[Support] atunnecliffe - Splunk



Hey @tknx

First configure Splunk to listen for TCP/UDP 514, make sure you set an index for the data. https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports#Add_a_network_input_using_Splunk_Web

 

Then add a port mapping in your docker config for the Splunk container. In the edit screen for the container, click "add a port, path, variable, label, or device" and fill it out appropriately, perhaps like the image I've attached. In my example I've mapped the container's port 514 to the local br0 port 10514.

 

In unRAID's syslog settings (settings --> syslog) under "remote syslog server", type in the IP of your unRAID server, and set the port to the mapped port, in our example 10514.

 

Then the data should be available in Splunk under the index you specified when creating the listener.

 

Hope this helps
 



That should work. There are two things you can check:

 

1. Make sure the port is actually open/listening. Just open a terminal to the docker container and check netstat to make sure port 514 is open and listening. I just added 514 to my server, you can see it listed below as being open.

/opt/splunk # netstat -anp | grep splunkd | grep 'LISTEN\|udp'
tcp        0      0 0.0.0.0:9997            0.0.0.0:*               LISTEN      71/splunkd
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      71/splunkd
tcp        0      0 0.0.0.0:8089            0.0.0.0:*               LISTEN      71/splunkd
tcp        0      0 0.0.0.0:8088            0.0.0.0:*               LISTEN      71/splunkd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           71/splunkd
/opt/splunk #

 

2. Send a test syslog message. I'm sending to 10514 because that's what I mapped the port to as described in my previous post. You should send to your custom IP:514, because that's what you have configured.

Something like:

~ >>> nc -v -u 192.168.1.121 10514
hi, i'm sending some data to my syslog listener
wow!
^CExiting.
~ took 10s >>>

 

Check if it lands in the index. It should, mine did just fine.


 

If this works for you then the problem lies elsewhere, perhaps ask in a broader unRAID support section about remote syslogging.

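The two checks above, plus the port mapping from the first post, as an added example (this is not code from the original thread): a small POSIX shell script that reads `netstat -anp` output and confirms a UDP socket is bound on 514, then sends a test message formatted per RFC 3164 (PRI header, timestamp, host, tag) instead of bare text, so Splunk's syslog parsing picks up a timestamp and host and the message is easy to find by a unique marker. The host IP 192.168.1.121, mapped port 10514, container name `splunk` and index `unraid` are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumptions: Splunk listens on UDP 514 inside a container named "splunk",
# mapped to host port 10514; host IP 192.168.1.121 and index "unraid" are
# placeholders.

# listener_open PORT [PROTO]
# Read `netstat -anp` output on stdin; return 0 if a socket of PROTO
# (default udp; tcp6/udp6 also match) is bound to PORT on any address.
listener_open() {
    awk -v port="$1" -v proto="${2:-udp}" '
        $1 ~ ("^" proto) && $4 ~ (":" port "$") { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# syslog_pri FACILITY SEVERITY
# RFC 3164 section 4.1.1: PRI = facility * 8 + severity (user.info = 14).
syslog_pri() {
    echo $(( $1 * 8 + $2 ))
}

# syslog_msg FACILITY SEVERITY HOST TAG TEXT...
# Build one RFC 3164 line: <PRI>Mmm dd hh:mm:ss HOST TAG: TEXT
syslog_msg() {
    fac="$1"; sev="$2"; host="$3"; tag="$4"; shift 4
    ts=$(date '+%b %e %H:%M:%S')   # space-padded day, e.g. "Mar  3 14:05:09"
    printf '<%s>%s %s %s: %s' "$(syslog_pri "$fac" "$sev")" "$ts" "$host" "$tag" "$*"
}

# send_test_msg HOST PORT
# Send one user.info message carrying a unique marker, then print the
# Splunk search that should return exactly that event.
send_test_msg() {
    marker="splunk-syslog-test-$(date +%s)-$$"
    syslog_msg 1 6 "$(hostname)" unraid-test "$marker" | nc -u -w1 "$1" "$2"
    echo "Now search Splunk: index=unraid \"$marker\""
}

main() {
    if docker exec splunk netstat -anp | listener_open 514 udp; then
        echo "udp/514 is listening inside the container"
    else
        echo "udp/514 is NOT listening inside the container"
        return 1
    fi
    send_test_msg 192.168.1.121 10514
}

# Run the live checks only when invoked as: sh check_syslog.sh run
case "${1:-}" in
    run) main ;;
esac
```

`nc -u -w1` sends the datagram and gives up after one idle second, which is what you want for UDP where there is never a reply; if the message does not show up under the index, the listener and port mapping are the first things to re-check, since UDP gives no delivery error.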
  • 3 months later...

When I modify the container and it gets rebuilt, I lose all of the reports and dashboards I have created.  The password also gets reset to default and I have to reconfigure the trial license.

 

Is there any way to retain all of these things on rebuild so I don't have to keep reconfiguring and storing copies of my report/dashboard SPL elsewhere?

 

EDIT:

To clarify - my indexes, datasets, and installed apps are all preserved.  So some of my configurations are persistent, just not (most importantly) reports and dashboards.  Perhaps my docker configuration is wrong, but it seems pretty straight forward...


Figured this out myself.

My reports were saved with permissions as user and user data is not persisted.

 

I had to add the following to a path variable to persist its data:

/opt/splunk/etc/users

 

As for saving the admin password, license, and free license configuration, I had to add the following paths:

/opt/splunk/etc/licenses

/opt/splunk/etc/system

 

Now when I recreate the container I do not have to reset the password or reapply the free license.

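The persistence fix above, turned into a check you can run before rebuilding the container (added example, not code from the original thread): it lists the container's mount destinations with `docker inspect`'s Go template and reports any of the three paths from the post that is not itself a mount or under a mounted parent. The container name `splunk` is an assumption for this example.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumption: the Splunk container is named "splunk".

# Directories that must be bind-mounted so reports/dashboards, the admin
# password and the license survive a container rebuild (from the post above).
PERSIST_PATHS="/opt/splunk/etc/users /opt/splunk/etc/licenses /opt/splunk/etc/system"

# missing_mounts "MOUNTED..." "REQUIRED..."
# Print each required container path that is neither one of the mounted
# destinations nor inside a mounted parent directory. Returns 1 if any
# path is missing, 0 if everything is covered.
missing_mounts() {
    mounted="$1"; required="$2"; rc=0
    for req in $required; do
        covered=0
        for m in $mounted; do
            m=${m%/}   # tolerate a trailing slash on the mount destination
            case "$req" in
                "$m"|"$m"/*) covered=1 ;;
            esac
        done
        if [ "$covered" -eq 0 ]; then
            echo "$req"
            rc=1
        fi
    done
    return $rc
}

# container_mounts NAME
# Space-separated destinations of every mount in the container,
# from docker inspect's Go template over .Mounts.
container_mounts() {
    docker inspect --format '{{range .Mounts}}{{.Destination}} {{end}}' "$1"
}

# check_container [NAME]
# Compare the container's mounts against PERSIST_PATHS and report.
check_container() {
    name="${1:-splunk}"
    if out=$(missing_mounts "$(container_mounts "$name")" "$PERSIST_PATHS"); then
        echo "all persistent paths are mounted in $name"
    else
        echo "NOT persisted in $name (add a path mapping for each):"
        echo "$out"
        return 1
    fi
}

# Run against a live container only when invoked as: sh check_mounts.sh run [NAME]
case "${1:-}" in
    run) check_container "$2" ;;
esac
```

A single mapping of `/opt/splunk/etc` would also satisfy the check, since every required path is under it; the post's three narrower mappings are the minimum that keeps user-owned reports, the license and the system-level config across a rebuild.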
  • 1 year later...

Greetings. I am trying to troubleshoot an issue, but the docker seems to be missing a required package and so I cannot run splunk diag.

Here is the error:
libgcc_s.so.1 must be installed for pthread_cancel to work

 

It appears I have no means of getting/installing this from the console. Any assistance would be greatly appreciated.

Thanks!
