Getting Data In

Why am I encountering an Error on forwarding nginx container logs to Splunk forwarder?

eygtmbot
Engager

https://www.splunk.com/blog/2015/08/24/collecting-docker-logs-and-stats-with-splunk.html

With reference to this documentation, I'm trying to forward my container logs to Splunk forwarder listening on 514 port.

Forwarder Config
version: '2'

volumes:
  opt-splunk-etc:
  opt-splunk-var:

services:
  splunkuniversalforwarder:

    hostname: splunkuniversalforwarder
    image: splunk/universalforwarder:7.0.0
    environment:
      SPLUNK_START_ARGS: --accept-license --answer-yes
      SPLUNK_FORWARD_SERVER: "hostname:9997"

    volumes:
      - opt-splunk-etc:/opt/splunk/etc
      - opt-splunk-var:/opt/splunk/var
    ports:
      - "514:1514/udp"
      - "8000:8000"
      - "9997:9997"
      - "8088:8088"

After starting the container I'm running

docker exec -it splunk_forwarder_1 entrypoint.sh splunk add udp 1514 -sourcetype syslog

but it's giving a failure message that says

    root@splunk-forwarder:/home/splunk/docker-forwarer# docker exec -it dockerforwarer_splunkuniversalforwarder_1 entrypoint.sh splunk add udp 1514 -sourcetype syslog
    Splunk username: admin
    Password:
    Failed to create. Configuration for port 1514 already exists.

Splunk forwarder listening on syslog port 514

root@splunk-forwarder:/home/splunk/docker-forwarer# netstat -lnp | grep 514
udp6       0      0 :::514                  :::*                                87192/docker-proxy

Here is the NGINX server I'm trying to forward logs from

nginx:
  image: nginx
  ports:
    - 80:80
    - 443:443
  volumes_from:
    - vdata
  restart: always
  log_driver: syslog
  log_opt:
    syslog-tag: nginxproxy_nginx
    syslog-address: udp://127.0.0.1:514

When I'm starting the NGINX container it's stuck on connecting to the syslog-address: udp://127.0.0.1:514
Can you please let us know what I'm doing wrong?

Thanks,

0 Karma
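As an added troubleshooting example (not from the original post or from Splunk's documentation): a small Python script that builds the same kind of RFC 3164 UDP datagram the Docker syslog driver sends, aims it at the syslog-address used in the nginx config, and can first prove the sender against a throwaway local listener, so the host-to-container port mapping can be tested without Docker in the loop. The host, port and the nginxproxy_nginx tag come from the thread; the daemon/info priority and the hostname field are assumptions.

```python
"""Probe a syslog-over-UDP input such as the forwarder's 'splunk add udp' listener.
Added example; host, port and tag follow the thread, the priority is an assumption."""
import socket
import time
from urllib.parse import urlparse

FACILITY_DAEMON = 3   # assumption: Docker's syslog driver defaults to facility daemon
SEVERITY_INFO = 6


def parse_syslog_address(url: str = "udp://127.0.0.1:514") -> tuple[str, int]:
    """Split a Docker-style syslog-address (udp://host:port) into (host, port)."""
    parsed = urlparse(url)
    if parsed.scheme != "udp" or parsed.hostname is None or parsed.port is None:
        raise ValueError(f"expected udp://host:port, got {url!r}")
    return parsed.hostname, parsed.port


def format_syslog(tag: str, msg: str, hostname: str = "nginxproxy",
                  facility: int = FACILITY_DAEMON, severity: int = SEVERITY_INFO,
                  ts: float = 0.0) -> bytes:
    """Build an RFC 3164 line: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG (day is space-padded)."""
    t = time.gmtime(ts)
    stamp = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    return f"<{facility * 8 + severity}>{stamp} {hostname} {tag}: {msg}".encode()


def parse_syslog(datagram: bytes) -> dict:
    """Recover facility, severity, host, tag and message from a datagram built above."""
    text = datagram.decode(errors="replace")
    end = text.index(">")
    pri = int(text[1:end])
    host, tagged = text[end + 1:][16:].split(" ", 1)   # skip the 15-char timestamp + space
    tag, msg = tagged.split(": ", 1)
    return {"facility": pri // 8, "severity": pri % 8, "host": host, "tag": tag, "msg": msg}


def send_test_message(url: str = "udp://127.0.0.1:514", tag: str = "nginxproxy_nginx",
                      msg: str = "forwarder probe") -> bytes:
    """Fire one datagram at the mapped host port; check the Splunk index for it afterwards."""
    host, port = parse_syslog_address(url)
    payload = format_syslog(tag, msg, ts=time.time())
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload, (host, port))
    return payload


def loopback_check(tag: str = "nginxproxy_nginx", msg: str = "forwarder probe") -> dict:
    """Bind a throwaway UDP listener on an ephemeral port, send to it, parse what arrives."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.settimeout(2.0)
        send_test_message(f"udp://127.0.0.1:{srv.getsockname()[1]}", tag, msg)
        data, _ = srv.recvfrom(4096)
    return parse_syslog(data)


if __name__ == "__main__":
    print(loopback_check())          # sender works locally
    print(send_test_message())       # now aim at the real mapping, udp://127.0.0.1:514
```

If the loopback check passes but nothing reaches the forwarder, the problem is in the 514:1514/udp mapping or the listener inside the container, not in the nginx log_opt.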

p_gurav
Champion

Is it 1514 or 514?

0 Karma

eygtmbot
Engager

514, that is the port to which I'm trying to forward logs.

ports:
- "514:1514/udp"

0 Karma

eygtmbot
Engager

Any issue on the udp6?

# netstat -lnp | grep 514
udp6       0      0 :::514                  :::*                                87192/docker-proxy

0 Karma