Installing Splunk Universal Forwarder?

-
Installing Splunk Universal Forwarder?
  • Navigate to https://www.splunk.com/en_us/download/universal-forwarder.html
  • Login to splunk.com if not done already.
  • Choose  the OS for which you want to download the forwarder.
    • In my case I will be using amazon linux, so I will choose a .rpm package.
  • Download and save on the machine from which you want to send the logs to your Splunk enterprise installation.
  • In my case its splunkforwarder-7.2.4-8a94541dcfac-linux-2.6-x86_64.rpm
[splunk@ip tmp]$ sudo rpm -ivh splunkforwarder-7.2.4-8a94541dcfac-linux-2.6-x86_64.rpm
[sudo] password for splunk:
warning: splunkforwarder-7.2.4-8a94541dcfac-linux-2.6-x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID b3cd4420: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:splunkforwarder-7.2.4-8a94541dcfa################################# [100%]
complete
[splunk@ip tmp]$
  • Once installed you will find your installation here "/opt/splunkforwarder"
  • Start your forwarder.
  • Make sure you configure to start your splunk daemon on startup so that you need not to start the service every now and then.
[splunk@ip bin]$ ./splunk start
[splunk@ip bin]$ sudo ./splunk enable boot-start
[sudo] password for splunk:
Init script installed at /etc/systemd/system/.
Init script is configured to run at boot.
[splunk@ip bin]$
  • To see what all forward-servers are configured, use "./splunk list forward-server"
    • As of now, nothing is configured.
[splunk@ip bin]$ ./splunk list forward-server
Splunk username: admin
Password:
Active forwards:
        None
Configured but inactive forwards:
        None
  • Lets configure one, to add a forward-server, use "./splunk add forward-server HOST_INDEXER:9997"
[splunk@ip bin]$ ./splunk add forward-server HOST_INDEXER:9997
Added forwarding to: HOST_INDEXER:9997.
[splunk@ip bin]$ ./splunk list forward-server
Active forwards:
        None
Configured but inactive forwards:
        HOST_INDEXER:9997
  • Now, lets add something to monitor, i.e. what do you want to send to the indexer?
    • Below are some sample parameters:
      • Log location
      • Index, on which index you want to save the events.
      • Sourcetype,
[splunk@ip bin]$ ./splunk add monitor /var/log/messages -index idx_messages -sourcetype linux_logs
Added monitor of '/var/log/audit'.
  • Once you have added the monitor, you will see that the entry moved from inactive forwards to active one.
[splunk@ip bin]$ ./splunk list forward-server 
Active forwards:
        HOST_INDEXER:9997
Configured but inactive forwards:
        None
[splunk@ip bin]$


  • If everything went well then you can see the data from your remote machine on the Splunk indexer.
    • Current status of messages log file:
      • -rw-------  1 splunk splunk          164418 Mar 10 13:52 messages
      • If you will see the screen dump given below it matches with the latest event.

Comments

Post a Comment

Popular posts from this blog

#3 Splunk sub(Commands) [eval, round, trim, stats, ceil, exact, floor, tostring]

-
Image
ROUND: Eval with round takes one or two numeric arguments, returning 'first value' rounded to the amount of decimal places specified in 'second value'.  By default it will remove all the decimals. Example: index=idx_messages sourcetype=linux_logs | eval new_rt= trim ( replace (response_time, "ms.", "")) | stats avg (new_rt) as Average | eval Average= round (Average) Remove all the decimal values. Example: | eval Average= round (Average,3) Rounded the value up-to 3 decimal places. Example: | eval Average= ceil (Average) Round the value up-to the next highest integer. Example: | eval Average= exact (Average) Give the output with maximum possible number of decimal values. Example: | eval Average= floor (Average) Round the value down to the nearest whole integer. Apart from this, there are other functions as well which are used by eval command, for instance pi (), sqrt () etc. TOSTRING: Hel
Read more

#6 Splunk sub(Commands) [fields, rename, replace, table, transaction]

-
FIELDS:  This command helps to keep or remove specified fields from the search results, below command will keep just three fields in your search result. Example: | fields request, rc, pt RENAME:  This command helps to rename field(s), below command will rename a field named as service to serviceType and RC as responseCode Example: | rename service AS serviceType, RC AS responseCode REPLACE:  This command helps to replace the values of fields with another value, below command will replace the values "fetchReport" and "viewReport" as "Report" in "serviceType' field. Example: | replace fetchReport with Report, viewReport with Report in serviceType TABLE: This command helps to format the results into tabular output. Example: | table request, rc, pt TRANSACTION:  This command helps to merge events into a single event based upon a common identifier, below command will create events based on two events i.e. it will fetch the txn-id w
Read more

#1 Splunk sub(Commands) [top, rare, fields, table, rename, sort]

-
Image
TOP: Will show you top results with respect to your field. Example: index=_internal | top limit=5 component RARE: Will help you to find out least common values of a field, i.e. it is similar to TOP but works in opposite direction. Example: index=_internal | rare limit=5 component FIELDS: Will help you to limit your columns, lets say you want to remove count from above table, fields can help you to achieve that. Though there are other usage of fields as well but you will learn slowly and gradually when you start building some complex queries. Example: index=_internal | top limit=5 component | fields component, percent TABLE: Same thing can be achieved via table as well. Example: index=_internal | top limit=5 component | table component, percent RENAME: Lets say you want to rename a column, for that you can use rename command. Example: index=_internal | top limit=5 component | rename percent AS percentage | t
Read more