Splunk has one of the best-known log collection and analytics products. Even now, when it can no longer be sold in Russia, that is no reason not to write instructions / how-tos for this product.
Goal: collect system logs from a docker node into Splunk without changing the configuration of the host machine.
I would like to start with the official approach, which looks odd when you are using Docker.
What we have:
1. Pull the image
$ docker pull splunk/universalforwarder:latest
2. Start the container with the required parameters
$ docker run -d -p 9997:9997 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=<password>' splunk/universalforwarder:latest
3. Enter the container
docker exec -it <container-id> /bin/bash
After that, we are asked to go to the directory known from the documentation.
And configure the container after it has started:
./splunk add forward-server <host name or ip address>:<listening port>
./splunk add monitor /var/log
./splunk restart
Wait. What?
But the surprises do not end there. If you run the container from the official image in interactive mode, you will see the following:
A small disappointment
$ docker run -it -p 9997:9997 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=password' splunk/universalforwarder:latest
PLAY [Run default Splunk provisioning] *******************************************************************************************************************************************************************************************************
Tuesday 09 April 2019 13:40:38 +0000 (0:00:00.096) 0:00:00.096 *********
TASK [Gathering Facts] ***********************************************************************************************************************************************************************************************************************
ok: [localhost]
Tuesday 09 April 2019 13:40:39 +0000 (0:00:01.520) 0:00:01.616 *********
TASK [Get actual hostname] *******************************************************************************************************************************************************************************************************************
changed: [localhost]
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.599) 0:00:02.215 *********
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.054) 0:00:02.270 *********
TASK [set_fact] ******************************************************************************************************************************************************************************************************************************
ok: [localhost]
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.075) 0:00:02.346 *********
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.067) 0:00:02.413 *********
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.060) 0:00:02.473 *********
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.051) 0:00:02.525 *********
Tuesday 09 April 2019 13:40:40 +0000 (0:00:00.056) 0:00:02.582 *********
Tuesday 09 April 2019 13:40:41 +0000 (0:00:00.216) 0:00:02.798 *********
included: /opt/ansible/roles/splunk_common/tasks/change_splunk_directory_owner.yml for localhost
Tuesday 09 April 2019 13:40:41 +0000 (0:00:00.087) 0:00:02.886 *********
TASK [splunk_common : Update Splunk directory owner] *****************************************************************************************************************************************************************************************
ok: [localhost]
Tuesday 09 April 2019 13:40:41 +0000 (0:00:00.324) 0:00:03.210 *********
included: /opt/ansible/roles/splunk_common/tasks/get_facts.yml for localhost
Tuesday 09 April 2019 13:40:41 +0000 (0:00:00.094) 0:00:03.305 *********
and so on...
Great. The image does not even contain the artifact. That is, on every start it will take time to download the binary archive, unpack it and configure it.
What about the docker-way and all that?
No thanks. We will take a different path. What if we do all of this work at the build stage? Then let's go!
So as not to drag this out, I will show you the final image right away:
Dockerfile
# Use whatever base image you prefer
FROM centos:7
# Set the variables here so they do not have to be passed on every start
ENV SPLUNK_HOME /splunkforwarder
ENV SPLUNK_ROLE splunk_heavy_forwarder
ENV SPLUNK_PASSWORD changeme
ENV SPLUNK_START_ARGS --accept-license
# Install packages
# wget - to download the artifacts
# expect - needed for the initial Splunk start during the build stage
# jq - used by the scripts that collect docker statistics
RUN yum install -y epel-release \
  && yum install -y wget expect jq
# Download, unpack, remove
RUN wget -O splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.2.4&product=universalforwarder&filename=splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz&wget=true' \
  && wget -O docker-18.09.3.tgz 'https://download.docker.com/linux/static/stable/x86_64/docker-18.09.3.tgz' \
  && tar -xvf splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz \
  && tar -xvf docker-18.09.3.tgz \
  && rm -f splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz \
  && rm -f docker-18.09.3.tgz
# The shell scripts are self-explanatory, but inputs.conf, splunkclouduf.spl and first_start.sh need an explanation. I will cover that below.
COPY [ "inputs.conf", "docker-stats/props.conf", "/splunkforwarder/etc/system/local/" ]
COPY [ "docker-stats/docker_events.sh", "docker-stats/docker_inspect.sh", "docker-stats/docker_stats.sh", "docker-stats/docker_top.sh", "/splunkforwarder/bin/scripts/" ]
COPY splunkclouduf.spl /splunkclouduf.spl
COPY first_start.sh /splunkforwarder/bin/
# Grant execute permissions, add the user and perform the initial setup
RUN chmod +x /splunkforwarder/bin/scripts/*.sh \
  && groupadd -r splunk \
  && useradd -r -m -g splunk splunk \
  && echo "%sudo ALL=NOPASSWD:ALL" >> /etc/sudoers \
  && chown -R splunk:splunk $SPLUNK_HOME \
  && /splunkforwarder/bin/first_start.sh \
  && /splunkforwarder/bin/splunk install app /splunkclouduf.spl -auth admin:changeme \
  && /splunkforwarder/bin/splunk restart
# Copy the init scripts
COPY [ "init/entrypoint.sh", "init/checkstate.sh", "/sbin/" ]
# Optional. Some people want configs/logs locally, some do not.
VOLUME [ "/splunkforwarder/etc", "/splunkforwarder/var" ]
HEALTHCHECK --interval=30s --timeout=30s --start-period=3m --retries=5 CMD /sbin/checkstate.sh || exit 1
ENTRYPOINT [ "/sbin/entrypoint.sh" ]
CMD [ "start-service" ]
So what is inside
first_start.sh
#!/usr/bin/expect -f
# Never time out: the first start can take a while
set timeout -1
spawn /splunkforwarder/bin/splunk start --accept-license
# Answer the interactive admin-account prompts of the first start
expect "Please enter an administrator username: "
send -- "admin\r"
expect "Please enter a new password: "
send -- "changeme\r"
expect "Please confirm new password: "
send -- "changeme\r"
expect eof
On the first start, Splunk asks you to give it a login/password, BUT this data is used only to run administrative commands against this particular installation, that is, inside the container. In our case, we just want to start the container so that everything works and the logs flow like a river. Of course, this is hardcode, but I have not found any other way.
Next, the script runs
/splunkforwarder/bin/splunk install app /splunkclouduf.spl -auth admin:changeme
splunkclouduf.spl - this is the Splunk Universal Forwarder credentials file, which can be downloaded from the web interface.
Where to click to download (in pictures)
This is a regular archive that can be unpacked. Inside are the certificates and the password for connecting to our SplunkCloud, plus outputs.conf with the list of our input instances. This file will keep working until you reinstall your Splunk installation or add an input node if the installation is on-premise. So there is nothing wrong with adding it inside the container.
And the last thing is a restart. Yes, to apply the changes you need to restart.
In our inputs.conf we add the logs we want to send to Splunk. There is no need to add this file to the image if, for example, you distribute configs with puppet. The only thing is that the Forwarder picks up the config when the daemon starts; otherwise it needs ./splunk restart.
What kind of docker stats scripts are these? There is an old solution on Github from which the scripts were taken and adapted to work with current versions of Docker (ce-17.*) and Splunk (7.*).
With the collected data you can build the following
dashboards: (a few pictures)
The source code of the dashboards is at the link given at the end of the article. Please note that there are 2 select fields: 1 - index selection (searched by mask), 2 - host/container selection. You will need to update the index mask depending on the names you use.
In conclusion, I would like to draw your attention to the start() function in
entrypoint.sh
start() {
    trap teardown EXIT
    # The index name is taken from the environment; without it there is nothing to substitute
    if [ -z "$SPLUNK_INDEX" ]; then
        echo "'SPLUNK_INDEX' env variable is empty or not defined. Should be 'dev' or 'prd'." >&2
        exit 1
    else
        sed -e "s/@index@/$SPLUNK_INDEX/" -i ${SPLUNK_HOME}/etc/system/local/inputs.conf
    fi
    # /etc/hostname is mounted from the host, see the docker-compose example below
    sed -e "s/@hostname@/$(cat /etc/hostname)/" -i ${SPLUNK_HOME}/etc/system/local/inputs.conf
    sh -c "echo 'starting' > /tmp/splunk-container.state"
    ${SPLUNK_HOME}/bin/splunk start
    watch_for_failure
}
In my case, for each environment and each entity, whether an application in a container or on the host machine, we use a separate index. This way the search speed does not suffer when a significant amount of data has accumulated. A simple rule is used for naming indexes: _. So, to make the container universal, before starting the daemon itself we replace the sed wildcard with the environment name. The environment name is passed in through environment variables. Sounds funny.
It is worth noting that for some reason Splunk is not affected by the presence of the docker hostname parameter. It will stubbornly send logs with its container id in the host field. As a workaround, you can mount /etc/hostname from the host machine and at startup make a replacement similar to the one for index names.
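In start() above, whatever reaches SPLUNK_INDEX or the mounted /etc/hostname is pasted verbatim into inputs.conf by sed. As an added example (not code from the original post), here is a POSIX sh version of that substitution that only accepts the index names the post allows and a plain hostname, and fails without writing anything otherwise; the template content and the function names are assumptions:

```shell
#!/bin/sh
# Added example, not part of the original entrypoint.sh.
# Assumes an inputs.conf template with @index@ and @hostname@ placeholders.

# validate_index: accept only the index names the post allows ('dev' or 'prd').
validate_index() {
    case "$1" in
        dev|prd) return 0 ;;
        *)       return 1 ;;
    esac
}

# validate_hostname: a single line of letters, digits, '.' and '-', so a mounted
# /etc/hostname cannot carry sed syntax or extra config stanzas into inputs.conf.
validate_hostname() {
    [ "$(printf '%s\n' "$1" | wc -l | tr -d ' ')" -eq 1 ] &&
        printf '%s' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9.-]{0,254}$'
}

# render_inputs_conf TEMPLATE OUT INDEX HOSTNAME
# Writes the rendered config to OUT; returns non-zero and writes nothing if
# either value is rejected. Both values are validated, so they are safe inside
# the sed replacement (no '/', '&' or '\' can get through).
render_inputs_conf() {
    template=$1; out=$2; index=$3; hostname=$4
    validate_index "$index" || {
        echo "invalid SPLUNK_INDEX: '$index' (expected 'dev' or 'prd')" >&2; return 1; }
    validate_hostname "$hostname" || {
        echo "invalid hostname: '$hostname'" >&2; return 1; }
    sed -e "s/@index@/$index/g" -e "s/@hostname@/$hostname/g" "$template" > "$out"
}

# demo: constructed template mirroring the placeholders used in the post.
demo() {
    tmpl=$(mktemp); out=$(mktemp)
    cat > "$tmpl" <<'EOF'
[monitor:///var/log]
index = @index@
host = @hostname@
EOF
    render_inputs_conf "$tmpl" "$out" "${SPLUNK_INDEX:-dev}" "$(cat /etc/hostname)" && cat "$out"
    rm -f "$tmpl" "$out"
}
```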
Example docker-compose.yml
version: '2'
services:
splunk-forwarder:
image: "${IMAGE_REPO}/docker-stats-splunk-forwarder:${IMAGE_VERSION}"
environment:
SPLUNK_INDEX: ${ENVIRONMENT}
volumes:
- /etc/hostname:/etc/hostname:ro
- /var/log:/var/log
- /var/run/docker.sock:/var/run/docker.sock:ro
Result
Yes, the solution is perhaps not ideal and certainly not universal for everyone, since there is a lot of "hardcode". But based on it, anyone can build their own image and put it in their private registry if, as happens, they need Splunk Forwarder in Docker.
Links:
source: www.habr.com
