Splunk Universal Forwarder di docker salaku kolektor log sistem

Splunk is one of the best-known commercial log collection and analysis products. Even now, when it is no longer sold in Russia, that is no reason not to write instructions / how-tos for this product.

The task: collect system logs from Docker nodes into Splunk without changing the host machine's configuration.

I'd like to start with the official approach, which looks rather strange when used with Docker.
Link to Docker Hub
What we have:

1. Pull the image

$ docker pull splunk/universalforwarder:latest

2. Start the container with the required parameters

$ docker run -d  -p 9997:9997 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=<password>' splunk/universalforwarder:latest

3. Enter the container

$ docker exec -it <container-id> /bin/bash

Next, we are sent to a familiar page in the documentation.

And configure the container after it starts:


./splunk add forward-server <host name or ip address>:<listening port>
./splunk add monitor /var/log
./splunk restart

Wait. What?

But the surprises don't end there. If you run the container from the official image in interactive mode, you will see this:

A small disappointment


$ docker run -it -p 9997:9997 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=password' splunk/universalforwarder:latest

PLAY [Run default Splunk provisioning] *******************************************************************************************************************************************************************************************************
Tuesday 09 April 2019  13:40:38 +0000 (0:00:00.096)       0:00:00.096 *********

TASK [Gathering Facts] ***********************************************************************************************************************************************************************************************************************
ok: [localhost]
Tuesday 09 April 2019  13:40:39 +0000 (0:00:01.520)       0:00:01.616 *********

TASK [Get actual hostname] *******************************************************************************************************************************************************************************************************************
changed: [localhost]
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.599)       0:00:02.215 *********
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.054)       0:00:02.270 *********

TASK [set_fact] ******************************************************************************************************************************************************************************************************************************
ok: [localhost]
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.075)       0:00:02.346 *********
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.067)       0:00:02.413 *********
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.060)       0:00:02.473 *********
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.051)       0:00:02.525 *********
Tuesday 09 April 2019  13:40:40 +0000 (0:00:00.056)       0:00:02.582 *********
Tuesday 09 April 2019  13:40:41 +0000 (0:00:00.216)       0:00:02.798 *********
included: /opt/ansible/roles/splunk_common/tasks/change_splunk_directory_owner.yml for localhost
Tuesday 09 April 2019  13:40:41 +0000 (0:00:00.087)       0:00:02.886 *********

TASK [splunk_common : Update Splunk directory owner] *****************************************************************************************************************************************************************************************
ok: [localhost]
Tuesday 09 April 2019  13:40:41 +0000 (0:00:00.324)       0:00:03.210 *********
included: /opt/ansible/roles/splunk_common/tasks/get_facts.yml for localhost
Tuesday 09 April 2019  13:40:41 +0000 (0:00:00.094)       0:00:03.305 *********

and so on...

Great. The image contains no artifacts. That is, every time you start it, it will spend time downloading the archive and binaries, unpacking and configuring them.
What about the docker way and all that?

No thanks. We'll take a different path. What if we do all these operations at the build stage? Then let's go!

To avoid dragging this out, I'll show you the final image right away:

dockerfile

# Base image: whatever you prefer
FROM centos:7

# Set the variables here so they don't have to be passed on every start
ENV SPLUNK_HOME /splunkforwarder
ENV SPLUNK_ROLE splunk_heavy_forwarder
ENV SPLUNK_PASSWORD changeme
ENV SPLUNK_START_ARGS --accept-license

# Install packages
# wget - to download the artifacts
# expect - needed for the initial Splunk start during the build stage
# jq - used by the scripts that collect Docker statistics
RUN yum install -y epel-release \
    && yum install -y wget expect jq

# Download, unpack, delete
RUN wget -O splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.2.4&product=universalforwarder&filename=splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz&wget=true' \
    && wget -O docker-18.09.3.tgz 'https://download.docker.com/linux/static/stable/x86_64/docker-18.09.3.tgz' \
    && tar -xvf splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz \
    && tar -xvf docker-18.09.3.tgz \
    && rm -f splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz \
    && rm -f docker-18.09.3.tgz

# The shell scripts are self-explanatory, but inputs.conf, splunkclouduf.spl and first_start.sh need an explanation. More on them after the source block.
COPY [ "inputs.conf", "docker-stats/props.conf", "/splunkforwarder/etc/system/local/" ]
COPY [ "docker-stats/docker_events.sh", "docker-stats/docker_inspect.sh", "docker-stats/docker_stats.sh", "docker-stats/docker_top.sh", "/splunkforwarder/bin/scripts/" ]
COPY splunkclouduf.spl /splunkclouduf.spl
COPY first_start.sh /splunkforwarder/bin/

# Grant execute permissions, add the user and perform the initial setup.
# Note: the sudoers line gives the whole 'sudo' group passwordless sudo;
# first_start.sh is the expect script shown below, and the install/restart
# steps bake the forwarder credentials into the image.
RUN chmod +x /splunkforwarder/bin/scripts/*.sh \
    && groupadd -r splunk \
    && useradd -r -m -g splunk splunk \
    && echo "%sudo ALL=NOPASSWD:ALL" >> /etc/sudoers \
    && chown -R splunk:splunk $SPLUNK_HOME \
    && /splunkforwarder/bin/first_start.sh \
    && /splunkforwarder/bin/splunk install app /splunkclouduf.spl -auth admin:changeme \
    && /splunkforwarder/bin/splunk restart

# Copy the init scripts
COPY [ "init/entrypoint.sh", "init/checkstate.sh", "/sbin/" ]

# Optional: some want the configs/logs available locally, some don't
VOLUME [ "/splunkforwarder/etc", "/splunkforwarder/var" ]

HEALTHCHECK --interval=30s --timeout=30s --start-period=3m --retries=5 CMD /sbin/checkstate.sh || exit 1

ENTRYPOINT [ "/sbin/entrypoint.sh" ]
CMD [ "start-service" ]
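The HEALTHCHECK line above calls /sbin/checkstate.sh, which the article does not show. Below is an added example of such a script, not the article's own, written against the state file that the start() function in entrypoint.sh creates. It assumes two state values, 'starting' and 'running', and that splunkd records its pid in $SPLUNK_HOME/var/run/splunk/splunkd.pid; the function name check_state is chosen here.

```shell
#!/bin/sh
# Added example of a Docker health check for the forwarder container.
# Not the article's /sbin/checkstate.sh. Assumptions: the state file is the
# one start() writes, the state values are 'starting' and 'running', and
# splunkd writes its pid to $SPLUNK_HOME/var/run/splunk/splunkd.pid.

STATE_FILE="${STATE_FILE:-/tmp/splunk-container.state}"
SPLUNK_HOME="${SPLUNK_HOME:-/splunkforwarder}"
PID_FILE="${PID_FILE:-$SPLUNK_HOME/var/run/splunk/splunkd.pid}"

# check_state STATE_FILE PID_FILE
# Return codes follow the HEALTHCHECK contract: 0 healthy, 1 unhealthy.
# 'starting' is reported unhealthy too; the --start-period=3m in the
# Dockerfile keeps those early failures from counting against --retries.
check_state() {
    state_file="$1"; pid_file="$2"
    [ -r "$state_file" ] || { echo "no state file $state_file" >&2; return 1; }
    state=$(head -n 1 "$state_file")
    case "$state" in
        running) ;;
        starting) echo "splunkd still starting" >&2; return 1 ;;
        *) echo "unexpected state '$state'" >&2; return 1 ;;
    esac
    [ -r "$pid_file" ] || { echo "no pid file $pid_file" >&2; return 1; }
    pid=$(head -n 1 "$pid_file")
    # refuse anything that is not a plain positive integer
    case "$pid" in
        ''|*[!0-9]*) echo "pid file does not hold a number" >&2; return 1 ;;
    esac
    # kill -0 only checks that the process exists and we may signal it
    kill -0 "$pid" 2>/dev/null || { echo "splunkd pid $pid is not running" >&2; return 1; }
    return 0
}

# When executed directly (the HEALTHCHECK case) run the check and exit with its code.
case "${0##*/}" in
    checkstate.sh) check_state "$STATE_FILE" "$PID_FILE"; exit $? ;;
esac
```

Installed as /sbin/checkstate.sh, the script exits non-zero while the state file still says 'starting' or when the recorded pid is gone, which is exactly what the `|| exit 1` in the HEALTHCHECK line turns into an unhealthy container.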

So what is in

first_start.sh

#!/usr/bin/expect -f
# Answer the interactive questions of the first Splunk start during the build
set timeout -1
spawn /splunkforwarder/bin/splunk start --accept-license
expect "Please enter an administrator username: "
send -- "admin\r"
expect "Please enter a new password: "
send -- "changeme\r"
expect "Please confirm new password: "
send -- "changeme\r"
expect eof

On first start, Splunk asks you for a login/password, but this data is only used to execute administrative commands for this particular installation, that is, inside the container. In our case, we just want the container to come up so that everything works and the logs flow like a river. Of course, this is hardcoded, but I didn't find another way.

Next, the script executes

/splunkforwarder/bin/splunk install app /splunkclouduf.spl -auth admin:changeme

splunkclouduf.spl is the credentials file for the Splunk Universal Forwarder, which can be downloaded from the web interface.

Where to click to download (screenshot in the original)

It is an ordinary archive that can be unpacked. Inside are the certificates and the password for connecting to our Splunk Cloud, and an outputs.conf with the list of our input instances. This file stays valid until you reinstall your Splunk installation or, for an on-premises installation, add an input node. So there is nothing wrong with baking it into the container.

And the last step is a restart. Yes, to apply the changes you have to restart.

In our inputs.conf we add the logs we want to send to Splunk. You don't have to bake this file into the image if, for example, you distribute configs via Puppet. The only thing to remember is that the Forwarder reads its configs when the daemon starts; otherwise you need a ./splunk restart.

What are these docker-stats scripts? There is an old solution on GitHub from some wonderful people; the scripts were taken from there and adapted to work with the current versions of Docker (ce-17.*) and Splunk (7.*).

With the collected data you can build dashboards like these (screenshots in the original):

The source code for the dashboards is in the link at the end of the article. Note that there are two field selectors: 1 - index selection (matched by a mask), 2 - host/container selection. You will most likely need to adjust the index mask to the naming you use.

Finally, I'd like to draw your attention to the start() function in

entrypoint.sh

start() {
    trap teardown EXIT
    # the index name must come from the environment; fail fast if it doesn't
    if [ -z "$SPLUNK_INDEX" ]; then
        echo "'SPLUNK_INDEX' env variable is empty or not defined. Should be 'dev' or 'prd'." >&2
        exit 1
    else
        # replace the placeholders in inputs.conf before splunkd reads it
        sed -e "s/@index@/$SPLUNK_INDEX/" -i ${SPLUNK_HOME}/etc/system/local/inputs.conf
    fi
    sed -e "s/@hostname@/$(cat /etc/hostname)/" -i ${SPLUNK_HOME}/etc/system/local/inputs.conf
    # state file consumed by the HEALTHCHECK script
    sh -c "echo 'starting' > /tmp/splunk-container.state"
    ${SPLUNK_HOME}/bin/splunk start
    watch_for_failure
}

In my case, a separate index is used for each environment and each individual entity, be it an application in a container or a host machine. That way search speed does not suffer once a significant amount of data has accumulated. A simple rule is used for naming indexes: _. So, to keep the container universal, before launching the daemon itself we use sed to replace the wildcard with the environment name. The environment name is passed in through an environment variable. Sounds funny.

It is also worth noting that for some reason Splunk ignores the docker hostname parameter. It will stubbornly keep sending logs with its container id in the host field. As a workaround, you can mount /etc/hostname from the host machine and, at startup, do a substitution similar to the one for the index name.
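The two sed substitutions in start() pass SPLUNK_INDEX and the contents of /etc/hostname straight into a sed expression, so a value containing a slash, an ampersand, a backslash or a newline either breaks the expression or rewrites other parts of inputs.conf. The block below is an added example, not the article's entrypoint.sh, of the same templating step for the inputs.conf described earlier, with both values validated before substitution. The inputs.conf template is constructed for the example, the 'dev' / 'prd' allow-list mirrors the error message in start(), and render_inputs_conf, valid_index and valid_hostname are names chosen here.

```shell
#!/bin/sh
# Added example: validated placeholder rendering for inputs.conf.
# Not the article's entrypoint.sh; the template below is constructed.

# A constructed inputs.conf template with the two placeholders the
# article's start() function replaces: @index@ and @hostname@.
INPUTS_TEMPLATE='[default]
host = @hostname@

[monitor:///var/log]
index = @index@
sourcetype = syslog
disabled = 0
'

# Allow-list the environment name instead of trusting the variable
# (mirrors the "Should be 'dev' or 'prd'" message in start()).
valid_index() {
    case "$1" in
        dev|prd) return 0 ;;
        *) return 1 ;;
    esac
}

# Hostnames: RFC 1123 labels joined by dots, nothing else.
valid_hostname() {
    # reject embedded newlines first; grep works per line and would
    # otherwise accept "junk<newline>valid-name"
    [ "$(printf '%s' "$1" | wc -l)" -eq 0 ] || return 1
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$'
}

# render_inputs_conf TEMPLATE_FILE OUT_FILE INDEX HOSTNAME
# Writes the rendered file; returns non-zero without touching OUT_FILE
# when either value fails validation.
render_inputs_conf() {
    tpl="$1"; out="$2"; idx="$3"; hn="$4"
    if ! valid_index "$idx"; then
        echo "refusing SPLUNK_INDEX='$idx': expected 'dev' or 'prd'" >&2
        return 1
    fi
    if ! valid_hostname "$hn"; then
        echo "refusing hostname '$hn': not a valid DNS name" >&2
        return 1
    fi
    # After validation both values consist of [A-Za-z0-9.-] only, so they
    # cannot contain the '|' delimiter or the sed-special '&' and '\'.
    sed -e "s|@index@|$idx|g" -e "s|@hostname@|$hn|g" "$tpl" > "$out"
}
```

In an entrypoint this would be called as `render_inputs_conf /etc/splunk-templates/inputs.conf "$SPLUNK_HOME/etc/system/local/inputs.conf" "$SPLUNK_INDEX" "$(cat /etc/hostname)"` (template path assumed) before `splunk start`, so a bad value stops the container instead of producing a silently broken inputs.conf.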

Example docker-compose.yml

version: '2'
services:
  splunk-forwarder:
    image: "${IMAGE_REPO}/docker-stats-splunk-forwarder:${IMAGE_VERSION}"
    environment:
      SPLUNK_INDEX: ${ENVIRONMENT}
    volumes:
    - /etc/hostname:/etc/hostname:ro
    - /var/log:/var/log
    - /var/run/docker.sock:/var/run/docker.sock:ro

A couple of caveats about these mounts. The forwarder only reads /var/log, so that mount can be :ro as well. The :ro on /var/run/docker.sock, on the other hand, only makes the mount read-only at the filesystem level: connecting to the socket and issuing API calls still works, and anything that can talk to the Docker daemon can start a privileged container and thereby take over the host. Treat this container as host-privileged and run it only on nodes where that is acceptable.

Result

Yes, the solution may not be ideal and is certainly not universal for everyone, since there is a lot of "hardcode" in it. But based on it, anyone can build their own image and put it into their private artifactory if, as it happened to us, you need Splunk Forwarder in Docker. Keep in mind that the image carries the splunkclouduf.spl credentials and the hardcoded admin password, so anyone who can pull it can extract them; the registry it lives in needs to be protected as carefully as the credentials themselves.

References:

Solution from the article
The solution from outcoldman that inspired us to reuse some of its functions
Official documentation for setting up the Universal Forwarder

sumber: www.habr.com
