Ryan.Bartsch

Reputation: 4200

Configure enterprise Splunk in docker, so services can log to HTTP Event Collector over HTTP

I'm trying to set up and configure enterprise Splunk in docker for local testing. I want to be able to send logs to the HTTP event collector (HEC) via the docker logging provider for splunk - see here.

I can configure a HEC token by specifying SPLUNK_HEC_TOKEN as an environment variable when I run the splunk container (see docker-compose below), but I want to be able to call the HEC endpoint over HTTP (i.e. without SSL). If SSL is enabled in /opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf, my test service (see docker-compose below) doesn't work - I get the following error:

Error response from daemon: failed to initialize logging driver: Options https://localhost:8088/services/collector/event/1.0: x509: cannot validate certificate for localhost because it doesn't contain any IP SANs.

My docker-compose file looks like this:

version: '3.5'

networks:
   skynet:

services:

   splunk:
      image: splunk/splunk:latest
      environment:
         SPLUNK_START_ARGS: "--accept-license"
         SPLUNK_PASSWORD: $SPLUNK_PASSWORD
         SPLUNK_HEC_TOKEN: $SPLUNK_HEC_TOKEN
      ports:
         - 8000:8000
         - 8088:8088
      networks:
         - skynet

   test:
      image: ryans/test-service
      depends_on:
         - splunk
      environment:
         WAIT_FOR_IT: http://localhost:8000
      ports:
         - 5001:5001
      logging:
         driver: splunk
         options:
            splunk-url: https://localhost:8088
            splunk-token: $SPLUNK_HEC_TOKEN
            splunk-insecureskipverify: 'true'
      networks:
         - skynet

Interestingly, if I comment out my test service and just run docker-compose with only the Splunk container, I can call the Splunk HEC URL over HTTPS using cURL, e.g.

curl -k https://localhost:8088/services/collector -H 'Authorization: Splunk abcd1234' -d '{"event": "Hello from event collector"}'

In the Splunk web interface, if I go to Settings > Data Inputs > HTTP Event Collector > Global Settings and explicitly disable Enable SSL, I can then send logs to the HEC endpoint over HTTP (using cURL), and I can bring up my test service without error (and logs start coming through to Splunk).

docker run -p 5001:5001 --log-driver=splunk --log-opt splunk-token=abcd1234 --log-opt splunk-url=http://localhost:8088 ryans/test-service

My question is how can I get the Enable SSL setting to default to disabled/off?

FYI, I tried overriding the splunk/splunk docker image to manually set enableSSL in /opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf, but for some reason (when I exec into the running container) it's reverted back to enabled/on, i.e. enableSSL = 1...

Dockerfile:

FROM splunk/splunk:latest
COPY ./inputs.conf /opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf

inputs.conf:

[http]
disabled = 0
enableSSL = 0

[http://splunk_hec_token]
disabled = 0
token = abcd1234

Upvotes: 1

Views: 2805

Answers (1)

im_baby

Reputation: 988

Have you tried using a default.yml as detailed here?

https://splunk.github.io/docker-splunk/ADVANCED.html#usage

Example

splunk:
  hec:
    enable: True
    ssl: false
    port: 8088
    # hec.token is used only for ingestion (receiving Splunk events)
    token: <default_hec_token>

Upvotes: 2
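Wiring that default.yml into the compose file from the question, as an added example that is neither the asker's, the answerer's, nor docker-splunk's own code: it assumes default.yml is the answer's snippet with `token:` set to the same value as $SPLUNK_HEC_TOKEN, and that the image picks the file up from /tmp/defaults/default.yml (the mount path I recall from the docker-splunk documentation; treat it as an assumption). With HEC SSL off, the logging driver talks plain HTTP, so splunk-insecureskipverify is no longer needed, and because the token then travels in cleartext the published ports are bound to 127.0.0.1 rather than every interface.

```yaml
version: '3.5'

networks:
   skynet:

services:

   splunk:
      image: splunk/splunk:latest
      environment:
         SPLUNK_START_ARGS: "--accept-license"
         SPLUNK_PASSWORD: $SPLUNK_PASSWORD
         # SPLUNK_HEC_TOKEN is not set here: the HEC token now comes from default.yml
      volumes:
         # default.yml from the answer (hec.ssl: False); mount path is an assumption
         - ./default.yml:/tmp/defaults/default.yml:ro
      ports:
         # bind to the loopback interface only: HEC traffic (and the token) is now unencrypted
         - 127.0.0.1:8000:8000
         - 127.0.0.1:8088:8088
      networks:
         - skynet

   test:
      image: ryans/test-service
      depends_on:
         - splunk
      environment:
         WAIT_FOR_IT: http://localhost:8000
      ports:
         - 127.0.0.1:5001:5001
      logging:
         driver: splunk
         options:
            # plain HTTP, as in the working docker run command from the question;
            # no certificate is presented, so splunk-insecureskipverify is dropped
            splunk-url: http://localhost:8088
            splunk-token: $SPLUNK_HEC_TOKEN
      networks:
         - skynet
```

The docker logging driver runs in the host's dockerd, so localhost:8088 in splunk-url refers to the port published on the host, not to the test container.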
