MongoDB and Splunk – Intelligent Monitoring

One of the biggest benefits of ElasticBox is that Boxes are stackable and reusable. This means that you can write a Box once and then reuse it many times. This is particularly useful once you start modeling your low-level infrastructure as ElasticBox Boxes.

Introducing Splunk
Splunk is a very popular data management application. According to their website, “Splunk is an application that indexes and makes searchable data from any app, server or network device in real time including logs, config files, messages, alerts, scripts and metrics”. One of the typical use cases of Splunk is to set up one (or multiple) instance(s) in your datacenter, and then have all your applications forward their logs to Splunk. Splunk will then receive the data, process it, and make it available for the user to search, analyze and create interesting visualizations.

The applications forward their logs to Splunk by using the universal forwarder. The universal forwarder is a service that is installed on every server and then configured to monitor log files, events or syslog and send them back to a specific Splunk instance.

This way your typical flow would be:

  • Deploy a VM
  • SSH into it, and install and configure Splunk
  • Deploy 10 VMs
  • SSH into each of them
  • Install and configure your software
  • Install the universal forwarder, figure out the IP of the Splunk instance you want to use, and then configure the forwarder to send the logs to that server.

Or you can just use ElasticBox and click deploy to get everything you need automatically deployed.

Boxes make everything better
While the traditional approach works, using ElasticBox’s Box model makes everything better. Instead of the process described before, you can just do the following instead:

  • Deploy a Splunk Box on any cloud
  • Extend any of your existing applications by creating a new Box that stacks it with the universal forwarder
  • Deploy your Box, and bind it to a Splunk instance. All the configurations will be taken care of by itself.

And you don’t just save time the first time. Once you have a Box, every time you’re going to launch a new instance of your Box, you will only need to click ‘Deploy’, instead of having to manually do it all, again and again.

How do I extend my Boxes?
Boxes can be extended by using Box variables. In this post, we’ll show you how to extend the default MongoDB box to leverage the power of Splunk.

Step 1 Create the Splunk Box

  1. Create a new Box, put “Splunk” as the Box name, and pick “Linux Compute” as the service.
  2. Add a port variable, “FORWARDER”, and put 9997 as the default value. This is the port that will be used by the forwarders to send information.
  3. Add a port variable, “MANAGEMENT”, and put 8089 as the default value. This is the port that will be used for management operations.
  4. Add a port variable, “WEBUI”, and put 9997 as the default value. This is the port that will be used to browse the web UI.
  5. Add a text variable “INSTALLER” to hold the URL of the installer, and put the official download link as the default value.
  6. Add a text variable “USERNAME”, and put admin as the default value. This is the default user.
  7. Add a password variable “PASSWORD”, and put changeme as the default value. This is the default password.
  8. Add an install script, copy the contents from the script available here.
  9. Add a stop script, copy the contents from the script available here.

Step 2 Create the Universal Forwarder Box

  1. Create a new Box, put “Linux Universal Forwarder” as the Box name, and pick “Linux Compute” as the service.
  2. Add a text variable “INSTALLER” to hold the URL of the installer, and put the official download link as the default value.
  3. Add a text variable “MONITORING_PATH” to hold the path of the folder to monitor; add /var/log/elasticbox/* as the value.
  4. Add a binding variable, “SPLUNK”, to hold the reference to the Splunk instance; select the Splunk Box as the value.
  5. Add an install script, copy the contents from the script available here.
  6. Add a configure script, copy the contents from the script available here.

Step 3 Create the extended Box

  1. Create a new Box. Name it “Splunkified MongoDB”, and select Linux Compute as the service.
  2. Add a Box variable, “MONGODB”, and select the default MongoDB Server box.
  3. Add a Box variable, “FORWARDER”, and select the Linux Universal Forwarder box we created in the previous step.
  4. Open the FORWARDER variable, and click on the edit button on the MONITORING_PATH variable. Update it with /var/log/mongodb/* as the value. (This overrides the value for this particular Box only.)

Step 4 Deploy your instances

  1. Deploy an instance of the Splunk Box.
  2. Deploy an instance of the Splunkified MongoDB Box, and select the existing Splunk instance.

Because of this binding, when you deploy this instance ElasticBox orchestrates the deployment so that the Splunkified MongoDB Box can access all the information of the Splunk instance in real time (e.g. IPs, ports, username and password), using ElasticBox’s binding feature (more info is available here).
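As an added example (not the linked ElasticBox scripts), this is what the forwarder's configure step has to produce on the MongoDB host: a Splunk outputs.conf pointing at the bound Splunk instance's FORWARDER port and an inputs.conf monitoring MONITORING_PATH. The host and port values are constructed samples; how ElasticBox exposes the SPLUNK binding's address to the script is assumed, not taken from the page.

```shell
#!/bin/sh
# Added example, not ElasticBox's or Splunk's own code. The binding values
# (host, port) are passed in as arguments; the names are assumptions.
set -eu

# write_forwarder_conf OUTDIR HOST PORT MONITOR_PATH
# Writes OUTDIR/outputs.conf (where to send) and OUTDIR/inputs.conf (what to read)
# in the stanza format the Splunk universal forwarder reads on start-up.
write_forwarder_conf() {
  outdir=$1; host=$2; port=$3; monitor=$4
  # Reject values that would yield a broken stanza or a forwarder sending nowhere.
  case "$port" in ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;; esac
  [ -n "$host" ] || { echo "empty host" >&2; return 1; }
  [ -n "$monitor" ] || { echo "empty monitor path" >&2; return 1; }
  mkdir -p "$outdir"
  cat > "$outdir/outputs.conf" <<EOF
[tcpout]
defaultGroup = elasticbox_splunk

[tcpout:elasticbox_splunk]
server = ${host}:${port}
EOF
  # monitor:// followed by an absolute path gives the three-slash form.
  cat > "$outdir/inputs.conf" <<EOF
[monitor://${monitor}]
disabled = false
EOF
}

# Constructed sample values standing in for the SPLUNK binding output and the
# MONITORING_PATH override from Step 3 (quoted so the shell does not glob it).
SAMPLE_DIR=$(mktemp -d)
write_forwarder_conf "$SAMPLE_DIR" 10.0.0.5 9997 '/var/log/mongodb/*'
```

Once these files are in place under the forwarder's etc/system/local directory, restarting the forwarder is all that remains for the MongoDB logs to appear in the Splunk instance.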

And with this, you have a fully configured instance of MongoDB forwarding its logs to Splunk. If you log into your newly launched Splunk instance, you’ll be able to search all the logs produced by MongoDB, with barely a line of code written!

Where can I get these Boxes?
Create an ElasticBox account and you can create your own Boxes; all the code you need is available here. Or just email me at ramiro@elasticbox.com, and I can share them with you via ElasticBox’s collaboration features!
