
Updated on June 22, 2020

Configure Besu for Splunk Enterprise

A Splunk server can receive Besu logs and enable complex search, visualization, and analysis.

Splunk can aggregate multiple logs in one place and run complex queries without being connected to the machine running Besu to read the standard output.

Options for running Splunk and Besu are:

  1. Splunk connect for Ethereum Docker Compose.
  2. Splunk Enterprise as a Docker container.
  3. A Splunk Enterprise instance.

Splunk connect for Ethereum Docker Compose

To run a development Besu node and connect it to Splunk Enterprise, use the Splunk connect for Ethereum demonstration Docker Compose environment provided by Splunk.

Requirements

Important

A Splunk license is not required to use the Splunk connect for Ethereum demonstration.

Clone the Splunk connect for Ethereum repository

Open a terminal window and run:

git clone https://github.com/splunk/splunk-connect-for-ethereum.git
cd splunk-connect-for-ethereum

Start the demonstration environment

Follow the Splunk connect for Ethereum repository README.

Note

Splunk Enterprise takes some time to start.

Run docker ps and wait for the STATUS of the 3 containers to be Up [number] seconds (healthy).

CONTAINER ID        IMAGE                        COMMAND                  CREATED             STATUS                    PORTS                                                                            NAMES
127600dd1173        splunkdlt/ethlogger:latest   "ethlogger"              53 seconds ago      Up 51 seconds (healthy)                                                                                    ethlogger
88dfcee683c4        splunk/splunk:latest         "/sbin/entrypoint.sh…"   53 seconds ago      Up 52 seconds (healthy)   8065/tcp, 8088-8089/tcp, 8191/tcp, 9887/tcp, 9997/tcp, 0.0.0.0:18000->8000/tcp   splunk
111b0c6d6072        hyperledger/besu:1.4.4       "besu"                   53 seconds ago      Up 52 seconds (healthy)   8545-8547/tcp, 30303/tcp                                                         besu

Use Splunk Enterprise as a Docker container

Requirements

Important

A Splunk license is not required to use the trial version of the Splunk Docker image. The image is not suitable for production use and has restrictions on daily log volume.

Note

If running Besu as a Docker container, consider using Splunk connect for Ethereum Docker Compose or Kubernetes instead of the Splunk Enterprise trial container.

Run Splunk Enterprise trial container

To start the Splunk Enterprise container:

docker run \
-e SPLUNK_START_ARGS=--accept-license \
-e SPLUNK_HEC_TOKEN=11111111-1111-1111-1111-1111111111113 \
-e SPLUNK_PASSWORD=changeme \
--rm \
-p8080:8000 -p8088:8088 \
-d \
--name splunk-demo \
splunk/splunk:latest

Once the service has started, connect to http://localhost:8080/ and log in as the admin user with the password changeme.

Tip

To follow the logs of the Splunk container:

docker logs -f splunk-demo

Create the Besu index

  1. In the Splunk web interface, navigate to the index list in the settings.
  2. Create an event index with an Index Name of besu.
  3. Leave other fields with the default values.
  4. Save the besu index.

Run Besu

To start a Besu node running in development mode:

LOGGER=Splunk \
SPLUNK_URL=https://localhost:8088 \
SPLUNK_TOKEN=11111111-1111-1111-1111-1111111111113 \
SPLUNK_SKIPTLSVERIFY=true \
besu \
--network=dev \
--miner-coinbase=0xfe3b557e8fb62b89f4916b721be55ceb828dbd73 \
--miner-enabled \
--logging=trace

The environment variables in this command configure Besu to send its logs to Splunk.

Only LOGGER, SPLUNK_URL, SPLUNK_TOKEN and SPLUNK_SKIPTLSVERIFY are required in this example. The complete list of options is in the Splunk options reference table.

Display the logs

In the Splunk web interface, navigate to the search page.

Type index="besu" in the search field. Log events sent by Besu are displayed.

Congratulations! You can now play with the search and other Splunk features to explore your Besu logs.

(Screenshot: Splunk search page)

Stop the demo

  1. To stop Besu, use Ctrl+C.
  2. To stop the Splunk container, use docker stop splunk-demo.

Run a Splunk Enterprise instance

Requirements

Important

A Splunk license is required to use Splunk Enterprise.

Download, install, and run Splunk Enterprise

Follow the steps in the Splunk Enterprise documentation.

Configure Splunk Enterprise

Once the Splunk Enterprise instance is ready:

  1. Log into the Splunk Enterprise web interface.
  2. Navigate to the settings to:

Run Besu and display logs

Run Besu the same way as when using Splunk on Docker.

Ensure you set the SPLUNK_URL value to match the HTTP Event Collector address and port.

Congratulations! You can now display logs and use the search engine.

Splunk options reference

| Name | Description | Required |
|------|-------------|----------|
| LOGGER | Set to Splunk to activate sending logs to Splunk. | Yes |
| HOST | Current host. If in a Docker environment, the default value is the Docker container ID. Otherwise, the default value is localhost. | No |
| SPLUNK_URL | URL of the Splunk HTTP Event Collector. For example, https://localhost:8088 | Yes |
| SPLUNK_TOKEN | Authentication token, usually of the form 11111111-1111-1111-1111-111111111111 | Yes |
| SPLUNK_INDEX | Index to store logs. Defaults to besu | No |
| SPLUNK_SOURCE | Source of the logs. Defaults to besu | No |
| SPLUNK_SOURCETYPE | Sourcetype of the logs. Defaults to besu | No |
| SPLUNK_BATCH_SIZE_BYTES | Size of a log batch in bytes. Defaults to 65536 | No |
| SPLUNK_BATCH_SIZE_COUNT | Size of a log batch in number of events. Defaults to 1000 | No |
| SPLUNK_BATCH_INTERVAL | Interval at which to send log batches. Defaults to 500 | No |
| SPLUNK_SKIPTLSVERIFY | Whether to skip checking the Splunk instance TLS certificate when sending data. Defaults to false | No |
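The SPLUNK_* options above map directly onto a Splunk HTTP Event Collector (HEC) client. The following Python sketch is an added illustration, not Besu's own logger code: it resolves the documented defaults, builds the HEC endpoint URL and Splunk authorization header, maps SPLUNK_SKIPTLSVERIFY onto certificate verification, and flushes a batch when the count, byte or interval limit is reached. The millisecond unit for SPLUNK_BATCH_INTERVAL and the localhost HOST default are assumptions.

```python
import json
import time

# Defaults from the Splunk options reference (HOST: localhost assumed here; Docker uses the container ID).
DEFAULTS = {
    "HOST": "localhost", "SPLUNK_INDEX": "besu", "SPLUNK_SOURCE": "besu",
    "SPLUNK_SOURCETYPE": "besu", "SPLUNK_BATCH_SIZE_BYTES": "65536",
    "SPLUNK_BATCH_SIZE_COUNT": "1000", "SPLUNK_BATCH_INTERVAL": "500",
    "SPLUNK_SKIPTLSVERIFY": "false",
}

def hec_config(env):
    """Resolve the SPLUNK_* settings from an environment mapping (e.g. os.environ)."""
    cfg = {k: env.get(k, v) for k, v in DEFAULTS.items()}
    cfg["url"] = env["SPLUNK_URL"].rstrip("/") + "/services/collector/event"
    cfg["headers"] = {"Authorization": "Splunk " + env["SPLUNK_TOKEN"]}
    # SPLUNK_SKIPTLSVERIFY=true means the HEC certificate is NOT verified.
    cfg["verify_tls"] = cfg["SPLUNK_SKIPTLSVERIFY"].lower() != "true"
    return cfg

class HecBatcher:
    """Queues HEC events; a batch is due once the count, byte size or interval
    limit is reached (SPLUNK_BATCH_INTERVAL assumed to be milliseconds)."""

    def __init__(self, cfg, clock=time.monotonic):
        self.cfg, self.clock = cfg, clock
        self.max_bytes = int(cfg["SPLUNK_BATCH_SIZE_BYTES"])
        self.max_count = int(cfg["SPLUNK_BATCH_SIZE_COUNT"])
        self.interval_s = int(cfg["SPLUNK_BATCH_INTERVAL"]) / 1000.0
        self.pending, self.size, self.last_flush = [], 0, clock()

    def add(self, message):
        """Queue one log line; return the HEC request body if a batch is due."""
        event = json.dumps({
            "time": self.clock(), "host": self.cfg["HOST"],
            "index": self.cfg["SPLUNK_INDEX"], "source": self.cfg["SPLUNK_SOURCE"],
            "sourcetype": self.cfg["SPLUNK_SOURCETYPE"], "event": message,
        })
        self.pending.append(event)
        self.size += len(event.encode())
        due = (len(self.pending) >= self.max_count or self.size >= self.max_bytes
               or self.clock() - self.last_flush >= self.interval_s)
        return self.flush() if due else None

    def flush(self):
        """Return queued events as one newline-delimited body to POST to cfg["url"]
        with cfg["headers"] (TLS checked per cfg["verify_tls"]), or None if empty."""
        body = "\n".join(self.pending) or None
        self.pending, self.size, self.last_flush = [], 0, self.clock()
        return body
```

Sending is left to the caller: POST each returned body to cfg["url"] with cfg["headers"], disabling certificate verification only when cfg["verify_tls"] is False.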