Splunk and Splunkforward Simple deployment configuration

Source: Internet
Author: User
Tags: syslog, rsyslog, splunk, universal forwarder

Deployment environment

Operating system

Server OS Version: CentOS release 6.5 (Final) 2.6.32-431.el6.x86_64

Software

Software version: splunk-6.4.0

Tar packages:

splunk-6.4.0-f2c836328108-linux-x86_64.tgz

splunkforwarder-6.4.0-f2c836328108-linux-x86_64.tgz

RPM packages:

splunk-6.4.0-f2c836328108-linux-2.6-x86_64.rpm

splunkforwarder-6.4.0-f2c836328108-linux-2.6-x86_64.rpm

IP Address

Splunk Server IP Address: 192.168.0.156

Splunk forwarder server IP address: 192.168.0.140

Installation

TAR installation (Splunk / splunkforwarder)

Splunkforwarder example:

tar xzfv /usr/src/splunkforwarder-6.4.0-f2c836328108-linux-x86_64.tgz -C /usr/local/

echo 'export PATH=/usr/local/splunkforwarder/bin:$PATH' >> /etc/profile

source /etc/profile

(Single quotes keep $PATH unexpanded in /etc/profile; with double quotes the current shell's PATH would be written into the file literally.)

RPM installation (Splunk / splunkforwarder)

rpm -ivh /usr/src/splunkforwarder-6.4.0-f2c836328108-linux-2.6-x86_64.rpm

echo 'export PATH=/opt/splunkforwarder/bin:$PATH' >> /etc/profile

source /etc/profile

Starting and stopping

Start: splunk start

Stop: splunk stop

Restart: splunk restart

Enable start at boot

splunk enable boot-start

Changing the web port and management port

splunk set splunkd-port 9998

splunk set web-port 80

Basic configuration files

Splunk:

$SPLUNK_HOME/etc/system/local/inputs.conf

$SPLUNK_HOME/etc/system/local/server.conf

$SPLUNK_HOME/etc/system/local/web.conf

Splunk forwarder:

$SPLUNK_HOME/etc/system/local/inputs.conf

$SPLUNK_HOME/etc/system/local/outputs.conf

$SPLUNK_HOME/etc/system/local/server.conf

Splunk inputs.conf

[default]

host = 192.168.0.156

index = _internal

[splunktcp://9997]

(The receiving stanza is [splunktcp://<port>] with two slashes; Splunk .conf keys are case-sensitive, so they are written exactly as below.)

server.conf

[general]

serverName = 192.168.0.156

sessionTimeout = 1h

web.conf

[settings]

startwebserver = 1

httpport = 80

mgmtHostPort = 127.0.0.1:8089

Splunk forwarder inputs.conf

[default]

index = _internal

host = 192.168.0.140

[monitor:///var/log/maillog]

[monitor:///usr/local/tomcat-7.0.67/logs/catalina.out]

[monitor:///usr/local/jboss-5.1.0.ga/server/default/log/server.log]

sourcetype = log4j

outputs.conf

[tcpout]

defaultGroup = my_server

[tcpout:my_server]

server = 192.168.0.156:9997

[tcpout-server://192.168.0.156:9997]

server.conf

[general]

serverName = 192.168.0.140

sessionTimeout = 1h
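A small checker, added here as an example that is not part of the original page, that parses Splunk-style .conf text and sanity-checks the forwarder and web settings above: that defaultGroup resolves to a [tcpout:...] stanza with a host:port server, that monitor inputs are not sent into Splunk's own _internal index, and that mgmtHostPort stays on loopback. The parser, the check functions and the sample strings are my own constructions; the IPs and values in the samples are taken from the page.

```python
import re

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}.
    Keys are case-sensitive in Splunk, so case is preserved."""
    conf, stanza = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            stanza = m.group(1)
            conf.setdefault(stanza, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            conf.setdefault(stanza, {})[key.strip()] = value.strip()
    return conf

def check_forwarder(outputs, inputs):
    """Findings for the forwarder's outputs.conf and inputs.conf (parsed dicts)."""
    findings = []
    group = outputs.get("tcpout", {}).get("defaultGroup")
    if not group:
        findings.append("outputs.conf: [tcpout] has no defaultGroup")
    elif "tcpout:" + group not in outputs:
        findings.append("outputs.conf: defaultGroup '%s' has no [tcpout:%s] stanza" % (group, group))
    else:
        for srv in outputs["tcpout:" + group].get("server", "").split(","):
            if srv.strip() and not re.match(r"^[\w.-]+:\d{1,5}$", srv.strip()):
                findings.append("outputs.conf: server '%s' is not host:port" % srv.strip())
    if inputs.get("default", {}).get("index") == "_internal":
        findings.append("inputs.conf: [default] index=_internal routes application "
                        "logs into Splunk's own internal index; use a dedicated index")
    if not any(s.startswith("monitor://") for s in inputs):
        findings.append("inputs.conf: no [monitor://...] stanza, nothing is collected")
    return findings

def check_web(web):
    """web.conf: keep splunkd management bound to loopback, as the page does."""
    host_port = web.get("settings", {}).get("mgmtHostPort", "")
    host = host_port.rsplit(":", 1)[0]
    if host in ("127.0.0.1", "localhost"):
        return []
    return ["web.conf: mgmtHostPort '%s' binds management on a non-loopback address" % host_port]

# Constructed samples mirroring the forwarder files above (values from the page).
OUTPUTS_CONF = "[tcpout]\ndefaultGroup = my_server\n[tcpout:my_server]\nserver = 192.168.0.156:9997\n"
INPUTS_CONF = "[default]\nindex = _internal\nhost = 192.168.0.140\n[monitor:///var/log/maillog]\n"
```

Running check_forwarder(parse_conf(OUTPUTS_CONF), parse_conf(INPUTS_CONF)) on the page's values reports only the _internal index finding.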

Hack: cracking the Splunk 500 MB import (indexing) limit

cd $SPLUNK_HOME

vim lib/python2.7/site-packages/splunk/appserver/mrsparkle/controllers/licensing.py

if action == 'add' and not pool_object.quota_bytes['byte_value']:
    quota_value = max(0, int(unallocated_bytes / 2**20))
    quota_value = quota_value * 1024 * 1024
else:
    quota_value = (pool_object.quota_bytes['byte_value'] or 0) / 2**20
    quota_value = quota_value * 1024 * 1024
#quota_units = 'MB'
quota_units = 'TB'

mv lib/python2.7/site-packages/splunk/appserver/mrsparkle/controllers/licensing.pyo /root

splunk restart

Changing the license

Change to the free license group:

Web mode (open http://splunk_server_ip:8000 in a browser)

Settings >> Authorization >> Change license group

Select the free license

Restart Splunk

The following reprinted data-source configuration covers host logs sent through the syslog service from Linux hosts, firewalls and switches.

Linux hosts, VPN gateways, firewalls, switches and other devices that support UDP/TCP log transfer send their logs to the Splunk server over UDP or TCP.

Operation steps:

Splunk listening port

Enable listening ports on Splunk to accept logs:

tcp:514

udp:514

Web mode:

Add Data >> Syslog >> UDP >> New

Enter port 514

If TCP is used, the procedure is the same as for UDP.

Configure the Linux hosts, VPN gateways, firewalls, switches and other devices to send logs to the Splunk server

Take Linux as an example:

Configure the rsyslog service on Linux

# vim /etc/rsyslog.conf

*.* @192.168.3.70:514    # UDP mode (a single @; @@ would select TCP)

Restart rsyslog

# service rsyslog restart
