
0x00 Getting to know Splunk

1. Company:

Splunk Inc., an American company, was founded in 2004 and listed on the Nasdaq in 2012. It was the first publicly listed big data company and has won numerous awards and honors. It is headquartered in San Francisco, USA, with an international headquarters in London, an Asia-Pacific support center in Hong Kong, and its first overseas R&D center in Shanghai. Currently the largest customer license in China is 800GB/day. Products: Splunk Enterprise [enterprise edition], Splunk Free [free edition], Splunk Cloud, Splunk Hunk [big data analysis platform], Splunk Apps [plugins built on the enterprise edition], etc.

2. Product:

Splunk Enterprise, the enterprise edition, uses a B/S (browser/server) architecture and is charged by license, that is, by the amount of data indexed per day.

(With a 20GB license you can index 20GB of data per day by default; the license is bought once and kept permanently. If you use the trial version, it switches to the free version after the trial period ends.)

Splunk Free, the free edition, indexes at most 500MB of data per day and can use most enterprise edition functions.

(The free edition lacks functions such as authentication, distributed search, clustering, etc.)

Splunk Universal Forwarder is the data collection component provided by Splunk. It is free, is deployed on the data source side, has no UI, is very lightweight, and uses few resources.

(The forwarder is free and needs no license; it is dedicated to feeding the enterprise edition, so it is deployed on the data source. For example, deploy it on your web server to monitor your web logs in real time: each log line is forwarded as soon as it is generated, so forwarding is incremental. It is normally configured by editing its configuration files or with CLI commands, and it uses few resources.)

3. What is Splunk?

Full-text search engine for machine data;

(Processes data with a search engine; supports massive data volumes)

Near-real-time log processing platform;

Time-series based indexer;

Big data analysis platform;

An integrated platform: data collection, storage, analysis and visualization;

A universal search engine, independent of data source and data format;

Provides a patented search language, SPL (Search Processing Language), whose syntax is similar to SQL;

Splunk Apps provide further functionality.

(Splunk provides dedicated apps for operating systems and Cisco network devices; once the data source is connected you get intuitive dashboards.)

4. What is machine data?

Machine data refers to the log data, performance data and network packets generated by devices and software. This data is all unstructured. We can collect it into Splunk, and Splunk can index, investigate, monitor and visualize it, among other things.


5. Splunk components

Indexer: an indexer is a Splunk Enterprise instance that creates indexes for data. The indexer converts raw data into events and stores the events in an index. The indexer also searches the indexed data in response to search requests.

Search head: in a distributed search environment, the search head is the Splunk Enterprise instance that handles search management functions, directs search requests to a group of search nodes, and then merges the results for the user. An instance that only searches and does not index is usually called a dedicated search head.

Search node: in a distributed search environment, a search node is a Splunk Enterprise instance that creates indexes and fulfils search requests from a search head.

Forwarder: a forwarder is a Splunk Enterprise instance that forwards data to another Splunk Enterprise instance (an indexer or another forwarder) or to a third-party system.

Receiver: a receiver is a Splunk Enterprise instance configured to receive data from a forwarder. The receiver is an indexer or another forwarder.

Application: an application is a collection of configuration, knowledge objects, and custom views and dashboards that extends the Splunk Enterprise environment to suit the specific needs of organizational teams such as Unix or Windows system administrators, network security experts, website managers, business analysts, etc. A single Splunk Enterprise installation can run multiple applications simultaneously.

6. Splunk distributed architecture


As shown in the picture above:

1. It can be divided into three layers. The first layer is the data sources: application servers, service buses, network equipment, firewalls, etc.

2. To collect this data, the Splunk forwarder can be installed on the application server, for example, and the firewall's data can be sent over a TCP/UDP port to the middle layer of Splunk. The middle layer is Splunk's indexer (receiver), and the data is stored in this layer.

3. Users search through the search head instance; the search head sends search requests to each indexer, gathers the results back on the search head, and finally presents them to the user.

4. The forwarder on the data source forwards data to multiple Splunk instances, and the forwarder performs automatic load balancing between them.

7. Universal forwarder

Forwarders come in three types: heavy, light and universal.

The most commonly used is the universal forwarder; the other two are rarely used.

Compared to a full Splunk Enterprise instance, the only purpose of a universal forwarder is to forward data. Unlike a full Splunk Enterprise instance, you cannot index or search data with a universal forwarder.

For higher performance and a lower memory footprint, it has several limitations:

The universal forwarder has no search, index or alerting functions.

The universal forwarder does not parse data.

The universal forwarder does not output data via syslog.

Unlike full Splunk Enterprise, the universal forwarder does not include a bundled Python.


0x01 Install Splunk on Linux

1. Time configuration

Configure consistent time.

It is recommended to build an NTP server within the enterprise and point all related devices at it.

(If the clocks of the machines are inconsistent, problems will arise. Therefore it is recommended to build an NTP server and point all devices at it, so that all devices share a unified time.)

2. Installation preparation

This installation is based on CentOS 6.7, 64-bit.

It is recommended to deploy in a 64-bit environment.

Splunk Enterprise:

splunk-6.4.2-00f5bb3fa822-Linux-x86_64.tgz

Splunk Universal Forwarder:

splunkforwarder-6.4.2-00f5bb3fa822-Linux-x86_64.tgz

This time the installation is done as the root user (a non-root user can also be used).

3. Installation steps

1) Download the tgz package with wget:

wget -c https://download.splunk.com/products/splunk/releases/6.5.1/linux/splunk-6.5.1-f74036626f0c-Linux-x86_64.tgz

2) Decompress it:

tar -zxvf splunk-6.5.1-f74036626f0c-Linux-x86_64.tgz -C /opt (by default we decompress into the /opt directory)


3) Splunk's executable programs are placed under /opt/splunk/bin/. To start the program, run splunk. The parameters of the splunk command are as follows:

#Note: we call the following CLI commands; both the universal forwarder and the splunk command can be run this way

./splunk start --accept-license //Start Splunk and automatically accept the license

./splunk restart //Restart Splunk

./splunk status //Check Splunk status

./splunk version //View Splunk version

When starting, remember to add --accept-license, which makes the installation easier.


4) After Splunk is installed, Splunk Web listens on port 8000 and splunkd on port 8089, the management port. After installation we can access the Splunk web interface on port 8000 in a browser.


Note: if an external computer cannot access it, you need to stop the iptables service or add the port to the firewall policy.

service iptables stop [CentOS 6 and other systems using iptables: stop the firewall]

systemctl stop firewalld.service [Stop the firewall under CentOS 7]

The Splunk address is http://192.168.199.205:8000. The default administrator account for Splunk is admin with password changeme; you will be asked to change the password on first login.

Configure Splunk to start at boot:

./splunk enable boot-start //In this way, every time the splunk service is started, the


#Check Splunk status and version information with the commands above: ./splunk status


#View process information: ps -ef | grep splunk
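The Linux steps above (download, extract, start with --accept-license, enable boot-start, change the admin password) as one script. This is an added example, not code from the original post or from Splunk; it adds two checks the post skips: the downloaded package is compared against a published checksum before it is extracted, and the default admin/changeme credentials are replaced with a generated password rather than the literal 'admin' used later in the forwarder section. It also opens only the ports Splunk needs instead of stopping the firewall. SPLUNK_HOME, the port list, the SPLUNK_INSTALL switch and the digest algorithm are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): install Splunk Enterprise from a
# downloaded tgz with checksum verification and a generated admin password.
# All paths, the port list and the expected digest are assumptions.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# Hash a file with the named algorithm (sha256 or sha512) using whichever
# tool the host provides; prints only the hex digest.
file_digest() {                      # file_digest FILE ALGO
    if command -v "${2}sum" >/dev/null 2>&1; then
        "${2}sum" "$1" | cut -d' ' -f1
    else
        shasum -a "${2#sha}" "$1" | cut -d' ' -f1
    fi
}

# Compare a downloaded package against the expected digest pasted in from the
# vendor's checksum file. Returns 0 on match, 1 on mismatch, so the caller can
# refuse to extract a tampered or truncated download.
verify_checksum() {                  # verify_checksum FILE EXPECTED ALGO
    actual=$(file_digest "$1" "$3")
    [ "$actual" = "$2" ]
}

# Random password of N characters from /dev/urandom, used instead of the
# literal 'admin' the post passes to `splunk edit user`.
gen_password() {                     # gen_password LENGTH
    LC_ALL=C tr -dc 'A-Za-z0-9_!@#%+=' </dev/urandom | head -c "$1"
}

# Minimal strength gate: at least 12 characters, one letter and one digit.
password_ok() {                      # password_ok PASSWORD
    p="$1"
    [ "${#p}" -ge 12 ] || return 1
    case "$p" in *[A-Za-z]*) ;; *) return 1 ;; esac
    case "$p" in *[0-9]*) ;; *) return 1 ;; esac
    return 0
}

# Open only the ports Splunk needs (8000 Web, 8089 management, 9997 receiving)
# rather than stopping the firewall outright as the post does.
open_ports() {                       # open_ports PORT...
    for port in "$@"; do
        if command -v firewall-cmd >/dev/null 2>&1; then
            firewall-cmd --permanent --add-port="${port}/tcp"
        else
            iptables -I INPUT -p tcp --dport "$port" -j ACCEPT
        fi
    done
    if command -v firewall-cmd >/dev/null 2>&1; then firewall-cmd --reload; fi
}

# The post's procedure, in order, gated by the checks above.
install_splunk() {                   # install_splunk TARBALL EXPECTED_SHA512
    if ! verify_checksum "$1" "$2" sha512; then
        echo "checksum mismatch for $1, refusing to extract" >&2
        return 1
    fi
    tar -zxf "$1" -C "$(dirname "$SPLUNK_HOME")"
    "$SPLUNK_HOME/bin/splunk" start --accept-license
    "$SPLUNK_HOME/bin/splunk" enable boot-start
    newpass=$(gen_password 20)
    until password_ok "$newpass"; do newpass=$(gen_password 20); done
    "$SPLUNK_HOME/bin/splunk" edit user admin -password "$newpass" -role admin -auth admin:changeme
    open_ports 8000 8089 9997
    echo "admin password replaced; record it in your secrets store now: $newpass"
}

# Run the installation only when explicitly asked, e.g.
#   SPLUNK_INSTALL=1 sh install.sh splunk-6.5.1-f74036626f0c-Linux-x86_64.tgz <sha512>
if [ "${SPLUNK_INSTALL:-0}" = 1 ]; then
    install_splunk "$1" "$2"
fi
```

The expected digest is taken from the checksum file the vendor publishes alongside the download, not computed from the file itself; computing both sides locally would verify nothing. Run the script as the same user you intend Splunk to run as, since enable boot-start registers the service for the invoking account.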


4. Uninstalling Splunk

./splunk disable boot-start //Disable start at boot

./splunk stop //Stop Splunk

rm -rf /opt/splunk //Remove the Splunk installation directory

Be careful when uninstalling and back up your data first.

5. Install the Splunk universal forwarder

1) Decompress the universal forwarder into the /opt directory. The forwarder is installed in the same way as Splunk, but it has no UI.

tar zxvf splunkforwarder-6.4.2-00f5bb3fa822-Linux-x86_64.tgz -C /opt

2) Switch to the bin directory of splunkforwarder and start the universal forwarder:

cd /opt/splunkforwarder/bin/ //Switch to the forwarder's executable directory

./splunk start --accept-license //Start the universal forwarder

Note: if Splunk Web and the universal forwarder are installed on the same server, the forwarder's management port (also 8090) will be reported as already occupied by Splunk. Select Yes to change the forwarder's management port, as follows:


We can view the splunkd port with the CLI command:

./splunk show splunkd-port //You must enter the Splunk login account and password here

./splunk set splunkd-port 8091 //Change the splunkd port to 8091; the prompt says a restart is required for it to take effect


3) Change the universal forwarder password

Default password: admin/changeme

Change the password as follows: -role is the role and -auth is the current username:password used to authenticate the change

./splunk edit user admin -password 'admin' -role admin -auth admin:changeme


0x02 Install Splunk on Windows

1. Installation preparation:

#Build an NTP server

Configure consistent time.

It is recommended to build an NTP server within the enterprise and point all related devices at it.

#Choose the service account

Local system user: the method adopted this time.

Domain user: more complex; please refer to the documentation.

#Installation environment

This installation is based on Windows 7, 64-bit.

It is recommended to deploy in a 64-bit environment.

Splunk Enterprise:

splunk-6.4.2-00f5bb3fa822-x64-release.msi

Splunk Universal Forwarder:

splunkforwarder-6.4.2-00f5bb3fa822-x64-release.msi

2. Installation steps

The GUI installation is relatively simple and is not demonstrated here.

Splunk is installed in "C:\Program Files\Splunk" by default.

After installation, two services are registered, with the display names Splunkd Service and splunkweb (legacy purposes only).


Start: splunk start

Stop: splunk stop

Restart: splunk restart

View status: splunk status

View version: splunk version

Via the Windows command prompt:

net start splunkd

net stop splunkd

Via the services panel (services.msc)


# The command to check the Splunk Web port is:

splunk show web-port


3. Uninstall Splunk

Stop splunkd as explained above.

Uninstall via the Windows Control Panel uninstaller.


4. Install the Splunk universal forwarder

The GUI installation is relatively simple. Choose Customize Options; you can select SSL certificates as follows.


#The second installer screen is as follows:

local system: local system user

domain account: domain account

#Select whether to collect Windows Event Logs, such as application logs, security logs, system logs, forwarded event logs and setup logs.

#Select whether to collect Windows Performance Monitor data, such as CPU, memory, disk, network status, etc.

#Note: collecting these logs uses the Splunk Add-on for Microsoft Windows, which you can install in the NEXT step.


The collected logs are forwarded to the wineventlog index in Splunk Enterprise, but Splunk Enterprise does not create this index by itself. You need to create it, either manually or by installing a Splunk App. Create the index at:

Splunk Web → Settings → Index → New Index


Next step (Receiving Indexer): this sets up the receiver, that is, the IP and port to which the system logs selected above will be forwarded. Since our Splunk Enterprise instance is local, we write localhost here and use port 10001 to forward these logs to Splunk Enterprise.


#Next, configure receiving on Splunk Enterprise.

Splunk Web → Settings → Forwarding and receiving → Receive data → Add → Listen on this port: 10001 (the receiving port just set)


# Use the splunk CLI command to view the listening port

splunk display listen


Of course, you can also add a listening port with the splunk CLI command:

splunk enable listen 10002
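The forwarder-to-indexer link set up through the installer and Splunk Web above (forwarder sends to localhost:10001, indexer listens on 10001, Windows event logs go into the wineventlog index) can also be written directly as configuration, which is how the Linux forwarder section earlier says the forwarder is normally managed. The script below is an added example, not code from the original post or from Splunk: it writes the outputs.conf and inputs.conf stanzas for that link, and includes a small reader for Splunk-style .conf files so the effective values can be checked and a forwarder/receiver port mismatch caught before data silently goes nowhere. The stanza group name primary_indexers and the CONF_DIR arguments are assumptions; the stanza formats ([tcpout], [tcpout:<group>], [splunktcp://<port>], [WinEventLog://<channel>]) are Splunk's.

```shell
#!/bin/sh
# Added example (not from the original post): write the forwarder and
# receiver stanzas for the link described above, then verify them with a
# small .conf reader. Directory arguments and the group name are assumptions.
set -eu

# outputs.conf on the universal forwarder: send everything to one receiver
# (normally $SPLUNK_HOME/etc/system/local/outputs.conf).
write_forwarder_outputs() {          # write_forwarder_outputs CONF_DIR HOST:PORT
    mkdir -p "$1"
    cat >"$1/outputs.conf" <<EOF
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = $2
EOF
}

# inputs.conf on the indexer: same effect as `splunk enable listen PORT`.
write_indexer_inputs() {             # write_indexer_inputs CONF_DIR PORT
    mkdir -p "$1"
    cat >"$1/inputs.conf" <<EOF
[splunktcp://$2]
disabled = 0
EOF
}

# inputs.conf on a Windows forwarder: one event log channel into one index.
# Appends, so it can be called once per channel (Application, Security, System).
write_wineventlog_input() {          # write_wineventlog_input CONF_DIR CHANNEL INDEX
    mkdir -p "$1"
    cat >>"$1/inputs.conf" <<EOF
[WinEventLog://$2]
disabled = 0
index = $3
EOF
}

# Read one key from one stanza of a Splunk-style .conf file.
# conf_get FILE STANZA KEY -> prints the value; exit 1 if stanza or key is absent.
conf_get() {
    awk -v want="[$2]" -v key="$3" '
        BEGIN { pat = "^" key "[ \t]*=" }
        /^\[/ { in_stanza = ($0 == want); next }
        in_stanza && $0 ~ pat {
            sub("^[^=]*=[ \t]*", ""); print; found = 1; exit
        }
        END { if (found) exit 0; exit 1 }' "$1"
}

# Cross-check: the port the forwarder sends to must have a splunktcp stanza
# on the indexer. Returns 1 when they disagree.
check_link() {                       # check_link FWD_CONF_DIR IDX_CONF_DIR
    server=$(conf_get "$1/outputs.conf" "tcpout:primary_indexers" server) || return 1
    port=${server##*:}
    conf_get "$2/inputs.conf" "splunktcp://$port" disabled >/dev/null
}

# Usage with the post's values (constructed directories under /tmp):
#   write_forwarder_outputs /tmp/fwd localhost:10001
#   write_wineventlog_input /tmp/fwd Security wineventlog
#   write_indexer_inputs   /tmp/idx 10001
#   check_link /tmp/fwd /tmp/idx && echo "forwarder and receiver agree on port 10001"
```

On a Windows forwarder the same stanzas go under %SPLUNK_HOME%\etc\system\local, and both sides need a restart (splunk restart) before the new stanzas take effect. The reader deliberately stops at the first match in the first matching stanza, which is enough to verify a file you wrote yourself; Splunk's own precedence rules across default/local and multiple apps are more involved than this.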

Now you can see the data received in the wineventlog index.


Now the built-in app (Search & Reporting) can use the SPL language to search the indexed events.


#Note: under Windows, the conflict between Splunk Enterprise and the universal forwarder over management port 8090 is resolved automatically.

0x03 Configuration after Splunk installation

1. Configure Splunk's server name

Settings → Server settings → General settings

The default is the server's host name.

It can also be changed from the command line:

./splunk set servername server
