Splunk is one of the most recognizable commercial products for collecting and analyzing logs. Even now, when it is no longer sold in Russia, that is no reason not to write a how-to for it.

Objective: collect system logs from Docker nodes into Splunk without changing the configuration of the host machine.

I would like to start with the official approach, which looks a little strange when it comes to Docker.

What we have:
1. Pull the image

```shell
$ docker pull splunk/universalforwarder:latest
```

2. Start the container with the required parameters

```shell
$ docker run -d -p 9997:9997 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=<password>' splunk/universalforwarder:latest
```

3. Enter the container

```shell
docker exec -it <container-id> /bin/bash
```

Next, we are pointed to a well-known page of the documentation and told to configure the container after it has started:

```shell
./splunk add forward-server <host name or ip address>:<listening port>
./splunk add monitor /var/log
./splunk restart
```
Wait. What?

But the surprises do not end there. If you run the container from the official image in interactive mode, you will see the following:

A bit of disappointment
```shell
$ docker run -it -p 9997:9997 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=password' splunk/universalforwarder:latest
PLAY [Run default Splunk provisioning] ******************************************
Tuesday 09 April 2019 13:40:38 +0000 (0:00:00.096) 0:00:00.096 *********
TASK [Gathering Facts] **********************************************************
ok: [localhost]
Tuesday 09 April 2019 13:40:39 +0000 (0:00:01.520) 0:00:01.616 *********
TASK [Get actual hostname] ******************************************************
changed: [localhost]
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.599) 0:00:02.215 *********
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.054) 0:00:02.270 *********
TASK [set_fact] *****************************************************************
ok: [localhost]
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.075) 0:00:02.346 *********
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.067) 0:00:02.413 *********
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.060) 0:00:02.473 *********
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.051) 0:00:02.525 *********
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.056) 0:00:02.582 *********
Tuesday 09 April 2019 13:40:41 +0000 (0:00:00.216) 0:00:02.798 *********
included: /opt/ansible/roles/splunk_common/tasks/change_splunk_directory_owner.yml for localhost
Tuesday 09 April 2019 13:40:41 +0000 (0:00:00.087) 0:00:02.886 *********
TASK [splunk_common : Update Splunk directory owner] ****************************
ok: [localhost]
Tuesday 09 April 2019 13:40:41 +0000 (0:00:00.324) 0:00:03.210 *********
included: /opt/ansible/roles/splunk_common/tasks/get_facts.yml for localhost
Tuesday 09 April 2019 13:40:41 +0000 (0:00:00.094) 0:00:03.305 *********
```

...and so on.
Great. The image does not even contain the artifacts. That is, every time you start it, it spends time downloading the archive with the binaries, unpacking it and configuring it.

What about the Docker way and all that?

No, thanks. We will go a different way. What if we do all of these operations at the build stage? Then let's go!

So as not to keep you waiting, I will show the final image right away:

Dockerfile
```dockerfile
# Whatever base image you prefer
FROM centos:7

# Set the variables so they do not have to be passed on every start
ENV SPLUNK_HOME /splunkforwarder
ENV SPLUNK_ROLE splunk_heavy_forwarder
ENV SPLUNK_PASSWORD changeme
ENV SPLUNK_START_ARGS --accept-license

# Install packages
# wget   - to download the artifacts
# expect - needed for the initial Splunk start at build time
# jq     - used by the scripts that collect docker statistics
RUN yum install -y epel-release \
    && yum install -y wget expect jq

# Download, unpack, delete
RUN wget -O splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.2.4&product=universalforwarder&filename=splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz&wget=true' \
    && wget -O docker-18.09.3.tgz 'https://download.docker.com/linux/static/stable/x86_64/docker-18.09.3.tgz' \
    && tar -xvf splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz \
    && tar -xvf docker-18.09.3.tgz \
    && rm -f splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz \
    && rm -f docker-18.09.3.tgz

# The shell scripts are self-explanatory, but inputs.conf, splunkclouduf.spl and
# first_start.sh need an explanation. More on them after the source.
COPY [ "inputs.conf", "docker-stats/props.conf", "/splunkforwarder/etc/system/local/" ]
COPY [ "docker-stats/docker_events.sh", "docker-stats/docker_inspect.sh", "docker-stats/docker_stats.sh", "docker-stats/docker_top.sh", "/splunkforwarder/bin/scripts/" ]
COPY splunkclouduf.spl /splunkclouduf.spl
COPY first_start.sh /splunkforwarder/bin/

# Grant execute permissions, add the user and run the initial setup
RUN chmod +x /splunkforwarder/bin/scripts/*.sh \
    && groupadd -r splunk \
    && useradd -r -m -g splunk splunk \
    && echo "%sudo ALL=NOPASSWD:ALL" >> /etc/sudoers \
    && chown -R splunk:splunk $SPLUNK_HOME \
    && /splunkforwarder/bin/first_start.sh \
    && /splunkforwarder/bin/splunk install app /splunkclouduf.spl -auth admin:changeme \
    && /splunkforwarder/bin/splunk restart

# Copy the init scripts
COPY [ "init/entrypoint.sh", "init/checkstate.sh", "/sbin/" ]

# Optional. Some people want the configs/logs locally, some do not.
VOLUME [ "/splunkforwarder/etc", "/splunkforwarder/var" ]

HEALTHCHECK --interval=30s --timeout=30s --start-period=3m --retries=5 CMD /sbin/checkstate.sh || exit 1
ENTRYPOINT [ "/sbin/entrypoint.sh" ]
CMD [ "start-service" ]
```
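The download step above fetches both tarballs and unpacks them with no integrity check, so a tampered or silently changed upstream file goes straight into the image. As an added example (not part of the article's Dockerfile), here is a shell helper that pins a SHA-256 per artifact and refuses to unpack on mismatch; the digest argument is a placeholder to be taken from the vendor's published checksum, and the self-check uses a constructed tarball so it runs offline.

```shell
#!/bin/sh
# Added example, not from the article's image: a verify-before-unpack helper for
# the Dockerfile's "wget && tar" chain. EXPECTED_SHA256 is a placeholder that you
# pin from the vendor's published checksum; a mismatch aborts the build.

# fetch_verified URL DEST EXPECTED_SHA256
# Downloads DEST (skipped if it already exists) and compares its SHA-256 with
# EXPECTED_SHA256. On mismatch the file is deleted so nothing can unpack it later.
fetch_verified() {
    url="$1"; dest="$2"; expected="$3"
    [ -f "$dest" ] || wget -q -O "$dest" "$url"
    actual="$(sha256sum "$dest" | awk '{print $1}')"
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $dest: got $actual, want $expected" >&2
        rm -f "$dest"
        return 1
    fi
}

# unpack_verified URL DEST EXPECTED_SHA256 TARGET_DIR
# The Dockerfile's download / unpack / delete sequence, gated on the digest check.
unpack_verified() {
    fetch_verified "$1" "$2" "$3" || return 1
    mkdir -p "$4"
    tar -xf "$2" -C "$4" && rm -f "$2"
}

# Offline self-check on a constructed tarball standing in for the Splunk archive.
# Returns 0 when a correct digest unpacks and a wrong digest is rejected.
self_check() {
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/src/splunkforwarder/bin"
    echo '#!/bin/sh' > "$tmp/src/splunkforwarder/bin/splunk"
    tar -C "$tmp/src" -cf "$tmp/good.tgz" splunkforwarder
    cp "$tmp/good.tgz" "$tmp/bad.tgz"
    good="$(sha256sum "$tmp/good.tgz" | awk '{print $1}')"
    unpack_verified "file:///unused" "$tmp/good.tgz" "$good" "$tmp/out" || return 1
    [ -f "$tmp/out/splunkforwarder/bin/splunk" ] || return 1
    # Pretend the mirror served a different file: "deadbeef" is a deliberately wrong digest
    if unpack_verified "file:///unused" "$tmp/bad.tgz" "deadbeef" "$tmp/out2"; then
        return 1
    fi
    [ ! -f "$tmp/bad.tgz" ]   # the rejected artifact must be gone
}

self_check && echo "verified download helper OK"
```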
So what is inside?

first_start.sh

```shell
#!/usr/bin/expect -f
# Drive the interactive first start non-interactively at build time
set timeout -1
spawn /splunkforwarder/bin/splunk start --accept-license
expect "Please enter an administrator username: "
send -- "admin\r"
expect "Please enter a new password: "
send -- "changeme\r"
expect "Please confirm new password: "
send -- "changeme\r"
expect eof
```
On first start, Splunk asks you to provide a login and password, BUT these credentials are used only to run administrative commands against this particular installation, that is, inside the container. In our case we only want to start the container so that everything works and the logs flow like a river. Of course, this is hardcoded, but I did not find another way.

Next, according to the script, this is executed:

```shell
/splunkforwarder/bin/splunk install app /splunkclouduf.spl -auth admin:changeme
```

splunkclouduf.spl is the credentials file for the Splunk Universal Forwarder, which can be downloaded from the web interface.

(Screenshots: where to click to download the credentials package.)

It is an ordinary archive that can be unpacked. Inside are the certificates and the password for connecting to SplunkCloud, plus an outputs.conf with the list of our input instances. This file stays valid until you reinstall your Splunk installation or, if the installation is on-premises, add an input node. So there is nothing wrong with baking it into the container.

And the last step is a restart. Yes, to apply the changes you need to restart.

In our inputs.conf we add the logs we want to send to Splunk. It is not necessary to add this file to the image if, for example, you distribute configs with Puppet. The only requirement is that the forwarder sees the config when the daemon starts; otherwise it will need a ./splunk restart.

What about the docker stats scripts? There is an old solution for this on GitHub.

From the collected data you can build the following dashboards: (two screenshots)

The dashboard source code is in the link at the end of the article. Note that there are two selectors: the index (searched by mask) and the host/container. You will most likely need to update the index mask to match the names you use.

In conclusion, I would like to draw your attention to the start() function in entrypoint.sh.
```bash
start() {
    trap teardown EXIT
    # The index name comes from the environment; refuse to start without it
    if [ -z "$SPLUNK_INDEX" ]; then
        echo "'SPLUNK_INDEX' env variable is empty or not defined. Should be 'dev' or 'prd'." >&2
        exit 1
    else
        sed -e "s/@index@/$SPLUNK_INDEX/" -i "${SPLUNK_HOME}/etc/system/local/inputs.conf"
    fi
    # /etc/hostname is bind-mounted from the host (see docker-compose.yml below)
    sed -e "s/@hostname@/$(cat /etc/hostname)/" -i "${SPLUNK_HOME}/etc/system/local/inputs.conf"
    sh -c "echo 'starting' > /tmp/splunk-container.state"
    ${SPLUNK_HOME}/bin/splunk start
    watch_for_failure
}
```
In my case we use a separate index for each environment and each entity, be it an application in a container or the host machine. That way search speed does not suffer when a lot of data accumulates. A simple rule is used for naming indexes: _. So that the container stays universal, before the daemon itself starts we replace the wildcard with the environment name using sed. The environment name is passed in through environment variables. It looks funny.

It is also worth noting that, for some reason, Splunk does not react to the Docker hostname flag. It stubbornly keeps sending logs with its container id in the host field. As a workaround you can mount /etc/hostname from the host machine and, at startup, do the same kind of replacement as for the index names.
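As an added example (not the article's entrypoint.sh), the same @index@ / @hostname@ substitution that start() performs, but with the environment name restricted to the two values the error message names and the hostname read from the mounted /etc/hostname validated before it reaches sed, so an unexpected value cannot inject sed metacharacters or a new stanza into inputs.conf. The file paths are parameters and the template is constructed here, so it runs offline.

```shell
#!/bin/sh
# Added example (not the article's entrypoint.sh): render inputs.conf the way
# start() does with sed, but validate SPLUNK_INDEX and the mounted /etc/hostname
# first so a stray value cannot inject sed metacharacters or a new stanza.

# Only the environments the article's error message allows.
valid_index() {
    case "$1" in
        dev|prd) return 0 ;;
        *)       return 1 ;;
    esac
}

# A hostname: alphanumerics, dots and dashes, nothing sed or .conf would interpret.
valid_hostname() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$'
}

# render_inputs TEMPLATE_FILE HOSTNAME_FILE SPLUNK_INDEX OUTPUT_FILE
# Returns 1 if either value is rejected, or if a placeholder survives the
# substitution (for example a typo in the template).
render_inputs() {
    tmpl="$1"; hostfile="$2"; idx="$3"; out="$4"
    if ! valid_index "$idx"; then
        echo "'SPLUNK_INDEX' must be 'dev' or 'prd', got '$idx'" >&2
        return 1
    fi
    host="$(tr -d '[:space:]' < "$hostfile")"   # /etc/hostname ends with a newline
    if ! valid_hostname "$host"; then
        echo "refusing hostname '$host' read from $hostfile" >&2
        return 1
    fi
    sed -e "s/@index@/$idx/g" -e "s/@hostname@/$host/g" "$tmpl" > "$out"
    ! grep -q '@[a-z]*@' "$out"
}

# Constructed template in the article's style (not the author's inputs.conf).
sample_template() {
    cat <<'EOF'
[monitor:///var/log]
index = @index@
host = @hostname@
disabled = 0
EOF
}

# Usage in an entrypoint (assumes the compose file's /etc/hostname:ro mount):
#   render_inputs "$SPLUNK_HOME/etc/system/local/inputs.conf.tmpl" /etc/hostname \
#                 "$SPLUNK_INDEX" "$SPLUNK_HOME/etc/system/local/inputs.conf" || exit 1
```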
Example docker-compose.yml

```yaml
version: '2'
services:
  splunk-forwarder:
    image: "${IMAGE_REPO}/docker-stats-splunk-forwarder:${IMAGE_VERSION}"
    environment:
      SPLUNK_INDEX: ${ENVIRONMENT}
    volumes:
      - /etc/hostname:/etc/hostname:ro
      - /var/log:/var/log
      - /var/run/docker.sock:/var/run/docker.sock:ro
```
Result

Yes, the solution is probably not ideal and certainly not universal for everyone, since there is a lot of hardcoding in it. But based on it, anyone can build their own image and put it in their own private artifact repository if, as it happens, you need the Splunk Forwarder in Docker.
Source: www.habr.com