A NodeJS based Splunk forwarder for MyGovBC-MSP user interfaces.
- Receive events on a given port from a variety of sources.
- Log events locally in a rotating log structure in the Gluster PV attached.
- Forwards it to HIBC Splunk server.
- Allow remote access to local logs via a simple REST lookup protected by username and password.
- Node.js 4.2.5 or later.
- Splunk Enterprise 6.3.0 or later, or Splunk Cloud.
- An HTTP Event Collector token from your Splunk Enterprise server.
First, update npm to the latest version by running:
sudo npm install npm -g
Then run:
npm start server
To test:
- curl -XPOST -H "Authorization: Splunk XXX" -H "Content-Type: application/json" -d '{"body": "xyz"}' localhost:5504/log
where XXX is the SERVICE_AUTH_TOKEN environment variable passed to the service.
Splunk Server version 3.2.1 or greater is required.
- Turn on HTTP Event Collector (HEC) by enabling its endpoint as it is not enabled by default.
- Generate an HEC token.
- Configure the HEC token in the configuration environment variable of the Splunk Forwarder.
For more information, pleast consult the Event Collector component of Splunk.
All configuration is done via a user's shell environment variable and read in NodeJS via process.env.
These are:
| Environment Variable | Description |
|---|---|
| SERVICE_IP (string) | IP address of where the service runs, defaults to 'localhost' |
| SERVICE_PORT (number) | port for the service, Default: 8080 |
| SERVICE_USE_AUTH (boolean) | Splunk Forwarder uses a token to authorize connection from a service |
| SERVICE_AUTH_TOKEN (string) | security token used by services to connect to Splunk Forwarder |
| SPLUNK_AUTH_TOKEN (string) | security token used by the remote Splunk Server (generated by the Splunk HEC) |
| FILE_LOG_LEVEL (string) | log level for local log file, defaults to 'info' |
| LOG_DIR_NAME (string) | Directory path to store local log files - typically local PV mount point, ie. /var/logs |
| USE_SPLUNK (boolean) | use a remote Splunk Server or just log locally (useful for testing) |
| SPLUNK_URL (string) | url of remote Splunk Server |
| RETRY_COUNT (number) | the number of times to retry the Splunk Server |
| ONLY_LOG_WHEN_SPLUNK_FAILS (boolean) | only write to local file system when there's an error sending to Splunk. Ignored if USE_SPLUNK is false |
| MONITOR_USERNAME (string) | username for the /monitor REST endpoint to view and download local logs |
| MONITOR_PASSWORD (string) | password for the /monitor REST endpoint to view and download local logs |
| CA_CERT (string) | The CA cert of the remote Splunk Server (or proxy to the remote Splunk Server) |
| MAX_FILES (number) | total number of log files to rotate over. Default: 10 |
| MAX_BYTE_SIZE_PER_FILE (number) | total number of each log file. Default: (1024 * 1024 * 75) = 75mb |
| APPEND_POD_NAME_TO_FILE (boolean) | Whether the pod name should be appended to the local log file name |
The max storage size used for the entire splunk-forwarder will be MAX_FILES * MAX_BYTES_PER_FILE. It's default storage size is 750mb.
A note on the two different AUTH tokens. The idea is to not expose the remote Splunk Server's authorization token to the service clients of the Splunk Forwarder. These use SERVICE_AUTH_TOKEN, while the Splunk Forwarder itself uses SPLUNK_AUTH_TOKEN generated by HEC.
To view and download local log files created by the Splunk Forwarder, go to URL of the route of the Splunk Forwarder followed by "/monitor". For example: https://gcpe-mygovbc-splunk-forwader-dev.pathfinder.gov.bc.ca/monitor This is often useful when the remote Splunk Service is unavailable.
The username and password should match the environment variables configured.
An application client wishing to use the Splunk-Forwarder, will make an HTTP POST request to the host/port that the Splunk Forwarder listens on. Typically, the following environment values are used in the client:
| Environment Variable | Description |
|---|---|
| LOGGER_HOST (string) | name of the Splunk Forwarder service. In OpenShift this is splunk-forwarder. Can be an IP address. |
| LOGGER_PORT (number) | port for the service, Default: 8080 |
| SPLUNK_AUTH_TOKEN (string) | security token used by clients to connect to Splunk Forwarder |
The client creates an http POST request. An example of a function that posts a message string in javascript:
function logSplunkError (message) {
var body = JSON.stringify({
message: message
})
var options = {
hostname: process.env.LOGGER_HOST,
port: process.env.LOGGER_PORT,
path: '/log',
method: 'POST',
headers: {
'Content-Type': 'application/json',
'Authorization': 'Splunk ' + process.env.SPLUNK_AUTH_TOKEN,
'Content-Length': Buffer.byteLength(body),
'logsource': process.env.HOSTNAME,
'timestamp': moment().format('DD-MMM-YYYY'),
'program': 'name of the client application',
'serverity': 'error'
}
};
var req = http.request(options, function (res) {
res.setEncoding('utf8');
res.on('data', function (chunk) {
console.log("Body chunk: " + JSON.stringify(chunk));
});
res.on('end', function () {
console.log('End of chunks');
});
});
req.on('error', function (e) {
console.error("error sending to splunk-forwarder: " + e.message);
});
// write data to request body
req.write(body);
req.end();
}
Notice that all POSTs are made to the path "/log" of the splunk-forwarder.
Also notice the format of the Authorization header as required by Splunk HEC.
See Deploy to OpenShift docs.