Splunk ni mojawapo ya baadhi ya bidhaa zinazotambulika zaidi za ukusanyaji na uchambuzi wa kumbukumbu za kibiashara. Hata sasa, wakati mauzo hayajafanywa tena nchini Urusi, hii sio sababu ya kuandika maagizo / jinsi ya bidhaa hii.
Kazi: kukusanya kumbukumbu za mfumo kutoka kwa nodi za docker katika Splunk bila kubadilisha usanidi wa mashine ya mwenyeji
Ningependa kuanza na mbinu rasmi, ambayo inaonekana ya kushangaza wakati wa kutumia Docker.
Tuna nini:
1. Picha ya Pullim
$ docker pull splunk/universalforwarder:latest2. Anza chombo na vigezo muhimu
$ docker run -d -p 9997:9997 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=<password>' splunk/universalforwarder:latest3. Tunaingia kwenye chombo
docker exec -it <container-id> /bin/bashIfuatayo, tunaulizwa kwenda kwenye anwani inayojulikana katika nyaraka.
Na usanidi chombo baada ya kuanza:
./splunk add forward-server <host name or ip address>:<listening port>
./splunk add monitor /var/log
./splunk restart
Subiri. Nini?
Lakini mshangao hauishii hapo. Ikiwa utaendesha kontena kutoka kwa picha rasmi katika hali ya maingiliano, utaona yafuatayo:
Kukatishwa tamaa kidogo
$ docker run -it -p 9997:9997 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=password' splunk/universalforwarder:latest
PLAY [Run default Splunk provisioning] *******************************************************************************************************************************************************************************************************
Tuesday 09 April 2019 13:40:38 +0000 (0:00:00.096) 0:00:00.096 *********
TASK [Gathering Facts] ***********************************************************************************************************************************************************************************************************************
ok: [localhost]
Tuesday 09 April 2019 13:40:39 +0000 (0:00:01.520) 0:00:01.616 *********
TASK [Get actual hostname] *******************************************************************************************************************************************************************************************************************
changed: [localhost]
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.599) 0:00:02.215 *********
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.054) 0:00:02.270 *********
TASK [set_fact] ******************************************************************************************************************************************************************************************************************************
ok: [localhost]
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.075) 0:00:02.346 *********
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.067) 0:00:02.413 *********
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.060) 0:00:02.473 *********
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.051) 0:00:02.525 *********
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.056) 0:00:02.582 *********
Tuesday 09 April 2019 13:40:41 +0000 (0:00:00.216) 0:00:02.798 *********
included: /opt/ansible/roles/splunk_common/tasks/change_splunk_directory_owner.yml for localhost
Tuesday 09 April 2019 13:40:41 +0000 (0:00:00.087) 0:00:02.886 *********
TASK [splunk_common : Update Splunk directory owner] *****************************************************************************************************************************************************************************************
ok: [localhost]
Tuesday 09 April 2019 13:40:41 +0000 (0:00:00.324) 0:00:03.210 *********
included: /opt/ansible/roles/splunk_common/tasks/get_facts.yml for localhost
Tuesday 09 April 2019 13:40:41 +0000 (0:00:00.094) 0:00:03.305 *********
Π½Ρ ΠΈ ΡΠ°ΠΊ Π΄Π°Π»Π΅Π΅...
Kubwa. Picha haina hata vizalia vya programu. Hiyo ni, kila wakati unapoanza itachukua muda kupakua kumbukumbu na jozi, kufungua na kusanidi.
Vipi kuhusu njia ya docker na hayo yote?
Hapana asante. Tutachukua njia tofauti. Je, ikiwa tutafanya shughuli hizi zote katika hatua ya mkusanyiko? Basi twende!
Ili nisicheleweshe kwa muda mrefu sana, nitakuonyesha picha ya mwisho mara moja:
Dockerfile
# Π’ΡΡ Ρ ΠΊΠΎΠ³ΠΎ ΠΊΠ°ΠΊΠΈΠ΅ ΠΏΡΠ΅Π΄ΠΏΠΎΡΡΠ΅Π½ΠΈΡ
FROM centos:7
# ΠΠ°Π΄Π°ΡΠΌ ΠΏΠ΅ΡΠ΅ΠΌΠ΅Π½Π½ΡΠ΅, ΡΡΠΎΠ±Ρ ΠΊΠ°ΠΆΠ΄ΡΠΉ ΡΠ°Π· ΠΏΡΠΈ ΡΡΠ°ΡΡΠ΅ Π½Π΅ ΡΠΊΠ°Π·ΡΠ²Π°ΡΡ ΠΈΡ
ENV SPLUNK_HOME /splunkforwarder
ENV SPLUNK_ROLE splunk_heavy_forwarder
ENV SPLUNK_PASSWORD changeme
ENV SPLUNK_START_ARGS --accept-license
# Π‘ΡΠ°Π²ΠΈΠΌ ΠΏΠ°ΠΊΠ΅ΡΡ
# wget - ΡΡΠΎΠ±Ρ ΡΠΊΠ°ΡΠ°ΡΡ Π°ΡΡΠ΅ΡΠ°ΠΊΡΡ
# expect - ΠΏΠΎΠ½Π°Π΄ΠΎΠ±ΠΈΡΡΡ Π΄Π»Ρ ΠΏΠ΅ΡΠ²ΠΎΠ½Π°ΡΠ°Π»ΡΠ½ΠΎΠ³ΠΎ Π·Π°ΠΏΡΡΠΊΠ° Splunk Π½Π° ΡΡΠ°ΠΏΠ΅ ΡΠ±ΠΎΡΠΊΠΈ
# jq - ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΠ΅ΡΡΡ Π² ΡΠΊΡΠΈΠΏΡΠ°Ρ
, ΠΊΠΎΡΠΎΡΡΠ΅ ΡΠΎΠ±ΠΈΡΠ°ΡΡ ΡΡΠ°ΡΠΈΡΡΠΈΠΊΡ Π΄ΠΎΠΊΠ΅ΡΠ°
RUN yum install -y epel-release
&& yum install -y wget expect jq
# ΠΠ°ΡΠ°Π΅ΠΌ, ΡΠ°ΡΠΏΠ°ΠΊΠΎΠ²ΡΠ²Π°Π΅ΠΌ, ΡΠ΄Π°Π»ΡΠ΅ΠΌ
RUN wget -O splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.2.4&product=universalforwarder&filename=splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz&wget=true'
&& wget -O docker-18.09.3.tgz 'https://download.docker.com/linux/static/stable/x86_64/docker-18.09.3.tgz'
&& tar -xvf splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz
&& tar -xvf docker-18.09.3.tgz
&& rm -f splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz
&& rm -f docker-18.09.3.tgz
# Π‘ shell ΡΠΊΡΠΈΠΏΡΠ°ΠΌΠΈ Π²ΡΡ ΠΏΠΎΠ½ΡΡΠ½ΠΎ, Π° Π²ΠΎΡ inputs.conf, splunkclouduf.spl ΠΈ first_start.sh Π½ΡΠΆΠ΄Π°ΡΡΡΡ Π² ΠΏΠΎΡΡΠ½Π΅Π½ΠΈΠΈ. ΠΠ± ΡΡΠΎΠΌ ΡΠ°ΡΡΠΊΠ°ΠΆΡ ΠΏΠΎΡΠ»Π΅ source ΡΡΠ³Π°.
COPY [ "inputs.conf", "docker-stats/props.conf", "/splunkforwarder/etc/system/local/" ]
COPY [ "docker-stats/docker_events.sh", "docker-stats/docker_inspect.sh", "docker-stats/docker_stats.sh", "docker-stats/docker_top.sh", "/splunkforwarder/bin/scripts/" ]
COPY splunkclouduf.spl /splunkclouduf.spl
COPY first_start.sh /splunkforwarder/bin/
# ΠΠ°ΡΠΌ ΠΏΡΠ°Π²Π° Π½Π° ΠΈΡΠΏΠΎΠ»Π½Π΅Π½ΠΈΠ΅, Π΄ΠΎΠ±Π°Π²Π»ΡΠ΅ΠΌ ΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΠ΅Π»Ρ ΠΈ Π²ΡΠΏΠΎΠ»Π½ΡΠ΅ΠΌ ΠΏΠ΅ΡΠ²ΠΎΠ½Π°ΡΠ°Π»ΡΠ½ΡΡ Π½Π°ΡΡΡΠΎΠΉΠΊΡ
RUN chmod +x /splunkforwarder/bin/scripts/*.sh
&& groupadd -r splunk
&& useradd -r -m -g splunk splunk
&& echo "%sudo ALL=NOPASSWD:ALL" >> /etc/sudoers
&& chown -R splunk:splunk $SPLUNK_HOME
&& /splunkforwarder/bin/first_start.sh
&& /splunkforwarder/bin/splunk install app /splunkclouduf.spl -auth admin:changeme
&& /splunkforwarder/bin/splunk restart
# ΠΠΎΠΏΠΈΡΡΠ΅ΠΌ ΠΈΠ½ΠΈΡ ΡΠΊΡΠΈΠΏΡΡ
COPY [ "init/entrypoint.sh", "init/checkstate.sh", "/sbin/" ]
# ΠΠΎ ΠΆΠ΅Π»Π°Π½ΠΈΡ. ΠΠΎΠΌΡ Π½ΡΠΆΠ½ΠΎ Π»ΠΎΠΊΠ°Π»ΡΠ½ΠΎ ΠΈΠΌΠ΅ΡΡ ΠΊΠΎΠ½ΡΠΈΠ³ΠΈ/Π»ΠΎΠ³ΠΈ, ΠΊΠΎΠΌΡ Π½Π΅Ρ.
VOLUME [ "/splunkforwarder/etc", "/splunkforwarder/var" ]
HEALTHCHECK --interval=30s --timeout=30s --start-period=3m --retries=5 CMD /sbin/checkstate.sh || exit 1
ENTRYPOINT [ "/sbin/entrypoint.sh" ]
CMD [ "start-service" ]Kwa hivyo ni nini kilichomo ndani
kwanza_anza.sh
#!/usr/bin/expect -f
set timeout -1
spawn /splunkforwarder/bin/splunk start --accept-license
expect "Please enter an administrator username: "
send -- "adminr"
expect "Please enter a new password: "
send -- "changemer"
expect "Please confirm new password: "
send -- "changemer"
expect eofMwanzoni mwa kwanza, Splunk anakuuliza uipe kuingia/nenosiri, LAKINI data hii inatumika tu kutekeleza amri za kiutawala kwa usakinishaji huo, yaani, ndani ya kontena. Kwa upande wetu, tunataka tu kuzindua chombo ili kila kitu kifanye kazi na magogo yatiririke kama mto. Kwa kweli, hii ni hardcode, lakini sijapata njia zingine.
Zaidi kulingana na hati inatekelezwa
/splunkforwarder/bin/splunk install app /splunkclouduf.spl -auth admin:changemesplunkclouduf.spl - Hii ni faili ya kitambulisho ya Splunk Universal Forwarder, ambayo inaweza kupakuliwa kutoka kwa kiolesura cha wavuti.
Mahali pa kubofya ili kupakua (katika picha)
Hii ni kumbukumbu ya kawaida ambayo inaweza kufunguliwa. Ndani ni vyeti na nenosiri la kuunganisha kwenye SplunkCloud yetu na matokeo.conf na orodha ya matukio yetu ya uingizaji. Faili hii itakuwa muhimu hadi usakinishe tena usakinishaji wako wa Splunk au uongeze nodi ya ingizo ikiwa usakinishaji uko kwenye msingi. Kwa hiyo, hakuna chochote kibaya kwa kuiongeza ndani ya chombo.
Na jambo la mwisho ni kuanzisha upya. Ndiyo, ili kutumia mabadiliko, unahitaji kuianzisha upya.
Katika yetu pembejeo.conf tunaongeza kumbukumbu ambazo tunataka kutuma kwa Splunk. Sio lazima kuongeza faili hii kwenye picha ikiwa, kwa mfano, unasambaza configs kupitia puppet. Jambo pekee ni kwamba Forwarder huona usanidi wakati daemon inapoanza, vinginevyo itahitaji ./splunk anzisha upya.
Ni maandishi gani ya takwimu za docker? Kuna suluhisho la zamani kwenye Github kutoka , hati zilichukuliwa kutoka hapo na kurekebishwa ili kufanya kazi na matoleo ya sasa ya Docker (ce-17.*) na Splunk (7.*).
Kwa data iliyopatikana, unaweza kuunda zifuatazo
dashibodi: (picha kadhaa)
Msimbo wa chanzo wa deshi uko kwenye kiungo kilichotolewa mwishoni mwa makala. Tafadhali kumbuka kuwa kuna sehemu 2 zilizochaguliwa: 1 - uteuzi wa faharasa (umetafutwa na kinyago), uteuzi wa mwenyeji/chombo. Labda utahitaji kusasisha kinyago cha faharasa, kulingana na majina unayotumia.
Kwa kumalizia, ningependa kuteka mawazo yako kwa kazi anza () Π²
kiingilio.sh
start() {
trap teardown EXIT
if [ -z $SPLUNK_INDEX ]; then
echo "'SPLUNK_INDEX' env variable is empty or not defined. Should be 'dev' or 'prd'." >&2
exit 1
else
sed -e "s/@index@/$SPLUNK_INDEX/" -i ${SPLUNK_HOME}/etc/system/local/inputs.conf
fi
sed -e "s/@hostname@/$(cat /etc/hostname)/" -i ${SPLUNK_HOME}/etc/system/local/inputs.conf
sh -c "echo 'starting' > /tmp/splunk-container.state"
${SPLUNK_HOME}/bin/splunk start
watch_for_failure
}Katika kesi yangu, kwa kila mazingira na kila chombo cha mtu binafsi, iwe ni maombi kwenye chombo au mashine ya mwenyeji, tunatumia index tofauti. Kwa njia hii, kasi ya utafutaji haitateseka wakati kuna mkusanyiko mkubwa wa data. Sheria rahisi hutumiwa kutaja faharisi: _. Kwa hivyo, ili chombo kiwe cha ulimwengu wote, kabla ya kuzindua daemon yenyewe, tunabadilisha kiu-th wildcard kwa jina la mazingira. Tofauti ya jina la mazingira hupitishwa kupitia anuwai za mazingira. Inaonekana funny.
Inafaa pia kuzingatia kuwa kwa sababu fulani Splunk haiathiriwa na uwepo wa parameta ya docker jina la mwenyeji. Bado atatuma kumbukumbu kwa ukaidi na kitambulisho cha kontena lake kwenye uwanja wa mwenyeji. Kama suluhisho, unaweza kupanda / nk / hostname kutoka kwa mashine mwenyeji na wakati wa kuanza fanya uingizwaji sawa na majina ya faharisi.
Mfano docker-compose.yml
version: '2'
services:
splunk-forwarder:
image: "${IMAGE_REPO}/docker-stats-splunk-forwarder:${IMAGE_VERSION}"
environment:
SPLUNK_INDEX: ${ENVIRONMENT}
volumes:
- /etc/hostname:/etc/hostname:ro
- /var/log:/var/log
- /var/run/docker.sock:/var/run/docker.sock:roJumla ya
Ndiyo, labda suluhisho sio bora na kwa hakika sio kwa kila mtu, kwa kuwa kuna mengi "hardcode". Lakini kwa kuzingatia hilo, kila mtu anaweza kuunda picha yake mwenyewe na kuiweka kwenye bandia yao ya kibinafsi, ikiwa, kama inavyotokea, unahitaji Splunk Forwarder katika Docker.
Marejeo:
Chanzo: mapenzi.com