Getting Data In

Home Monitoring with Splunk on Docker

khandpi
New Member

Hey Guys

Very new to Splunk. I want to do the following

1) Install Splunk on Docker on my NAS (Have the basic one done I believe)

2) Forward my DD-WRT router logs to syslog-ng (?) or straight to splunk? I saw a addon, installed it but no data obviously to ingest.

3) Have other docker containers running on NAS - forward their logs to splunk?

Now

1) Do I need Splunk Forwarder docker setup as well?
2) How do I setup Router logs to be sent to forwarder and then to splunk?
3) Or do I install syslog-ng (any knowhow ? ) and then send logs to that and then how will splunk get it?
4) How do I get logs from other containers into splunk?

New to this and want to do a home setup with centralized monitoring on Splunk

Tags (2)
0 Karma

khandpi
New Member

Thanks.. I setup syslog-ng but nothing is coming to 514 port. I tried various commands to send a test message but syslog ain't recording it (can't see anything on disk). Need to figure that out first.

0 Karma

khandpi
New Member

Thanks @FrankVI

Can we use splunk to listen to 514 and send logs there instead of using rsyslog / syslog-ng? Something like http://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Monitornetworkports

Or is there an advantage of using a separate syslog?

0 Karma

FrankVl
Ultra Champion

Yes you can do that as well. It is typically not recommended (as you will have data loss during splunk restarts for one reason), so I kept my setup closer to best practice. But if you want to keep things simple, and are not worried about reliability that much for home use, a network input can also work.

0 Karma

FrankVl
Ultra Champion

Not too familiar with Docker, but I do have a somewhat similar use case at home, so let me outline how I solved that. It doesn't use Docker, but hopefully that still provides some pointers that you can use to answer some of your questions.

I have a linux VM running in Virtual Box on an Intel NUC. On this VM I have a syslog daemon (rsyslog in my case, but syslog-ng would also work) as well as a single instance Splunk Enterprise installation.

My router (and some other devices) send their syslog to the rsyslog daemon on the VM, rsyslog writes it to disk and Splunk is configured with file monitor inputs to pick it up from there.

To take a stab at your questions:
1: No, I don't think so. I don't see what that would add (apart from the educational purpose of working with a separate forwarder instance).
2+3: I think a setup with a syslog daemon (potentially running in docker) receiving the data and writing to a location on disk that is accessible by your Splunk docker instance would be the way to go.
4: Have the processes running in those other containers write to a disk location that is shared with the Splunk Docker container, such that Splunk can monitor it.

0 Karma
Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...