Install a Windows universal forwarder from an installer

1. Double-click the MSI file to start the installation. The first screen of the installer should pop up.
2. Select the "Check this box to accept the License Agreement" check box and the check box for either Splunk Enterprise or Splunk Cloud.
3. To change any of the default installation settings, click the "Customize Options" button.
4. (Optional) In the Destination Folder dialog box, click Change to specify a different installation directory.
5. On the Certificate Information page, click Next as a best practice.
6. As a best practice, run the Universal Forwarder as the Local System user and click Next. Do not specify any parameters. See "Install as a low-privilege user" for information about securing your system when installing as a local user.
7. (Optional) Select one or more Windows inputs from the list and click Next.
8. Create a username and password for your Universal Forwarder administrator account. Check Generate random password to let Splunk generate a password for you.
9. Do at least one of the following two steps:
   - In the Deployment Server pane, enter management port 8089 for the deployment server that you want the universal forwarder to connect to and click Next.
   - In the Receiving Indexer pane, leave it empty for the receiving indexer that you want the universal forwarder to send data to and click Next.
10. Click Install to proceed with the installation. The installer runs and displays the Installation Completed dialog box. The universal forwarder automatically starts.
11. From Windows Control Panel, confirm that the SplunkForwarder service runs.

After a while it can get tedious to access and review server logs via the command line. There are several tools available that can provide the same information in a graphical manner. Recently I’ve migrated to Splunk as there are both Enterprise and Free versions available. Of course, you’ll need a Splunk server installed first, as the forwarder is really just another (lighter) instance that will forward the log information to a central location.

1. Download the system appropriate installer from:
2. Check to see if you are running 32 or 64 bit OS:

    uname -a

   If you see i686 you are 32 bit, if x86_64 you are 64 bit!
3. Download, you’ll likely need a different version:

    sudo dpkg -i splunkforwarder-6.1.

4. Enable auto-start on reboot:

    cd /opt/splunkforwarder/bin/

5. Start the server:

    sudo service splunk start

6. The default ‘admin’ password is ‘changeme’, so we need to change it immediately to do anything else, or we will see errors in future steps:

    sudo /opt/splunkforwarder/bin/splunk edit user admin -password YOUR_NEW_PASSWORD -auth admin:changeme

7. Set the server:

    sudo /opt/splunkforwarder/bin/splunk add forward-server YOUR_SERVER_ADDRESS:9997

   NOTE: if you get prompted for a splunk username/password you likely skipped the above step. Remember – the forwarder is a new ‘light’ installation of the server and as such has its own users!
8. Enable some monitors on the box. Some common services and log locations to get you started…

   Apache2 HTTPd

    sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/apache2 -index main -sourcetype Apache2

   Tomcat7

    sudo /opt/splunkforwarder/bin/splunk add monitor /opt/tomcat7/logs -index main -sourcetype Tomcat7

   MySQL

    sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/mysql -index main -sourcetype MySQL

   Postfix (SMTP)

    sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/mail.log -index main -sourcetype Postfix

   Squid3 (Proxy)

    sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/squid/access.log -index main -sourcetype Squid3
    sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/squid/cache.log -index main -sourcetype Squid3
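One way to confirm that the Linux `add monitor` commands on this page actually landed in the forwarder's configuration, as an added example that is not part of the original post: the script parses the monitor stanzas of an inputs.conf and lists every expected monitor that is missing or has a different index or sourcetype. The inputs.conf content is a constructed sample and the function names are illustrative.

```shell
# Expected path|index|sourcetype, taken from the add monitor commands on this page.
expected_monitors() {
cat <<'EOF'
/var/log/apache2|main|Apache2
/opt/tomcat7/logs|main|Tomcat7
/var/log/mysql|main|MySQL
/var/log/mail.log|main|Postfix
/var/log/squid/access.log|main|Squid3
/var/log/squid/cache.log|main|Squid3
EOF
}

# Constructed inputs.conf: Tomcat7 and cache.log absent, mail.log has the wrong sourcetype.
sample_inputs() {
cat <<'EOF'
[monitor:///var/log/apache2]
index = main
sourcetype = Apache2
[monitor:///var/log/mysql]
index = main
sourcetype = MySQL
[monitor:///var/log/mail.log]
index = main
sourcetype = syslog
[monitor:///var/log/squid/access.log]
sourcetype = Squid3
index = main
EOF
}

# Read inputs.conf on stdin, print path|index|sourcetype for each monitor stanza.
list_monitors() {
  awk '
    function emit() { if (path != "") print path "|" idx "|" st }
    /^\[/ { emit(); path = ""; idx = ""; st = "" }
    /^\[monitor:\/\// { path = substr($0, 12, length($0) - 12) }
    /^index[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); idx = $0 }
    /^sourcetype[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); st = $0 }
    END { emit() }'
}

# Read inputs.conf on stdin, print each expected monitor that is missing or mismatched.
missing_monitors() {
  actual=$(list_monitors)
  expected_monitors | while IFS= read -r want; do
    printf '%s\n' "$actual" | grep -Fxq -- "$want" || printf '%s\n' "$want"
  done
}
sample_inputs | missing_monitors
```

On a real forwarder, pipe in the inputs.conf that the `add monitor` commands wrote; an empty result means every monitor from the list is configured with the intended index and sourcetype.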