SplunkForwarder

Install/Configure Splunkforwarder

# Download the universal forwarder from here: http://www.splunk.com/download/universalforwarder You will need an account to download it.
# Copy it up to the servers:
<pre>
for i in IPADDRESS1 IPADDRESS2 ; do scp splunkforwarder-5.0.1-143156-linux-2.6-x86_64.rpm DLopez@$i: ; done
</pre>
# Install RPM: *sudo rpm -ivh splunkforwarder-5.0.1-143156-linux-2.6-x86_64.rpm*
# Start splunk to create the necessary file structure:
<pre>
root@sc9vl55:/data01/home/DLopez> /etc/init.d/splunk start
Starting Splunk…

Splunk> Finding your faults, just like mom.

Checking prerequisites…
Checking mgmt port [8089]: open
Creating: /opt/splunkforwarder/var/lib/splunk
Creating: /opt/splunkforwarder/var/run/splunk
Creating: /opt/splunkforwarder/var/run/splunk/appserver/i18n
Creating: /opt/splunkforwarder/var/run/splunk/appserver/modules/static/css
Creating: /opt/splunkforwarder/var/run/splunk/upload
Creating: /opt/splunkforwarder/var/spool/splunk
Creating: /opt/splunkforwarder/var/spool/dirmoncache
Creating: /opt/splunkforwarder/var/lib/splunk/authDb
Creating: /opt/splunkforwarder/var/lib/splunk/hashDb
New certs have been generated in ‘/opt/splunkforwarder/etc/auth’.
Checking conf files for typos… Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)… Done
[ OK ]
</pre>
# Add the forward-server: */opt/splunkforwarder/bin/splunk add forward-server 10.92.13.195:9997*. The default user and password are *admin/changeme*. The RPM install creates inputs.conf and server.conf; this add forward-server command is what creates the outputs.conf file.
# Change the default credentials: */opt/splunkforwarder/bin/splunk edit user admin -password YOUR_NEW_PASSWORD -auth admin:changeme*
# Test forward connection: */opt/splunkforwarder/bin/splunk list forward-server*
# Finally, add the data you want to forward: */opt/splunkforwarder/bin/splunk add monitor /path/to/app/logs/ -index main -sourcetype %app%*, where /path/to/app/logs/ is the path to the application logs on the host that you want to bring into Splunk, and %app% is the sourcetype name you want to associate with that kind of data. This creates an inputs.conf file at */opt/splunkforwarder/etc/apps/search/local/inputs.conf*.
# Restart splunk: */etc/init.d/splunk restart*
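The steps above, as an added example script that is not part of the original post and not Splunk's own tooling. It renders the outputs.conf and inputs.conf stanzas the two `splunk add` commands write (the stanza layout is my assumption of what the CLI generates; compare it against the files the CLI actually creates on your host), refuses to proceed if the new admin password is still the default *changeme*, and only runs the real CLI commands when invoked with *--apply* so it can be read and tested without a forwarder installed. The indexer address and paths come from the post; the environment variable names (SPLUNK_NEW_PASSWORD, INDEXER, LOG_PATH, SPLUNK_INDEX, SOURCETYPE) are my own choice.

```shell
#!/usr/bin/env sh
# Added example: automate the forwarder setup steps from the post.
# Run as:  SPLUNK_NEW_PASSWORD='...' ./forwarder-setup.sh --apply
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"     # install prefix used by the RPM
INDEXER="${INDEXER:-10.92.13.195:9997}"                # indexer from the post
LOG_PATH="${LOG_PATH:-/path/to/app/logs/}"             # placeholder path from the post
INDEX="${SPLUNK_INDEX:-main}"
SOURCETYPE="${SOURCETYPE:-app}"

# Stanzas equivalent to `splunk add forward-server HOST:PORT` (assumed layout).
render_outputs_conf() {
  server="$1"
  printf '[tcpout]\ndefaultGroup = default-autolb-group\n\n'
  printf '[tcpout:default-autolb-group]\nserver = %s\n\n' "$server"
  printf '[tcpout-server://%s]\n' "$server"
}

# Stanza equivalent to `splunk add monitor PATH -index IDX -sourcetype ST`.
# An absolute path yields the three-slash form [monitor:///var/log/app].
render_inputs_conf() {
  printf '[monitor://%s]\ndisabled = false\nindex = %s\nsourcetype = %s\n' "$1" "$2" "$3"
}

# Sourcetype names: letters, digits, underscore, hyphen and colon only.
valid_sourcetype() {
  case "$1" in
    ''|*[!A-Za-z0-9_:-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# True if the caller is trying to keep the out-of-the-box admin password.
password_is_default() {
  [ "$1" = "changeme" ]
}

# Apply the post's steps 6-10 on this host. The new password is taken from
# the environment rather than typed on the command line, so it stays out of
# the shell history; note the splunk CLI still receives it as an argument.
apply_forwarder_config() {
  splunk="$SPLUNK_HOME/bin/splunk"
  new_pw="${SPLUNK_NEW_PASSWORD:?set SPLUNK_NEW_PASSWORD in the environment}"
  if password_is_default "$new_pw"; then
    echo "refusing to leave the default admin password in place" >&2
    return 1
  fi
  if ! valid_sourcetype "$SOURCETYPE"; then
    echo "invalid sourcetype name: $SOURCETYPE" >&2
    return 1
  fi
  "$splunk" add forward-server "$INDEXER" -auth admin:changeme
  "$splunk" edit user admin -password "$new_pw" -auth admin:changeme
  "$splunk" add monitor "$LOG_PATH" -index "$INDEX" -sourcetype "$SOURCETYPE" -auth "admin:$new_pw"
  "$splunk" list forward-server -auth "admin:$new_pw"
  "$splunk" restart
}

# Only touch the host when explicitly asked; otherwise just define the functions.
if [ "${1:-}" = "--apply" ]; then
  apply_forwarder_config
fi
```

After *--apply*, the *list forward-server* step should show the indexer under "Active forwards"; if it appears under "Configured but inactive forwards", check that port 9997 is reachable from the host before looking at anything else.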
