Implement a Container Runtime and SC4S¶
Step 1: Configure your OS to work with SC4S¶
Tune your receive buffer¶
You must tune the host Linux OS receive buffer size to match the SC4S default. This helps to avoid event dropping at the network level. The default receive buffer for SC4S is 16 MB for UDP traffic, which should be acceptable for most environments. To set the host OS kernel to match your buffer:
-
Edit
/etc/sysctl.conf
using the following whole-byte values corresponding to 16 MB:net.core.rmem_default = 17039360 net.core.rmem_max = 17039360
-
Apply to the kernel:
sysctl -p
-
To verify that the kernel does not drop packets, periodically monitor the buffer using the command
netstat -su | grep "receive errors"
. Failure to tune the kernel for high-volume traffic results in message loss, which can be unpredictable and difficult to detect. The default values for receive kernel buffers in most distributions is 2 MB, which may not be adequate for your configuration.
Configure IPv4 forwarding¶
In many distributions, for example CentOS provisioned in AWS, IPv4 forwarding is not enabled by default. IPv4 forwarding must be enabled for container networking.
- To check that IPv4 forwarding is enabled:
sudo sysctl net.ipv4.ip_forward
- To enable IPv4 forwarding:
sudo sysctl net.ipv4.ip_forward=1
- To ensure your changes persist upon reboot:
- Define sysctl settings through files in
/usr/lib/sysctl.d/
,/run/sysctl.d/
, and/etc/sysctl.d/
. - To override only specific settings, either add a file with a lexically later name in
/etc/sysctl.d/
and put following setting there or find this specific setting in one of the existing configuration files and set the value to1
.
net.ipv4.ip_forward=1
Step 2: Create your local directory structure¶
Create the following three directories:
/opt/sc4s/local
: This directory is used as a mount point for local overrides and configurations. This emptylocal
directory populates with defaults and examples at the first invocation of SC4S for local configurations and context overrides. Do not change the directory structure of these files, as SC4S depends on the directory layout to read the local configurations properly. If necessary, you can change or add individual files.- In the
local/config/
directory four subdirectories let you provide support for device types that are not provided out of the box in SC4S. To get started, see the example log path templatelp-example.conf.tmpl
and a filterexample.conf
in thelog_paths
andfilters
subdirectories. Copy these as templates for your own log path development. - In the
local/context
directory, change the “non-example” version of a file (e.g.splunk_metadata.csv
) to preserve the changes upon restart. /opt/sc4s/archive
is a mount point for local storage of syslog events if the optional mount is uncommented. The events are written in the syslog-ng EWMM format. See the Configuration topic for information about the directory structure that the archive uses./opt/sc4s/tls
is a mount point for custom TLS certificates if the optional mount is uncommented.
When you create these directories, make sure that they match the volume mounts specified in the sc4s.service unit file. Failure to do this will cause SC4S to abort at startup.
Step 3: Select a Container Runtime and SC4S Configuration¶
Container Runtime and Orchestration | Operating Systems |
---|---|
MicroK8s | Ubuntu with Microk8s |
Podman 1.7 & 1.9 + systemd | RHEL 8.x or CentOS 8.x (best option), Debian or Ubuntu 18.04LTS |
Docker CE 19 (and greater) + systemd | RHEL or CentOS >7.7 (best option), Debian or Ubuntu 18.04LTS |
Docker Desktop + Compose | MacOS |
Docker Desktop + Compose | RHEL or CentOS 8.1 & 8.2 (best option) |
Bring your own Environment | RHEL or CentOS 8.1 & 8.2 (best option) |
Offline Container Installation | RHEL 8.x or CentOS 8.x (best option), Debian or Ubuntu 18.04LTS |
Ansible+Docker Swarm | RHEL 8.x or CentOS 8.x (best option), Debian or Ubuntu 18.04LTS |
Ansible+Podman | RHEL 7.x/8.x or CentOS 7.x/8.x (best option), Debian or Ubuntu 20.10LTS(and higher) |
Ansible+Docker | RHEL 7.x/8.x or CentOS 7.x/8.x (best option), Debian or Ubuntu 18.04LTS(and higher) |