System Administration of Splunk: Take the sh out of IT.
- Slides: 15
What is it?
• Search and analysis engine
• Google-like search of your log data

Versions
• Free
  – 500 MB/day
  – Reporting
  – Ad-hoc search
• Enterprise (all of the above, and)
  – 500 MB/day and more!
  – Access controls
  – Distributed search, load balancing
  – Monitoring & alerting

OS Supported
• Windows (32 & 64-bit)
• Linux
• Solaris
• OS X
• FreeBSD
• AIX
• HP-UX
Data Sources
Two parts of Splunk
• Splunkd
  – Does all the heavy lifting
  – Indexes all files
  – Controls access to data
  – Core component
• SplunkWeb
  – User interface to the data
  – CherryPy web server

Two types of forwarder
• Normal forwarding
• Lightweight forwarding
  – Only difference is that lightweight disables SplunkWeb

Setup 1: Single Server
• Server 1
  – Install Splunkd and SplunkWeb

Configuration of Server 1
• Via Web GUI under the Manager tab
• Add a receiver port to enable forwarders

Setup 2: Forwarder Setup (most common)
• Server 1
  – Install Splunkd and SplunkWeb
• Server X
  – Install Splunkd
Configuration of Server X
• Via inputs.conf file and install script (SPLUNK\etc\system\local\inputs.conf):

    [default]
    host = ServerX

    [WinEventLog:Security]
    index = SaaSIndex1
    disabled = 0
    start_from = oldest
    current_only = 0
    evt_resolve_ad_obj = 1
    checkpointInterval = 5

    [monitor://E:\logs\W3SVC259463726]
    _blacklist = (archive)
    disabled = false
    index = SaaSIndex1

• Or CLI:
  – splunk add forward-server 1:9500 -auth admin:changeme (or Server Y if using a proxy type forwarding system)
  – splunk add monitor E:\logs\W3SVC259463726 -index=SaaSIndex1
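The inputs.conf above decides which host name, index and inputs the Security event log and the IIS logs are collected under, so it is worth checking before the install script pushes it to every Server X. The following Python is an added example, not code from the deck or from Splunk: it parses Splunk's stanza format with [default] inheritance, reports which inputs are enabled and where they send events, and flags enabled inputs that have no index; the sample conf text is constructed from the slide.

```python
import configparser

# Sample inputs.conf constructed from the stanzas on the "Configuration of
# Server X" slide (backslashes in the monitor path restored); not a real file.
SAMPLE_INPUTS_CONF = r"""
[default]
host = ServerX

[WinEventLog:Security]
index = SaaSIndex1
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5

[monitor://E:\logs\W3SVC259463726]
_blacklist = (archive)
disabled = false
index = SaaSIndex1
"""

def parse_splunk_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}. Splunk's [default]
    stanza feeds values such as host into every other stanza, which is what
    configparser's default_section does, so each parsed stanza carries them."""
    cp = configparser.ConfigParser(default_section="default",
                                   interpolation=None, strict=False)
    cp.optionxform = str  # keep key case, e.g. checkpointInterval
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def is_enabled(stanza):
    """Splunk reads disabled = 0/false as enabled; a missing key means enabled."""
    return stanza.get("disabled", "0").strip().lower() in ("0", "false")

def audit_inputs(text):
    """Return (enabled, findings). enabled: [(stanza, host, index)] for inputs
    that will collect data. findings: enabled inputs with no explicit index,
    whose events Splunk routes to its default index (main) instead."""
    enabled, findings = [], []
    for name, kv in parse_splunk_conf(text).items():
        if not is_enabled(kv):
            continue
        index = kv.get("index")
        if index is None:
            findings.append(f"{name}: no index set; events go to the default index")
        enabled.append((name, kv.get("host"), index))
    return enabled, findings
```

Run audit_inputs() over the real file (SPLUNK\etc\system\local\inputs.conf) on a forwarder to confirm every enabled input lands in the index you expect before the install script is rolled out.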
Setup 3: Proxy Forwarder
• Server 1
  – Install Splunkd and SplunkWeb
• Server X
  – Install Splunkd
• Server Y
  – Install Splunkd

Configuration of Server Y
• Same as the other servers for local log file indexing
• Need to set it up to proxy traffic (SPLUNK\etc\apps\SplunkLightForwarder\local\default-mode.conf):

    [pipeline:tcp]
    disabled = true

    [pipeline:udp]
    disabled = false
Script to install on Windows

    @echo off
    cls
    echo =============
    echo Installation started
    echo =============
    setlocal
    REM Pick the MSI that matches the host architecture (PROCESSOR_ARCHITEW6432 is set when a 32-bit shell runs on 64-bit Windows)
    IF "%PROCESSOR_ARCHITECTURE%" == "AMD64" goto b64
    IF "%PROCESSOR_ARCHITEW6432%" == "AMD64" goto b64
    :b32
    set SPLUNK_MSI=E:\Splunk\splunk-4.0.9-74233-x86-release.msi
    goto endb6432
    :b64
    set SPLUNK_MSI=E:\Splunk\splunk-4.0.9-74233-x64-release.msi
    goto endb6432
    :endb6432
    set LOC=%ProgramFiles%\Splunk
    REM Silent install; LAUNCHSPLUNK=0 keeps Splunk from starting right after install so the pre-staged etc\ tree can be copied in first
    msiexec.exe /i "%SPLUNK_MSI%" INSTALLDIR="%LOC%" LAUNCHSPLUNK=0 SPLUNK_APP="" AUTOSTARTSERVICE=1 /QUIET
    xcopy etc "%LOC%\etc" /s /f /y
    pushd "%LOC%\bin"
    splunk clean eventdata sample -f
    REM Swap in the forwarder license, then create the indexes, enable the light forwarder app and point it at the indexer
    REM (admin:changeme is the credential used throughout the deck; it is Splunk's shipped default)
    move "%LOC%\etc\splunk-forwarder.license" "%LOC%\etc\splunk.license"
    splunk restart
    splunk add index saas_dev -auth admin:changeme
    splunk add index saas_admin -auth admin:changeme
    splunk enable app SplunkLightForwarder -auth admin:changeme
    splunk add forward-server 1.mydomain.com:9500 -auth admin:changeme
    splunk stop
Key Things to Remember!
• Never modify files in the default directories
• When using critical network links between sites, use the limits.conf file to restrict Splunk
• If you don't know how something is working, check the Splunk site. Lots of great articles