Splunk and Splunkforward Simple deployment configuration

Deploying an environment Operating system

Server OS Version: CentOS release 6.5 (Final) 2.6.32-431.el6.x86_64

Software

Software version: splunk-6.4.0

Tar

Splunk-6.4.0-f2c836328108-linux-x86_64.tgz

Splunkforwarder-6.4.0-f2c836328108-linux-x86_64.tgz

rpm:splunk-6.4.0-f2c836328108-linux-2.6-x86_64.rpm

splunkforwarder-6.4.0-f2c836328108-linux-2.6-x86_64.rpm

IP Address

Splunk Server IP Address: 192.168.0.156

Splunkforwarder Server address: 192.168.0.140

Splunk Installing the TAR installation Splunk

Splunkforwarder

Tar xzfv/usr/src/splunkforwarder-6.4.0-f2c836328108-linux-x86_64.tgz-c/usr/local/

echo "Export path=/usr/local/splunkforwarder/bin: $PATH" >>/etc/profile

Source/etc/profile

RPM Installation Splunksplunkforwarder

rpm-ivh/usr/src/splunkforwarder-6.4.0-f2c836328108-linux-2.6-x86_64.rpm

echo "Export path=/opt/splunkforwarder/bin: $PATH" >>/etc/profile

Source/etc/profile

Start off

Start: Splunk start

Close: Splunk stop

Restart: splunk restart

Set boot up

Splunk Enable Boot-start

Changing the Web port and management port

L Splunk Set Splunkd-port 9998

L Splunk Set Web-port 80

To configure the basic configuration file Splunk

$SPLUNK _home/etc/system/local/inputs.conf

$SPLUNK _home/etc/system/local/server.conf

$SPLUNK _home/etc/system/local/web

Splunkforward

$SPLUNK _home/etc/system/local/inputs.conf

$SPLUNK _home/etc/system/local/outputs.conf

$SPLUNK _home/etc/system/local/server.conf

Splunkinputs.conf

[Default]

Host = 192.168.0.156

index = _internal

[splunktcp:///9997]

Server.conf

[General]

ServerName = 192.168.0.156

Sessiontimeout = 1h

Web

[Settings]

Startwebserver = 1

Httpport = 80

Mgmthostport = 127.0.0.1:8089

Splunkforwarderinputs.conf

[Default]

index = _internal

Host = 192.168.0.140

[Monitor:///var/log/maillog]

[Monitor:///usr/local/tomcat-7.0.67/logs/catalina.out]

[Monitor:///usr/local/jboss-5.1.0.ga/server/default/log/server.log]

SourceType = log4j

Outputs.conf

[Tcpout]

Defaultgroup=my_server

[Tcpout:my_server]

server=192.168.0.156:9997

[tcpout-server://192.168.0.156:9997]

Server.conf

[General]

ServerName = 192.168.0.140

Sessiontimeout = 1h

Crack hack splunk import data 500M limit

CD $ splunk_home

Vim lib/python2.7/site-packages/splunk/appserver/mrsparkle/controllers/licensing.py

if action = = ' Add ' and not pool_object.quota_bytes[' Byte_value ']:

Quota_value = max (0, Int (unallocated_bytes/2**20))

Quota_value = quota_value * 1024 * 1024

Else

Quota_value = (pool_object.quota_bytes[' byte_value ') or 0)/2**20

Quota_value = quota_value * 1024 * 1024

#quota_units = ' MB '

quota_units = ' TB '

MV Lib/python2.7/site-packages/splunk/appserver/mrsparkle/controllers/licensing.pyo/root

Splunk restart

Change license

Change to: free license Group

Web mode (Access http://plunk_server_ip:8000 using a browser)

Settings Authorization Change license group

Select free license

Restart Splunk

The following reprint data source configuration host log use Syslog service Linux host/firewall/switch

Linux/vpn Gateways/Firewalls/switches and other devices supporting UDP/TCP log transfer to the Splunk server using the Udp/tcp transfer method

Operation Steps:

Splunk Listening Port

Enable listening ports on the Splunk to accept logs

tcp:514 Port

udp:514 Port

Web mode:

Add Data >>syslog>>UDP>> New

Fill 514 Ports

If TCP is used, the operation is in the same way as UDP

Linux/vpn Gateways/Firewalls/switches and other configurations send logs to the Splunk server

Take Linux as an example:

Configuring the Rsyslog service in Linux

# vim/etc/rsyslog.conf

* * @192.168.3.70:514 #udp模式

Restart Rsyslog

# Service Rsyslog Restart

Application log

Dependent Splunk Universal Forwarder

WebLogic and Oracle Logs

Splunk and Splunkforward Simple deployment configuration