Splunk Search

Can you help me figure out what I'm doing wrong with my Base Collectd Configuration for a lab?

daniel333
Builder

All,

I am not able to get collectd metrics to appear on my Splunk standalone instance.

I am setting up collectd in my lab as recommended by our support engineer to replace Splunk for Nix eventually in prod. COMPLETELY new to this. I stole this config from the Splunk configuring collectd guide:

http://docs.splunk.com/Documentation/Splunk/7.2.0/Metrics/GetMetricsInCollectd#Configure_collectd

I have one box with everything on it including HEC.

LoadPlugin write_http
<Plugin write_http>
    <Node "node1">
        URL "https://localhost:8088/services/collector/raw"
        Header "Authorization: Splunk a31e3e37-4324-4219-8685-ce647c5be74d"
        Format "JSON"
        VerifyPeer false
        VerifyHost false
        Metrics true
        StoreRates true
    </Node>
</Plugin>

LoadPlugin cpu
<Plugin cpu>
  ReportByCpu true
</Plugin>

LoadPlugin interface

LoadPlugin syslog

LoadPlugin load
<Plugin load>
    ReportRelative true
</Plugin>

<Plugin logfile>
    LogLevel info
    File "/var/log/collectd.log"
    Timestamp true
    PrintSeverity false
</Plugin>

Include "/etc/collectd.d"

I don't think it's my HEC configuration, as I can use this bash script I found to post collectd metrics to my metrics index without issue.

curl -k https://localhost:8088/services/collector/raw?sourcetype=collectd_http   \
-H "Authorization: Splunk a31e3e37-4324-4219-8685-ce647c5be74d"                                      \
-d '[{"values":[164.9196798931339196],"dstypes":["derive"],"dsnames":["value"],"time":1541268208.894,"interval":10.000,"host":"collectd","plugin":"protocols","plugin_instance":"IpExt","type":"protocol_counter","type_instance":"InOctets"}]'

So I think I must be doing something wrong with my collectd.conf file. But everything looks good as far as I know. Anything jumping out as a problem here to anyone?

EDIT - I just noticed that when I restart collectd, I get this message:

[root@splunkes administrator]# systemctl status collectd
● collectd.service - Collectd statistics daemon
   Loaded: loaded (/usr/lib/systemd/system/collectd.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2018-11-03 22:47:20 UTC; 2s ago
     Docs: man:collectd(1)
           man:collectd.conf(5)
 Main PID: 14295 (collectd)
   CGroup: /system.slice/collectd.service
           └─14295 /usr/sbin/collectd

Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none]
Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none]
Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none]
Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none]
Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none]
Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none]
Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none]
Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none]
Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none]
Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none]
[root@splunkes administrator]# date
Sat Nov  3 22:47:29 UTC 2018
[root@splunkes administrator]#
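A static check for the two things this post turns on (a plugin block with no matching LoadPlugin, and a config that ends up with no write target), written as an added example here rather than code from the post or from collectd. The sample input is the write_http and logfile sections of the config above; the write-plugin list and the HEC option checks are my assumptions about what the raw HEC endpoint needs.

```python
import re

# Sample input: the write_http and logfile sections of the collectd.conf posted
# above (other plugin blocks and some options omitted for brevity).
SAMPLE_CONF = """
LoadPlugin write_http
<Plugin write_http>
    <Node "node1">
        URL "https://localhost:8088/services/collector/raw"
        Header "Authorization: Splunk a31e3e37-4324-4219-8685-ce647c5be74d"
        Format "JSON"
        VerifyPeer false
        Metrics true
    </Node>
</Plugin>
LoadPlugin cpu
<Plugin logfile>
    LogLevel info
    File "/var/log/collectd.log"
</Plugin>
"""

# Plugins that register a write callback; without one collectd has nowhere
# to send values and logs "Available write targets: [none]" (assumed list).
WRITE_PLUGINS = {"write_http", "network", "csv", "rrdtool", "write_graphite"}

def lint_collectd_conf(text):
    """Return a list of findings for a collectd.conf body (static check only)."""
    loaded = set(re.findall(r'^\s*<?LoadPlugin\s+"?(\w+)"?', text, re.M))
    configured = set(re.findall(r'^\s*<Plugin\s+"?(\w+)"?\s*>', text, re.M))
    findings = []
    for p in sorted(configured - loaded):
        findings.append(f"<Plugin {p}> block without LoadPlugin {p}: collectd ignores it")
    if not loaded & WRITE_PLUGINS:
        findings.append("no write plugin loaded: expect 'Available write targets: [none]'")
    if "write_http" in loaded:
        m = re.search(r"<Plugin write_http>(.*?)</Plugin>", text, re.S)
        body = m.group(1) if m else ""
        # HEC's /services/collector/raw metrics path needs JSON and Metrics true.
        for opt, want in (("Format", '"JSON"'), ("Metrics", "true")):
            if not re.search(rf"^\s*{opt}\s+{re.escape(want)}", body, re.M):
                findings.append(f"write_http: set {opt} {want} for Splunk HEC metrics")
        if re.search(r"^\s*VerifyPeer\s+false", body, re.M):
            findings.append("write_http: VerifyPeer false sends the HEC token without TLS peer verification")
    return findings
if __name__ == "__main__":
    for f in lint_collectd_conf(SAMPLE_CONF):
        print("-", f)
```

The check only reads the file: if it loads write_http yet collectd still reports [none], the plugin's shared object did not load at startup (for example because its package is not installed), and collectd's own log will say so.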

philip_w
Explorer

Same here...
Does anyone know what the problem is?

0 Karma

swissgato
New Member

Same issue...

0 Karma