Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why am I encountering an Error on forwarding nginx container logs to Splunk forwarder?

eygtmbot
Engager
‎04-02-2018 06:03 PM

https://www.splunk.com/blog/2015/08/24/collecting-docker-logs-and-stats-with-splunk.html

With reference to this documentation, I'm trying to forward my container logs to Splunk forwarder listening on 514 port.

Forwarder Config
version: '2'

volumes:
  opt-splunk-etc:
  opt-splunk-var:

services:
  splunkuniversalforwarder:

    hostname: splunkuniversalforwarder
    image: splunk/universalforwarder:7.0.0
    environment:
      SPLUNK_START_ARGS: --accept-license --answer-yes
      SPLUNK_FORWARD_SERVER: "hostname:9997"

    volumes:
      - opt-splunk-etc:/opt/splunk/etc
      - opt-splunk-var:/opt/splunk/var
    ports:
      - "514:1514/udp"
      - "8000:8000"
      - "9997:9997"
      - "8088:8088"

after starting the container I'm running 

docker exec -it splunk_forwarder_1 entrypoint.sh splunk add udp 1514 -sourcetype syslog

but its giving a faliur message says

  root@splunk-forwarder:/home/splunk/docker-forwarer# docker exec -it dockerforwarer_splunkuniversalforwarder_1 entrypoint.sh splunk add udp 1514 -sourcetype syslog
    Splunk username: admin
    Password:
    Failed to create. Configuration for port 1514 already exists.

Splunk forwarder listerning on 514 syslog port 

root@splunk-forwarder:/home/splunk/docker-forwarer# netstat -lnp | grep 514
udp6       0      0 :::514                  :::*                                87192/docker-proxy

Here is the NGINX server I'm trying to forward logs from 

nginx:
  image: nginx
  ports:
    - 80:80
    - 443:443
  volumes_from:
    - vdata
  restart: always
  log_driver: syslog
  log_opt:
    syslog-tag: nginxproxy_nginx
    syslog-address: udp://127.0.0.1:514

When I'm starting the NGINX container its stuk on conneting to the syslog-address: udp://127.0.0.1:514
can you please let us know what I'm doing worng ?

Thanks,

0 Karma
Reply

p_gurav
Champion
‎04-02-2018 08:54 PM

its 1514 or 514?

0 Karma
Reply

eygtmbot
Engager
‎04-03-2018 10:24 AM

514, that is the place which I'm trying to forward logs.

ports:
- "514:1514/udp"

0 Karma
Reply

eygtmbot
Engager
‎04-03-2018 10:25 AM

Any issue on the udp6 ???
# netstat -lnp | grep 514
udp6 0 0 :::514 :::* 87192/docker-proxy

0 Karma
Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...