Installation Of Splunk Server
Configure the Splunk server on 192.168.10.209
1. Download the latest splunk.tar.gz from http://www.splunk.com/download?r=header
2. Copy the downloaded file to /opt
3. Untar the downloaded Splunk file:
# cd /opt
# tar -xzvf splunk-4.0.8-73243-Linux-i686.tgz
# cd splunk/bin/
# ./splunk start
Accept the agreement and the default settings.
4. Open the Splunk WebUI (http://localhost:8000)
5. Log in with the default username and password, i.e. admin/changeme
#### Setup Splunk as a Receiver #####
1. Log in to the WebUI using the above-mentioned credentials, e.g. http://192.168.10.209:8000
2. Go to Manager » Forwarding and receiving » Receive data
3. Click on the New button and add the default port, i.e. 9997
4. Click on the Save button to save the settings.
The Splunk server has now been set up as a receiver on port 9997.
Note: If you are running a firewall, allow inbound connections to the above port.
####### Setup Splunk as a Forwarder ####
IP address of the forwarder machine: 192.168.10.225
IP address of the receiver server: 192.168.10.209
You have the following preconfigured forwarder choices:
* Splunk forwarder
* Splunk light forwarder
1. ssh to the forwarder machine (the one to be monitored), e.g. ssh ramesh@192.168.10.225
2. Use the installation steps above to install Splunk on the client machine
3. Run the following commands on the forwarder:
# cd /opt/splunk/bin
# ./splunk enable app SplunkLightForwarder -auth admin
# ./splunk add forward-server receiver_serverip:port -auth admin
e.g. ./splunk add forward-server 192.168.10.209:9997 -auth admin
# ./splunk restart
######## Setup Splunk Alerts #########
NOTE: We assume that the Splunk server has been installed on a Linux box.
1. Log in to the Splunk server (http://192.168.10.209:8000)
2. Go to App >> Search
3. Click on /var/log/secure under the source section
This will show the whole contents of the secure file.
4. Click on the string(s) you want to search for or set up an alert on, e.g. “Accepted Password”
The search box will then contain source=”/var/log/secure” “Accepted Password”.
5. Then go to Action >> Save Search
A window will pop up.
6. Name – SSH Access Authenticated
Search – pre-filled with the search you ran earlier.
Description – anything you like.
Check Schedule this search
Schedule Type – Basic
Run Every – Minute
Alert Condition
Perform actions (optional) – if number of events – is greater than – 0
Alert Action
Check Send Email
Email Addresses: abc@abc.com,xyz@xyz.com
Click on the Save button to save your alert.
To verify your alert setup, go to
Manager » Searches and reports >> SSH Access Authenticated
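The saved search above fires whenever at least one “Accepted Password” event appears in /var/log/secure within the scheduled minute. The script below is an added example, not part of the original post, that reproduces that alert logic locally against a constructed excerpt of /var/log/secure, so you can see exactly which lines the search counts and what the alert email would usefully report. The log lines, hostname, users and IP addresses are constructed placeholders. Note that sshd writes “Accepted password” in lower case; Splunk keyword terms match case-insensitively, so the WebUI search and the `grep -i` below agree.

```shell
#!/bin/sh
# Added example (not from the original post): mirror the Splunk alert
# source="/var/log/secure" "Accepted Password" with shell tools, over a
# constructed /var/log/secure excerpt. Hostnames, users and IPs are placeholders.

SAMPLE_SECURE='Mar  1 10:00:01 host1 sshd[1201]: Accepted password for ramesh from 192.168.10.225 port 50122 ssh2
Mar  1 10:00:05 host1 sshd[1205]: Failed password for invalid user admin from 203.0.113.7 port 40111 ssh2
Mar  1 10:00:09 host1 sshd[1209]: Accepted publickey for deploy from 192.168.10.50 port 50130 ssh2
Mar  1 10:00:12 host1 sshd[1212]: Accepted password for root from 203.0.113.7 port 40120 ssh2'

# Count the events the saved search would match. Splunk term matching is
# case-insensitive, so grep -i gives the same count as the WebUI search.
count_accepted_password() {
    printf '%s\n' "$1" | grep -ci 'Accepted password'
}

# Extract "user ip" for each password login that succeeded: the two fields an
# analyst wants in the alert email. In sshd's message format, field 9 is the
# user name and field 11 is the client address.
accepted_password_logins() {
    printf '%s\n' "$1" | awk '/Accepted password for/ { print $9, $11 }'
}

# Mirror the alert condition "if number of events is greater than 0".
# Returns 0 (true) when the alert would fire for the given log excerpt.
alert_would_fire() {
    [ "$(count_accepted_password "$1")" -gt 0 ]
}

# Usage: run the checks against the constructed sample.
if alert_would_fire "$SAMPLE_SECURE"; then
    echo "ALERT: $(count_accepted_password "$SAMPLE_SECURE") password login(s) accepted:"
    accepted_password_logins "$SAMPLE_SECURE"
fi
```

Against the sample, the alert fires for two events (ramesh from 192.168.10.225 and root from 203.0.113.7); the failed login and the public-key login are not counted, which is the behaviour the saved search gives you in Splunk. To check a real host, replace `$SAMPLE_SECURE` with the output of `tail -n 1000 /var/log/secure`.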