
Splunk Enterprise log service / Splunk Forwarder universal forwarder: deployment clients

1: First, refer to the official example: https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Extendedexampledeployseveralstandardforwarders

First, look at the architecture:


2: My own architecture:

HOSTNAME  IP ADDRESS  FUNCTION   Port  Comments
ds01      172.18.0.4  DS         8001  Manage forwarder
uf1       172.18.0.3  forwarder        Xinxin app
fd01      172.18.0.2  forwarder        Rong app
sh01      172.18.0.5  forwarder

The problem I saw when opening Forwarder Management on the DS:


Solution:

Create deploymentserver/local/serverclass.conf under /opt/splunk/etc/deployment-apps/,

remove the serverclass.conf under /opt/splunk/etc/system/local, and reload:

splunk reload deploy-server

You can see the error is gone:


I finally realized that the app names shown above are simply the folder names under /opt/splunk/etc/deployment-apps.

3: Edit serverclass.conf:

[root@ds01 local]# cat /opt/splunk/etc/deployment-apps/deploymentserver/local/serverclass.conf
[global]
stateOnClient = enabled
blacklist.0=*

[serverClass:xinxin]
restartSplunkd = true
whitelist.0=*

[serverClass:xinxin:app:Rong]
stateOnClient = enabled
[root@ds01 local]#

If you add it through the GUI instead, a serverclass.conf file is generated automatically under /opt/splunk/etc/system/local:

4: Create a new server class from "Forwarder Management":

I found that creating it through the graphical interface is very convenient: https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Useforwardermanagement


5: Reading the docs, I found that serverclass.conf lives under /opt/splunk/etc/system/local by default:

Create server classes - Splunk Documentation: https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Definedeploymentclasses

When you use forwarder management to create a new server class, it saves the server class definition in a copy of serverclass.conf under $SPLUNK_HOME/etc/system/local. If, instead of using forwarder management, you decide to directly edit serverclass.conf, it is recommended that you create the serverclass.conf file in that same directory, $SPLUNK_HOME/etc/system/local.

So that explains why the settings in serverclass.conf did not take effect: the file was in the wrong location.

6: Now add the clients:

On the machine where the universal forwarder is installed (if you are using Docker, this is actually enough):

docker run --network skynet --name uf1 --hostname uf1 -e "SPLUNK_PASSWORD=sheng2020"  -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_STANDALONE_URL=so1"  -it splunk/universalforwarder:latest

The command above installs a Linux forwarder; see: https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Extendedexampledeployseveralstandardforwarders

Edit under /opt/splunk/etc/system/local (on the uf1 server just created above):

/opt/splunk/etc/system/local# cat deploymentclient.conf
[deployment-client]
disabled = false
phoneHomeIntervalInSecs = 60

[target-broker:deploymentServer]
targetUri = 172.18.0.4:8089

Then restart this forwarder server (the deployment client), and the following appears on the deployment server:


7: Now configure different apps so that different client servers send their data to the corresponding indexer:

1. Create $SPLUNK_HOME/etc/deployment-apps/xinxin/default/outputs.conf with the following settings:

[root@ds01 default]# cat outputs.conf
[tcpout]
defaultGroup = uf1_indexers

# the group stanza name must match defaultGroup above, otherwise nothing is forwarded
[tcpout:uf1_indexers]
server = 172.18.0.3:9997

2. Create $SPLUNK_HOME/etc/deployment-apps/Rong/default/outputs.conf with the following settings:

[root@ds01 default]# cat outputs.conf
[tcpout]
defaultGroup = fd01_indexers

[tcpout:fd01_indexers]
server = 172.18.0.5:9997
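Before reloading the deployment server, it is worth checking the two .conf files for the mistakes that cost time in this walkthrough. The following is an added example, not code from the original post or from Splunk: a small Python checker that parses Splunk .conf text, verifies that every group named in an outputs.conf defaultGroup has a matching [tcpout:<group>] stanza (the Rong outputs.conf above has the correct shape), and verifies that every app stanza in serverclass.conf has a parent server class and a folder under deployment-apps (the naming rule discovered in step 2). The sample .conf strings and the folder-name set are constructed; the constructed outputs.conf deliberately names a group that has no stanza.

```python
# Added example, not from the original post: a checker for the Splunk .conf files in this walkthrough.
# It flags a defaultGroup with no [tcpout:<group>] stanza and a server-class app with no deployment-apps folder.
import re

def parse_conf(text):
    """Minimal parser for Splunk .conf text -> {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def check_outputs(text):
    """Problems in outputs.conf: every group named in defaultGroup needs a [tcpout:<group>] stanza."""
    conf = parse_conf(text)
    groups = {s.split(":", 1)[1] for s in conf if s.startswith("tcpout:")}
    default = conf.get("tcpout", {}).get("defaultGroup")
    if not default:
        return ["[tcpout] has no defaultGroup, so nothing will be forwarded"]
    return [f"defaultGroup '{g.strip()}' has no [tcpout:{g.strip()}] stanza"
            for g in default.split(",") if g.strip() not in groups]

def check_serverclass(text, deployment_apps):
    """Problems in serverclass.conf: app stanzas need a parent class and a deployment-apps folder."""
    conf = parse_conf(text)
    classes = {s.split(":")[1] for s in conf if re.fullmatch(r"serverClass:[^:]+", s)}
    problems = []
    for stanza in conf:
        m = re.fullmatch(r"serverClass:([^:]+):app:(.+)", stanza)
        if m and m.group(1) not in classes:
            problems.append(f"'{stanza}' has no [serverClass:{m.group(1)}] parent")
        if m and m.group(2) not in deployment_apps:
            problems.append(f"app '{m.group(2)}' is not a folder under deployment-apps")
    return problems

# Constructed samples: this outputs.conf deliberately names a group that has no stanza.
MISMATCHED_OUTPUTS = "[tcpout]\ndefaultGroup = uf1_indexers\n[tcpout:dr_indexers]\nserver = 172.18.0.3:9997\n"
SERVERCLASS = ("[global]\nstateOnClient = enabled\nblacklist.0=*\n[serverClass:xinxin]\n"
               "whitelist.0=*\n[serverClass:xinxin:app:Rong]\nstateOnClient = enabled\n")
DEPLOYMENT_APPS = {"xinxin", "Rong", "deploymentserver"}  # folder names under deployment-apps, constructed
if __name__ == "__main__":
    for problem in check_outputs(MISMATCHED_OUTPUTS) + check_serverclass(SERVERCLASS, DEPLOYMENT_APPS):
        print("PROBLEM:", problem)
```

On a real deployment server, read the file contents with open() and build the folder set from os.listdir of $SPLUNK_HOME/etc/deployment-apps instead of the constructed values.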

8: Reload the deployment server:

splunk reload deploy-server

9: Searching on the Search page still did not find fd01 or uf1, so check the forward-server list.

Note: run this on the forwarder client machine:

[root@uf1 splunkforwarder]# splunk list forward-server
Active forwards:
        None
Configured but inactive forwards:
        172.18.0.5:9997
        so1:9997
[root@uf1 splunkforwarder]#

Note: the two clients uf1 and fd01 showed up in the app client list above because port 8089 was configured there, so they could connect; this time the port in question is 9997.

[root@uf1 splunkforwarder]# splunk add forward-server 172.18.0.4:9997

Added forwarding to: 172.18.0.4:9997.

Then restart this forwarder client and list the forward-servers again:

[root@uf1 splunkforwarder]# splunk list forward-server
Active forwards:
        172.18.0.4:9997
Configured but inactive forwards:
        172.18.0.5:9997
        so1:9997
[root@uf1 splunkforwarder]#

10: Check the search results:

You can see that uf1 can now be searched from this DS server:


11: Next, following https://docs.splunk.com/Documentation/Forwarder/7.2.0/Forwarder/HowtoforwarddatatoSplunkEnterprise

Start a new forward client, then run on it: ./splunk set deploy-poll 172.18.0.4:8089

You can see deploymentclient.conf generated under /etc/splunkforward/etc/system/local/, which means it succeeded.

It then appears on the DS (deployment server) page,

although no app or server class has been added to this client yet:


12: References:

How to forward data to Splunk Enterprise - Splunk Documentation: https://docs.splunk.com/Documentation/Forwarder/7.2.0/Forwarder/HowtoforwarddatatoSplunkEnterprise

Environment setup: installing Splunk Enterprise log service / Splunk Forwarder universal forwarder deployment client on Mac - 程序猿的漫漫长路

Extended example: Deploy configurations to several forwarders - Splunk Documentation: https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Extendedexampledeployseveralstandardforwarders