|
| 1 | +--- |
| 2 | +title: Monitor System Logs with Splunk Universal Forwarder |
| 3 | +linkTitle: UF Deployment |
| 4 | +weight: 7 |
| 5 | +--- |
1 | 6 |
|
| 7 | +**Objective:** Learn how to monitor Linux system logs with the Universal Forwarder sending logs to Splunk Enterprise |
| 8 | + |
| 9 | +**Duration**: 10 Minutes |
| 10 | + |
| 11 | +## Scenario |
| 12 | + |
| 13 | +You've been tasked with monitoring the OS logs of the host running your Kubernetes cluster. We are going to utilize a script that will autodeploy the Splunk Universal Forwarder. You will then configure the Universal Forwarder to send logs to the Splunk Enterprise instance assigned to you. |
| 14 | + |
| 15 | +### 1. Ensure You're in the Correct Directory |
| 16 | + |
| 17 | +- we will need to be in /home/ubuntu/session-2 |
| 18 | + |
| 19 | +``` bash |
| 20 | +cd /home/ubuntu/session-2 |
| 21 | +``` |
| 22 | + |
| 23 | +### 2. Review the Universal Forwarder Install Script |
| 24 | + |
| 25 | +- Let's take a look at the script that will install the Universal Forwarder and Linux TA automatically for you. |
| 26 | + - This script is primarily used for remote instances. |
| 27 | + - Note we are not using a deployment server in this lab, however it is recommended in production we do that. |
| 28 | + - What user are we installing Splunk as? |
| 29 | + |
| 30 | +``` bash |
| 31 | +#!/bin/sh |
| 32 | +# This EXAMPLE script shows how to deploy the Splunk universal forwarder |
| 33 | +# to many remote hosts via ssh and common Unix commands. |
| 34 | +# For "real" use, this script needs ERROR DETECTION AND LOGGING!! |
| 35 | +# --Variables that you must set ----- |
| 36 | +# Set username using by splunkd to run. |
| 37 | + SPLUNK_RUN_USER="splunk" |
| 38 | + |
| 39 | +# Populate this file with a list of hosts that this script should install to, |
| 40 | +# with one host per line. This must be specified in the form that should |
| 41 | +# be used for the ssh login, ie. username@host |
| 42 | +# |
| 43 | +# Example file contents: |
| 44 | + |
| 45 | + |
| 46 | + HOSTS_FILE="myhost.txt" |
| 47 | + |
| 48 | +# This should be a WGET command that was *carefully* copied from splunk.com!! |
| 49 | +# Sign into splunk.com and go to the download page, then look for the wget |
| 50 | +# link near the top of the page (once you have selected your platform) |
| 51 | +# copy and paste your wget command between the "" |
| 52 | + WGET_CMD="wget -O splunkforwarder-9.0.3-dd0128b1f8cd-Linux-x86_64.tgz 'https://download.splunk.com/products/universalforwarder/releases/9.0.3/linux/splunkforwarder-9.0.3-dd0128b1f8cd-Linux-x86_64.tgz'" |
| 53 | +# Set the install file name to the name of the file that wget downloads |
| 54 | +# (the second argument to wget) |
| 55 | + INSTALL_FILE="splunkforwarder-9.0.3-dd0128b1f8cd-Linux-x86_64.tgz" |
| 56 | + |
| 57 | +# After installation, the forwarder will become a deployment client of this |
| 58 | +# host. Specify the host and management (not web) port of the deployment server |
| 59 | +# that will be managing these forwarder instances. |
| 60 | +# Example 1.2.3.4:8089 |
| 61 | +# DEPLOY_SERVER="x.x.x.x:8089" |
| 62 | + |
| 63 | + |
| 64 | + |
| 65 | +# After installation, the forwarder can have additional TA's added to the |
| 66 | +# /app directory please provide the local where TA's will be. |
| 67 | + TA_INSTALL_DIRECTORY="/tmp" |
| 68 | + |
| 69 | +# Set the seed app folder name for deploymentclien.conf |
| 70 | +# DEPLOY_APP_FOLDER_NAME="seed_all_deploymentclient" |
| 71 | +# Set the new Splunk admin password |
| 72 | + PASSWORD="changeme" |
| 73 | + |
| 74 | +REMOTE_SCRIPT_DEPLOY=" |
| 75 | + cd /opt |
| 76 | + sudo $WGET_CMD |
| 77 | + sudo tar xvzf $INSTALL_FILE |
| 78 | + sudo rm $INSTALL_FILE |
| 79 | + sudo useradd $SPLUNK_RUN_USER |
| 80 | + sudo find $TA_INSTALL_DIRECTORY -name '*.tgz' -exec tar xzvf {} --directory /opt/splunkforwarder/etc/apps \; |
| 81 | + sudo chown -R $SPLUNK_RUN_USER:$SPLUNK_RUN_USER /opt/splunkforwarder |
| 82 | + echo \"[user_info] |
| 83 | + USERNAME = admin |
| 84 | + PASSWORD = $PASSWORD\" > /opt/splunkforwarder/etc/system/local/user-seed.conf |
| 85 | + #sudo cp $TA_INSTALL_DIRECTORY/*.tgz /opt/splunkforwader/etc/apps/ |
| 86 | + #sudo find /opt/splunkforwarder/etc/apps/ -name '*.tgz' -exec tar xzvf {} \; |
| 87 | + sudo -u splunk /opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --auto-ports --no-prompt |
| 88 | + sudo /opt/splunkforwarder/bin/splunk enable boot-start -user $SPLUNK_RUN_USER |
| 89 | + #sudo cp $TA_INSTALL_DIRECTORY/*.tgz /opt/splunkforwarder/etc/apps/ |
| 90 | +
|
| 91 | + exit |
| 92 | + " |
| 93 | + |
| 94 | +DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )" |
| 95 | + |
| 96 | + |
| 97 | +#=============================================================================================== |
| 98 | + echo "In 5 seconds, will run the following script on each remote host:" |
| 99 | + echo |
| 100 | + echo "====================" |
| 101 | + echo "$REMOTE_SCRIPT_DEPLOY" |
| 102 | + echo "====================" |
| 103 | + echo |
| 104 | + sleep 5 |
| 105 | + echo "Reading host logins from $HOSTS_FILE" |
| 106 | + echo |
| 107 | + echo "Starting." |
| 108 | + for DST in `cat "$DIR/$HOSTS_FILE"`; do |
| 109 | + if [ -z "$DST" ]; then |
| 110 | + continue; |
| 111 | + fi |
| 112 | + echo "---------------------------" |
| 113 | + echo "Installing to $DST" |
| 114 | + echo "Initial UF deployment" |
| 115 | + sudo ssh -t "$DST" "$REMOTE_SCRIPT_DEPLOY" |
| 116 | + done |
| 117 | + echo "---------------------------" |
| 118 | + echo "Done" |
| 119 | + echo "Please use the following app folder name to override deploymentclient.conf options: $DEPLOY_APP_FOLDER_NAME" |
| 120 | + ``` |
| 121 | + |
| 122 | +### 3. Run the install script |
| 123 | + |
| 124 | +We will run the install script now. You will see some Warnings at the end. This is totally normal. |
| 125 | + |
| 126 | +``` bash |
| 127 | +./install.sh |
| 128 | +``` |
| 129 | + |
| 130 | +### 4. Verify installation of the Universal Forwarader |
| 131 | + |
| 132 | +- We need to verify that the Splunk Universal Forwarder is installed and running. |
| 133 | + - You should see a couple PID's return and a "Splunk is currently running." message. |
| 134 | + |
| 135 | +``` bash |
| 136 | +/opt/splunkforwarder/bin/splunk status |
| 137 | +``` |
| 138 | + |
| 139 | +#### 5. Configure the Universal Forwarder to Send Data to Splunk Enterprise. |
| 140 | + |
| 141 | +- We will be able to send the data to our Splunk Enterprise environment easily by entering one line into the cli. |
| 142 | + - [Universal Forwarder Config Guide](https://docs.splunk.com/Documentation/Forwarder/9.0.3/Forwarder/Configuretheuniversalforwarder) |
| 143 | + |
| 144 | +``` bash |
| 145 | +/opt/splunkforwarder/bin/splunk add forward-server <your_splunk_enterprise_ip>:9997 |
| 146 | +``` |
| 147 | + |
| 148 | + |
| 149 | + |
| 150 | +#### 6. Verify the Data in Your Splunk Enterprise Environment |
| 151 | + |
| 152 | +- We are now going to take a look at the Splunk Enterprise environment to verify logs are coming in. |
| 153 | + - Logs will be coming into ```index=main``` |
| 154 | + |
| 155 | +- Open your web browser and navigate to: ```http://<your_splunk_enterprise_ip:8000``` |
| 156 | + - You will use the credentials ```admin:<your_ssh_password>``` |
| 157 | + |
| 158 | +- In the search bar, type in the following: |
| 159 | +- ```index=main host=<your_host_name>``` |
| 160 | + |
| 161 | +- You should see data from your host. Take note of the interesting fields and the different data sources flowing in. |
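Review bot: the remote script extracts every `*.tgz` it finds under `TA_INSTALL_DIRECTORY="/tmp"` straight into `/opt/splunkforwarder/etc/apps` (the line `sudo find $TA_INSTALL_DIRECTORY -name '*.tgz' -exec tar xzvf {} --directory /opt/splunkforwarder/etc/apps \;`), and `/tmp` is world-writable, so any archive another local user drops there gets installed as a forwarder app running under the splunk account; point `TA_INSTALL_DIRECTORY` at a root-owned staging directory or name the expected TA file explicitly. The seeded admin credential `PASSWORD="changeme"` is written verbatim into `user-seed.conf`, and since the header says the script is meant for many remote hosts, the lab text should say this is a placeholder that must be changed before use. Smaller points in the script: the shebang is `#!/bin/sh` but `DIR` is built from `${BASH_SOURCE[0]}`, which is bash-only (under a POSIX sh it is empty and `DIR` silently falls back to the current directory), so `#!/bin/bash` is the honest choice; `sudo -u splunk /opt/splunkforwarder/bin/splunk start` hardcodes the user instead of `$SPLUNK_RUN_USER`; `DEPLOY_APP_FOLDER_NAME` is commented out yet still echoed in the final message; `sudo ssh -t` runs ssh as root, so root's keys and known_hosts are used rather than the invoking user's. In the markdown: steps 5 and 6 use `####` while steps 1 to 4 use `###`, "Forwarader" in the step 4 heading is a typo, the URL in step 6 is missing the closing `>` after `<your_splunk_enterprise_ip`, and inline values such as `index=main` use triple backticks where single backticks are the convention.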