Menu

Dark

Running AppView With Cribl Edge in a Docker Container

This topic walks you through a setup procedure, and then through the two basic AppView techniques:

  1. AppView by PID – Instrumenting one process on one host or container.
  2. AppView by Rule – Instrumenting multiple processes on an entire Edge Fleet.

We assume that you have an Edge Leader running in Cribl.Cloud, you want to add a new Edge Node to its Fleet – and that that Edge Node will be in a Docker container (or another type of container that's also Open Container Initiative-compliant).

We assume that your goal is to appview processes running on the host where the new Edge Node’s Docker container resides, or, that run on other containers on that host.

You can easily modify these instructions to add more than one Edge Node and then use AppView by Rules to appview processes on the entire Fleet.

Setting Up a New Edge Node

In Cribl.Cloud:

  1. Click Manage Edge.
  2. Select the Fleet where you’ll be adding a Linux host – default_fleet is fine.
  3. From the Add/Update Edge Node drop-down, select Docker to open the Add Docker Node modal.

  4. Click Copy script and dismiss the modal.

    • Note: Several parameters provided on this modal can alter the contents of the script. Defaults are fine for this example.
    • Alternative: Copy the script from the docs.
  5. Note the value of Edge Nodes at upper left.

On the Linux host we want to observe with Edge:

  1. Paste the script into the shell.

  2. Add  -v /var/run/appview:/var/run/appview to the script.

    • This step is not necessary if you copied the script from the docs.
  3. Execute the script – this will run Edge in a Docker container.

Return to Cribl.Cloud UI to verify that the new Node is present:

  1. The value of Edge Nodes should have increased by 1.
  2. Select List View (and filtering by host if needed) – the new Edge Node should appear in the list.

At this point, Edge is running in a Docker container and is connected to the Edge Leader.

Scoping by PID

Still in Edge’s List View tab:

  1. Click the GUID for the host we’ve just added.
  2. Click the count of running processes at upper left to open a list view of processes.

On the Linux host:

  • In a shell, start a process you want to appview. For this example, let’s start top.

Back in Edge:

Within seconds, top should appear in the process list. (If you don’t see it, try filtering by command.) At this point top is running but is not yet instrumented by AppView.

  1. Select the top command's row to open the Process: top drawer.

  2. In the AppView tab, select the AppView Configuration we want to use for this process.

    • Select A sensible AppView configuration ... .

  3. Leave the default Source as in_appview.

    • If you use a different AppView Source, configure that Source to set General Settings > Optional Settings > UNIX socket permissions to 777.

  4. Click Start monitoring.

    • After a minute or so, you should see green checkmarks in all the Status columns.

Now you’ll want to confirm that Edge is receiving AppView data for the viewed top process.

On the Edge Leader, navigate to More > Sources and select AppView to open the Source page.

In the row where ID is in_appview:

  • The Source should be enabled.
  • Socket should be set to $CRIBL_HOME/state/appview.sock.
  • In the Status column, click Live, and you should now see events flowing.

Scoping by Rule

On the Linux host:

  • In your shell, start a process you want to appview. Again, let’s run top.

On the Edge Leader:

  • Navigate to More > Sources and select AppView to open the Source page.
  • Select the row where ID is in_appview .

In the AppView Rules tab, under Rules, click Add Rule and complete the Rule as follows:

  • Process name: top
  • Process argument: Skip this, because Process name and Process argument are mutually exclusive.
  • AppView config: Select A sensible AppView configuration ... .

Next:

  1. Click Save.
  2. Click Commit and provide a commit message.
  3. Click Commit and Deploy.

Wait for the changes to be deployed to the Edge Node – probably around 30 seconds.

  • Click the Live Data tab, and you should now see events flowing. Next, we'll show that any process matching your Rule gets viewed.

Back on the Linux host:

  1. In your shell, start another top process.
  2. Click the Live Data tab.

You should now see events flowing from two top processes – they’ll have different PIDs.

Return to Edge’s List View tab – the AppView column should indicate that both top processes are being viewed.

This gets to what’s so powerful about Rules: You can start processes after setting things up, and they get viewed.

Optionally, you can try the other two configurations and see how the viewed data changes. For the config that has payloads enabled, curl and wget are good choices.

If you want to do more, consider creating Routes and Pipelines in Cribl Edge, to send AppView data to your favorite Destination(s).

AppView

©2024 AppView | License