Running Splunk in Docker trying to connect to Heroku

dkillian
New Member

I followed steps in "Heroku App for Splunk"...

  • I'm running Docker Splunk
  • Turned on logging (on Heroku)
  • Installed App (Heroku App for Splunk)
  • Switched on port:514 (within Splunk)
  • Ran: heroku drains:add syslog://YOUR_INDEXER'S_IP:PORT_FOR_INPUT --app YOUR_APP_NAME
  • No errors, but no data is being received by Splunk.

The question that I have is that I am using the IP address of the docker container (from "docker inspect").
Do I need to open port 514 on the Docker container?
Any help or insight is appreciated!
-David

0 Karma

codebuilder
SplunkTrust

You'll also need to ensure that IP Forwarding is enabled on the OS in order to allow Docker to do what you are attempting.

I don't know Mac OS, but the Linux equivalent is set via sysctl:

net.ipv4.conf.all.forwarding = 1
and/or
net.ipv6.conf.all.forwarding = 1

Without those, Docker will never be able to communicate with the outside world.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma

mattymo
Splunk Employee

Hi dkillian!

Where are you running docker, also what version/flavor?

You will need to expose the port to the host, so that the host machine running docker can bridge or route the external traffic to the container.

Start here:

https://docs.docker.com/v17.09/engine/userguide/networking/default_network/binding/

- MattyMo
0 Karma

dkillian
New Member

Hi mmodestino!

First, thanks for your response! I realized I was a bit too hasty and didn't really provide a lot of info.

Docker
- Version: 18.03.1
- System: Macbook Pro / macOS 10.13.4
- Image: splunk/splunk
- Run command: docker run -d -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_USER=root" -p "8000:8000" -p "514:514" splunk/splunk

I am attempting to receive a log stream from Heroku (via a log drain, with a target IP and port, which I am using my Mac's current IP address). Splunk listens on Port 514. I know I've set up the drain correctly on the Heroku side. I've got nettop running on my Mac and I see data coming in.

It seems like I need to bridge into the container. So I must have set up the run command incorrectly. Not sure what to do... should I just open all of the ports to the container? Can I do that on a running container?

I appreciate your help!!

-dkillian

0 Karma

mattymo
Splunk Employee

When you run sudo lsof -i -n -P | grep UDP, do you see 514 being served by your Mac?

I will try this setup as soon as I can and try and provide the docker config.

- MattyMo
0 Karma
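
Added example (not posted by anyone in the thread; the function names are hypothetical): Docker publishes a port as TCP only when `-p` carries no `/udp` suffix, while the `lsof` check above filters for UDP. This script parses the run command quoted in the thread and reports which protocols are not published for container port 514.

```python
import shlex

# Run command copied from the thread above.
RUN_CMD = ('docker run -d -e "SPLUNK_START_ARGS=--accept-license" '
           '-e "SPLUNK_USER=root" -p "8000:8000" -p "514:514" splunk/splunk')


def parse_publish(spec):
    """Parse one [ip:][hostPort:]containerPort[/proto] publish spec."""
    body, _, proto = spec.partition("/")
    parts = body.rsplit(":", 2)  # rsplit keeps a bracketed IPv6 bind address whole
    return {
        "bind_ip": parts[0] if len(parts) == 3 else None,
        "host_port": (parts[-2] or None) if len(parts) >= 2 else None,
        "container_port": parts[-1],
        "proto": proto.lower() or "tcp",  # no suffix means TCP
    }


def published_ports(cmd):
    """Collect every -p / --publish mapping from a docker run command line."""
    args = shlex.split(cmd)
    specs = []
    for i, arg in enumerate(args):
        if arg in ("-p", "--publish") and i + 1 < len(args):
            specs.append(args[i + 1])
        elif arg.startswith("--publish="):
            specs.append(arg.split("=", 1)[1])
    return [parse_publish(s) for s in specs]


def unpublished_protocols(cmd, container_port, wanted=("tcp", "udp")):
    """Return the wanted protocols that are not published for container_port."""
    have = {p["proto"] for p in published_ports(cmd)
            if p["container_port"] == str(container_port)}
    return [w for w in wanted if w not in have]


if __name__ == "__main__":
    for mapping in published_ports(RUN_CMD):
        print(mapping)
    print("not published for 514:", unpublished_protocols(RUN_CMD, 514))
    # Constructed variant of the same command with a UDP mapping added.
    fixed = RUN_CMD.replace('-p "514:514"', '-p "514:514" -p "514:514/udp"')
    print("after adding /udp:", unpublished_protocols(fixed, 514))
```

Whichever protocol the drain uses, the Splunk input inside the container has to listen on that same protocol and port.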