System Administration of Splunk: Take the sh out of IT.

What is it?
• Search and analysis engine
• Google-like search of your log data

Versions
• Free
  – 500 MB/day
  – Reporting
  – Ad-hoc search
• Enterprise (all of the above and)
  – 500 MB/day and more!
  – Access controls
  – Distributed Search, Load Balancing
  – Monitoring & Alerting

OS Supported
• Windows (32 & 64-bit)
• Linux
• Solaris
• OSX
• FreeBSD
• AIX
• HP-UX

Data Sources

Two parts of Splunk
• Splunkd
  – Does all the heavy lifting
  – Indexes all files
  – Controls access to data
  – Core component
• SplunkWeb
  – User interface to the data
  – CherryPy web server

Two types of forwarder
• Normal Forwarding
• Lightweight Forwarding
  – Only difference is that Lightweight disables SplunkWeb

Setup 1: Single Server
• Server1
  – Install Splunkd and SplunkWeb

Configuration of Server1
• Via WebGUI under the Manager tab
• Add Receiver Port to enable forwarders

Setup 2: Forwarder Setup (most common)
• Server1
  – Install Splunkd and SplunkWeb
• ServerX
  – Install Splunkd

Configuration of ServerX
• Via inputs.conf file and install script (SPLUNK\etc\system\local\inputs.conf):

    [default]
    host = ServerX

    [WinEventLog:Security]
    index = SaaSIndex1
    disabled = 0
    start_from = oldest
    current_only = 0
    evt_resolve_ad_obj = 1
    checkpointInterval = 5

    [monitor://E:\logs\W3SVC259463726]
    _blacklist = (archive)
    disabled = false
    index = SaaSIndex1

• Or CLI
  – splunk add forward-server 1:9500 -auth admin:changeme
    (or ServerY if using a proxy type forwarding system)
  – splunk add monitor E:\logs\W3SVC259463726 -index=SaaSIndex1
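An added example, not part of the deck, that parses an inputs.conf like the ServerX one above and reports which inputs are enabled and which index they write to, applying the [default] stanza inheritance Splunk uses; the sample config is constructed from the stanzas on this slide plus one disabled monitor stanza.

```python
# Constructed sample, modelled on the ServerX inputs.conf on this slide (not the deck's own file).
SAMPLE_INPUTS_CONF = r"""
[default]
host = ServerX

[WinEventLog:Security]
index = SaaSIndex1
disabled = 0

[monitor://E:\logs\W3SVC259463726]
_blacklist = (archive)
disabled = false
index = SaaSIndex1

[monitor://E:\logs\archive]
disabled = 1
"""

# Splunk accepts several spellings for boolean settings such as disabled.
_TRUE = {"1", "true", "t", "yes", "y"}


def parse_inputs_conf(text):
    """Return {stanza: {key: value}} in file order; '#' lines are comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]  # stanza names may contain ':' and '//'
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def enabled_inputs(text):
    """List (stanza, index) for inputs that are not disabled, with [default] inherited."""
    stanzas = parse_inputs_conf(text)
    defaults = stanzas.pop("default", {})
    result = []
    for name, settings in stanzas.items():
        merged = {**defaults, **settings}  # stanza keys override [default]
        if merged.get("disabled", "0").lower() not in _TRUE:
            result.append((name, merged.get("index", "main")))  # Splunk's default index
    return result
```

Running enabled_inputs over a forwarder's local inputs.conf is a quick way to confirm that every enabled input lands in the index you expect before the host starts sending data.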

Setup 3: Proxy Forwarder
• Server1
  – Install Splunkd and SplunkWeb
• ServerX
  – Install Splunkd
• ServerY
  – Install Splunkd

Configuration of ServerY
• Same as the other server for local log file indexing
• Needs to be set up to proxy traffic (SPLUNK\etc\apps\SplunkLightForwarder\local\default-mode.conf):

    [pipeline:tcp]
    disabled = true

    [pipeline:udp]
    disabled = false

Script to install on Windows

    @echo off
    cls
    echo =============
    echo Installation started
    echo =============
    setlocal
    REM PROCESSOR_ARCHITEW6432 is set when a 32-bit cmd.exe runs on 64-bit Windows
    IF "%PROCESSOR_ARCHITECTURE%" == "AMD64" goto b64
    IF "%PROCESSOR_ARCHITEW6432%" == "AMD64" goto b64
    :b32
    set SPLUNK_MSI=E:\Splunk\splunk-4.0.9-74233-x86-release.msi
    goto endb6432
    :b64
    set SPLUNK_MSI=E:\Splunk\splunk-4.0.9-74233-x64-release.msi
    goto endb6432
    :endb6432
    set LOC=%ProgramFiles%\Splunk
    REM silent install, do not launch Splunk yet, register the service to autostart
    msiexec.exe /i "%SPLUNK_MSI%" INSTALLDIR="%LOC%" LAUNCHSPLUNK=0 SPLUNK_APP="" AUTOSTARTSERVICE=1 /QUIET
    REM copy the prepared etc tree (inputs.conf etc.) over the fresh install
    xcopy etc "%LOC%\etc" /s /f /y
    pushd "%LOC%\bin"
    splunk clean eventdata sample -f
    move "%LOC%\etc\splunk-forwarder.license" "%LOC%\etc\splunk.license"
    splunk restart
    REM admin:changeme is the out-of-the-box admin credential; the script assumes it has not been changed
    splunk add index saas_dev -auth admin:changeme
    splunk add index saas_admin -auth admin:changeme
    splunk enable app SplunkLightForwarder -auth admin:changeme
    splunk add forward-server 1.mydomain.com:9500 -auth admin:changeme
    splunk stop

Key Things to Remember!
• Never modify files in the default directories
• When using critical network links between sites, use the limits.conf file to restrict Splunk
• If you don't know how something is working, check the Splunk site. Lots of great articles