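#!/bin/sh
# Container entrypoint for a Splunk image that also runs under OpenShift's
# arbitrary-UID policy.
#
# Order of operations:
#   1. Add a passwd entry for the current UID when `whoami` cannot resolve it.
#   2. If any argument was given, exec it and stop (plain entrypoint behaviour).
#   3. Otherwise apply the timezone, install Splunk from the tarball the base
#      image downloaded (first boot only), write container-specific settings,
#      start Splunk and tail splunkd.log to keep the container alive.
#
# Environment:
#   USER_NAME        name used for the synthesised passwd entry (default "default")
#   TZ               timezone name under /usr/share/zoneinfo (optional)
#   DOWNLOAD_TARGET  URL/path of the Splunk tarball; "splunk-<version>" is
#                    extracted from it to locate the archive
#   SPLUNK_HOME      Splunk install directory; the archive is expected at
#                    $SPLUNK_HOME/splunk-<version>.tar.gz (required)
#   ADMIN_PASSWORD   admin password seeded via user-seed.conf
#   SPLUNK_CLI_ARGS  extra words appended to `splunk start` (word-split on purpose)
#
# POSIX sh only. The original `whoami &> /dev/null` is a bash redirection;
# dash parses it as a background job followed by `> /dev/null`, so the
# passwd fix never ran. Everything below sticks to portable syntax.

#######################################
# Add a passwd entry for the current UID when the user cannot be resolved.
# Only possible when /etc/passwd is writable (e.g. made group-writable in
# the image); otherwise this is a silent no-op, as before.
#######################################
ensure_passwd_entry() {
  if ! whoami >/dev/null 2>&1; then
    if [ -w /etc/passwd ]; then
      printf '%s:x:%s:0:%s user:%s:/sbin/nologin\n' \
        "${USER_NAME:-default}" "$(id -u)" "${USER_NAME:-default}" "$HOME" >>/etc/passwd
    fi
  fi
}

#######################################
# Apply $TZ to /etc/localtime and /etc/timezone when it is set.
# An unset TZ previously made `cp` fail on the zoneinfo directory itself;
# now it is simply skipped, and a failed copy is reported on stderr.
#######################################
set_timezone() {
  if [ -n "${TZ:-}" ]; then
    if cp "/usr/share/zoneinfo/$TZ" /etc/localtime; then
      printf '%s\n' "$TZ" >/etc/timezone
    else
      printf 'warning: could not apply TZ=%s\n' "$TZ" >&2
    fi
  fi
}

#######################################
# Derive the "splunk-<version>" archive stem from $DOWNLOAD_TARGET.
# Outputs: the stem on stdout. When the pattern does not match, sed passes
#          the input through unchanged (same as the original backtick form).
#######################################
archive_stem() {
  printf '%s\n' "${DOWNLOAD_TARGET:-}" | sed -r 's/^.+(splunk-[^-]+).+$/\1/g'
}

#######################################
# Unpack the Splunk archive into /opt and write container-specific settings.
# Arguments: $1 - path to the splunk-<version>.tar.gz archive
# Exits 1 if extraction fails; writing config into a missing tree and then
# starting Splunk would only fail later with a less useful message.
#######################################
install_splunk() {
  splunk_archive=$1
  printf 'Installing Splunk...\n'
  if ! tar xzf "$splunk_archive" -C /opt; then
    printf 'error: could not extract %s, killing container...\n' "$splunk_archive" >&2
    exit 1
  fi
  # The original had a stray "~" here (PATH=$PATH:~$SPLUNK_HOME/bin), which
  # put a literal "~/opt/..." entry on PATH.
  PATH=$PATH:$SPLUNK_HOME/bin

  printf 'Applying Docker optimisations...\n'
  # Fix "unusable filesystem" when splunkd creates files, and keep the
  # indexes on the /splunkdata volume.
  printf '\nOPTIMISTIC_ABOUT_FILE_LOCKING = 1\nSPLUNK_DB=/splunkdata' >>"$SPLUNK_HOME/etc/splunk-launch.conf"
  # Keep KVStore on non-persistent storage: its key file never gets the right
  # permissions when it lives on the volume. The path goes through %s so a
  # "%" in SPLUNK_HOME cannot be read as a printf directive.
  printf '\n[kvstore]\ndbPath = %s/var/lib/splunk/kvstore' "$SPLUNK_HOME" >>"$SPLUNK_HOME/etc/system/local/server.conf"

  # Seed the admin password. Until Splunk has consumed this file it holds the
  # password in clear text, so create it owner-readable only (umask in a
  # subshell leaves the script's umask untouched).
  if [ -z "${ADMIN_PASSWORD:-}" ]; then
    printf 'warning: ADMIN_PASSWORD is empty; seeding an empty admin password\n' >&2
  fi
  (
    umask 077
    printf '[user_info]\nUSERNAME = admin\nPASSWORD = %s' "$ADMIN_PASSWORD" >"$SPLUNK_HOME/etc/system/local/user-seed.conf"
  )

  # Reduce/remove log noise:
  #   - splunkd hitting its own web interface
  #   - Splunk changing target indexer successfully
  #   - deploymentserver phonehome successfully
  #   - historical log files reduced from 5 to 1
  # TODO: remove UI access logs as kube-probe health checks hit them constantly and it's useless noise
  printf '[splunkd]\ncategory.AutoLoadBalancedConnectionStrategy=WARN\ncategory.HttpPubSubConnection=WARN\ncategory.UiHttpListener=ERROR\ncategory.TcpOutputProc=WARN\nappender.license_usage_maxBackupIndex=1\nappender.license_usage_summary.maxBackupIndex=1\nappender.metrics.maxBackupIndex=1\nappender.audittrail.maxBackupIndex=1\nappender.accesslog.maxBackupIndex=1\nappender.uiaccess.maxBackupIndex=1\nappender.scheduler.maxBackupIndex=1\nappender.remotesearches.maxBackupIndex=1\nappender.idata_ResourceUsage.maxBackupIndex=1\nappender.conf.maxBackupIndex=1\nappender.idata_DiskObjects.maxBackupIndex=1\nappender.idata_KVStore.maxBackupIndex=1\nappender.kvstore_appender.maxBackupIndex=1\nappender.idata_HttpEventCollector.maxBackupIndex=1\nappender.healthreporter.maxBackupIndex=1\nappender.watchdog_appender.maxBackupIndex=1' >"$SPLUNK_HOME/etc/log-local.cfg"

  # Disable the hadoop archiver scheduled search.
  mkdir -p "$SPLUNK_HOME/etc/apps/splunk_archiver/local"
  printf '[Bucket Copy Trigger]\ndisabled = 1' >"$SPLUNK_HOME/etc/apps/splunk_archiver/local/savedsearches.conf"
  # Disable the journald input; it is not relevant to this OS.
  mkdir -p "$SPLUNK_HOME/etc/apps/journald_input/local"
  printf '[journald]\ndisabled = 1' >"$SPLUNK_HOME/etc/apps/journald_input/local/inputs.conf"
  printf '[install]\nstate = disabled' >"$SPLUNK_HOME/etc/apps/journald_input/local/app.conf"
}

#######################################
# Entrypoint. Arguments, if any, are exec'd in place of this script.
#######################################
main() {
  ensure_passwd_entry

  # A command passed to the entrypoint replaces this script. With no
  # arguments the original unconditional `exec "$@"` was a no-op and the
  # bootstrap below ran; this branch makes that intent explicit.
  if [ "$#" -gt 0 ]; then
    exec "$@"
  fi

  set_timezone

  : "${SPLUNK_HOME:?SPLUNK_HOME must be set}"
  # The original tested "$FILE.tar.gz" relative to the working directory but
  # extracted "$SPLUNK_HOME/$FILE.tar.gz"; both now use the same path.
  splunk_stem=$(archive_stem)
  splunk_tarball="$SPLUNK_HOME/$splunk_stem.tar.gz"
  if [ ! -f "$splunk_tarball" ]; then
    printf '%s does not exist, was it correctly downloaded in the base image? Killing container...\n' "$splunk_tarball" >&2
    exit 1
  fi
  printf '%s exists, no need to download again.\n' "$splunk_tarball"

  if [ -f "$SPLUNK_HOME/bin/splunk" ]; then
    printf 'Splunk appears installed, no need to reinstall.\n'
  else
    install_splunk "$splunk_tarball"
  fi

  printf 'Starting Splunkd...\n'
  # Use the same binary the install check looked for (the original hard-coded
  # /opt/splunk/bin/splunk regardless of SPLUNK_HOME).
  # shellcheck disable=SC2086 -- SPLUNK_CLI_ARGS is intentionally word-split
  "$SPLUNK_HOME/bin/splunk" start ${SPLUNK_CLI_ARGS:-}

  # Keep the container running; exec so tail becomes PID 1 and receives
  # container stop signals directly.
  exec tail -f "$SPLUNK_HOME/var/log/splunk/splunkd.log"
}

main "$@"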