Getting Data In

Home Monitoring with Splunk on Docker

khandpi
New Member

Hey Guys

Very new to Splunk. I want to do the following:

1) Install Splunk on Docker on my NAS (Have the basic one done I believe)

2) Forward my DD-WRT router logs to syslog-ng (?) or straight to Splunk? I saw an add-on, installed it, but obviously there is no data to ingest.

3) Have other docker containers running on NAS - forward their logs to splunk?

Now

1) Do I need Splunk Forwarder docker setup as well?
2) How do I setup Router logs to be sent to forwarder and then to splunk?
3) Or do I install syslog-ng (any know-how?) and then send logs to that, and then how will Splunk get it?
4) How do I get logs from other containers into splunk?

New to this and want to do a home setup with centralized monitoring on Splunk

0 Karma

khandpi
New Member

Thanks... I set up syslog-ng but nothing is coming in on port 514. I tried various commands to send a test message but syslog ain't recording it (can't see anything on disk). Need to figure that out first.

0 Karma

khandpi
New Member

Thanks @FrankVI

Can we use splunk to listen to 514 and send logs there instead of using rsyslog / syslog-ng? Something like http://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Monitornetworkports

Or is there an advantage of using a separate syslog?

0 Karma

FrankVl
Ultra Champion

Yes you can do that as well. It is typically not recommended (as you will have data loss during splunk restarts for one reason), so I kept my setup closer to best practice. But if you want to keep things simple, and are not worried about reliability that much for home use, a network input can also work.

0 Karma

FrankVl
Ultra Champion

Not too familiar with Docker, but I do have a somewhat similar use case at home, so let me outline how I solved that. It doesn't use Docker, but hopefully that still provides some pointers that you can use to answer some of your questions.

I have a linux VM running in Virtual Box on an Intel NUC. On this VM I have a syslog daemon (rsyslog in my case, but syslog-ng would also work) as well as a single instance Splunk Enterprise installation.

My router (and some other devices) send their syslog to the rsyslog daemon on the VM, rsyslog writes it to disk and Splunk is configured with file monitor inputs to pick it up from there.

To take a stab at your questions:
1: No, I don't think so. I don't see what that would add (apart from the educational purpose of working with a separate forwarder instance).
2+3: I think a setup with a syslog daemon (potentially running in docker) receiving the data and writing to a location on disk that is accessible by your Splunk docker instance would be the way to go.
4: Have the processes running in those other containers write to a disk location that is shared with the Splunk Docker container, such that Splunk can monitor it.

0 Karma
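The two configuration pieces behind FrankVl's outline (a syslog daemon receives on 514 and writes per-host files, Splunk monitors those files), plus the simpler direct network input he mentions as the less reliable option, and a small check for khandpi's "nothing arrives on 514" problem. This is an added example, not code or config from anyone in the thread. The spool directory /var/log/remote, the index name "home", the file names and the rsyslog-rather-than-syslog-ng choice are all assumptions; rsyslog's RainerScript syntax and the Splunk inputs.conf keys shown are the real ones.

```shell
#!/bin/sh
# Added example (not from the thread). Writes an rsyslog drop-in and a Splunk
# inputs.conf for the "daemon writes files, Splunk monitors them" design, and
# keeps the direct UDP input beside it, disabled, for comparison.
# Assumptions: spool dir, index name, file names.
set -eu

REMOTE_LOG_DIR="/var/log/remote"   # assumed: mounted into the Splunk container

# rsyslog drop-in: listen on 514/udp and 514/tcp, one file per sending host,
# then "stop" so remote events do not also land in the local syslog file.
write_rsyslog_conf() {
    cat > "$1" <<EOF
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")

template(name="PerHostFile" type="string"
         string="$REMOTE_LOG_DIR/%HOSTNAME%/syslog.log")

if \$fromhost-ip != "127.0.0.1" then {
    action(type="omfile" dynaFile="PerHostFile"
           dirCreateMode="0750" fileCreateMode="0640")
    stop
}
EOF
}

# Splunk inputs.conf: the file monitor keeps working while Splunk restarts
# because rsyslog keeps writing; the UDP input loses whatever arrives while
# Splunk is down, which is the caveat FrankVl raises. Enable only one of them:
# both bound to 514 on the same host would conflict anyway.
write_splunk_inputs() {
    cat > "$1" <<EOF
# Preferred: pick up what rsyslog wrote. host_segment = 4 takes the host name
# from the 4th path segment of /var/log/remote/<host>/syslog.log
[monitor://$REMOTE_LOG_DIR/*/syslog.log]
sourcetype = syslog
host_segment = 4
index = home

# Simple alternative: Splunk listens on 514/udp itself (flip disabled to 0
# and remove the rsyslog listener if you go this way).
[udp://514]
sourcetype = syslog
connection_host = ip
index = home
disabled = 1
EOF
}

# Troubleshooting the "nothing arrives on 514" case: is anything bound to the
# port at all, and does one test event end up on disk?
check_listener() {
    ss -lntu 2>/dev/null | grep -q ':514 '
}

send_test_event() {
    # util-linux logger: -n server, -P port, -d = UDP, -t tag
    logger -n 127.0.0.1 -P 514 -d -t nas-test "syslog test $(date +%s)"
    sleep 1
    grep -rl "nas-test" "$REMOTE_LOG_DIR" 2>/dev/null
}

case "${1:-}" in
    install)
        write_rsyslog_conf /etc/rsyslog.d/50-remote.conf
        mkdir -p "$REMOTE_LOG_DIR"
        # copy the result into the Splunk container's etc/system/local
        write_splunk_inputs "${2:-./inputs.conf}"
        ;;
    test)
        check_listener || { echo "nothing listening on 514"; exit 1; }
        send_test_event
        ;;
esac
```

Run `sh setup.sh install` as root on the host running rsyslog, restart rsyslog, then `sh setup.sh test`; if the listener check passes but no file appears, the router is usually sending to the wrong address or the NAS firewall is dropping 514. For the Docker side, mount /var/log/remote read-only into the Splunk container so the monitor stanza sees it, and handle FrankVl's answer to question 4 the same way: have the other containers write their logs to a host directory that is also mounted into the Splunk container. If you prefer the direct UDP input, the Splunk container needs that port published (`-p 514:514/udp`) and rsyslog must not be listening on it.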