Few months ago I discovered that Splunk did not bother updating its forwarder to support FreeBSD 14. It’s a real PITA for many users, including myself. After asking around for support about that problem and seeing Splunk quietly ignoring the voice of its users, I’ve decided to try and run the Linux version on FreeBSD.
Executive summary: it works great on both FreeBSD 14 and 13, but with some limitations.
A user like me has few options:
- (re)check if you really need a local log forwarder (for everything that is not handled by syslog), if you don’t, just ditch the Splunk forwarder and tune syslogd to send logs to a Splunk indexer directly
- find an alternate solution that suits you: very hard is you have a full Splunk ecosystem or if, like me, you really are addicted to Splunk
- Run the Linux version on FreeBSD: needs some skills but works great so far
Obviously, I’m fine with the latest.
Limitations
You will run a proprietary Linux binary on a totally unsupported environment: you are on your own & it can break anytime, either because of FreeBSD, or because of Splunk.
You will run the Splunk forwarder inside a chroot environment: your log files will have to be available inside the chroot, or Splunk won’t be able to read them. Also, no ACL residing on your FreeBSD filesystem will be available to the Linux chroot, so you must not rely on ACLs to grant Splunk access to your log files. This latest statement is partially wrong. You can rely on FreeBSD ACLs but it might require some tweaks on the user/group side.
How to
Below you’ll find a quick&dirty step by step guide that worked for me. Not everything will be detailed or explained and YMMV.
First step is to install a Linux environment. You must activate the Linux compatibility feature. I’ve used both Debian and Devuan successfully. Here is what I’ve done for Devuan:
zfs create -o mountpoint=/compat/devuan01 sas/compat_devuan01
curl -OL https://git.devuan.org/devuan/debootstrap/raw/branch/suites/unstable/scripts/ceres
mv ceres /usr/local/share/debootstrap/scripts/daedalus
curl -OL https://files.devuan.org/devuan-archive-keyring.gpg
mv devuan-archive-keyring.gpg /usr/local/share/keyrings/
ln -s /usr/local/share/keyrings /usr/share/keyrings
debootstrap daedalus /compat/devuan01
This last step should fail, it seems that it’s to be expected. Following that same guide:
chroot /compat/devuan01 /bin/bash
dpkg --force-depends -i /var/cache/apt/archives/*.deb
echo "APT::Cache-Start 251658240;" > /etc/apt/apt.conf.d/00chroot
exit
Back on the host, add what you need to /etc/fstab
:
# Device Mountpoint FStype Options Dump Pass#
devfs /compat/devuan01/dev devfs rw,late 0 0
tmpfs /compat/devuan01/dev/shm tmpfs rw,late,size=1g,mode=1777 0 0
fdescfs /compat/devuan01/dev/fd fdescfs rw,late,linrdlnk 0 0
linprocfs /compat/devuan01/proc linprocfs rw,late 0 0
linsysfs /compat/devuan01/sys linsysfs rw,late 0 0
and mount all, then finish install:
mount -al
chroot /compat/devuan01 /bin/bash
apt update
apt install openrc
exit
Make your log files available inside the chroot:
mkdir -p /compat/debian_stable01/var/hostnamedlog
mount_nullfs /var/named/var/log /compat/debian_stable01/var/hostnamedlog
mkdir -p /compat/debian_stable01/var/hostlog
mount_nullfs /var/log /compat/debian_stable01/var/hostlog
Note: /var/named/var/log
and /var/log
are ZFS filesystems. You’ll have to make the nullfs mounts permanent by adding them in /etc/fstab
.
Now you can install the Splunk forwarder:
chroot /compat/devuan01 /bin/bash
ln -sf /usr/share/zoneinfo/Europe/Paris /etc/localtime
useradd -m splunkfwd
export SPLUNK_HOME="/opt/splunkforwarder"
mkdir $SPLUNK_HOME
echo /opt/splunkforwarder/lib >/etc/ld.so.conf.d/splunk.conf
ldconfig
apt install curl
dpkg -i splunkforwarder_package_name.deb
/opt/splunkforwarder/bin/splunk enable boot-start -systemd-managed 0 -user splunkfwd
exit
Note: splunk enable boot-start -systemd-managed 0
activates the Splunk service as an old-school init.d
service. systemd
is not available in the context of a Linux chroot on FreeBSD.
Now from the host, grab your config files and copy them in your Linux chroot:
cp /opt/splunkforwarder/etc/system/local/{inputs,limits,outputs,props,transforms}.conf /compat/devuan01/opt/splunkforwarder/etc/system/local/
Then edit /compat/devuan01/opt/splunkforwarder/etc/system/local/inputs.conf
accordingly: in my case it means I must replace /var/log
by /var/hostlog
and /var/named/var/log
by /var/hostnamedlog
.
Go back to your Devuan and start Splunk:
chroot /compat/devuan01 /bin/bash
service splunk start
exit
Startup script
It’s best if your linux Splunk can start automatically when your FreeBSD boots. That can be achieved with a quick modification of the native Splunk rc script for FreeBSD (/etc/rc.d/splunk
). Here is what I’m using:
#!/bin/sh
# PROVIDE: splunkd
# REQUIRE: LOGIN
# KEYWORD: shutdown
# /etc/rc.d/splunk
# init script for Splunk.
# generated by 'splunk enable boot-start'.
. /etc/rc.subr
name=splunk
extra_commands="status"
rcvar=`set_rcvar`
eval "${rcvar}=\${${rcvar}:-'NO'}"
splunk_start()
{
chroot /compat/devuan01 "${splunk_home:-/opt/splunkforwarder}/bin/splunk" start --no-prompt --answer-yes "$@"
}
start_cmd=splunk_start
splunk_stop()
{
chroot /compat/devuan01 "${splunk_home:-/opt/splunkforwarder}/bin/splunk" stop "$@"
}
stop_cmd=splunk_stop
splunk_restart()
{
chroot /compat/devuan01 "${splunk_home:-/opt/splunkforwarder}/bin/splunk" restart "$@"
}
restart_cmd=splunk_restart
splunk_status()
{
chroot /compat/devuan01 "${splunk_home:-/opt/splunkforwarder}/bin/splunk" status "$@"
}
status_cmd=splunk_status
load_rc_config $name
run_rc_command "$@"