Splunk has its own set of terminology; here are some useful things to know about:

- Universal Forwarder: I think of this as the "Splunk client". It can run directly on most general purpose OSes, and it is responsible for gathering data and sending it on to the indexer.
- Indexer: I think of this as a Splunk "server" - it ingests the data you send and "indexes" it.
- Search head: I think of this as the "front end" Splunk server, which is in charge of actually running your queries.
- Departmental Splunk instance: this isn't a Splunk term per se, but it's how I refer to the bundle of things that make up the Splunk environment that OIT "gives" my department.
- Apps: "bundles" of Splunk configuration. In the simplest case, this is probably the search app, which is all this document discusses.

Before you can use Splunk, you need to have that departmental instance. If you don't have one yet, submit a ticket to the OIT help desk asking for a departmental Splunk instance. Access to your Splunk instance is governed by grouper groups (or, I guess, group manager groups?). If you have your own group which you will use to control access, refer to that group in your ticket.

When you have your departmental instance created, you will be provided with the following information, which you must use to configure your forwarders:

- the splunk indexer server:port combination; this is what the forwarder will connect to.
- an "index" to use, which usually corresponds to your department's name. It is possible to have multiple indexes for your instance, but initially you'll start with a single index (if you need more later on, you should submit a ticket and request them).
- an SSL CA certificate, used by your client to verify connections to the Splunk indexer.
- a splunk client certificate, used to authenticate your client against the indexer.
- an SSL password, used to decrypt your SSL cert.
- a URL which you actually use to hit your search head and do searches.

Installing the forwarder itself is easy: you can download the Universal Forwarder from the Splunk web site. Most distributions will utilize either the RPM or the DEB, but they also have a tarball if you're doing something more esoteric (for example: we have some systems with unwritable /opt filesystems, so we had to build custom packages using the tarball to accommodate this).

Next, you should get your SSL certs in place.

You want to see something like:

Active forwards: :9997 (ssl)

You can do lots of other fun things with the CLI, too!

My first search

You should probably check your search head to see if you're getting any data. You might want to just start off with the most basic query: "index=*" - that should return some results! Note that you have to specify an index!

Make sure your system is actually trying to send data to the indexers. You could use wireshark or tcpdump to check this out. Splunk itself logs in /opt/splunkforwarder/var/log/splunk. Poking around in there can help you track down issues - sometimes. I won't claim to be an expert, but you can always hit me (Jeremy) up on jabber directly (jnt6) and I'll see what I can do. You can shoot an email to the Splunk mailing list! Splunk users are super helpful!

In addition to grabbing your existing logs, Splunk can periodically run arbitrary commands and aggregate the output from them. The Splunk Add-on for Unix and Linux does this for you, with several canned scripts and corresponding sourcetypes available.

Install a universal forwarder on each Windows host

Installing and configuring a universal forwarder on each Windows host in your environment is the first step toward getting data into the indexer that you set up earlier. The universal forwarder is a version of Splunk Enterprise whose only purpose is to collect data from a host and send it somewhere else. Unlike full Splunk Enterprise, the universal forwarder has extremely limited capability to transform or change the data it collects in any way. This allows for fast collection and dispatching of data with little impact on system and network resources.

In this application, you install a universal forwarder on a Windows host to collect the data it contains. You then forward this data to the Splunk indexer, which indexes and stores the data and makes it available for the Splunk App for Microsoft Exchange. For detailed procedures on installing a universal forwarder on a Windows host, see Install the universal forwarder onto the Windows host in the Universal Forwarder manual. As Microsoft Exchange runs only on Windows, you can only install Windows universal forwarders. In order to begin the data collection and forwarding process, you must install a universal forwarder on every Windows host that you want to send data from.
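As an added example (not from this post, and not OIT's or Splunk's own configuration), here is how the information you are handed for a departmental instance (indexer server:port, index name, CA cert, client cert, SSL password) maps onto the universal forwarder's outputs.conf and inputs.conf; the hostnames, index name, certificate paths and password are placeholders. Two caveats worth knowing: sslVerifyServerCert is off by default, so without it the forwarder never checks who is on the other end of that TLS connection, and on newer forwarder releases the CA path is expected in server.conf under [sslConfig] rather than in outputs.conf.

```ini
# /opt/splunkforwarder/etc/system/local/outputs.conf  (placeholder values)
# Where the forwarder sends data: the indexer server:port you were given.
[tcpout]
defaultGroup = dept_indexers

[tcpout:dept_indexers]
server = splunk-indexer.example.edu:9997

# The SSL material you were given. sslRootCAPath is honoured here on older
# forwarders; newer releases want it in server.conf under [sslConfig].
sslRootCAPath = /opt/splunkforwarder/etc/auth/dept/ca.pem
clientCert = /opt/splunkforwarder/etc/auth/dept/forwarder.pem
# The "SSL password" that unlocks the private key inside forwarder.pem.
# Splunk rewrites it in obfuscated ($7$...) form on the next restart, so
# keep this file readable by the splunk user only.
sslPassword = changeme-placeholder

# Not set by default: without this the forwarder will talk TLS to anything
# listening on that port. Verify the indexer's certificate against the CA
# above and check the name it presents.
sslVerifyServerCert = true
sslCommonNameToCheck = splunk-indexer.example.edu

# Have the indexer acknowledge what it has written, so a dropped
# connection does not silently lose events.
useACK = true


# /opt/splunkforwarder/etc/system/local/inputs.conf  (placeholder values)
# What to collect, and the departmental index it all lands in.
[default]
host = webserver01.example.edu

[monitor:///var/log/messages]
index = dept_index
sourcetype = syslog
disabled = false

[monitor:///var/log/secure]
index = dept_index
sourcetype = linux_secure
disabled = false
```

After restarting the forwarder, `splunk list forward-server` should list the indexer under Active forwards with (ssl) next to it, matching the output shown above; if it appears under configured-but-inactive forwards instead, start with the forwarder's splunkd.log under /opt/splunkforwarder/var/log/splunk for the certificate or connection error.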