Tuesday, 2 July 2013

How to install Splunk log analyser in Debian

Splunk indexer

Installation

  1. Get the Debian package from
    http://www.splunk.com/download?ac=get_splunk_download
  2. Install it with a root user
    dpkg -i splunk_package_name.deb
  3. Start the server
    /opt/splunk/bin/splunk start --accept-license

Launch the web application

In an internet browser, access the Splunk web-application at http://<hostname>:<port>
  • <hostname> is the host server name or IP.
  • <port> is the port you specified during the installation (the default port is 8000)
The web prompts you the login page (default username "admin" and password "changeme"), after that you need to change the admin password.

Configuration

Add local data

  1. Go to "Manager » Data inputs » Files & directories"
  2. Click on "New" button
  3. Choose the log file and follow the wizard

Receive data

  1. Go to "Manager » Forwarding and receiving » Receive data"
  2. Click on "New" button
  3. Choose the server port (where the indexer will receive the logs from the forwarders)
  4. Restart Splunk server
Note: contact HelpDesk to open the ports between the indexer and forwarders.

Splunk forwarder

Installation

  1. Get the Debian package from
    http://www.splunk.com/download/universalforwarder
  2. Install it with a root user
    dpkg -i splunk_package_name.deb
  3. Start it
    /opt/splunkforwarder/bin/splunk start --accept-license

Configuration

  1. Configure universal forwarder to auto-start
    /opt/splunkforwarder/bin/splunk enable boot-start
  2. Configure the universal forwarder to forward the log files to a specific receiver indexer
    /opt/splunkforwarder/bin/splunk add forward-server <host>:<port> -auth <username>:<local-password>
    Where:
    • <host> is the receiving indexer's hostname or IP address and <port> is the port it's listening on. By convention, the receiver listens for forwarders on port 9997, but it can be set to listen on any port, so you'll need to check with the receiver's administrator to obtain the port number. For information on setting up a receiver, see "Enable a receiver".
    • <username>:<password> is the username and password for logging into the Splunk forwarder. By default, these are "admin:changeme" (To set a different password than the default , issue the following command "splunk edit user admin -password <new password> -role admin -auth admin:changeme").
  3. Add the data to be forwarder
    • Edit "inputs.conf"
      cd /opt/splunkforwarder/etc/system/local/
      nano inputs.conf
    • Include the content below
      [monitor:///opt/hybris/log/tomcat/console-*.log]
      disabled = false
      ignoreOlderThan = 3d
      sourcetype = <project-name>
      Where:
      ignoreOlderThan: the input monitor stop checking files for updates if the time passed the 3 days.
    • Restart the Splunk forwarder
      /opt/splunkforwarder/bin/splunk restart
    • Check the Splunk log file
      less /opt/splunkforwarder/var/log/splunk/splunkd.log
 Note: to see more configuration options, check it here -> http://docs.splunk.com/Documentation/Splunk/5.0.3/Data/Editinputs.conf
Posted by at
Labels: ,
Location: Arabellapark, 81925 Munich, Germany

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)