From 4f519274d3658bc436d6ad8b770c2de0d1af5a84 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Sun, 14 Jun 2020 10:37:00 -0400
Subject: [PATCH 1/5] Update entrypoint.sh
---
 package/sbin/entrypoint.sh | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/package/sbin/entrypoint.sh b/package/sbin/entrypoint.sh
index 435d2ff..d554d3b 100755
--- a/package/sbin/entrypoint.sh
+++ b/package/sbin/entrypoint.sh
@@ -44,6 +44,15 @@ for file in /opt/syslog-ng/etc/conf.d/local/context/*.example ; do cp --verbose
 cp --verbose -R /opt/syslog-ng/etc/local_config/* /opt/syslog-ng/etc/conf.d/local/config/
 mkdir -p /opt/syslog-ng/var/log
+#Test HEC Connectivity
+HEC=$(echo '{{- getenv "SPLUNK_HEC_URL" | strings.ReplaceAll "/services/collector" "" | strings.ReplaceAll "/event" "" | regexp.ReplaceLiteral "[, ]+" "/services/collector/event " }}/services/collector/event' | gomplate | cut -d' ' -f 1)
+INDEX=$(cat /opt/syslog-ng/etc/conf.d/local/config/splunk_index.csv | grep sc4s_events | cut -d, -f 3)
+if ! curl -k "${HEC}" -H "Authorization: Splunk ${SPLUNK_HEC_TOKEN}" -d '{"event": "HEC TEST EVENT", "sourcetype": "SC4S:PROBE", "index":"${index}"}'
+then
+ echo SC4S_ENV_CHECK_HEC: Splunk unreachable startup will continue to prevent data loss if this is a transient failure
+fi
+
+#Setup SNMPD
 /opt/net-snmp/sbin/snmptrapd -Lf /opt/syslog-ng/var/log/snmptrapd.log
 echo syslog-ng checking config
@@ -59,7 +68,7 @@ pid="$!"
 sleep 5
 if ! ps -p $pid > /dev/null
 then
- echo "syslog-ng failed to start $pid is not running"
+ echo "SC4S_ENV_CHECK_SYSLOG-NG failed to start $pid is not running"
 /opt/syslog-ng/sbin/syslog-ng -s
 if [ "${SC4S_DEBUG_CONTAINER}" == "yes" ]
 then
From 300a704bd729b650acbed44254eb3ab289617ee9 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Sun, 14 Jun 2020 10:42:52 -0400
Subject: [PATCH 2/5] Update entrypoint.sh
---
 package/sbin/entrypoint.sh | 3 +++
 1 file changed, 3 insertions(+)
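Review bot: The branch on the new `if ! curl -k "${HEC}" ...` line only detects transport failures, because curl exits 0 on an HTTP 4xx/5xx reply unless `--fail` is given, so an invalid token or a disabled HEC endpoint still takes the "reachable" path; the same applies to every curl call in the patch 2, 3 and 4 hunks. The JSON body is single-quoted, so `"index":"${index}"` is sent as the literal text `${index}` (and the variable assigned two lines above is `INDEX`, not `index`), which means the configured index is never exercised. There is also no `--max-time`, so a host that accepts the TCP connection but never answers holds container startup indefinitely, contrary to the message that startup will continue. A line such as `if ! curl -sS -k --fail --max-time 10 -o /dev/null "${HEC}" -H "Authorization: Splunk ${SPLUNK_HEC_TOKEN}" -d "{\"event\": \"HEC TEST EVENT\", \"sourcetype\": \"SC4S:PROBE\", \"index\":\"${INDEX}\"}"` addresses all three points.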
diff --git a/package/sbin/entrypoint.sh b/package/sbin/entrypoint.sh
index d554d3b..5abcde2 100755
--- a/package/sbin/entrypoint.sh
+++ b/package/sbin/entrypoint.sh
@@ -50,6 +50,9 @@ INDEX=$(cat /opt/syslog-ng/etc/conf.d/local/config/splunk_index.csv | grep sc4s
 if ! curl -k "${HEC}" -H "Authorization: Splunk ${SPLUNK_HEC_TOKEN}" -d '{"event": "HEC TEST EVENT", "sourcetype": "SC4S:PROBE", "index":"${index}"}'
 then
 echo SC4S_ENV_CHECK_HEC: Splunk unreachable startup will continue to prevent data loss if this is a transient failure
+else
+ echo SC4S_ENV_CHECK_HEC: Splunk connection succesfull
+
 fi
 #Setup SNMPD
From 2882afebd6aa4c15e246a958b1c6a572175279ef Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Sun, 14 Jun 2020 11:56:24 -0400
Subject: [PATCH 3/5] Update entrypoint.sh
---
 package/sbin/entrypoint.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/package/sbin/entrypoint.sh b/package/sbin/entrypoint.sh
index 5abcde2..bb7f5a3 100755
--- a/package/sbin/entrypoint.sh
+++ b/package/sbin/entrypoint.sh
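Review bot: The status line added on the success branch, `echo SC4S_ENV_CHECK_HEC: Splunk connection succesfull`, misspells "successful", and because operators and automated checks will grep the container log for the `SC4S_ENV_CHECK_*` lines the wording should be settled before anything depends on it. Quoting the argument also stops `echo` from re-splitting the text and matches the quoted form already used for the syslog-ng failure message in this file: `echo "SC4S_ENV_CHECK_HEC: Splunk connection successful"`. Note that this branch is reached whenever curl's exit status is 0, which without `--fail` includes HTTP error replies, so "successful" here only means the request was transmitted.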
@@ -46,13 +46,13 @@ mkdir -p /opt/syslog-ng/var/log
 #Test HEC Connectivity
 HEC=$(echo '{{- getenv "SPLUNK_HEC_URL" | strings.ReplaceAll "/services/collector" "" | strings.ReplaceAll "/event" "" | regexp.ReplaceLiteral "[, ]+" "/services/collector/event " }}/services/collector/event' | gomplate | cut -d' ' -f 1)
-INDEX=$(cat /opt/syslog-ng/etc/conf.d/local/config/splunk_index.csv | grep sc4s_events | cut -d, -f 3)
-if ! curl -k "${HEC}" -H "Authorization: Splunk ${SPLUNK_HEC_TOKEN}" -d '{"event": "HEC TEST EVENT", "sourcetype": "SC4S:PROBE", "index":"${index}"}'
+index=$(cat /opt/syslog-ng/etc/conf.d/local/context/splunk_index.csv | grep sc4s_events | cut -d, -f 3)
+if ! curl -k "${HEC}?/index=${index}" -H "Authorization: Splunk ${SPLUNK_HEC_TOKEN}" -d '{"event": "HEC TEST EVENT", "sourcetype": "SC4S:PROBE"}'
 then
 echo SC4S_ENV_CHECK_HEC: Splunk unreachable startup will continue to prevent data loss if this is a transient failure
 else
- echo SC4S_ENV_CHECK_HEC: Splunk connection succesfull
-
+ echo SC4S_ENV_CHECK_INDEX: Splunk connection succesfull checking indexes
+ cat /opt/syslog-ng/etc/conf.d/local/context/splunk_index.csv | grep -v sc4s_metrics | cut -d, -f 3 | sort -u | while read index ; do export index; echo -e "\nSC4S_ENV_CHECK_INDEX: Checking $index" $(curl -s -S -k "${HEC}?index=${index}" -H "Authorization: Splunk ${SPLUNK_HEC_TOKEN}" -d '{"event": "HEC TEST EVENT", "sourcetype": "SC4S:PROBE"}') ; done
 fi
 #Setup SNMPD
From ce5110aa963cdcc8aae2e9f2f9992af8530705ea Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Sun, 14 Jun 2020 18:28:36 -0400
Subject: [PATCH 4/5] Updates
---
 package/sbin/entrypoint.sh | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/package/sbin/entrypoint.sh b/package/sbin/entrypoint.sh
index 7d22026..13caeb6 100755
--- a/package/sbin/entrypoint.sh
+++ b/package/sbin/entrypoint.sh
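Review bot: The query string on the new `if ! curl -k "${HEC}?/index=${index}"` line is malformed: `?/index=` makes the parameter name `/index`, so HEC receives no `index` parameter and the probe does not test the `sc4s_events` index at all, while the per-index loop added a few lines below uses the correct `?index=` form; the patch 4 hunk carries the same `?/index=` forward. In that loop, `read index` runs without `-r`, `export index` inside the pipeline subshell has no effect on the rest of the script, and `$(curl ...)` is expanded unquoted inside `echo -e`, so the JSON reply is word-split before it is printed. Change the probe to `if ! curl -k "${HEC}?index=${index}" ...`, use `while IFS= read -r index`, and print the reply with `printf '%s\n' "$(curl ...)"`.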
@@ -52,7 +52,7 @@ for file in /opt/syslog-ng/etc/conf.d/local/context/*.example ; do cp --verbose
 touch /opt/syslog-ng/etc/conf.d/local/context/splunk_index.csv
 sed -i 's/^#//' /opt/syslog-ng/etc/conf.d/local/context/splunk_index.csv
 # Add new entries
-awk '{print $0}' /opt/syslog-ng/etc/context_templates/splunk_index.csv /opt/syslog-ng/etc/context_templates/splunk_index.csv.example | sort -b -t ',' -k1,2 -u
+awk '{print $0}' /opt/syslog-ng/etc/conf.d/local/context/splunk_index.csv /opt/syslog-ng/etc/conf.d/local/context/splunk_index.csv.example | sort -b -t ',' -k1,2 -u
 #We don't need this file anylonger
 rm -f /opt/syslog-ng/etc/context_templates/splunk_index.csv.example
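Review bot: The rewritten `awk '{print $0}' ... | sort -b -t ',' -k1,2 -u` line still sends its merged, de-duplicated output to stdout and nothing in the hunk redirects it, so the "Add new entries" step only echoes the merge into the container log and `splunk_index.csv` is left as it was; unless a redirect exists outside the hunk, write the result to a temporary file and move it over the original, e.g. `tmp=$(mktemp)` followed by `... -k1,2 -u > "${tmp}" && mv -- "${tmp}" /opt/syslog-ng/etc/conf.d/local/context/splunk_index.csv`. Note also that the example file now read from `/opt/syslog-ng/etc/conf.d/local/context/` is not the one the `rm -f` two lines below deletes under `/opt/syslog-ng/etc/context_templates/`, so the comment about the file no longer being needed no longer describes what is removed.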
@@ -60,16 +60,18 @@ cp --verbose -R /opt/syslog-ng/etc/local_config/* /opt/syslog-ng/etc/conf.d/loca
 mkdir -p /opt/syslog-ng/var/log
 #Test HEC Connectivity
-HEC=$(echo '{{- getenv "SPLUNK_HEC_URL" | strings.ReplaceAll "/services/collector" "" | strings.ReplaceAll "/event" "" | regexp.ReplaceLiteral "[, ]+" "/services/collector/event " }}/services/collector/event' | gomplate | cut -d' ' -f 1)
-index=$(cat /opt/syslog-ng/etc/conf.d/local/context/splunk_index.csv | grep sc4s_events | cut -d, -f 3)
-if ! curl -k "${HEC}?/index=${index}" -H "Authorization: Splunk ${SPLUNK_HEC_TOKEN}" -d '{"event": "HEC TEST EVENT", "sourcetype": "SC4S:PROBE"}'
+if [ "$SC4S_DEST_SPLUNK_HEC_GLOBAL" == "no" ]
 then
- echo SC4S_ENV_CHECK_HEC: Splunk unreachable startup will continue to prevent data loss if this is a transient failure
-else
- echo SC4S_ENV_CHECK_INDEX: Splunk connection succesfull checking indexes
- cat /opt/syslog-ng/etc/conf.d/local/context/splunk_index.csv | grep -v sc4s_metrics | cut -d, -f 3 | sort -u | while read index ; do export index; echo -e "\nSC4S_ENV_CHECK_INDEX: Checking $index" $(curl -s -S -k "${HEC}?index=${index}" -H "Authorization: Splunk ${SPLUNK_HEC_TOKEN}" -d '{"event": "HEC TEST EVENT", "sourcetype": "SC4S:PROBE"}') ; done
+ HEC=$(echo '{{- getenv "SPLUNK_HEC_URL" | strings.ReplaceAll "/services/collector" "" | strings.ReplaceAll "/event" "" | regexp.ReplaceLiteral "[, ]+" "/services/collector/event " }}/services/collector/event' | gomplate | cut -d' ' -f 1)
+ index=$(cat /opt/syslog-ng/etc/conf.d/local/context/splunk_index.csv | grep ',index,' | grep sc4s_events | cut -d, -f 3)
+ if ! 
curl -k "${HEC}?/index=${index}" -H "Authorization: Splunk ${SPLUNK_HEC_TOKEN}" -d '{"event": "HEC TEST EVENT", "sourcetype": "SC4S:PROBE"}'
+ then
+ echo SC4S_ENV_CHECK_HEC: Splunk unreachable startup will continue to prevent data loss if this is a transient failure
+ else
+ echo SC4S_ENV_CHECK_INDEX: Splunk connection succesfull checking indexes
+ cat /opt/syslog-ng/etc/conf.d/local/context/splunk_index.csv | grep -v sc4s_metrics | grep ',index,' | cut -d, -f 3 | sort -u | while read index ; do export index; echo -e "\nSC4S_ENV_CHECK_INDEX: Checking $index" $(curl -s -S -k "${HEC}?index=${index}" -H "Authorization: Splunk ${SPLUNK_HEC_TOKEN}" -d '{"event": "HEC TEST EVENT", "sourcetype": "SC4S:PROBE"}') ; done
+ fi
 fi
-
 #Setup SNMPD
 /opt/net-snmp/sbin/snmptrapd -Lf /opt/syslog-ng/var/log/snmptrapd.log
From a443b545945ba5c96c1350eb7c74af426ade04f8 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Mon, 15 Jun 2020 07:27:27 -0400
Subject: [PATCH 5/5] Update entrypoint.sh
---
 package/sbin/entrypoint.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package/sbin/entrypoint.sh b/package/sbin/entrypoint.sh
index 13caeb6..0faf2db 100755
--- a/package/sbin/entrypoint.sh
+++ b/package/sbin/entrypoint.sh
@@ -60,7 +60,7 @@ cp --verbose -R /opt/syslog-ng/etc/local_config/* /opt/syslog-ng/etc/conf.d/loca
 mkdir -p /opt/syslog-ng/var/log
 #Test HEC Connectivity
-if [ "$SC4S_DEST_SPLUNK_HEC_GLOBAL" == "no" ]
+if [ "$SC4S_DEST_SPLUNK_HEC_GLOBAL" != "no" ]
 then
 HEC=$(echo '{{- getenv "SPLUNK_HEC_URL" | strings.ReplaceAll "/services/collector" "" | strings.ReplaceAll "/event" "" | regexp.ReplaceLiteral "[, ]+" "/services/collector/event " }}/services/collector/event' | gomplate | cut -d' ' -f 1)
 index=$(cat /opt/syslog-ng/etc/conf.d/local/context/splunk_index.csv | grep ',index,' | grep sc4s_events | cut -d, -f 3)
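Review bot: Both probes inside the new `if` block pass the HEC token on the curl command line via `-H "Authorization: Splunk ${SPLUNK_HEC_TOKEN}"` and combine it with `-k`, so the secret is visible in the process list and in any `set -x` trace for the duration of the call, and it is sent to whatever answers at SPLUNK_HEC_URL without certificate validation; if the syslog-ng destination itself verifies the peer, the probe should be held to the same standard. Writing the header to a temporary file and passing it with `-H @file` (or using a `--config` file) keeps the token off argv, and `-k` is better gated behind an explicit opt-in variable (name to be chosen) than applied unconditionally. The `index=$(... | grep ',index,' | grep sc4s_events | ...)` line can also return more than one value if several rows match, which would turn the query string into a multi-line value; `grep -m1` or an anchored pattern makes the selection deterministic. The per-index loop still prints the unquoted `$(curl ...)` reply through `echo -e`, as noted on the patch 3 hunk.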
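Review bot: The corrected gate `[ "$SC4S_DEST_SPLUNK_HEC_GLOBAL" != "no" ]` is an exact, case-sensitive comparison, so `No`, `NO`, `false` or `0` all still run the probe; if only the literal `no` is meant to disable it, a comment on that line saying so would spare operators a surprise, otherwise `case "${SC4S_DEST_SPLUNK_HEC_GLOBAL,,}" in no|false|0) ;; *) ... ;; esac` normalises the value. Because an unset variable now enables the probe, it will likely also run when `SPLUNK_HEC_URL` is empty, in which case the gomplate expression yields a bare path and the probe logs "Splunk unreachable" for a deployment that never configured HEC; adding `&& [ -n "${SPLUNK_HEC_URL:-}" ]` to the condition avoids the misleading line.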