
Splunk architecture as I understand it

Today I drew my own Splunk architecture diagram, based on the diagram on the official site:

1: CM (cluster master server)

  The roles this server plays:

  a: manager for the search heads (the other search head nodes are given this node's master URI, so they learn which indexer peers to search)

        How to: in the search head's Splunk web UI, Settings --> Indexer clustering --> Enable indexer clustering, then choose to make the node a search head node and enter the master URI.

  b: manager for the indexer nodes. You can see this in the diagram below: the peers are all indexer servers. (Each indexer joins the cluster as a peer through the same Indexer clustering settings.)

        How to: in the indexer's Splunk web UI, Settings --> Indexer clustering --> Enable indexer clustering, then choose to make the node a peer node and enter the master URI.

The two roles above are shown in the middle part of the diagram below: the master node sits in the middle, the search head cluster is above it, and the indexer peers are below.
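As an added example (not from the original post), here are the server.conf [clustering] stanzas that the three web-UI steps above produce, written out by a small POSIX shell script so the differences between the manager, peer and search head roles sit side by side. The manager address, the shared secret and the SPLUNK_HOME paths are assumptions for illustration; the `splunk edit cluster-config` invocations are the CLI equivalent and appear only in comments because they need a running Splunk instance.

```shell
#!/bin/sh
# Added example: write the [clustering] stanza for each indexer-cluster role.
# MANAGER_URI and CLUSTER_SECRET are assumed values; replace them with your own.
MANAGER_URI="https://cm.example.internal:8089"     # assumed cluster manager (management port 8089)
CLUSTER_SECRET="change-me-to-a-long-random-value"  # assumed pass4SymmKey; must match on every node

# write_cluster_stanza ROLE SPLUNK_HOME
#   ROLE is manager | peer | searchhead.
#   Writes SPLUNK_HOME/etc/system/local/server.conf and prints its path.
write_cluster_stanza() {
    role=$1
    splunk_home=$2
    conf="$splunk_home/etc/system/local/server.conf"
    mkdir -p "$(dirname "$conf")"
    case "$role" in
        manager)
            # CLI equivalent: splunk edit cluster-config -mode master \
            #   -replication_factor 2 -search_factor 2 -secret "$CLUSTER_SECRET"
            cat > "$conf" <<EOF
[clustering]
mode = master
replication_factor = 2
search_factor = 2
pass4SymmKey = $CLUSTER_SECRET
cluster_label = example_cluster
EOF
            ;;
        peer)
            # CLI equivalent: splunk edit cluster-config -mode slave \
            #   -master_uri "$MANAGER_URI" -replication_port 9887 -secret "$CLUSTER_SECRET"
            # Peers also need a replication port for bucket copies between indexers.
            cat > "$conf" <<EOF
[replication_port://9887]

[clustering]
mode = slave
master_uri = $MANAGER_URI
pass4SymmKey = $CLUSTER_SECRET
EOF
            ;;
        searchhead)
            # CLI equivalent: splunk edit cluster-config -mode searchhead \
            #   -master_uri "$MANAGER_URI" -secret "$CLUSTER_SECRET"
            cat > "$conf" <<EOF
[clustering]
mode = searchhead
master_uri = $MANAGER_URI
pass4SymmKey = $CLUSTER_SECRET
EOF
            ;;
        *)
            echo "unknown role: $role (expected manager|peer|searchhead)" >&2
            return 1
            ;;
    esac
    printf '%s\n' "$conf"
    # Every role needs "splunk restart" afterwards for the stanza to take effect.
}

# cluster_mode SPLUNK_HOME: print the mode configured in server.conf (used to verify the result)
cluster_mode() {
    sed -n 's/^mode = //p' "$1/etc/system/local/server.conf"
}
```

pass4SymmKey is the only thing authenticating a node to the cluster, so it must be identical on the manager, every peer and every search head, and it should be set before the first `splunk restart`, because splunkd rewrites it in encrypted form on startup. The `master`/`slave`/`master_uri` spellings above are the ones the post's UI uses; newer releases document them as `manager`/`peer`/`manager_uri`, so check the server.conf.spec of your version for which spellings it accepts.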

[Figure: Splunk architecture diagram]

 2: DS (Deployment server)

 At the bottom of the diagram above:

   The DS server manages each client (deployment client) through Forwarder Management; the clients are the forwarders at the bottom of the diagram, and the forwarders collect the logs of each application server via syslog-ng.

Key point:

  The DS server pushes an outputs.conf to the forwarders inside each deployment app; that file is what tells a forwarder which indexers to send its data up to:

    # cat /srv/splunk/etc/deployment-apps/forwarders-XXX/default/outputs.conf
    [tcpout]
    defaultGroup = XXX_indexers

    [tcpout:XXX_indexers]
    # the forwarder auto load-balances across every indexer in this list
    server = 172.18.0.3:9997,172.18.0.4:9997,172.18.0.5:9997

Note:

How the forwarders above get connected to and managed by the DS server is also configured on each forwarder machine, but in its deploymentclient.conf (a targetUri pointing at the deployment server's management port, 8089 by default), not in outputs.conf; outputs.conf only decides where the forwarder sends its data.

 The green part of the diagram is the indexers; with this, the data path is linked end to end: from the search issued in the browser, through the search head and the indexers, down to the forwarder on the app client.

參考: Extended example: Deploy configurations to several forwarders - Splunk Documentation

[Figure: illustration from the referenced Splunk documentation page]

 From the reference link above, the points I excerpted:

On the deployment server:

1. Create directories for the deployment apps.

2. Use forwarder management to create the set of server classes for the deployment clients (forwarders). You'll create two server classes to represent the two OS types (Windows, Linux). Each server class will map a set of clients to two separate apps, for a total of four apps. These apps, defined in a later step, encapsulate:

  • The type of input -- the data that the universal forwarder will monitor (Windows event logs or Linux messages).
  • The type of output -- the indexer the forwarder will send data to (SPLUNK1 or SPLUNK2).

This configuration results in each universal forwarder belonging to a server class and receiving two apps: one for its inputs and one for its outputs.

Note: You can also create the server classes directly in serverclass.conf, as described below in Configure server classes in serverclass.conf.

3. Populate the app directories with the contents of the apps. Each app consists of a configuration file, either outputs.conf or inputs.conf.

4. Deploy the apps by reloading the deployment server.

After a short delay (while the forwarders receive and act upon their deployed content), Windows event logs begin flowing from Fflanda-WIN1 to Fflanda-SPLUNK1, and /var/log/messages begin flowing from Fflanda-LINUX1 and Fflanda-LINUX2 to Fflanda-SPLUNK2.
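The four steps above, carried out on the deployment server's file system, as an added example that is not part of the original post or of the Splunk documentation it quotes. The client names (Fflanda-WIN1, Fflanda-LINUX1, Fflanda-LINUX2) and indexer names (SPLUNK1, SPLUNK2) come from the excerpt; the indexer host addresses, the app names and the etc directory the script writes into are assumptions. The script only creates the files; the final `splunk reload deploy-server` is left as a comment because it needs a running deployment server.

```shell
#!/bin/sh
# Added example: build the deployment-server side of the two-OS example:
# two server classes, each mapping its clients to one inputs app and one
# outputs app (four apps in total). Indexer addresses below are assumed.
SPLUNK1="fflanda-splunk1.example.internal:9997"   # assumed address of Fflanda-SPLUNK1
SPLUNK2="fflanda-splunk2.example.internal:9997"   # assumed address of Fflanda-SPLUNK2

# build_deploy_apps DS_ETC
#   DS_ETC is the deployment server's etc directory (normally $SPLUNK_HOME/etc).
#   Creates DS_ETC/deployment-apps/<app>/default/{inputs,outputs}.conf and
#   DS_ETC/system/local/serverclass.conf, then prints the serverclass.conf path.
build_deploy_apps() {
    etc=$1
    apps="$etc/deployment-apps"
    # Step 1: directories for the four apps
    mkdir -p "$apps/fflanda_win_inputs/default" "$apps/fflanda_win_outputs/default" \
             "$apps/fflanda_linux_inputs/default" "$apps/fflanda_linux_outputs/default" \
             "$etc/system/local"

    # Step 3 (Windows): monitor the System event log, send everything to SPLUNK1
    cat > "$apps/fflanda_win_inputs/default/inputs.conf" <<EOF
[WinEventLog://System]
disabled = 0
EOF
    cat > "$apps/fflanda_win_outputs/default/outputs.conf" <<EOF
[tcpout]
defaultGroup = splunk1

[tcpout:splunk1]
server = $SPLUNK1
EOF

    # Step 3 (Linux): monitor /var/log/messages, send everything to SPLUNK2
    cat > "$apps/fflanda_linux_inputs/default/inputs.conf" <<EOF
[monitor:///var/log/messages]
disabled = 0
sourcetype = syslog
EOF
    cat > "$apps/fflanda_linux_outputs/default/outputs.conf" <<EOF
[tcpout]
defaultGroup = splunk2

[tcpout:splunk2]
server = $SPLUNK2
EOF

    # Step 2: server classes. whitelist.<n> matches the client name the forwarder
    # reports; restartSplunkd makes the forwarder restart so the apps take effect.
    cat > "$etc/system/local/serverclass.conf" <<EOF
[serverClass:Fflanda-WIN]
whitelist.0 = Fflanda-WIN1

[serverClass:Fflanda-WIN:app:fflanda_win_inputs]
restartSplunkd = true

[serverClass:Fflanda-WIN:app:fflanda_win_outputs]
restartSplunkd = true

[serverClass:Fflanda-LINUX]
whitelist.0 = Fflanda-LINUX1
whitelist.1 = Fflanda-LINUX2

[serverClass:Fflanda-LINUX:app:fflanda_linux_inputs]
restartSplunkd = true

[serverClass:Fflanda-LINUX:app:fflanda_linux_outputs]
restartSplunkd = true
EOF
    printf '%s\n' "$etc/system/local/serverclass.conf"
    # Step 4, on the live deployment server:
    #   splunk reload deploy-server
}

# apps_for_class SERVERCLASS_CONF CLASS: list the app names mapped to CLASS, in file order
apps_for_class() {
    sed -n "s/^\[serverClass:$2:app:\(.*\)\]\$/\1/p" "$1"
}
```

Two practitioner caveats on this layout. Everything under deployment-apps is pushed verbatim to every matching forwarder, scripts included, so the deployment server's file system and its management port are a high-value target and should be restricted accordingly. And the outputs.conf above sends data over plain TCP 9997, exactly like the post's own example; for anything beyond a lab, add the TLS settings in the [tcpout] stanza (sslRootCAPath, clientCert, sslVerifyServerCert) so a forwarder can only deliver to the indexers it expects.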