Configuration
Splunk Universal Forwarder
Configure the outputs.conf file located at /opt/splunkforwarder/etc/system/local/.
With SSL, add these stanzas (Splunk only recognises comments that start a line, so each comment is on its own line):
[tcpout]
# default output group
defaultGroup = group1
# enable forwarding
disabled = false
# no load balancing
isLoadBalanced = False
# queue size
maxQueueSize = 1000
# do not index locally on the forwarder
indexAndForward = false

[tcpout:group1]
# Splunk server address and SSL port
server = 192.168.5.101:4433
# forwarder certificate (cert and key)
sslCertPath = /opt/splunkforwarder/etc/auth/server.pem
# password for the certificate key; Splunk encrypts this value automatically
sslPassword = $1$u0oVxHiXnWyJ
# CA certificate used to verify the server
sslRootCAPath = /opt/splunkforwarder/etc/auth/cacert.pem
server.pem and cacert.pem can be taken from the Splunk server, where they are located at /opt/splunk/etc/auth/; copy those files to the forwarder. Note that server.pem contains the server's private key as well as its certificate, so copying it shares that key with every forwarder that receives it.
Without SSL, add these stanzas:
[tcpout]
# default output group
defaultGroup = group1
# enable forwarding
disabled = false
# no load balancing
isLoadBalanced = False
# queue size
maxQueueSize = 1000
# do not index locally on the forwarder
indexAndForward = false

[tcpout:group1]
# Splunk server 192.168.5.101, plain (non-SSL) port 9997
server = 192.168.5.101:9997
Configure the inputs.conf file located at /opt/splunkforwarder/etc/system/local/ and add these stanzas:
[default]
# hostname this forwarder reports for its data
host = dagelan.humor.com

# send all log files located under /var/log
[monitor:///var/log]

# send all OSSEC log files located under /var/ossec/log
[monitor:///var/ossec/log]
Check the universal forwarder connection in splunkd.log; a "Connection refused" followed by "Connected to idx=..." like the one below is normal while the indexer is still starting:
# tail -f /opt/splunkforwarder/var/log/splunk/splunkd.log
02-20-2012 09:51:52.068 +0700 INFO loader - Instantiated plugin: controlqueueoutputprocessor
02-20-2012 09:51:52.068 +0700 INFO PipelineComponent - Pipeline merging disabled in *mode.conf file
02-20-2012 09:51:52.068 +0700 INFO PipelineComponent - Pipeline typing disabled in *mode.conf file
02-20-2012 09:51:52.068 +0700 INFO PipelineComponent - Launching the pipelines.
02-20-2012 09:51:52.069 +0700 INFO loader - Server supporting SSL v2/v3
02-20-2012 09:51:52.069 +0700 INFO loader - Using cipher suite ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
02-20-2012 09:51:52.170 +0700 INFO TailingProcessor - TailWatcher initializing...
02-20-2012 09:51:52.170 +0700 INFO TailingProcessor - Parsing configuration stanza: batch://$SPLUNK_HOME/var/spool/splunk.
02-20-2012 09:51:52.172 +0700 INFO TailingProcessor - Parsing configuration stanza: batch://$SPLUNK_HOME/var/spool/splunk/...stash_new.
02-20-2012 09:51:52.172 +0700 INFO TailingProcessor - Parsing configuration stanza: monitor://$SPLUNK_HOME/etc/splunk.version.
02-20-2012 09:51:52.173 +0700 INFO TailingProcessor - Parsing configuration stanza: monitor://$SPLUNK_HOME/var/log/splunk.
02-20-2012 09:51:52.173 +0700 INFO TailingProcessor - Parsing configuration stanza: monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log.
02-20-2012 09:51:52.173 +0700 INFO TailingProcessor - Parsing configuration stanza: monitor:///var/log/httpd/modsec_audit.log.
02-20-2012 09:51:52.173 +0700 INFO BatchReader - State transitioning from 2 to 0 (initOrResume).
02-20-2012 09:51:52.375 +0700 INFO WatchedFile - Will begin reading at offset=49285496 for file='/var/log/httpd/modsec_audit.log'.
02-20-2012 09:51:52.996 +0700 WARN TcpOutputFd - Connect to 192.168.5.101:9997 failed. Connection refused
02-20-2012 09:51:52.996 +0700 ERROR TcpOutputFd - Connection to host=192.168.5.101:9997 failed
02-20-2012 09:51:59.065 +0700 INFO TailingProcessor - Could not send data to output queue (parsingQueue), retrying...
02-20-2012 09:52:22.007 +0700 INFO TcpOutputProc - Connected to idx=192.168.5.101:9997
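As an added example (not part of the original post), a small Python checker that reads an outputs.conf like the ones above together with the TcpOutput lines from splunkd.log, reports the last logged state of every configured indexer, and flags inline "#" comments, which Splunk keeps as part of the setting's value. The sample config and log lines are constructed from this page's values.

```python
import re
from configparser import ConfigParser
# Constructed sample outputs.conf: the page's non-SSL forwarder group, with the
# inline comment left in place to show how a .conf parser really sees the value.
OUTPUTS_CONF = """\
[tcpout]
defaultGroup = group1
[tcpout:group1]
server = 192.168.5.101:9997 # splunk server
"""
# Constructed sample lines modelled on the forwarder splunkd.log output above.
SPLUNKD_LOG = [
    "02-20-2012 09:51:52.996 +0700 WARN TcpOutputFd - Connect to 192.168.5.101:9997 failed. Connection refused",
    "02-20-2012 09:51:52.996 +0700 ERROR TcpOutputFd - Connection to host=192.168.5.101:9997 failed",
    "02-20-2012 09:52:22.007 +0700 INFO TcpOutputProc - Connected to idx=192.168.5.101:9997",
]
CONNECTED_RE = re.compile(r"TcpOutputProc - Connected to idx=(\S+)")
FAILED_RE = re.compile(r"TcpOutputFd - Connect(?:ion)? to (?:host=)?(\S+) failed")

def configured_servers(conf_text):
    """Return ({group: [host:port, ...]}, warnings). Splunk does not strip a
    trailing '# ...' from a value, so an inline comment is reported, not ignored."""
    cp = ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(conf_text)
    servers, warnings = {}, []
    for section in cp.sections():
        if section.startswith("tcpout:"):
            raw = cp.get(section, "server", fallback="")
            if "#" in raw:
                warnings.append(f"{section}: inline comment in server value {raw!r}")
                raw = raw.split("#", 1)[0]
            servers[section.split(":", 1)[1]] = [s.strip() for s in raw.split(",") if s.strip()]
    return servers, warnings

def connection_state(log_lines):
    """Map each indexer named in a TcpOutput* message to its most recent state."""
    state = {}
    for line in log_lines:
        if m := CONNECTED_RE.search(line):
            state[m.group(1)] = "connected"
        elif m := FAILED_RE.search(line):
            state[m.group(1)] = "failed"
    return state

def check_forwarder(conf_text, log_lines):
    """For every server in every tcpout group, report its last logged state."""
    servers, warnings = configured_servers(conf_text)
    state = connection_state(log_lines)
    report = {f"{g}/{h}": state.get(h, "never contacted") for g, hosts in servers.items() for h in hosts}
    return report, warnings
```

Run check_forwarder(OUTPUTS_CONF, SPLUNKD_LOG) to get the per-indexer report plus the inline-comment warning for the sample above.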
Splunk Server
On the Splunk server only inputs.conf at /opt/splunk/etc/system/local/ needs to be configured.
With SSL, add these stanzas:
[default]
# Splunk server hostname
host = ketoprak.humor.com

# The following configuration sets a global default for data payloads sent from the light forwarder.
# The route parameter is an ordered set of rules that is evaluated in order for each payload of cooked data.
[splunktcp]
route = has_key:_utf8:indexQueue;has_key:_linebreaker:indexQueue;absent_key:_utf8:parsingQueue;absent_key:_linebreaker:parsingQueue;

# listen for forwarders on port 4433 with SSL
[splunktcp-ssl:4433]
disabled = false
sourcetype = tcp-4433
queue = indexQueue

[SSL]
password = $1$1JEfLZrTO062
# false: any forwarder that trusts the CA can connect without presenting its own certificate
requireClientCert = false
rootCA = /opt/splunk/etc/auth/cacert.pem
serverCert = /opt/splunk/etc/auth/server.pem
Open port 4433 for the forwarder (192.168.5.102):
# iptables -I INPUT -p tcp -s 192.168.5.102 --dport 4433 -j ACCEPT
Check that the port is listening:
# netstat -tnap | grep -e 4433
Without SSL, add these stanzas:
[default]
# Splunk server hostname
host = ketoprak.humor.com

# The following configuration directs Splunk to listen on TCP port 9997 for raw data from ANY remote server
# (not just a Splunk instance). The host of the data is set to the IP address of the remote server.
# Only one listener can bind port 9997, and the universal forwarder sends cooked data to the
# [splunktcp://...] stanza below, so this raw listener is kept disabled.
[tcp://:9997]
disabled = 1

# The following configuration sets a global default for data payloads sent from the light forwarder.
# The route parameter is an ordered set of rules that is evaluated in order for each payload of cooked data.
[splunktcp]
route = has_key:_utf8:indexQueue;has_key:_linebreaker:indexQueue;absent_key:_utf8:parsingQueue;absent_key:_linebreaker:parsingQueue;

# The following configuration directs Splunk to listen on TCP port 9997 for distributed search data from
# 192.168.5.102. The data is processed the same as locally indexed data.
[splunktcp://192.168.5.102:9997]
disabled = false
queue = parsingQueue
sourcetype = tcp-9968
Open port 9997 for the forwarder (192.168.5.102):
# iptables -I INPUT -p tcp -s 192.168.5.102 --dport 9997 -j ACCEPT
Check that the port is listening:
# netstat -tnap | grep -e 9997
Check the forwarder connection from the server side:
# tail -f /opt/splunk/var/log/splunk/splunkd.log