Splunk Tutorial: Install & Configure Universal Forwarders


Download File URL - https://download.splunk.com/products/splunk/releases/9.0.1/linux/splunk-9.0.1-82c987350fde-Linux-x86_64.tgz
Splunk Linux Tar file - wget -O splunk-9.0.1-82c987350fde-Linux-x86_64.tgz "https://download.splunk.com/products/splunk/releases/9.0.1/linux/splunk-9.0.1-82c987350fde-Linux-x86_64.tgz"
Splunk Linux rpm file - wget -O splunk-9.0.1-82c987350fde-linux-2.6-x86_64.rpm "https://download.splunk.com/products/splunk/releases/9.0.1/linux/splunk-9.0.1-82c987350fde-linux-2.6-x86_64.rpm"
Splunk Linux Debian file - wget -O splunk-9.0.1-82c987350fde-linux-2.6-amd64.deb "https://download.splunk.com/products/splunk/releases/9.0.1/linux/splunk-9.0.1-82c987350fde-linux-2.6-amd64.deb"
Splunk Windows MSI file - wget -O splunk-9.0.1-82c987350fde-x64-release.msi "https://download.splunk.com/products/splunk/releases/9.0.1/windows/splunk-9.0.1-82c987350fde-x64-release.msi"
Splunk Universal Forwarder
MSI file
$ wget -O splunkforwarder-9.0.1-82c987350fde-x64-release.msi "https://download.splunk.com/products/universalforwarder/releases/9.0.1/windows/splunkforwarder-9.0.1-82c987350fde-x64-release.msi"
Linux tar file
$ wget -O splunkforwarder-9.0.1-82c987350fde-Linux-x86_64.tgz "https://download.splunk.com/products/universalforwarder/releases/9.0.1/linux/splunkforwarder-9.0.1-82c987350fde-Linux-x86_64.tgz"
PORTS SPECIFICATION OF SPLUNK SERVER
-----------------------------------------
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking appserver port [127.0.0.1:8065]: open
Checking kvstore port [8191]: open
Setting up Forwarders
Prerequisites to add forwarders
----------------------------------
1. Settings => Monitoring console => Settings => Forwarder Monitoring Setup => Forwarder Monitoring (ENABLE with 15 mins)
2. Settings => Forwarding and Receiving => Receive data => Add New ==> Listen on this port (For example, 9997 will receive data on TCP port 9997)
3. Restart the Splunk Instance
Settings => Server Controls => Restart Splunk
# Make sure the receiving port (for example 9997) is allowed through the firewall on the receiving server
==============================================
$ cd /opt/
$ wget -O splunkforwarder-7.2.5-088f49762779-Linux-x86_64.tgz 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.2.5&product=universalforwarder&filename=splunkforwarder-7.2.5-088f49762779-Linux-x86_64.tgz&wget=true'
$ tar -zxvf splunkforwarder-7.2.5-088f49762779-Linux-x86_64.tgz
# (this walkthrough uses the 7.2.5 tarball; the 9.0.1 forwarder tarball linked above extracts to the same /opt/splunkforwarder directory)
3. cd /opt/splunkforwarder/bin
./splunk start
./splunk stop
./splunk restart
./splunk help
4. sudo ./splunk start --accept-license
5. sudo ./splunk enable boot-start
==============HOSTED==============
sudo ./splunk add forward-server X.X.X.X:9997
OR sudo ./splunk add forward-server X.X.X.X:9997 -auth admin:goodpass
sudo ./splunk list forward-server
sudo ./splunk list monitor
sudo ./splunk add monitor /var/log
sudo ./splunk list monitor
sudo ./splunk list forward-server
sudo ./splunk restart
sudo ./splunk list forward-server
C:\Program Files\SplunkUniversalForwarder\etc\system\local
Filename - outputs.conf
==============CLOUD==============
6. sudo ./splunk edit user admin -password goodpassword -role admin -auth admin:changeme
7. sudo ./splunk install app /opt/splunkforwarder/splunkclouduf.spl -auth admin:goodpassword
8. sudo ./splunk restart
9. sudo ./splunk add monitor -auth admin:goodpassword /opt/log/www1
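The HOSTED steps above rely on `splunk add forward-server` to write the forwarder's outputs.conf. Two practical points: passing `-auth admin:goodpass` on the command line leaves the password in shell history and in process listings while the command runs, so prefer omitting `-auth` and letting the CLI prompt for credentials; and the generated file is worth validating before the restart. The script below is an added example (not from this page and not Splunk's own code): it renders the same three stanzas the CLI produces, validates the receiver address first, writes the file with owner-only permissions, and offers a reachability check for the receiving port that does not need netstat. It assumes bash with coreutils `timeout`, and that the receiver address (host:port) and destination path are supplied by you.

```shell
#!/usr/bin/env bash
# Added example (not from the DevOpsSchool page): render, validate and write a
# Universal Forwarder outputs.conf, then check that the receiver port answers.
# The receiver address and destination path are caller-supplied assumptions.

set -u

# validate_receiver HOST:PORT
# Returns 0 when host is non-empty and port is an integer in 1..65535.
validate_receiver() {
  local receiver="$1"
  local host="${receiver%:*}"
  local port="${receiver##*:}"
  [ "$host" != "$receiver" ] || return 1   # no colon at all
  [ -n "$host" ] || return 1               # empty host, e.g. ":9997"
  case "$port" in
    ''|*[!0-9]*) return 1 ;;               # non-numeric port
  esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# render_outputs_conf HOST:PORT [GROUP]
# Prints the three stanzas "splunk add forward-server" writes (as shown in the
# page's "more outputs.conf" output). Default group name matches the CLI's.
render_outputs_conf() {
  local receiver="$1"
  local group="${2:-default-autolb-group}"
  validate_receiver "$receiver" || { echo "bad receiver: $receiver" >&2; return 1; }
  printf '[tcpout]\ndefaultGroup = %s\n\n[tcpout:%s]\nserver = %s\n\n[tcpout-server://%s]\n' \
    "$group" "$group" "$receiver" "$receiver"
}

# write_outputs_conf HOST:PORT DEST
# Backs up any existing file, then writes DEST readable only by its owner.
write_outputs_conf() {
  local receiver="$1" dest="$2"
  local content
  content=$(render_outputs_conf "$receiver") || return 1
  [ -f "$dest" ] && cp -p "$dest" "$dest.bak.$(date +%s)"
  ( umask 077; printf '%s\n' "$content" > "$dest" )
}

# check_receiver_port HOST:PORT
# Opens a TCP connection with bash's /dev/tcp (3-second timeout), so it works
# on minimal hosts without netstat or nc. 0 = reachable, non-zero otherwise.
check_receiver_port() {
  local receiver="$1"
  local host="${receiver%:*}" port="${receiver##*:}"
  timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Typical run on the forwarder (paths and address are constructed examples):
#   write_outputs_conf 13.234.32.244:9997 /opt/splunkforwarder/etc/system/local/outputs.conf
#   check_receiver_port 13.234.32.244:9997 && echo "receiver reachable"
```

After writing the file you still need `sudo ./splunk restart` as in step 8 above for the forwarder to pick it up; a failing `check_receiver_port` usually means the receiving port was not enabled under Forwarding and Receiving or is blocked by the firewall on the receiving server.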
========== In Splunk Web (receiving server)=============================
1. Go to "Settings" and click on "Monitoring console"
2. On the Second Top Menu --
Click on the "Forwarders Deployment" and Visualize
Click on the "Forwarders Instance" and Visualize
3. Run a Search
=====================Forwarders Troubleshooting========================
========== On the Forwarder Servers=============================
bin> sudo ./splunk list forward-server
bin> netstat -a | grep 9997
========== On the Splunk Web (receiving) Server=============================
> netstat -a
# Check firewall settings as well
# Add an exception for the forwarder ports
# Make sure the receiving port (for example 9997) is allowed through the firewall
=================================================
sudo ./splunk start --accept-license
=================================================
# On branch master
# Changes not staged for commit:
# (use "git add/rm <file>..." to update what will be committed)
# (use "git checkout -- <file>..." to discard changes in working directory)
#
# deleted: ../ftr
#
# Untracked files:
# (use "git add <file>..." to include in what will be committed)
#
# ../etc/apps/learned/local/
# ../etc/apps/learned/metadata/local.meta
# ../etc/auth/ca.pem
# ../etc/auth/ca.srl
# ../etc/auth/cacert.pem
# ../etc/auth/server.pem
# ../etc/auth/splunk.secret
# ../etc/instance.cfg
# ../etc/myinstall/splunkd.xml
# ../etc/passwd
# ../etc/splunk-launch.conf
# ../etc/system/local/inputs.conf
# ../etc/system/local/server.conf
# ../etc/system/metadata/local.meta
# ../var/
=================================================
sudo ./splunk add forward-server 13.234.32.244:9997 -auth admin:admin123
=================================================
[root@ip-172-31-19-160 bin]# sudo ./splunk add forward-server 13.234.32.244:9997 -auth admin:admin123
Added forwarding to: 13.234.32.244:9997.
[root@ip-172-31-19-160 bin]# git status
# On branch master
# Changes not staged for commit:
# (use "git add <file>..." to update what will be committed)
# (use "git checkout -- <file>..." to discard changes in working directory)
#
# modified: ../etc/system/metadata/local.meta
# modified: ../var/log/splunk/audit.log
# modified: ../var/log/splunk/health.log
# modified: ../var/log/splunk/metrics.log
# modified: ../var/log/splunk/splunkd.log
# modified: ../var/log/splunk/splunkd_access.log
#
# Untracked files:
# (use "git add <file>..." to include in what will be committed)
#
# ../etc/login-info.cfg
# ../etc/system/local/outputs.conf
no changes added to commit (use "git add" and/or "git commit -a")
----------------------------------------
[root@ip-172-31-19-160 bin]# more ../etc/system/local/outputs.conf
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 13.234.32.244:9997
[tcpout-server://13.234.32.244:9997]
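Two things stand out in the session above. First, the outputs.conf the CLI wrote is what the forwarder actually trusts, so the troubleshooting step "list forward-server" is best paired with a check of the file itself. Second, the `git status` output shows that the whole forwarder install tree has been placed under git, and the untracked list includes `etc/auth/splunk.secret` (the key that protects stored credentials), `etc/auth/server.pem` (the server's private key and certificate) and `etc/passwd` (Splunk user password hashes); committing any of those would publish secrets. The following added example (not from this page and not Splunk's own tooling) provides both checks in bash with awk: `check_outputs_conf` confirms the defaultGroup points at a defined group whose server entries are valid host:port pairs, and `flag_secret_paths` filters a path listing (git status output works as-is) down to the files that must stay out of version control. The file paths and sample listings are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the DevOpsSchool page): validate outputs.conf and
# flag Splunk secret files in a git status listing. Paths are constructed.

set -u

# check_outputs_conf FILE
# Verifies that [tcpout] names a defaultGroup, that a [tcpout:<group>] stanza
# with a server= line exists for it, and that every server entry is host:port
# with a port in 1..65535. Returns 0 when consistent, 1 on the first problem.
check_outputs_conf() {
  local file="$1"
  [ -r "$file" ] || { echo "ERROR: cannot read $file" >&2; return 1; }
  awk '
    # Remember the current stanza header, e.g. "[tcpout:default-autolb-group]".
    substr($0, 1, 1) == "[" { section = $0; next }
    # key = value lines (comments skipped); trim whitespace on both sides.
    substr($0, 1, 1) != "#" && index($0, "=") > 0 {
      eq = index($0, "=")
      key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (section == "[tcpout]" && key == "defaultGroup") dg = val
      # strip "[tcpout:" (8 chars) and the closing "]" to get the group name
      if (substr(section, 1, 8) == "[tcpout:" && key == "server")
        servers[substr(section, 9, length(section) - 9)] = val
    }
    END {
      if (dg == "") { print "ERROR: no defaultGroup in [tcpout]"; exit 1 }
      if (!(dg in servers)) {
        print "ERROR: no [tcpout:" dg "] stanza with a server= line"; exit 1
      }
      n = split(servers[dg], list, ",")
      for (i = 1; i <= n; i++) {
        s = list[i]; gsub(/^[ \t]+|[ \t]+$/, "", s)
        if (s !~ /^[A-Za-z0-9._-]+:[0-9]+$/) {
          print "ERROR: bad server entry \"" s "\""; exit 1
        }
        split(s, hp, ":")
        if (hp[2] + 0 < 1 || hp[2] + 0 > 65535) {
          print "ERROR: port out of range in " s; exit 1
        }
      }
      print "OK: defaultGroup " dg " -> " servers[dg]
    }
  ' "$file"
}

# flag_secret_paths < PATH_LIST
# Reads one path per line (a "git status" listing works unchanged) and prints
# the entries holding Splunk secrets: splunk.secret, TLS keys/certs and the
# CA serial under etc/auth, the local passwd file and login-info.cfg.
flag_secret_paths() {
  grep -E '(^|/)(splunk\.secret|passwd|login-info\.cfg)$|\.(pem|key|srl)$'
}

# Typical run from /opt/splunkforwarder/bin (constructed example):
#   check_outputs_conf ../etc/system/local/outputs.conf
#   git status --porcelain | flag_secret_paths && echo "secrets present: do not commit"
```

If `flag_secret_paths` prints anything, add those paths to `.gitignore` (or, better, keep only `etc/system/local` and `etc/apps/*/local` under version control rather than the whole install tree) and rotate any key that has already been pushed.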