1. Overview
Splunk supports many kinds of data sources: uploading files, monitoring local files, configuring a universal forwarder, and so on. Almost every setting can be made in one of three ways: through the Web UI, through splunk CLI commands, or by editing the configuration files directly (which requires a Splunk restart to take effect).
The two most common scenarios are collecting syslog and collecting data through a universal forwarder (agent). A simple worked example of each follows.
2. Application example: collecting syslog
2.1 Linux rsyslog client configuration
(1) Install rsyslog
yum install rsyslog
(2) Enable forwarding of local syslog to Splunk
vim /etc/rsyslog.conf

# Provides TCP syslog reception
# These two lines only matter if this host must itself receive syslog over TCP;
# for a client that only forwards to Splunk they can stay commented out.
#$ModLoad imtcp
#$InputTCPServerRun 514

# Forward all facilities and priorities to the Splunk TCP input configured in 2.2.
# "@@" means TCP; a single "@" would send over UDP.
*.* @@192.168.44.130:514
(3) Restart the rsyslog service
systemctl restart rsyslog
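The three steps above as one script (an added example, not part of the original post): it renders the forwarding rule into a drop-in file under /etc/rsyslog.d/ instead of editing /etc/rsyslog.conf in place, validates the whole configuration with rsyslogd -N1 before restarting, and emits a test event with logger so the delivery can be confirmed in Splunk. The destination defaults to the 192.168.44.130:514 used above; the file name 50-splunk.conf and the queue sizes are assumptions. The disk-assisted queue directives are added because a plain TCP action silently drops messages while Splunk is unreachable.

```shell
#!/bin/sh
# Added example (not from the original post): generate, validate and activate an
# rsyslog forwarding rule for Splunk as a drop-in file rather than editing
# /etc/rsyslog.conf by hand. SPLUNK_HOST/SPLUNK_PORT default to the values used
# in the post; CONF_FILE and the queue sizes are assumptions.

SPLUNK_HOST="${SPLUNK_HOST:-192.168.44.130}"
SPLUNK_PORT="${SPLUNK_PORT:-514}"
SPLUNK_PROTO="${SPLUNK_PROTO:-tcp}"                 # tcp -> "@@", udp -> "@"
CONF_FILE="${CONF_FILE:-/etc/rsyslog.d/50-splunk.conf}"

# Map the transport name to the rsyslog forwarding prefix.
# A single "@" is UDP (fire-and-forget); "@@" is TCP (connection-oriented).
fwd_prefix() {
    case "$1" in
        tcp|TCP) printf '@@' ;;
        udp|UDP) printf '@' ;;
        *) echo "unknown protocol: $1" >&2; return 1 ;;
    esac
}

# Render the forwarding rule. For TCP a disk-assisted queue is added so that
# messages are buffered locally while Splunk is unreachable instead of dropped.
render_rule() {
    host="$1"; port="$2"; proto="$3"
    prefix=$(fwd_prefix "$proto") || return 1
    if [ "$prefix" = "@@" ]; then
        cat <<EOF
# Forward all facilities/priorities to Splunk over TCP (added example)
\$ActionQueueType LinkedList
\$ActionQueueFileName splunk_fwd
\$ActionQueueMaxDiskSpace 512m
\$ActionQueueSaveOnShutdown on
\$ActionResumeRetryCount -1
*.* ${prefix}${host}:${port}
EOF
    else
        cat <<EOF
# Forward all facilities/priorities to Splunk over UDP (added example)
*.* ${prefix}${host}:${port}
EOF
    fi
}

# Does a rendered configuration forward everything to the expected destination
# with the expected transport? (pure check, no side effects)
rule_matches() {
    conf="$1"; host="$2"; port="$3"; proto="$4"
    prefix=$(fwd_prefix "$proto") || return 1
    printf '%s\n' "$conf" | grep -q "^\*\.\* ${prefix}${host}:${port}\$"
}

# Write the rule, check the whole rsyslog configuration, restart, and emit a
# test message that should then be searchable in Splunk.
apply_rule() {
    render_rule "$SPLUNK_HOST" "$SPLUNK_PORT" "$SPLUNK_PROTO" > "$CONF_FILE" || return 1
    # -N1 parses the configuration without starting the daemon.
    rsyslogd -N1 || { echo "rsyslog config check failed" >&2; return 1; }
    systemctl restart rsyslog
    logger -t splunk-test "rsyslog forwarding test from $(hostname)"
}

if [ "${1:-}" = "--apply" ]; then
    apply_rule
else
    # Dry run: print what would be written to $CONF_FILE.
    render_rule "$SPLUNK_HOST" "$SPLUNK_PORT" "$SPLUNK_PROTO"
fi
```

Run without arguments to preview the rule; run with --apply as root to install it. After the restart, searching Splunk for the splunk-test tag confirms end-to-end delivery.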
2.2 Splunk TCP input configuration
(1) From the home page go to Add Data --> Monitor --> TCP/UDP, choose TCP, confirm the port and click Next.

(2) Select the source type, confirm the host and index, and click Review.

(3) After reviewing and confirming the settings, click Submit.

(4) This completes creation of the TCP listening port. Click Start Searching and the syslog data sent by the Linux client can be found.

3. Application example: collecting logs with the universal forwarder (agent)
3.1 Configure the Splunk receiving port
(1) Settings --> Forwarding and receiving --> Configure receiving --> New Receiving Port
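The overview notes that everything done in the Web UI can also be done from the CLI or by editing configuration files. This added example (not Splunk's own code) renders the inputs.conf stanzas equivalent to the TCP syslog input of section 2.2 and the forwarder receiving port of section 3.1, prints the CLI commands that create the same inputs, and with --apply writes them under $SPLUNK_HOME/etc/system/local and checks the merged result with btool. SPLUNK_HOME=/opt/splunk and the acceptFrom subnet 192.168.44.0/24 are assumptions; acceptFrom is included so that only the expected clients can push events into the index.

```shell
#!/bin/sh
# Added example, not Splunk's own code: inputs.conf and CLI equivalents of the
# Web UI steps in sections 2.2 (raw TCP syslog input) and 3.1 (receiving port).
# Assumptions: SPLUNK_HOME=/opt/splunk; the 192.168.44.0/24 acceptFrom subnet
# is constructed. Port 514, sourcetype syslog, index main and port 9997 are the
# values used in the post.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
LOCAL_INPUTS="$SPLUNK_HOME/etc/system/local/inputs.conf"

# Section 2.2: raw TCP input for rsyslog clients.
# acceptFrom limits which source addresses may connect (others are dropped);
# connection_host=dns sets the host field from a reverse lookup of the sender.
# Note: binding a port below 1024 requires splunkd to run as root; a common
# alternative is to listen on 1514 and point rsyslog there.
render_syslog_input() {
    port="$1"; sourcetype="$2"; index="$3"; accept_from="$4"
    cat <<EOF
[tcp://${port}]
sourcetype = ${sourcetype}
index = ${index}
connection_host = dns
acceptFrom = ${accept_from}
EOF
}

# Section 3.1: receiving port for universal forwarders. This must be a
# splunktcp stanza, not tcp: forwarders speak Splunk's own protocol.
render_receiving_port() {
    port="$1"
    cat <<EOF
[splunktcp://${port}]
disabled = 0
EOF
}

# The CLI commands that create the same two inputs (they prompt for admin
# credentials and take effect without editing files by hand).
cli_equivalents() {
    cat <<EOF
${SPLUNK_HOME}/bin/splunk add tcp 514 -sourcetype syslog -index main
${SPLUNK_HOME}/bin/splunk enable listen 9997
EOF
}

# True if the rendered text contains the stanza header and "key = value".
stanza_has() {
    conf="$1"; stanza="$2"; key="$3"; value="$4"
    printf '%s\n' "$conf" | grep -qxF "[${stanza}]" &&
        printf '%s\n' "$conf" | grep -qxF "${key} = ${value}"
}

# Write both stanzas, show the merged effective settings with btool (which
# also reports the file each setting comes from), then restart splunkd.
apply_inputs() {
    mkdir -p "$(dirname "$LOCAL_INPUTS")"
    {
        render_syslog_input 514 syslog main 192.168.44.0/24
        echo
        render_receiving_port 9997
    } >> "$LOCAL_INPUTS"
    "$SPLUNK_HOME/bin/splunk" btool inputs list --debug | grep -E 'tcp://514|splunktcp://9997'
    "$SPLUNK_HOME/bin/splunk" restart
}

if [ "${1:-}" = "--apply" ]; then
    apply_inputs
else
    # Dry run: print what --apply would write, followed by the CLI equivalents.
    render_syslog_input 514 syslog main 192.168.44.0/24
    echo
    render_receiving_port 9997
    echo
    cli_equivalents
fi
```

Whichever route is used, the receiving ports should be reachable only from the log sources and forwarders that are meant to use them; acceptFrom enforces that at the input, and a host firewall rule in front of the port is a second layer.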

3.2 Configure the universal forwarder on Windows
(1) Double-click the .msi file to start the installation.

(2) Configure the universal forwarder as a deployment client.

(3) Configure the receiving server and port.

(4) Click Install and wait until the installation completes.
(5) Settings --> Forwarder management: the online clients are listed here.

(6) Settings --> Data inputs, choose Windows Event Log, and create a new remote Windows event log input.

(7) Choose the source and select the event log.

(8) Choose an index, or create a new one.

(9) Review the settings and submit.

(10) Finish adding the data input.

(11) Click Start Searching: the Windows event logs are being collected successfully.
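The wizard above writes a handful of configuration files on the forwarder. This added example (not Splunk's own code) renders those files so they can be reviewed before installation or pushed from a deployment server: outputs.conf for the receiving server (step 3), deploymentclient.conf for the deployment client (step 2), and the WinEventLog stanzas in inputs.conf that correspond to steps 6 to 8. The indexer 192.168.44.130 and port 9997 are from the post; the deployment server address, the index name wineventlog and the channel list are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Splunk's own code: the forwarder-side configuration that
# corresponds to the wizard settings in section 3.2, rendered as files so they
# can be reviewed or pushed from a deployment server. The indexer
# 192.168.44.130 and receiving port 9997 are from the post; DS_HOST, the index
# name and the channel list are constructed placeholders.

INDEXER="${INDEXER:-192.168.44.130:9997}"
DS_HOST="${DS_HOST:-splunk-ds.example.com:8089}"   # placeholder deployment server
UF_HOME="${UF_HOME:-/opt/splunkforwarder}"          # Windows: C:\Program Files\SplunkUniversalForwarder

# outputs.conf: where the forwarder sends its data (wizard step 3).
render_outputs() {
    indexer="$1"
    cat <<EOF
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = ${indexer}
EOF
}

# deploymentclient.conf: phone-home target so inputs can be managed centrally
# (wizard step 2, "deployment client").
render_deploymentclient() {
    ds="$1"
    cat <<EOF
[deployment-client]

[target-broker:deploymentServer]
targetUri = ${ds}
EOF
}

# inputs.conf: one WinEventLog stanza per channel (wizard steps 6 to 8).
# renderXml keeps the full structured event instead of the localized text.
render_wineventlog_inputs() {
    index="$1"; shift
    for channel in "$@"; do
        printf '[WinEventLog://%s]\ndisabled = 0\nindex = %s\nrenderXml = true\n\n' "$channel" "$index"
    done
}

# Number of event-log channels a rendered inputs.conf would collect.
count_channels() {
    printf '%s\n' "$1" | grep -c '^\[WinEventLog://'
}

# Write the files into the forwarder's local directory, restart it, and
# confirm the connection: "list forward-server" reports "Active forwards".
apply_forwarder_config() {
    local_dir="$UF_HOME/etc/system/local"
    mkdir -p "$local_dir"
    render_outputs "$INDEXER" > "$local_dir/outputs.conf"
    render_deploymentclient "$DS_HOST" > "$local_dir/deploymentclient.conf"
    render_wineventlog_inputs wineventlog Security System Application > "$local_dir/inputs.conf"
    "$UF_HOME/bin/splunk" restart
    "$UF_HOME/bin/splunk" list forward-server
}

if [ "${1:-}" = "--apply" ]; then
    apply_forwarder_config
else
    # Dry run: show the three files that --apply would write.
    render_outputs "$INDEXER"; echo
    render_deploymentclient "$DS_HOST"; echo
    render_wineventlog_inputs wineventlog Security System Application
fi
```

On Windows the same stanzas live under the forwarder's etc\system\local directory, and the equivalent CLI commands are splunk add forward-server 192.168.44.130:9997 and splunk set deploy-poll <deployment-server>:8089, run from the forwarder's bin directory. A forwarder that shows up under Forwarder management but reports no active forwards usually means the receiving port from section 3.1 is not reachable from the client.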
