded from the web interface.

Where to click to download it (screenshot in the original)

It is a regular archive that can be unpacked. Inside are the certificates and a password for connecting to our SplunkCloud, plus an outputs.conf with a list of our input instances. This file stays valid until you reinstall your Splunk installation or add an input node, if the installation is on-premises. So there is nothing wrong with adding it inside the container.

And the last step is the restart. Yes, to apply the changes it has to be restarted.

In our inputs.conf we add the logs we want to send to Splunk. This file doesn't have to be added to the image if, for example, you distribute configs via puppet. The only thing is that the Forwarder must see the configs when the daemon starts, otherwise a ./splunk restart will be needed.

What are these docker stats scripts? There is an old solution on Github from outcoldman; the scripts were taken from there and modified to work with the current versions of Docker (ce-17.*) and Splunk (7.*).

With the collected data you can build something like these

dashboards: (two screenshots in the original)

The source code of the dashboards is in the repository linked at the end of the article. Note that there are two selectors: 1 - index selection (search by mask), 2 - host/container selection. You may need to update the index mask depending on the names you use.

In conclusion, I want to draw your attention to the start() function in

entrypoint.sh

start() {
    trap teardown EXIT
    # Quoted so an unset SPLUNK_INDEX is an empty string, not a missing argument
    if [ -z "$SPLUNK_INDEX" ]; then
        echo "'SPLUNK_INDEX' env variable is empty or not defined. Should be 'dev' or 'prd'." >&2
        exit 1
    else
        # Replace the @index@ placeholder with the environment name
        sed -e "s/@index@/$SPLUNK_INDEX/" -i "${SPLUNK_HOME}/etc/system/local/inputs.conf"
    fi
    # Replace the @hostname@ placeholder with the hostname of the host machine (bind-mounted /etc/hostname)
    sed -e "s/@hostname@/$(cat /etc/hostname)/" -i "${SPLUNK_HOME}/etc/system/local/inputs.conf"
    # State file read by checkstate.sh for the HEALTHCHECK
    echo 'starting' > /tmp/splunk-container.state
    "${SPLUNK_HOME}/bin/splunk" start
    watch_for_failure
}

In my case, for every environment and every entity, whether it is an application in a container or a host machine, we use a separate index. That way search speed doesn't suffer when a large amount of data has accumulated. A simple rule is used for naming the indexes: _. So, to make the container universal, before starting the daemon itself we replace the i-th wildcard with the name of the environment. The environment name is passed in through an environment variable. Sounds funny.

It is also worth noting that, for some reason, Splunk is not affected by the presence of the hostname env variable. It stubbornly sends the logs with the id of its container in the host field. As a workaround, you can mount /etc/hostname from the host machine and at startup do a substitution similar to the one for the index names.

Example docker-compose.yml
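As an added example (not the article's entrypoint.sh), here is a POSIX shell rendering step that does the same @index@ / @hostname@ substitution as start() but validates both values before they reach sed, so an unset index or a hostname containing sed metacharacters fails loudly instead of producing a broken stanza. The template contents and the "_system" index suffix are constructed assumptions; the article's own inputs.conf is not shown.

```shell
# render_inputs TEMPLATE OUTPUT INDEX HOSTNAME
# Exit status: 0 rendered, 1 index missing or not dev/prd, 2 hostname unsafe.
render_inputs() {
    template=$1
    output=$2
    index=$3
    host=$4
    # Same rule start() enforces: the index must be 'dev' or 'prd'
    case "$index" in
        dev|prd) ;;
        *)
            echo "'SPLUNK_INDEX' must be 'dev' or 'prd', got '${index:-<empty>}'" >&2
            return 1 ;;
    esac
    # Only letters, digits, dots and dashes: anything else (e.g. '/' or ';')
    # would corrupt the sed expression or the resulting Splunk stanza.
    case "$host" in
        ''|*[!A-Za-z0-9.-]*)
            echo "refusing unsafe hostname '$host'" >&2
            return 2 ;;
    esac
    sed -e "s/@index@/$index/g" -e "s/@hostname@/$host/g" "$template" > "$output"
}

# Constructed sample template standing in for the article's inputs.conf
# (the "_system" suffix is an assumption about the index naming rule).
make_sample_template() {
    cat > "$1" <<'EOF'
[monitor:///var/log]
index = @index@_system
host = @hostname@
sourcetype = syslog
EOF
}

# Same inputs the article's start() uses: SPLUNK_INDEX from the environment
# and the hostname from the bind-mounted /etc/hostname (fallback: hostname).
render_from_env() {
    host=$(cat /etc/hostname 2>/dev/null || hostname)
    render_inputs "$1" "$2" "${SPLUNK_INDEX:-}" "$host"
}
```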

version: '2'
services:
  splunk-forwarder:
    image: "${IMAGE_REPO}/docker-stats-splunk-forwarder:${IMAGE_VERSION}"
    environment:
      SPLUNK_INDEX: ${ENVIRONMENT}
    volumes:
    - /etc/hostname:/etc/hostname:ro
    - /var/log:/var/log
    - /var/run/docker.sock:/var/run/docker.sock:ro

Conclusion

Yes, the solution is perhaps not ideal and certainly not universal for everyone, since there is a lot of "hardcoding" in it. But based on it, anyone can build their own image and put it in their private registry if, as it happens, you need Splunk Forwarder in Docker.

Links:

Solution from the article
Solution from outcoldman that inspired us to reuse some of the functionality
Documentation on configuring Universal Forwarder

Source: www.habr.com
