https://community.splunk.com/t5/Getting-Data-In/ERROR-ExecProcessor-message-from-quot-opt-splunk-etc-apps-ta/m-p/323153#M60190 <P>Hi All, </P> <P>We are using Docker <CODE>Swarm</CODE> on <CODE>Ubuntu 16.04</CODE><BR /> I'm starting my forwarder stack with below YML file. </P> <PRE><CODE>version: '3' services: splunk-forwarder: image: splunk/universalforwarder:7.0.0-monitor ports: - "514:1514/udp" deploy: replicas: 2 environment: SPLUNK_START_ARGS: --accept-license --answer-yes SPLUNK_FORWARD_SERVER: "server:9997" SPLUNK_USER: root volumes: - opt-splunk-etc:/opt/splunk/etc - opt-splunk-var:/opt/splunk/var volumes: opt-splunk-etc: opt-splunk-var: </CODE></PRE> <P>After running stack deploy </P> <PRE><CODE>sudo docker stack deploy -c stack-file.yml kiran </CODE></PRE> <P>All the containers are propagated with the following error, can you please take a look? </P> <PRE><CODE>04-07-2018 00:52:17.485 +0000 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/ta-dockerstats/bin/docker_service.sh" /opt/splunk/etc/apps/ta-dockerstats/bin/docker_service.sh: line 10: docker: command not found 04-07-2018 00:52:17.505 +0000 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/ta-dockerstats/bin/docker_events.sh" Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running? 04-07-2018 00:52:17.506 +0000 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/ta-dockerstats/bin/docker_top.sh" Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running? </CODE></PRE> <P>What I'm missing? I'm running this on an Ubuntu 16.4 machine. </P> <P>Is that a permission issue? </P> <P>I already added ENV <CODE>SPLUNK_USER: root</CODE></P> <P>I tried <CODE>sudo usermod -aG docker $USER</CODE> but that didn't help. </P> <P>Thanks in advance<BR /> Kiran</P> Sat, 07 Apr 2018 00:51:36 GMT eygtmbot 2018-04-07T00:51:36Z https://community.splunk.com/t5/Getting-Data-In/ERROR-ExecProcessor-message-from-quot-opt-splunk-etc-apps-ta/m-p/323153#M60190 <P>Hi All, </P> <P>We are using Docker <CODE>Swarm</CODE> on <CODE>Ubuntu 16.04</CODE><BR /> I'm starting my forwarder stack with below YML file. </P> <PRE><CODE>version: '3' services: splunk-forwarder: image: splunk/universalforwarder:7.0.0-monitor ports: - "514:1514/udp" deploy: replicas: 2 environment: SPLUNK_START_ARGS: --accept-license --answer-yes SPLUNK_FORWARD_SERVER: "server:9997" SPLUNK_USER: root volumes: - opt-splunk-etc:/opt/splunk/etc - opt-splunk-var:/opt/splunk/var volumes: opt-splunk-etc: opt-splunk-var: </CODE></PRE> <P>After running stack deploy </P> <PRE><CODE>sudo docker stack deploy -c stack-file.yml kiran </CODE></PRE> <P>All the containers are propagated with the following error, can you please take a look? </P> <PRE><CODE>04-07-2018 00:52:17.485 +0000 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/ta-dockerstats/bin/docker_service.sh" /opt/splunk/etc/apps/ta-dockerstats/bin/docker_service.sh: line 10: docker: command not found 04-07-2018 00:52:17.505 +0000 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/ta-dockerstats/bin/docker_events.sh" Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running? 04-07-2018 00:52:17.506 +0000 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/ta-dockerstats/bin/docker_top.sh" Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running? </CODE></PRE> <P>What I'm missing? I'm running this on an Ubuntu 16.4 machine. </P> <P>Is that a permission issue? </P> <P>I already added ENV <CODE>SPLUNK_USER: root</CODE></P> <P>I tried <CODE>sudo usermod -aG docker $USER</CODE> but that didn't help. </P> <P>Thanks in advance<BR /> Kiran</P> Sat, 07 Apr 2018 00:51:36 GMT https://community.splunk.com/t5/Getting-Data-In/ERROR-ExecProcessor-message-from-quot-opt-splunk-etc-apps-ta/m-p/323153#M60190 eygtmbot 2018-04-07T00:51:36Z https://community.splunk.com/t5/Getting-Data-In/ERROR-ExecProcessor-message-from-quot-opt-splunk-etc-apps-ta/m-p/323154#M60191 <P>You do not mount <CODE>/var/run/docker.sock</CODE> to the container from the host, also few more folders, you can find them in the docs <A href="https://hub.docker.com/r/splunk/universalforwarder/">https://hub.docker.com/r/splunk/universalforwarder/</A></P> <PRE><CODE> --volume /var/lib/docker/containers:/host/containers:ro \ --volume /var/log:/docker/log:ro \ --volume /var/run/docker.sock:/var/run/docker.sock:ro \ </CODE></PRE> <P>I see that this page also has a docker-compose example, but seems like this example is for general forwarder, not the forwarder with the scripts to collect docker metrics.</P> <HR /> <P>If you don't mind paid solutions, I would also recommend taking a look at our solution for Monitoring Docker <A href="https://www.outcoldsolutions.com">https://www.outcoldsolutions.com</A>. We have a free 30 days trial, instructions on how to install it <A href="https://www.outcoldsolutions.com/docs/monitoring-docker/">https://www.outcoldsolutions.com/docs/monitoring-docker/</A></P> Sun, 08 Apr 2018 15:39:54 GMT https://community.splunk.com/t5/Getting-Data-In/ERROR-ExecProcessor-message-from-quot-opt-splunk-etc-apps-ta/m-p/323154#M60191 outcoldman 2018-04-08T15:39:54Z https://community.splunk.com/t5/Getting-Data-In/ERROR-ExecProcessor-message-from-quot-opt-splunk-etc-apps-ta/m-p/323155#M60192 <P>I didn't try this but I made it work through the <CODE>Splunk</CODE> driver instead of <CODE>syslog</CODE>. May I know which one is the splunk recommendation. Splunk Forwarder or HTTP listener?</P> <P>Thanks,<BR /> Kiran</P> Tue, 17 Apr 2018 23:47:58 GMT https://community.splunk.com/t5/Getting-Data-In/ERROR-ExecProcessor-message-from-quot-opt-splunk-etc-apps-ta/m-p/323155#M60192 eygtmbot 2018-04-17T23:47:58Z https://community.splunk.com/t5/Getting-Data-In/ERROR-ExecProcessor-message-from-quot-opt-splunk-etc-apps-ta/m-p/323156#M60193 <P>Splunk Docker Driver is great for a start, but it has some limitations and its issues. As an example, it is not resistant to failures, in case of network failures, it will retry several times, but will give up at some point. <BR /> But if you will install Heavy Weight Forwarder as a side container on every host and use it as a target for your logs - you will reduce the possibility of network issues between the logging driver and Splunk. And Splunk itself knows how to buffer data before forwarding.<BR /> Using <CODE>syslog</CODE> in case if you can use Splunk Logging Driver does not make a lot of sense, because in case of Splunk logging driver you get more Splunk-friendly format, also can add pre-indexed fields from container labels. But there can be situations, where you want to use <CODE>syslog</CODE> - if you want to reassemble multiline messages into one.</P> <P>Saying that - still recommend to look on our solution <A href="https://www.outcoldsolutions.com">https://www.outcoldsolutions.com</A>, as we deal with all of these problems, and give you application monitoring on top of that. </P> Wed, 18 Apr 2018 14:59:10 GMT https://community.splunk.com/t5/Getting-Data-In/ERROR-ExecProcessor-message-from-quot-opt-splunk-etc-apps-ta/m-p/323156#M60193 outcoldman 2018-04-18T14:59:10Z