Skip to content

Instantly share code, notes, and snippets.

@anosulchik

anosulchik/101splunk-fowarder.config

Last active July 21, 2022 18:41
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save anosulchik/5ec5cb93d9084ed7c55c4d3186609930 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save anosulchik/5ec5cb93d9084ed7c55c4d3186609930 to your computer and use it in GitHub Desktop.
Download ZIP
Universal Language: Logs collection from AWS Elasticbeanstalk into Splunk: 101splunk-fowarder.config
Raw
101splunk-fowarder.config
container_commands:
01install-splunk:
command: /usr/local/bin/install-splunk.sh
02set-splunk-server-host:
command: /usr/local/bin/set_splunk_server_host.sh "$SPLUNK_SERVER_HOST"
03add-logs-to-splunk:
command: /usr/local/bin/add_logs_to_splunk.sh "$ENVIRONMENT_NAME"
cwd: /root
ignoreErrors: false
files:
"/usr/local/bin/install-splunk.sh":
content: |
#!/usr/bin/env bash
/usr/bin/wget "$SPLUNK_FORWARDER_RPM_DOWNLOAD_URL" -O /usr/src/splunk-universal-forwarder.rpm
/bin/rpm -i /usr/src/splunk-universal-forwarder.rpm
if [[ -z $(pgrep splunk) ]];then
/opt/splunkforwarder/bin/splunk start --answer-yes --no-prompt --accept-license
fi
mode: "000755"
"/opt/splunkforwarder/etc/system/local/outputs.conf":
content: |
[tcpout]
defaultGroup = index1
disabled = false
[tcpout:index1]
server = splunk_server_host:9997,
[tcpout-server://splunk_server_host:9997]
mode: "000644"
"/usr/local/bin/set_splunk_server_host.sh":
content: |
#!/usr/bin/env bash
splunk_server_host=$1
if [[ -z $splunk_server_host ]];then
echo "$0: Cannot find splunk server host."
exit 1
fi
outputs_file="/opt/splunkforwarder/etc/system/local/outputs.conf"
if [[ -e $outputs_file ]];then
chown splunk.splunk $outputs_file
cp -f $outputs_file $outputs_file.orig
sed -i "s/splunk_server_host/$splunk_server_host/g" $outputs_file
if [[ -n $(diff $outputs_file $outputs_file.orig) && -n $(pgrep splunk) ]];then
/opt/splunkforwarder/bin/splunk restart
fi
fi
mode: "000755"
"/usr/local/bin/add_logs_to_splunk.sh":
content: |
#!/usr/bin/env bash
application_name=$1
instance_name=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)
splunk_logs_hostname="$application_name/$instance_name"
export HOME=/root
/opt/splunkforwarder/bin/splunk login -auth admin:changeme
/opt/splunkforwarder/bin/splunk add monitor "/var/log/tomcat8/catalina.out" -hostname "$splunk_logs_hostname" -sourcetype log4j
/opt/splunkforwarder/bin/splunk add monitor "/var/log/tomcat8/*.log" -hostname "$splunk_logs_hostname" -sourcetype tomcat
/opt/splunkforwarder/bin/splunk add monitor "/var/log/eb*.log" -hostname "$splunk_logs_hostname"
mode: "000755"
@hamx0r
Copy link
Copy Markdown

hamx0r commented Jul 8, 2017

Should && be &&?

@vrathore18
Copy link
Copy Markdown

vrathore18 commented Jul 24, 2018

How can we add prop.config file from here?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment