Deployment environment
Operating system
Server OS version: CentOS release 6.5 (Final), kernel 2.6.32-431.el6.x86_64
Software
Software version: splunk-6.4.0
Tar packages:
splunk-6.4.0-f2c836328108-linux-x86_64.tgz
splunkforwarder-6.4.0-f2c836328108-linux-x86_64.tgz
RPM packages:
splunk-6.4.0-f2c836328108-linux-2.6-x86_64.rpm
splunkforwarder-6.4.0-f2c836328108-linux-2.6-x86_64.rpm
IP addresses
Splunk server IP address: 192.168.0.156
Splunkforwarder server IP address: 192.168.0.140
Installing Splunk
TAR installation (same steps for Splunk and Splunkforwarder; the forwarder is shown):
tar xzfv /usr/src/splunkforwarder-6.4.0-f2c836328108-linux-x86_64.tgz -C /usr/local/
echo "export PATH=/usr/local/splunkforwarder/bin:\$PATH" >> /etc/profile
source /etc/profile
RPM installation (same steps for Splunk and Splunkforwarder; the forwarder is shown):
rpm -ivh /usr/src/splunkforwarder-6.4.0-f2c836328108-linux-2.6-x86_64.rpm
echo "export PATH=/opt/splunkforwarder/bin:\$PATH" >> /etc/profile
source /etc/profile
Start and stop
Start: splunk start
Stop: splunk stop
Restart: splunk restart
Enable start on boot
splunk enable boot-start
Changing the web port and management port
splunk set splunkd-port 9998
splunk set web-port 80
Basic configuration files
Splunk:
$SPLUNK_HOME/etc/system/local/inputs.conf
$SPLUNK_HOME/etc/system/local/server.conf
$SPLUNK_HOME/etc/system/local/web.conf
Splunkforwarder:
$SPLUNK_HOME/etc/system/local/inputs.conf
$SPLUNK_HOME/etc/system/local/outputs.conf
$SPLUNK_HOME/etc/system/local/server.conf
Splunk inputs.conf:
[default]
host = 192.168.0.156
index = _internal
[splunktcp://9997]
server.conf:
[general]
serverName = 192.168.0.156
sessionTimeout = 1h
web.conf:
[settings]
startwebserver = 1
httpport = 80
mgmtHostPort = 127.0.0.1:8089
Splunkforwarder inputs.conf:
[default]
index = _internal
host = 192.168.0.140
[monitor:///var/log/maillog]
[monitor:///usr/local/tomcat-7.0.67/logs/catalina.out]
[monitor:///usr/local/jboss-5.1.0.ga/server/default/log/server.log]
sourcetype = log4j
outputs.conf:
[tcpout]
defaultGroup = my_server
[tcpout:my_server]
server = 192.168.0.156:9997
[tcpout-server://192.168.0.156:9997]
server.conf:
[general]
serverName = 192.168.0.140
sessionTimeout = 1h
Crack hack splunk import data 500M limit
CD $ splunk_home
Vim lib/python2.7/site-packages/splunk/appserver/mrsparkle/controllers/licensing.py
if action = = ' Add ' and not pool_object.quota_bytes[' Byte_value ']:
Quota_value = max (0, Int (unallocated_bytes/2**20))
Quota_value = quota_value * 1024 * 1024
Else
Quota_value = (pool_object.quota_bytes[' byte_value ') or 0)/2**20
Quota_value = quota_value * 1024 * 1024
#quota_units = ' MB '
quota_units = ' TB '
MV Lib/python2.7/site-packages/splunk/appserver/mrsparkle/controllers/licensing.pyo/root
Splunk restart
Changing the license
Change to the Free license group:
Web mode (access http://splunk_server_ip:8000 in a browser)
Settings > Licensing > Change license group
Select Free license
Restart Splunk
The following data source configuration is reproduced from another source: host logs via the syslog service (Linux hosts / firewalls / switches)
Linux hosts, VPN gateways, firewalls, switches and other devices that support UDP/TCP log transport send their logs to the Splunk server over UDP or TCP.
Operation steps:
Splunk listening port
Enable a listening port on Splunk to accept the logs:
tcp:514
udp:514
Web mode:
Add Data >> syslog >> UDP >> New
Enter port 514
If TCP is used, the steps are the same as for UDP.
Configure the Linux host / VPN gateway / firewall / switch to send logs to the Splunk server
Take Linux as an example:
Configure the rsyslog service on Linux:
# vim /etc/rsyslog.conf
*.* @192.168.3.70:514  # UDP mode
Restart rsyslog:
# service rsyslog restart
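Every transport in the configuration above (splunktcp on 9997, Splunk Web on port 80, syslog on UDP 514, the rsyslog single-@ rule) carries logs in cleartext, and the forwarder never verifies which indexer it is talking to. The following checker is an added example, not code from the page or from Splunk: it parses the INI-style .conf fragments shown for the indexer and the forwarder plus the rsyslog forwarding line, reports those settings, and shows a hardened counterpart that passes. The sample configs are constructed from the page's fragments; the hardened stanza and key names (splunktcp-ssl, [SSL], serverCert, requireClientCert, enableSplunkWebSSL, sslRootCAPath, sslVerifyServerCert) are my reading of the Splunk 6.x .conf specs and are assumptions, not taken from the page.

```python
import re

# Constructed samples mirroring the fragments on the page (cleartext everywhere)
PAGE_INPUTS = "[default]\nhost = 192.168.0.156\n[splunktcp://9997]\n[udp://514]\n"
PAGE_WEB = "[settings]\nstartwebserver = 1\nhttpport = 80\nmgmtHostPort = 127.0.0.1:8089\n"
PAGE_OUTPUTS = ("[tcpout]\ndefaultGroup = my_server\n[tcpout:my_server]\n"
                "server = 192.168.0.156:9997\n[tcpout-server://192.168.0.156:9997]\n")
PAGE_RSYSLOG = "*.* @192.168.3.70:514  # UDP mode"

# Hardened counterparts; stanza and key names are assumed from the Splunk 6.x
# .conf specs (splunktcp-ssl, [SSL], serverCert, requireClientCert,
# enableSplunkWebSSL, sslRootCAPath, sslVerifyServerCert), not from the page
HARD_INPUTS = ("[splunktcp-ssl:9997]\n[SSL]\nserverCert = $SPLUNK_HOME/etc/auth/server.pem\n"
               "requireClientCert = true\n[tcp://514]\n")
HARD_WEB = "[settings]\nenableSplunkWebSSL = true\nhttpport = 8000\nmgmtHostPort = 127.0.0.1:8089\n"
HARD_OUTPUTS = ("[tcpout]\ndefaultGroup = my_server\n[tcpout:my_server]\nserver = 192.168.0.156:9997\n"
                "sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem\nsslVerifyServerCert = true\n")
HARD_RSYSLOG = "*.* @@192.168.3.70:514"


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}.
    Keys that appear before any [stanza] header land in 'default'."""
    stanzas = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def check_indexer(inputs_text, web_text):
    """Flag cleartext receiving inputs and a non-TLS Splunk Web on the indexer."""
    findings = []
    for name in parse_conf(inputs_text):
        kind = name.split(":")[0]          # splunktcp, splunktcp-ssl, udp, tcp, monitor, ...
        if kind == "splunktcp":
            findings.append("inputs.conf [%s]: forwarder data accepted in cleartext; "
                            "use [splunktcp-ssl:<port>] with an [SSL] stanza" % name)
        elif kind == "udp":
            # TCP syslog is still cleartext, but UDP additionally has no delivery
            # guarantee and a source address that is trivially spoofable
            findings.append("inputs.conf [%s]: UDP syslog is unreliable and its source "
                            "is spoofable; prefer TCP (TLS on the sender where supported)" % name)
    settings = parse_conf(web_text).get("settings", {})
    if settings.get("enableSplunkWebSSL", "false").lower() != "true":
        findings.append("web.conf: Splunk Web served over plain HTTP on port %s; "
                        "set enableSplunkWebSSL = true" % settings.get("httpport", "?"))
    mgmt = settings.get("mgmtHostPort", "")
    if mgmt and not mgmt.startswith("127.0.0.1:"):
        findings.append("web.conf: management port %s is not bound to loopback" % mgmt)
    return findings


def check_forwarder(outputs_text):
    """Flag tcpout groups that send without TLS or without verifying the indexer."""
    findings = []
    for name, keys in parse_conf(outputs_text).items():
        if not name.startswith("tcpout:"):
            continue
        if "sslRootCAPath" not in keys:
            findings.append("outputs.conf [%s]: no sslRootCAPath, logs leave the host "
                            "unencrypted" % name)
        elif keys.get("sslVerifyServerCert", "false").lower() != "true":
            findings.append("outputs.conf [%s]: TLS without sslVerifyServerCert = true "
                            "does not detect an impostor indexer" % name)
    return findings


# rsyslog forwarding rule: selector, then '@' (UDP) or '@@' (TCP), then target
RSYSLOG_FWD = re.compile(r"^\s*(\S+)\s+(@@|@)([^\s#]+)")


def check_rsyslog(rule):
    """Flag a single-@ rule, which forwards over UDP."""
    m = RSYSLOG_FWD.match(rule)
    if not m:
        return []
    selector, transport, target = m.groups()
    if transport == "@":
        return ["rsyslog '%s': single @ sends to %s over UDP; '@@' selects TCP" % (selector, target)]
    return []


def audit(inputs_text, web_text, outputs_text, rsyslog_rule):
    """Run all checks and return the combined list of findings."""
    return (check_indexer(inputs_text, web_text) + check_forwarder(outputs_text)
            + check_rsyslog(rsyslog_rule))


if __name__ == "__main__":
    for f in audit(PAGE_INPUTS, PAGE_WEB, PAGE_OUTPUTS, PAGE_RSYSLOG):
        print("-", f)
    print("hardened findings:", audit(HARD_INPUTS, HARD_WEB, HARD_OUTPUTS, HARD_RSYSLOG))
```

Run against the page's fragments the audit reports five findings (cleartext splunktcp listener, UDP syslog listener, HTTP Splunk Web, forwarder output without a CA path, rsyslog UDP rule) and none against the hardened set. The parser is deliberately minimal (no multi-line values, no `$SPLUNK_HOME` expansion); it is enough to review the handful of stanzas a small deployment like this one carries.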
Application logs
Requires the Splunk Universal Forwarder
WebLogic and Oracle logs
Splunk and Splunkforwarder simple deployment configuration