Splunk Universal Forwarder in a Docker container as a system log collector

Splunk is one of the best-known commercial products for log collection and analysis. Even now, when it is no longer sold in Russia, that is no reason not to write instructions / how-tos for this product.

Goal: collect system logs from Docker nodes into Splunk without changing the configuration of the host machine.

I'd like to start with the official method, which looks strange when you are using Docker.
Link to Docker Hub
What we have:

1. Pull the image

$ docker pull splunk/universalforwarder:latest

2. Start the container with the required parameters

$ docker run -d  -p 9997:9997 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=<password>' splunk/universalforwarder:latest

3. Go inside the container

docker exec -it <container-id> /bin/bash

After that we are sent to a well-known address in the documentation.

And configure the container after it has started:

./splunk add forward-server <host name or ip address>:<listening port>
./splunk add monitor /var/log
./splunk restart

Wait. What?

But the surprises don't end there. If you run the container from the official image in interactive mode, you will see the following:

A little shock

$ docker run -it -p 9997:9997 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=password' splunk/universalforwarder:latest

PLAY [Run default Splunk provisioning] *******************************************************************************************************************************************************************************************************
Tuesday 09 April 2019  13:40:38 +0000 (0:00:00.096)       0:00:00.096 *********

TASK [Gathering Facts] ***********************************************************************************************************************************************************************************************************************
ok: [localhost]
Tuesday 09 April 2019  13:40:39 +0000 (0:00:01.520)       0:00:01.616 *********

TASK [Get actual hostname] *******************************************************************************************************************************************************************************************************************
changed: [localhost]
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.599)       0:00:02.215 *********
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.054)       0:00:02.270 *********

TASK [set_fact] ******************************************************************************************************************************************************************************************************************************
ok: [localhost]
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.075)       0:00:02.346 *********
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.067)       0:00:02.413 *********
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.060)       0:00:02.473 *********
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.051)       0:00:02.525 *********
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.056)       0:00:02.582 *********
Tuesday 09 April 2019  13:40:41 +0000 (0:00:00.216)       0:00:02.798 *********
included: /opt/ansible/roles/splunk_common/tasks/change_splunk_directory_owner.yml for localhost
Tuesday 09 April 2019  13:40:41 +0000 (0:00:00.087)       0:00:02.886 *********

TASK [splunk_common : Update Splunk directory owner] *****************************************************************************************************************************************************************************************
ok: [localhost]
Tuesday 09 April 2019  13:40:41 +0000 (0:00:00.324)       0:00:03.210 *********
included: /opt/ansible/roles/splunk_common/tasks/get_facts.yml for localhost
Tuesday 09 April 2019  13:40:41 +0000 (0:00:00.094)       0:00:03.305 *********

and so on...

Great. The image doesn't even contain the artifacts. In other words, every start will spend time downloading the archive with the binaries, unpacking it and configuring it.
What about the docker-way and all that?

No, thanks. We'll go a different way. What if we do all these operations at the build stage? Then let's go!

So as not to keep you waiting too long, I'll show the final image right away:

Dockerfile

# Base image: whatever you prefer here
FROM centos:7

# Set the variables so we don't have to pass them on every start
ENV SPLUNK_HOME /splunkforwarder
ENV SPLUNK_ROLE splunk_heavy_forwarder
ENV SPLUNK_PASSWORD changeme
ENV SPLUNK_START_ARGS --accept-license

# Install packages
# wget - to download the artifacts
# expect - needed for the initial Splunk start during the build stage
# jq - used by the scripts that collect docker statistics
RUN yum install -y epel-release \
    && yum install -y wget expect jq

# Download, unpack, delete
RUN wget -O splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.2.4&product=universalforwarder&filename=splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz&wget=true' \
    && wget -O docker-18.09.3.tgz 'https://download.docker.com/linux/static/stable/x86_64/docker-18.09.3.tgz' \
    && tar -xvf splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz \
    && tar -xvf docker-18.09.3.tgz \
    && rm -f splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz \
    && rm -f docker-18.09.3.tgz

# The shell scripts are self-explanatory, but inputs.conf, splunkclouduf.spl and first_start.sh need an explanation. I'll cover them after the source tag.
COPY [ "inputs.conf", "docker-stats/props.conf", "/splunkforwarder/etc/system/local/" ]
COPY [ "docker-stats/docker_events.sh", "docker-stats/docker_inspect.sh", "docker-stats/docker_stats.sh", "docker-stats/docker_top.sh", "/splunkforwarder/bin/scripts/" ]
COPY splunkclouduf.spl /splunkclouduf.spl
COPY first_start.sh /splunkforwarder/bin/

# Grant execute permissions, add the user and perform the initial setup
RUN chmod +x /splunkforwarder/bin/scripts/*.sh \
    && groupadd -r splunk \
    && useradd -r -m -g splunk splunk \
    && echo "%sudo ALL=NOPASSWD:ALL" >> /etc/sudoers \
    && chown -R splunk:splunk $SPLUNK_HOME \
    && /splunkforwarder/bin/first_start.sh \
    && /splunkforwarder/bin/splunk install app /splunkclouduf.spl -auth admin:changeme \
    && /splunkforwarder/bin/splunk restart

# Copy the init scripts
COPY [ "init/entrypoint.sh", "init/checkstate.sh", "/sbin/" ]

# Optional. Some people need the configs/logs locally, some don't.
VOLUME [ "/splunkforwarder/etc", "/splunkforwarder/var" ]

HEALTHCHECK --interval=30s --timeout=30s --start-period=3m --retries=5 CMD /sbin/checkstate.sh || exit 1

ENTRYPOINT [ "/sbin/entrypoint.sh" ]
CMD [ "start-service" ]

So what is inside

first_start.sh

#!/usr/bin/expect -f
# Drive the interactive first start of Splunk so the build does not block on prompts
set timeout -1
spawn /splunkforwarder/bin/splunk start --accept-license
expect "Please enter an administrator username: "
send -- "admin\r"
expect "Please enter a new password: "
send -- "changeme\r"
expect "Please confirm new password: "
send -- "changeme\r"
expect eof

On first start, Splunk asks you to provide a login/password, BUT this data is used only to execute administrative commands for that particular installation, i.e. inside the container. In our case we just want to start the container so that everything works and the logs flow like a river. Of course, this is hardcode, but I haven't found any other way.

Next, the script executes

/splunkforwarder/bin/splunk install app /splunkclouduf.spl -auth admin:changeme

splunkclouduf.spl is the credentials file for Splunk Universal Forwarder, which can be downloaded from the web interface.

Where to click to download (screenshots omitted)
This is a regular archive that can be unpacked. Inside are the certificates and the password for connecting to our SplunkCloud, plus outputs.conf with the list of our input hosts. This file remains valid until you reinstall your Splunk installation or add an input node, if the installation is on-premise. Therefore there is nothing wrong with adding it inside the container.

And the last thing is the restart. Yes, to apply the changes you have to restart it.

In our inputs.conf we add the logs we want to send to Splunk. It is not necessary to add this file to the image if, for example, you distribute configs via Puppet. The only thing is that the Forwarder reads the configs when the daemon starts, otherwise it needs ./splunk restart.

What are the docker stats scripts? There is an old solution on Github from outcoldman; the scripts were taken from there and modified to work with current versions of Docker (ce-17.*) and Splunk (7.*).

With the data obtained, you can build the following dashboards:

(dashboard screenshots omitted)

The source code of the dashboards is in the link at the end of the article. Note that there are 2 select fields: 1 - index selection (searched by mask), 2 - host/container selection. You will probably need to update the index mask, depending on the names you use.

Finally, I'd like to draw your attention to the start() function in

entrypoint.sh

start() {
    trap teardown EXIT
    # The index name is taken from the environment; refuse to start without it
    if [ -z "$SPLUNK_INDEX" ]; then
        echo "'SPLUNK_INDEX' env variable is empty or not defined. Should be 'dev' or 'prd'." >&2
        exit 1
    else
        sed -e "s/@index@/$SPLUNK_INDEX/" -i "${SPLUNK_HOME}/etc/system/local/inputs.conf"
    fi
    # /etc/hostname is mounted from the host, so the forwarder reports the host name, not the container id
    sed -e "s/@hostname@/$(cat /etc/hostname)/" -i "${SPLUNK_HOME}/etc/system/local/inputs.conf"
    sh -c "echo 'starting' > /tmp/splunk-container.state"
    "${SPLUNK_HOME}/bin/splunk" start
    watch_for_failure
}

In my case, for each environment and each entity, whether an application in a container or a host machine, we use a separate index. This way search speed won't suffer when a large volume of data accumulates. A simple rule is used to name indexes: _. Therefore, to make the container universal, before starting the daemon itself we replace the wildcard with the environment name using sed. The environment name is passed through an environment variable. Sounds funny.

It is also worth noting that for some reason Splunk ignores the docker hostname parameter. It stubbornly keeps sending logs with its container id in the host field. As a workaround, you can mount /etc/hostname from the host machine and at startup do a substitution similar to the one for index names.
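The index and hostname substitutions described above, as an added example that is not the article's own entrypoint: the template text, the allowed environment list and the function names are constructed for this example, and both values are checked before they reach sed, since an unexpected character in either would change the sed expression rather than the generated inputs.conf.

```shell
#!/bin/sh
# Added example (not code from the article): render inputs.conf from a template
# carrying the @index@ / @hostname@ placeholders that start() replaces, validating
# both values before they reach sed. Template text and allowed-env list are constructed.

ALLOWED_ENVS="dev prd"   # start() in the article expects 'dev' or 'prd'

# Only plain identifiers are substituted: a '/' or '&' inside the value would
# alter the s/// expression instead of being copied into inputs.conf.
is_safe_token() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_.-]+$'
}

is_allowed_env() {
    for e in $ALLOWED_ENVS; do
        [ "$1" = "$e" ] && return 0
    done
    return 1
}

# Constructed sample template; the article does not show its real inputs.conf.
make_sample_template() {
    cat > "$1" <<'EOF'
[default]
host = @hostname@

[monitor:///var/log]
index = @index@
sourcetype = syslog

[script://./bin/scripts/docker_stats.sh]
index = @index@
sourcetype = docker:stats
interval = 60
EOF
}

# render_inputs_conf TEMPLATE OUT INDEX_ENV HOSTNAME: writes OUT, non-zero on bad input.
render_inputs_conf() {
    template=$1; out=$2; idx=$3; host=$4
    if ! is_allowed_env "$idx"; then
        echo "SPLUNK_INDEX must be one of: $ALLOWED_ENVS (got '$idx')" >&2
        return 1
    fi
    if ! is_safe_token "$host"; then
        echo "hostname '$host' is not safe to substitute" >&2
        return 1
    fi
    sed -e "s/@index@/$idx/g" -e "s/@hostname@/$host/g" "$template" > "$out"
}
```

In an entrypoint, the rendered file would be written to ${SPLUNK_HOME}/etc/system/local/inputs.conf before `splunk start`, and a non-zero return from render_inputs_conf should abort the start.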

Example docker-compose.yml

version: '2'
services:
  splunk-forwarder:
    image: "${IMAGE_REPO}/docker-stats-splunk-forwarder:${IMAGE_VERSION}"
    environment:
      SPLUNK_INDEX: ${ENVIRONMENT}
    volumes:
    - /etc/hostname:/etc/hostname:ro
    - /var/log:/var/log
    - /var/run/docker.sock:/var/run/docker.sock:ro

Conclusion

Yes, the solution is probably not ideal and certainly not universal for everyone, since there is a lot of "hardcode". But based on it, everyone can build their own image and put it in their private registry if, as it happens, you need Splunk Forwarder in Docker.

Links:

Solution from the article
Solution from outcoldman, which inspired the reuse of some of the functionality
Official documentation on setting up Universal Forwarder

Source: www.habr.com
