Splunk及splunkforward简单部署配置

部署环境

操作系统

服务器操作系统版本：CentOS release 6.5 (Final) 2.6.32-431.el6.x86_64

软件

软件版本：splunk-6.4.0

tar:

splunk-6.4.0-f2c836328108-Linux-x86_64.tgz

splunkforwarder-6.4.0-f2c836328108-Linux-x86_64.tgz

rpm: splunk-6.4.0-f2c836328108-linux-2.6-x86_64.rpm

splunkforwarder-6.4.0-f2c836328108-linux-2.6-x86_64.rpm

IP地址

splunk服务器Ip地址：192.168.0.156

splunkforwarder服务器地址：192.168.0.140

splunk安装

tar安装

splunk

splunkforwarder

tar xzfv /usr/src/splunkforwarder-6.4.0-f2c836328108-Linux-x86_64.tgz -C /usr/local/

echo “export PATH=/usr/local/splunkforwarder/bin:$PATH” >> /etc/profile

source /etc/profile

rpm安装

splunk

splunkforwarder

rpm -ivh /usr/src/splunkforwarder-6.4.0-f2c836328108-linux-2.6-x86_64.rpm

echo “export PATH=/opt/splunkforwarder/bin:$PATH” >> /etc/profile

source /etc/profile

启动关闭

启动：splunk start

关闭：splunk stop

重启：splunk restart

设置开机启动

splunk enable boot-start

更改web端口及管理端口

l  splunk set splunkd-port 9998

l  splunk set web-port 80

配置

基本配置文件

splunk

$SPLUNK_HOME/etc/system/local/inputs.conf

$SPLUNK_HOME/etc/system/local/server.conf

$SPLUNK_HOME/etc/system/local/web

splunkforward

$SPLUNK_HOME/etc/system/local/inputs.conf

$SPLUNK_HOME/etc/system/local/outputs.conf

$SPLUNK_HOME/etc/system/local/server.conf

splunk

inputs.conf

[default]

host = 192.168.0.156

index = _internal

[splunktcp:///9997]

server.conf

[general]

serverName = 192.168.0.156

sessionTimeout = 1h

web

[settings]

startwebserver = 1

httpport = 80

mgmtHostPort = 127.0.0.1:8089

splunkforwarder

inputs.conf

[default]

index         = _internal

host = 192.168.0.140

[monitor:///var/log/maillog]

[monitor:///usr/local/tomcat-7.0.67/logs/catalina.out]

[monitor:///usr/local/jboss-5.1.0.GA/server/default/log/server.log]

sourcetype = log4j

outputs.conf

[tcpout]

defaultGroup=my_server

[tcpout:my_server]

server=192.168.0.156:9997

[tcpout-server://192.168.0.156:9997]

server.conf

[general]

serverName = 192.168.0.140

sessionTimeout = 1h

破解

破解splunk导入数据500M限制

cd $ SPLUNK_HOME

vim lib/python2.7/site-packages/splunk/appserver/mrsparkle/controllers/licensing.py

if action == 'add' and not pool_object.quota_bytes['byte_value']:

quota_value = max(0, int(unallocated_bytes / 2**20))

quota_value = quota_value * 1024 * 1024

else:

quota_value = (pool_object.quota_bytes['byte_value'] or 0) / 2**20

quota_value = quota_value * 1024 * 1024

#quota_units = 'MB'

quota_units = 'TB'

mv lib/python2.7/site-packages/splunk/appserver/mrsparkle/controllers/licensing.pyo /root

splunk restart

更改许可证

改为：Free许可证组

Web方式(使用浏览器访问http://plunk_server_ip:8000)

设置》授权》更改许可证组

选 Free 许可证

重启splunk

如下转载

数据源配置

主机日志

使用Syslog服务

Linux主机/防火墙/交换机

Linux/vpn网关/防火墙/交换机等支持udp/tcp日志传输的设备就直接使用udp/tcp传输的方式把日志传到splunk服务器

操作步骤：

splunk监听端口

在splunk上启用接受日志的监听端口

tcp: 514端口

udp:514端口

web方式:

添加数据>>syslog>>UDP>>新增

填514端口

如果使用tcp，操作同udp方式

Linux/vpn网关/防火墙/交换机等配置发送日志到splunk服务器

以Linux为示例：

配置Linux中的rsyslog服务

# vim /etc/rsyslog.conf

*.* @192.168.3.70:514               #udp模式

重启rsyslog

# service rsyslog restart

应用日志

依赖splunk universal forwarder

WebLogic和oracle日志