Installing Splunk on CentOS 7
https://linoxide.com/monitoring-2/install-splunk-centos-7/
1 Create a Splunk User
Run the following as root:
groupadd splunk
useradd -d /opt/splunk -m -g splunk splunk
su - splunk
id
uid=1001(splunk) gid=1001(splunk) groups=1001(splunk)
Confirm the server architecture
getconf LONG_BIT
64
2 Download and extract the Splunk Enterprise version
Create an account and download Splunk from: https://www.splunk.com/
Using FileZilla, copy the downloaded file to /tmp on the server. Verify the archive against the SHA-512 hash published next to the download before you extract it; a tampered installer would run as the splunk user on every host you put it on.
Now extract the tar file and copy its contents to the Splunk application folder, /opt/splunk (the home directory of the splunk user created by the useradd command above)
cd /tmp
tar -xvf splunk-7.0.0-c8a78efdd40f-Linux-x86_64.tgz
cp -rp splunk/* /opt/splunk/
chown -R splunk: /opt/splunk/
3 Splunk Installation
Once the Splunk software is in place, log in as the splunk user and start it from its bin directory
The Enterprise trial license is used by default
su - splunk
cd bin/
./splunk start --accept-license
Now you can access the Splunk Web interface at http://IP:8000/ or http://hostname:8000. Make sure port 8000 is open in your server firewall (firewalld on CentOS 7). Splunk Web serves plain HTTP unless enableSplunkWebSSL = true is set in web.conf, so do not log in across an untrusted network until that is done.
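Steps 1 to 3 as one script, added here as an example and not part of the original guide: it refuses to unpack an archive whose SHA-512 does not match the hash from the download page, creates the splunk user only if missing, opens port 8000 in firewalld when it is present, and starts Splunk as the unprivileged user. The tarball name is the guide's; the expected hash is an input you paste from splunk.com (placeholder in the usage comment).

```shell
#!/usr/bin/env bash
# Added example (not the original guide's code): verified, idempotent install
# of the Splunk Enterprise tarball as the unprivileged splunk user.
set -u

# sha512_of FILE: hex SHA-512 digest (coreutils sha512sum, shasum as fallback).
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'
    fi
}

# verify_sha512 FILE EXPECTED_HEX: 0 on match, 1 on mismatch, 2 if unreadable.
verify_sha512() {
    local file=$1 expected=$2 actual
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    actual=$(sha512_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    printf 'CHECKSUM MISMATCH for %s\n  expected %s\n  got      %s\n' \
        "$file" "$expected" "$actual" >&2
    return 1
}

# host_is_64bit: the x86_64 build needs a 64-bit host (getconf LONG_BIT).
host_is_64bit() {
    [ "$(getconf LONG_BIT 2>/dev/null)" = "64" ]
}

# install_splunk TARBALL EXPECTED_HEX: run as root. Creates the splunk user
# with /opt/splunk as its home, unpacks the archive there, fixes ownership,
# opens the Splunk Web port in firewalld if present, and starts splunkd as
# the unprivileged user (never as root).
install_splunk() {
    local tarball=$1 expected=$2
    host_is_64bit || { echo "64-bit host required" >&2; return 1; }
    verify_sha512 "$tarball" "$expected" || return 1
    getent group splunk >/dev/null || groupadd splunk
    id -u splunk >/dev/null 2>&1 || useradd -d /opt/splunk -m -g splunk splunk
    # The archive's top-level directory is "splunk", so -C /opt lands in /opt/splunk
    tar -xzf "$tarball" -C /opt
    chown -R splunk: /opt/splunk
    if command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --permanent --add-port=8000/tcp && firewall-cmd --reload
    fi
    # --accept-license is the real flag name
    su - splunk -c '/opt/splunk/bin/splunk start --accept-license'
}

# Usage (as root), with EXPECTED_SHA512 copied from the download page:
#   install_splunk /tmp/splunk-7.0.0-c8a78efdd40f-Linux-x86_64.tgz "$EXPECTED_SHA512"
```

The checksum step is the supply-chain control: the download page is the only trusted statement of what the archive should hash to, so the script aborts rather than extracting on a mismatch.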
4 Configuring Splunk Web Interface
With Splunk running, set up the Splunk Web interface. On your first visit, log in with the default credentials shown on the login page, which are admin/changeme for this version. Once logged in, the very next page asks you to enter and confirm a new password.
In this lab the new password for the admin user is set to '1'. That is acceptable only on an isolated test VM; anywhere else use a long, unique password, since this account can run any search, read every index and install apps.
To use the English web interface, append 'en-US' to the URL, for example:
http://192.168.1.250:8000/en-US
5 Adding a task
Here is an example of a simple task: adding the /var/log folder to the Splunk system for monitoring.
1 Open up the Splunk Web interface Click on the Settings Tab >> Choose the Add Data option
2 The Add Data Tab opens up with three options: Upload, Monitor and Forward Here our task is to monitor a folder, so we go ahead with Monitor
In the Monitor option, there are four categories:
Files & Directories : monitor files or folders on this host
HTTP Event Collector : receive events pushed over HTTP
TCP/UDP : listen on a network port for incoming data
Scripts : run a script and index its output
3 For our purpose, choose the Files & Directories option
4 Now choose the exact folder path on the server to monitor. Once you confirm the settings, click Next and then Review
Select the /var/log directory. Splunk reads it as the splunk user, so files that only root can read (on CentOS 7 this includes /var/log/secure) are skipped; grant the splunk user read access to those files rather than running Splunk as root.
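A pre-flight check for the /var/log input, added as an example and not part of the original guide: it lists the files under a directory that the splunk user cannot read (not owned by it and with no group/other read bit), grants read access with a POSIX ACL instead of running Splunk as root, and prints the inputs.conf stanza equivalent to the Web UI steps above. The user name splunk is the guide's; the directory and files in the usage comment are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the original guide's code): find what the unprivileged
# splunk user cannot read under a monitored directory, and fix it with ACLs.
set -u

# owner_only_files DIR USER: print regular files under DIR that USER cannot
# read because they are neither owned by USER nor group/other readable.
owner_only_files() {
    local dir=$1 user=$2 f mode owner
    find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
        owner=$(stat -c '%U' "$f")
        mode=$(stat -c '%a' "$f")          # octal, e.g. 600 or 644
        case "$mode" in
            *[4-7][0-7]|*[0-7][4-7]) continue ;;   # group or other can read
        esac
        [ "$owner" = "$user" ] || printf '%s\n' "$f"
    done
}

# grant_read FILE USER: add a named-user read ACL (setfacl ships with
# CentOS 7). Rotated logs are new files without the ACL, so re-run this
# after logrotate or call it from a postrotate script.
grant_read() {
    setfacl -m "u:$2:r" "$1"
}

# monitor_stanza DIR: the inputs.conf form of the Web UI "Files & Directories"
# input for DIR.
monitor_stanza() {
    printf '[monitor://%s]\ndisabled = 0\n' "$1"
}

# Usage, as root, before adding the input:
#   owner_only_files /var/log splunk
#   owner_only_files /var/log splunk | while IFS= read -r f; do grant_read "$f" splunk; done
#   monitor_stanza /var/log >> /opt/splunk/etc/system/local/inputs.conf
```

Running the listing first matters because the monitor input does not fail loudly on unreadable files; it simply never indexes them, which is exactly the gap an attacker clearing their tracks in /var/log/secure would benefit from.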
6 Enable a receiver (so that Universal Forwarders can send logs to it)
For Splunk to receive logs from other machines it must open a receiving (listening) port. Documentation: http://docs.splunk.com/Documentation/Splunk/7.0.0/Forwarding/Enableareceiver
On the server: there are 3 ways to open the listening port; editing the inputs.conf configuration file is the recommended one
6.1 Splunk Web
Log into the receiver as admin or an administrative equivalent
1. Click Settings > Forwarding and receiving.
2. At Configure receiving, click Add new.
3. Specify the TCP port you want the receiver to listen on (the listening port, also known as the receiving port). For example, if you enter "9997," the receiver listens for connections from forwarders on port 9997. You can specify any unused port. You can use a tool like netstat to determine what ports are available on your system. Make sure the port you select is not in use by splunkweb or splunkd
4. Click Save. Splunk software starts listening for incoming data on the port you specified.
6.2 Set up receiving with Splunk CLI
1. From a shell or command prompt, change to the $SPLUNK_HOME/bin directory:
cd $SPLUNK_HOME/bin
2. Run the CLI command to enable receiving:
./splunk enable listen <port> -auth <username>:<password>
The username and password are 'admin' and '1', as set above.
Check which ports are already in use (listening TCP/UDP sockets; netstat is in the net-tools package on CentOS 7, or use ss -tuln):
netstat -tuln
Check for a specific port (e.g. 22):
netstat -tuln | grep ':22 '
6.3 Set up receiving with configuration files
You can enable receiving on your Splunk Enterprise instance by
configuring inputs.conf in $SPLUNK_HOME/etc/system/local You might need to create this file if it does not exist
1. With a text editor, open inputs.conf in $SPLUNK_HOME/etc/system/local
2. Add a [splunktcp] stanza that specifies the receiving port. In this example, the receiving port is 9997:
[splunktcp://9997]
disabled = 0
3. Restart Splunk software for the changes to take effect
This stanza accepts unauthenticated, unencrypted data from any host that can reach port 9997, so restrict the port to your forwarders' addresses in the host firewall; for anything beyond a lab, use the [splunktcp-ssl:<port>] form with certificates instead.
On the client (Universal Forwarder):
6.4 Download
http://docs.splunk.com/Documentation/Forwarder/7.0.0/Forwarder/Installanixuniversalforwarder#Install_the_universal_forwarder_on_Linux
Download the .tgz file from https://www.splunk.com/en_us/download/universal-forwarder.html
Copy the file to /tmp with FileZilla
Extract it into /opt
cd /tmp
tar xvzf splunkforwarder-7.0.0-c8a78efdd40f-Linux-x86_64.tgz -C /opt
6.5 Configure the universal forwarder
http://docs.splunk.com/Documentation/Splunk/5.0.18/Deploy/Deployanixdfmanually
On the forwarder machine, run:
/opt/splunkforwarder/bin/splunk start --accept-license
1 Configure the universal forwarder to auto-start (as root):
root@ubuntu:/opt/splunkforwarder/bin# ./splunk enable boot-start
2 Configure the output. Edit outputs.conf
nano /opt/splunkforwarder/etc/system/local/outputs.conf
Set the contents as follows (the server= setting belongs in the [tcpout:<group>] stanza; running ./splunk add forward-server 192.168.28.149:9997 writes the same three stanzas for you):
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 192.168.28.149:9997

[tcpout-server://192.168.28.149:9997]
192.168.28.149 is the address of the Splunk server. Data on this link is unencrypted; for production pair it with a [splunktcp-ssl] receiver and the matching client certificate settings in outputs.conf.
Debug (btool prints the merged configuration and, with --debug, which file each setting comes from; on the forwarder the binary is /opt/splunkforwarder/bin/splunk):
/opt/splunk/bin/splunk btool inputs list --debug
/opt/splunk/bin/splunk btool outputs list --debug
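Both ends of the forwarder-to-indexer link from sections 6.3 and 6.5, generated by one script added here as an example (not the original guide's code): the receiver's inputs.conf stanza in plain and TLS form, the forwarder's outputs.conf with all three stanzas, and a TCP reachability probe to run from the forwarder before restarting anything. 192.168.28.149 and 9997 are the guide's values; the certificate path under $SPLUNK_HOME/etc/auth is an assumption to replace with your own.

```shell
#!/usr/bin/env bash
# Added example (not the original guide's code): render receiver and forwarder
# configs for the Splunk-to-Splunk TCP link and pre-flight the connection.
set -u

# receiver_inputs PORT [ssl]: inputs.conf stanza for the indexer. The plain
# [splunktcp://PORT] form accepts unauthenticated, cleartext data from any
# host that can reach the port; "ssl" emits the TLS form and additionally
# requires a client certificate, so only forwarders you issued a cert to can send.
receiver_inputs() {
    local port=$1 mode=${2:-plain}
    if [ "$mode" = "ssl" ]; then
        printf '[splunktcp-ssl:%s]\ndisabled = 0\n\n' "$port"
        # serverCert path is an assumption: point it at your own certificate
        printf '[SSL]\nserverCert = $SPLUNK_HOME/etc/auth/indexer.pem\nrequireClientCert = true\n'
    else
        printf '[splunktcp://%s]\ndisabled = 0\n' "$port"
    fi
}

# forwarder_outputs HOST PORT: outputs.conf for the universal forwarder. The
# server= setting lives in the [tcpout:<group>] stanza; this is what
# "splunk add forward-server HOST:PORT" writes.
forwarder_outputs() {
    local host=$1 port=$2
    printf '[tcpout]\ndefaultGroup = default-autolb-group\n\n'
    printf '[tcpout:default-autolb-group]\nserver = %s:%s\n\n' "$host" "$port"
    printf '[tcpout-server://%s:%s]\n' "$host" "$port"
}

# tcp_port_open HOST PORT: 0 if a TCP connect succeeds (bash /dev/tcp, no
# netcat needed). From the forwarder, "connection refused" means the receiver
# is not enabled; a timeout usually means a firewall in between.
tcp_port_open() {
    local host=$1 port=$2
    if command -v timeout >/dev/null 2>&1; then
        timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
    else
        bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
    fi
}

# Usage:
#   receiver_inputs 9997 >> /opt/splunk/etc/system/local/inputs.conf            # on the indexer
#   forwarder_outputs 192.168.28.149 9997 > /opt/splunkforwarder/etc/system/local/outputs.conf
#   tcp_port_open 192.168.28.149 9997 && echo "receiver reachable"             # from the forwarder
#   /opt/splunk/bin/splunk btool inputs list --debug                           # confirm the stanza
```

Probing the port from the forwarder separates the two failure modes that look identical in splunkd.log on the forwarder: a receiver that was never enabled (refused) and a firewall that drops the traffic (timeout).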
7. USING SYSLOG-NG on Ubuntu to send logs to Splunk: Get data from TCP and UDP ports
On the server:
1 Click Settings.
2 Click Data Inputs.
3 Choose TCP or UDP.
4 Click New to add an input.
5 In the Source name override field, enter a new source name to override the default source value, if
necessary
Note: Consult Splunk Support before changing the "Source name override" value.
6 Click Next to continue to the Input Settings page.
Specify input settings (for this example, a TCP input on port 5500, which the syslog-ng destination on the client targets).
Click Review, then Submit, then Start Searching.
Install syslog-ng on the Linux client and disable rsyslog, which runs by default. Then edit the syslog-ng configuration on the client:
nano /etc/syslog-ng/syslog-ng.conf
# Send everything from the default local source (s_src, defined in the stock
# Ubuntu syslog-ng.conf) to the Splunk server's TCP input. This is plain TCP:
# anyone on the path can read or inject log lines, so keep it on a trusted
# network or switch to syslog-ng's TLS transport.
destination remote_log_server {
    tcp("192.168.28.149" port(5500));
};
log { source(s_src); destination(remote_log_server); };
service syslog-ng restart
Check the result:
On the Linux client:
cat /var/log/syslog
On the Splunk server:
In Splunk Web on the server, search for the events arriving on the TCP input.
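A way to test the server-side TCP input independently of syslog-ng, added as an example and not part of the original guide: build RFC 3164 syslog lines (the same shape syslog-ng's tcp() destination emits) from a facility and severity, and push them straight into the Splunk TCP input over bash's /dev/tcp. 192.168.28.149:5500 are the guide's values; the host name, tag and message text in the usage comment are constructed, and the search assumes you chose the syslog sourcetype for the input.

```shell
#!/usr/bin/env bash
# Added example (not the original guide's code): craft and send syslog test
# events to the Splunk TCP input.
set -u

# syslog_pri FACILITY SEVERITY: PRI = facility*8 + severity, the "<13>"
# prefix that Splunk's syslog sourcetype parses into the event's priority.
syslog_pri() {
    local fac sev
    case "$1" in
        kern) fac=0 ;;   user) fac=1 ;;   mail) fac=2 ;;    daemon) fac=3 ;;
        auth) fac=4 ;;   syslog) fac=5 ;; cron) fac=9 ;;    authpriv) fac=10 ;;
        local[0-7]) fac=$(( 16 + ${1#local} )) ;;
        *) echo "unknown facility: $1" >&2; return 1 ;;
    esac
    case "$2" in
        emerg) sev=0 ;;   alert) sev=1 ;;  crit) sev=2 ;; err) sev=3 ;;
        warning) sev=4 ;; notice) sev=5 ;; info) sev=6 ;; debug) sev=7 ;;
        *) echo "unknown severity: $2" >&2; return 1 ;;
    esac
    echo $(( fac * 8 + sev ))
}

# syslog_line FACILITY SEVERITY HOST TAG MESSAGE: one BSD-syslog line,
# "<PRI>Mon dd HH:MM:SS host tag: message".
syslog_line() {
    local pri
    pri=$(syslog_pri "$1" "$2") || return 1
    printf '<%s>%s %s %s: %s\n' "$pri" "$(date '+%b %e %T')" "$3" "$4" "$5"
}

# send_syslog_tcp HOST PORT LINE...: write the lines to HOST:PORT over one
# TCP connection (bash /dev/tcp). Non-zero if the connect fails, i.e. the
# Splunk TCP input is not listening or a firewall blocks it.
send_syslog_tcp() {
    local host=$1 port=$2
    shift 2
    printf '%s' "$@" | bash -c "exec cat >/dev/tcp/$host/$port"
}

# Usage, from the Ubuntu client (values constructed for the test):
#   line=$(syslog_line auth crit ubuntu sshd 'test event for Splunk TCP input')
#   send_syslog_tcp 192.168.28.149 5500 "$line" && echo sent
#   then in Splunk Web: sourcetype=syslog "test event for Splunk TCP input"
```

Because the input is unauthenticated TCP, anything that can reach port 5500 can do exactly this; that is useful for testing and a reason to firewall the port to the syslog-ng client's address.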
8. USING the universal forwarder on Windows to send logs to Splunk:
Download the universal forwarder
Download and install it in the usual way: https://www.splunk.com/en_us/download/universal-forwarder.html http://docs.splunk.com/Documentation/Forwarder/7.0.0/Forwarder/HowtoforwarddatatoSplunkEnterprise The original lab turned off the Windows firewall; that step is unnecessary, since the forwarder only makes outbound connections, which Windows Firewall allows by default, so leave the firewall on.
Open the Universal Forwarder's bin directory in PowerShell (run as Administrator)
cd 'C:\Program Files\SplunkUniversalForwarder\bin'
.\splunk.exe add forward-server 192.168.28.149:1607
The username/password prompted for here are the forwarder's own local admin credentials (admin/changeme on a fresh 7.0 universal forwarder), not the server's
Note: use a separate receiving port from the Linux client above; the server must also be listening on it (a [splunktcp://1607] stanza, or the equivalent entry under Settings > Forwarding and receiving)
Configure the universal forwarder as a deployment client
.\splunk set deploy-poll <host>:<port>
host is the name or IP address of the deployment server
port is the management port of the deployment server It defaults to 8089
Configure the universal forwarder to send data to Splunk Enterprise
To collect Event Viewer logs:
cd %SPLUNK_HOME%\etc\system\local
Edit inputs.conf there by adding these stanzas:
# Windows platform specific input processor
[WinEventLog://Application]
disabled = 0
[WinEventLog://Security]
disabled = 0
[WinEventLog://System]
disabled = 0
Restart the forwarder from an elevated PowerShell prompt in
C:\Program Files\SplunkUniversalForwarder\bin (.\splunk restart)
Install an add-on into the universal forwarder
1. Stop the universal forwarder
cd %SPLUNK_HOME%\bin
.\splunk stop
2. Download the add-on from Splunkbase, if you have not already
Download the Splunk Add-on for Windows from Splunkbase
After downloading, place the file in C:\
3. Install the add-on into the universal forwarder
.\splunk.exe install app C:\splunk-add-on-for-microsoft-windows_484.tar.gz
App 'windows' is installed
4. (Optional) Configure the add-on on the forwarder by editing configuration files or running scripts included with the add-on
Create the directory
%SPLUNK_HOME%\etc\apps\Splunk_TA_windows\local
Create the file
%SPLUNK_HOME%\etc\apps\Splunk_TA_windows\local\inputs.conf
Copy the contents of the inputs.conf in:
C:\Program Files\SplunkUniversalForwarder\etc\system\local
(the WinEventLog stanzas added above) into the inputs.conf in:
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local
Restart the universal forwarder
METHOD 2:
See the file:
[123doc] - do-an-splunk-enterprise.pdf