Splunk Cisco Notes

28/02/2019 Splunk Cisco Notes - Google Docs
https://www.splunk.com/page/previous_releases#x86_64linux

Redhat 7.3 iso link :
https://drive.google.com/open?id=0B9ZGwX0D1ZA1UmJFWEYyamRMLTQ

Splunk package :

https://www.splunk.com/page/download_track?file=6.6.3/linux/splunk6.6.3e21ee54bc796linux
2.6x86_64.rpm&platform=Linux&architecture=x86_64&version=6.6.3&product=splunk&typed=r
elease&name=linux_installer

https://docs.google.com/document/d/17rbd5OINM3Ca_S75joVXGGWtb9wMj5AUrE3yFTb7X1w/edit 1/16

# scp splunk.66…....rpm root@192.168.56.101:/root/Desktop

[root@localhost ~]# ls
[root@localhost ~]# cd Desktop/
[root@localhost Desktop]# ls
splunk6.6.3e21ee54bc796linux2.6x86_64.rpm
[root@localhost Desktop]# rpm ivh splunk6.6.3e21ee54bc796linux2.6x86_64.rpm

Splunk Home directory :
[root@localhost Desktop]# cd /opt/splunk/

[root@localhost splunk]# cd bin/
[root@localhost bin]# pwd
/opt/splunk/bin

[root@localhost bin]# ./splunk start
q
y


Firewall flushing:
# iptables F

Windows browser :
Url : yourip:8000

Url: 192.168.56.101:8000

Configure yum (package manager ):

# mkdir /rhel
# mount /dev/cdrom /rhel

[root@localhost ~]# cd /etc/yum.repos.d/

[root@localhost yum.repos.d]# vi vimal.repo
I

[mysoftware]
baseurl=file:///rhel
gpgcheck=0

Esc
:wq

Configure apache web server :

Step 1 : install web server
# yum install httpd

Step 2: host or copy web page into your server
# cd /var/www/html/
# vi index.html

Step 3: start web server :
# systemctl restart httpd

Log file :
# cd /var/log/httpd
# cat access_log

# while :
do
curl http://192.168.56.101/vimal.html
done

Data input : source type : “access_combined” for apache web server

SPL : index=web | stats sum(bytes) BY clientip

# netstat tnlp | grep 1111

[root@localhost ~]# vim /etc/httpd/conf/httpd.conf

Line 217:
CustomLog "| /usr/bin/logger p local6.info" combined


Custom syslog :
[root@localhost ~]# vim /etc/rsyslog.conf

local6.info /var/log/mycustom

[root@localhost ~]# systemctl restart rsyslog

[root@localhost ~]# logger p local6.info "hiii hello"

[root@localhost ~]# cat /var/log/mycustom

[root@localhost ~]# setenforce 0
[root@localhost ~]# getenforce
Permissive

[root@localhost ~]# systemctl restart httpd

[root@localhost ~]# vim /etc/rsyslog.conf
local6.info @@192.168.56.101:1111

# tcpdump i enp0s3 n X w mypass.txt
# tcpdump r mypass.txt n X > my.txt

[root@localhost local]# pwd
/opt/splunk/etc/system/local
[root@localhost local]# cat web.conf
[settings]
enableSplunkWebSSL = 1

/opt/splunk/bin/splunk restart

=> index and data input :
# cd /opt/splunk/etc/apps/search/local

/opt/splunk/var/lib/splunk/vimal/db/hot_v1_0/rawdata

Index store : (splunk data home) :
/opt/splunk/var/lib/splunk

/opt/splunk/etc/apps/search/local
[root@localhost local]# cat indexes.conf

[myindex123]
coldPath = $SPLUNK_DB/myindex123/colddb
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $SPLUNK_DB/myindex123/db
maxTotalDataSizeMB = 512000
thawedPath = $SPLUNK_DB/myindex123/thaweddb

[root@localhost local]# cat inputs.conf

[monitor:///root/Desktop/my.txt]
disabled = false
index = myindex123
sourcetype = myst_123

[root@localhost local]# /opt/splunk/bin/splunk restart

# /opt/splunk/bin/splunk enable bootstart

Field extraction:
(?P<xyz>(?i)virus|terror)

# nc splunk_ip port


# rpm q postfix
# systemctl restart postfix


index=web clientip="192.168.56.1" | stats count

index=web | table clientip | dedup clientip | stats count

index=web | table clientip status method bytes | eval remarks=if(status=="200","ok","not
ok") | fields status

index=web | fields clientip , bytes

index="_internal" source="/opt/splunk/var/log/splunk/license_usage.log"

index="_internal" | table status method bytes | fillnull value=NULL status | eval
remarks=if(status!="NULL","ok","not ok")

index=web | table clientip method bytes | replace GET WITH DOWNLOAD in method

index=web | table clientip method bytes | rename clientip AS src_ip |replace GET WITH
DOWNLOAD in method

index=web | stats sum(bytes) AS SUM, max(bytes) AS MAX, min(bytes) AS MIN, avg(bytes)
AS AVG by clientip

index=web | chart sum(bytes) AS SUM, max(bytes) AS MAX, min(bytes) AS MIN, avg(bytes)
AS AVG by clientip

index=_internal | chart sum(bytes) by clientip,method

index=web | where bytes > 30

index=web | timechart count by client

index=_internal | timechart span=1s count by client

index=web | table _raw | rename _raw AS RAW | rex field=RAW "\[(?P<mydate>.*)]"

index=web | rex field=_raw mode=sed "s/GET/vimal/"

http://docs.splunk.com/Documentation/Splunk/6.6.3/SearchReference/Fields


Sub search :

index=web [ search index=web | table clientip | dedup clientip | head 1 ] | stats sum(bytes)


https://www.splunk.com/page/download_track?file=6.6.3/linux/splunkforwarder6.6.3e21ee54bc
796linux2.6x86_64.rpm&platform=Linux&architecture=x86_64&version=6.6.3&product=univer
salforwarder&typed=release&name=linux_installer

Splunk Universal Forwarders :

[root@master ~]# cd Downloads/

[root@master Downloads]# rpm ivh
splunkforwarder6.6.3e21ee54bc796linux2.6x86_64.rpm
Splunk agent home dir :
# Cd /opt/splunkforwarder

[root@master splunkforwarder]# cd bin/

[root@master bin]# ./splunk start

q
y

[root@master bin]# netstat tnlp | grep splunk

[root@master bin]# ./splunk list forwardserver

[root@master bin]# ./splunk add forwardserver 192.168.56.101:9997

[root@master bin]# vim /etc/httpd/conf/httpd.conf
#CustomLog "| /usr/bin/logger p local6.info" combined
CustomLog "logs/access_log" common

[root@master bin]# setenforce 0

[root@master bin]# systemctl restart httpd

[root@master bin]# curl 127.0.0.1/pop.html

[root@master bin]# cat /var/log/httpd/access_log

[root@master bin]# ./splunk add monitor /var/log/httpd/access_log sourcetype
access_combined index rindex

http://dev.splunk.com/sdks

# curl k u admin:redhat https://192.168.56.101:8es/search/jobs d "search=search
index=net xyz=terror | stats count"

# curl k u admin:redhat
https://192.168.56.101:8089/services/search/jobs/1507960844.50/results

# curl k u admin:redhat https://192.168.56.101:8089/services/search/jobs d
'search=search index=net'

https://192.168.56.101:8089/services/search/jobs/1507959622.23/results get

https://192.168.56.101:8089/services/search/jobs/1507959622.23/results get d
output_mode=csv

https://github.com/vimallinuxworld13/splunknodeproxydashboard

http://docs.splunk.com/Documentation/Splunk/latest/RESTUM/RESTusing


Splunk Cisco Notes

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Splunk Cisco Notes

Încărcat de

Drepturi de autor:

Formate disponibile

28/02/2019 Splunk Cisco Notes - Google Docs

S-ar putea să vă placă și