Install Docker Desktop for MacOS¶
Refer to the “MacOS” section in your Docker documentation to set up your Docker Desktop for MacOS.
Perform your initial SC4S configuration¶
You can run SC4S using either docker-compose
or the docker run
command in the command line. This topic focuses solely on using docker-compose
.
-
Create a directory on the server for local configurations and disk buffering. Make it available to all administrators, for example:
/opt/sc4s/
. -
Create a
docker-compose.yml
file in your new directory, based on the provided template. By default, the latest container is automatically downloaded at each restart. As a best practice, consult this topic at the time of any new upgrade to check for any changes in the latest template.version: "3.7" services: sc4s: deploy: replicas: 2 restart_policy: condition: on-failure image: ghcr.io/splunk/splunk-connect-for-syslog/container3:latest ports: - target: 514 published: 514 protocol: tcp - target: 514 published: 514 protocol: udp - target: 601 published: 601 protocol: tcp - target: 6514 published: 6514 protocol: tcp env_file: - /opt/sc4s/env_file volumes: - /opt/sc4s/local:/etc/syslog-ng/conf.d/local:z - splunk-sc4s-var:/var/lib/syslog-ng # Uncomment the following line if local disk archiving is desired # - /opt/sc4s/archive:/var/lib/syslog-ng/archive:z # Map location of TLS custom TLS # - /opt/sc4s/tls:/etc/syslog-ng/tls:z volumes: splunk-sc4s-var:
- In Docker Desktop, set the
/opt/sc4s
folder as shared. -
Create a local volume that will contain the disk buffer files in the event of a communication failure to the upstream destinations. This volume also keeps track of the state of syslog-ng between restarts, and in particular the state of the disk buffer. Be sure to account for disk space requirements for the Docker volume. This volume is located in
/var/lib/docker/volumes/
and could grow significantly if there is an extended outage to the SC4S destinations. See SC4S disk buffer configuration for more information.sudo docker volume create splunk-sc4s-var
-
Create the subdirectories:
/opt/sc4s/local
,/opt/sc4s/archive
, and/opt/sc4s/tls
. Make sure these directories match the volume mounts specified indocker-compose.yml
. -
Create a file named
/opt/sc4s/env_file
.
SC4S_DEST_SPLUNK_HEC_DEFAULT_URL=https://your.splunk.instance:8088
SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
#Uncomment the following line if using untrusted SSL certificates
#SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY=no
/opt/sc4s/env_file
:
-
Update
SC4S_DEST_SPLUNK_HEC_DEFAULT_URL
andSC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN
to reflect the values for your environment. Do not configure HEC Acknowledgement when you deploy the HEC token on the Splunk side; syslog-ng http destination does not support this feature. -
The default number of
SC4S_DEST_SPLUNK_HEC_<ID>_WORKERS
is 10. Consult the community if you feel the number of workers (threads) should deviate from this. -
Splunk Connect for Syslog defaults to secure configurations. If you are not using trusted SSL certificates, be sure to uncomment the last line.
Create unique dedicated listening ports¶
Each listening port on the container must be mapped to a listening port on the host. Make sure to update the docker-compose.yml
file when adding listening ports for new data sources.
To configure unique ports:
- Modify the
/opt/sc4s/env_file
file to include the port-specific environment variables. See the Sources documentation to identify the specific environment variables that are mapped to each data source vendor and technology. - Modify the Docker Compose file that starts the SC4S container so that it reflects the additional listening ports you have created. You can amend the Docker Compose file with additional
target
stanzas in theports
section of the file (after the default ports). For example, the following additionaltarget
andpublished
lines provide for 21 additional technology-specific UDP and TCP ports:
- target: 5000-5020
published: 5000-5020
protocol: tcp
- target: 5000-5020
published: 5000-5020
protocol: udp
- Restart SC4S using the command in the “Start/Restart SC4S” section in this topic.
For more information about configuration refer to Docker and Podman basic configurations and detailed configuration.
Start/Restart SC4S¶
From the catalog where you created compose file, execute:
docker-compose up
docker-compose
with -f
flag pointing to the compose file
docker-compose up -f /path/to/compose/file/docker-compose.yml
Stop SC4S¶
Execute:
docker-compose down
docker-compose down -f /path/to/compose/file/docker-compose.yml
Verify Proper Operation¶
SC4S performs automatic checks to ensure that the container starts properly and that the syntax of the underlying syslog-ng configuration is correct. Once these checks are complete, verify that SC4S is properly communicating with Splunk:
index=* sourcetype=sc4s:events "starting up"
When the startup process proceeds normally, you should see an event similar to the following:
syslog-ng starting up; version='3.28.1'
If you do not see this, try the following steps to troubleshoot:
- Check to see that the URL, token, and TLS/SSL settings are correct, and that the appropriate firewall ports are open (8088 or 443).
- Check to see that the proper indexes are created in Splunk, and that the token has access to them.
- Ensure the proper operation of the load balancer if used.
- Check the SC4S startup process running:
docker logs <container_name>
You should see events similar to those below in the output:
syslog-ng checking config
sc4s version=v1.36.0
starting syslog-ng
If you do not see the output above, proceed to the “Troubleshoot sc4s server” and “Troubleshoot resources” sections for more detailed information.