
How to enable receiving? #32

Closed
LorenKeagle opened this issue Oct 9, 2018 · 4 comments

@LorenKeagle

How do I start a new container with receiving enabled on port 9997?

This seems like a very common use case, yet I don't see any options to automate this. I'm simply trying to set up a demo environment with both splunk and splunk-uf containers.

For that matter, how can I set up a forwarder container to automatically forward to a standalone container?

@bb03
Contributor

bb03 commented Oct 10, 2018

Hi Loren,
If you look at the test_scenarios directory, you should see the 1so1uf.yaml example. It currently sets up a universal forwarder and a standalone instance, and the forwarder forwards to the instance. To accept incoming requests on the standalone instance, all you would need to do for that service is to expose port 9997. Something like this

    ports:
      - 8000
      - 8089
      - 9997

Make the modification and then start the scenario by doing

    docker-compose -f 1uf1so.yaml up

Once configuration completes, you can check the port mapping using docker ps. Look and see what port was mapped to 9997 and then use that when configuring forwarders outside of the deployment. This play will also automatically configure receiving on the so1 container.

If you are configuring the uf to forward to a splunk instance outside of the deployment, file an issue. It should be straightforward, but it looks like we don't automatically set that up right now.

Let me know if you have additional questions.

@LorenKeagle
Author

I see. I was assuming that receiving wasn't enabled because the receiving port listing wasn't where I thought it was. I see 9997 enabled now under "Settings"->"Forwarding and receiving"->"Configure receiving".

However, now I'm running into another issue. When I stop my docker container for the splunk forwarder and bring it up again (i.e. a simple 'docker-compose down' then a 'docker-compose up'), the forwarder container always fails when setting up forwarding. The error is:

splunkforwarder_1 | failed: [localhost] (item=splunk) => {"attempts": 1, "changed": true, "cmd": ["/opt/splunkforwarder/bin/splunk", "add", "forward-server", "splunk:9997", "-auth", "admin:password"], "delta": "0:00:00.947455", "end": "2018-10-12 07:52:11.508661", "item": "splunk", "msg": "non-zero return code", "rc": 22, "start": "2018-10-12 07:52:10.561206", "stderr": "splunk:9997 forwarded-server already present", "stderr_lines": ["splunk:9997 forwarded-server already present"], "stdout": "", "stdout_lines": []}

After this, the container shuts down. Should I expect to have to rebuild the forwarding container every time, or is this just a bug in the ansible script and it should fail silently if the forwarding is already configured?

@nwang92
Contributor

nwang92 commented Oct 12, 2018

@LorenKeagle this looks like an idempotency issue in the local ansible plays. Thanks for pointing this out, I'll get this addressed!

@nwang92
Contributor

nwang92 commented Oct 23, 2018

Closing due to PR made above; this fix should be included in the next image push we make
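
An added example, not part of the thread and not the project's actual fix: one way to make the failing `add forward-server` step safe to re-run is to treat only the "already present" error from the log above as success and pass every other failure through. `add_forward_server` and `make_stub_splunk` are hypothetical names, and the stub is a constructed stand-in for the real CLI so the wrapper can be exercised offline.

```shell
#!/bin/sh
# Added example, not the project's fix. The path and the error text are taken
# from the failing task output quoted in the issue.
SPLUNK_BIN="${SPLUNK_BIN:-/opt/splunkforwarder/bin/splunk}"

# add_forward_server TARGET AUTH
# Returns 0 when the forward-server was added or was already configured;
# any other CLI failure is passed through with its own exit code.
add_forward_server() {
    target="$1"
    auth="$2"
    # Keep stderr for inspection, discard stdout; never trip `set -e` here.
    err=$("$SPLUNK_BIN" add forward-server "$target" -auth "$auth" 2>&1 >/dev/null) \
        && rc=0 || rc=$?
    if [ "$rc" -eq 0 ]; then
        return 0
    fi
    case "$err" in
        *"forwarded-server already present"*)
            echo "forward-server $target already configured, continuing" >&2
            return 0
            ;;
    esac
    printf '%s\n' "$err" >&2
    return "$rc"
}

# make_stub_splunk DIR (hypothetical helper)
# Writes a constructed stand-in for the splunk CLI into DIR so the wrapper can
# be exercised offline: first add succeeds, a repeat exits 22 like the log.
make_stub_splunk() {
    mkdir -p "$1"
    cat > "$1/splunk" <<'EOF'
#!/bin/sh
state="$(dirname "$0")/forward-servers.txt"
[ "$1 $2" = "add forward-server" ] || { echo "unsupported command" >&2; exit 1; }
if grep -qxF "$3" "$state" 2>/dev/null; then
    echo "$3 forwarded-server already present" >&2
    exit 22
fi
echo "$3" >> "$state"
EOF
    chmod +x "$1/splunk"
}
```

Matching on the specific error text rather than ignoring every non-zero exit keeps real failures, such as a missing binary, visible to the caller.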
