Getting Data In

Splunk windows docker image

Explorer

Dear Splunk team,

I am trying to pull the Docker Windows image. I can find only the Linux image in the Docker store.

https://store.docker.com/images/splunk

Where can I find the equivalent Windows Docker image?

Thanks.

Communicator

@splunksundar Splunk does not provide Windows images (as far as I know).

I am the original author of the Splunk Docker images (ex-Splunker). Our company (https://www.outcoldsolutions.com) provides tools for monitoring Docker, Kubernetes and OpenShift clusters in Splunk, and also consulting for topics related to Splunk + Docker/Kubernetes/OpenShift. I researched images for Windows a while ago, but because there was no need for them, I have not continued that. Feel free to send me an email at denis@outcoldsolutions.com; possibly I will be able to help you with getting these images for Windows.

0 Karma

Explorer

Thanks @outcoldman for the response.

One quick question:
Will Linux containers be able to talk & collect system metrics of Windows containers?

0 Karma

Communicator

@splunksundar sorry, I am a little bit confused by your question. You cannot run Linux containers on Windows Containers, and most of the software built for collecting metrics from Linux will not work for Windows, because of the OS differences. And we do not currently provide our containers for Windows, because of that. Depending on demand, we will probably do so at some point, but not right now.

I would suggest just trying to install the Splunk UF directly on the Windows host where you are going to run containers, with the Splunk Add-on for Microsoft Windows (https://splunkbase.splunk.com/app/742/). Considering that all processes (including the ones from containers) will run on the same kernel (if you aren't going to run them as Hyper-V containers), you should get all the information in Splunk.

0 Karma

Explorer

Thanks @outcoldman. Will try the approach you outlined.

0 Karma

Champion

Linux indexers and forwarders are capable of receiving logs forwarded by Windows machines already, so I can't imagine a scenario where that wouldn't be sufficient for you.

If you have a Windows container already, you should be able to install the Splunk Universal Forwarder inside it without issue. Splunk makes life easy when it comes to installing their product, as there are no external dependencies; they package all the libraries and executables needed in the installer you download from Splunk.

0 Karma

Splunk Employee

Installing the UF as part of your image should be pretty trivial. With the right pared-down config, it could be pretty efficient as well, while retaining the flexibility to expand capabilities, such as running a script or sniffing traffic.

I am thinking that WEF might be an option as well, if installing the UF turns out to be undesirable, or if you want to try and avoid any installs of packages in the container beyond whatever it's already doing. Then you could look at running a single WEC with a UF installed.

Generally I'd say the UF is the better option.

https://www.splunk.com/blog/2017/08/15/what-the-wef-choosing-windows-event-forwarding-or-splunk-univ...

https://answers.splunk.com/answers/526926/forwarding-logs-from-windows-event-collector.html

Otherwise, I'd assume there will eventually be some Azure flavor of integration that might be able to leverage other services/features.

0 Karma
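The "install the UF inside the Windows container with a pared-down config" approach from the last two answers, written out as an added example (not code from the thread, from Splunk, or from the answerers). It assumes a Windows Server Core base image, that the Universal Forwarder MSI downloaded from splunk.com sits in the build context under the hypothetical name splunkforwarder.msi, and that the indexer address, the wineventlog index and the admin password are placeholders you replace for your environment. The MSI properties used (AGREETOLICENSE, LAUNCHSPLUNK, RECEIVING_INDEXER, SPLUNKUSERNAME, SPLUNKPASSWORD) are the ones Splunk documents for silent installs of the Windows UF.

```dockerfile
# escape=`
# Added example: Windows Server Core image with the Splunk Universal Forwarder
# installed silently and only the event log channels this container needs enabled.
FROM mcr.microsoft.com/windows/servercore:ltsc2019
SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]

# Hypothetical file name: the UF MSI downloaded from splunk.com into the build context.
COPY splunkforwarder.msi C:\tmp\splunkforwarder.msi

# Placeholders for your environment, passed as build args rather than hard-coded.
ARG RECEIVING_INDEXER=indexer.example.internal:9997
ARG SPLUNK_PASSWORD

# Silent install with the documented MSI properties. LAUNCHSPLUNK=0 installs the
# SplunkForwarder service without starting it during the image build.
RUN $msiArgs = '/i C:\tmp\splunkforwarder.msi AGREETOLICENSE=Yes LAUNCHSPLUNK=0 ' + `
      ('RECEIVING_INDEXER="{0}" SPLUNKUSERNAME=admin SPLUNKPASSWORD="{1}" /quiet' -f $env:RECEIVING_INDEXER, $env:SPLUNK_PASSWORD); `
    $p = Start-Process msiexec.exe -ArgumentList $msiArgs -Wait -PassThru; `
    if ($p.ExitCode -ne 0) { throw ('UF install failed with exit code ' + $p.ExitCode) }; `
    Remove-Item C:\tmp\splunkforwarder.msi

# Pared-down inputs.conf: Security and System event logs only (index name is a placeholder
# that must exist on the receiving indexer).
RUN $lines = '[WinEventLog://Security]', 'disabled = 0', 'index = wineventlog', '', `
             '[WinEventLog://System]', 'disabled = 0', 'index = wineventlog'; `
    Set-Content -Path 'C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf' -Value $lines

# Start the forwarder service and keep the container alive only while it is running,
# so a crashed forwarder surfaces as a stopped container instead of silently losing logs.
CMD ["powershell", "-Command", "Start-Service SplunkForwarder; while ((Get-Service SplunkForwarder).Status -eq 'Running') { Start-Sleep -Seconds 30 }"]
```

Build it with `docker build --build-arg SPLUNK_PASSWORD=<value> -t uf-win .`. Note that a build arg is still recorded in the image history, so either treat this image as internal-only or set the admin password outside the build (for example from a secret at container start), and keep the MSI in the build context rather than downloading it at build time so the installer you ship is the one you verified.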