Splunk Server Setup and Configuration

Installation Of Splunk Server

Configure the Splunk server on 192.168.10.209
1. Download the latest Splunk tarball from http://www.splunk.com/download?r=header
2. Copy the downloaded file to /opt
3. Untar the downloaded Splunk file and start it:

# cd /opt
# tar -xzvf splunk-4.0.8-73243-Linux-i686.tgz
# cd splunk/bin/
# ./splunk start

Accept the license agreement and the default settings.

4. Open the Splunk web UI (http://localhost:8000)
5. Log in with the default credentials, i.e. admin/changeme, and change the admin password right away: every fresh Splunk install has the same default, and port 8000 is reachable from the network, not just from localhost.

#### Setup Splunk as a Receiver #####
1. Log in to the web UI using the above-mentioned credentials, e.g. http://192.168.10.209:8000
2. Go to Manager » Forwarding and receiving » Receive data
3. Click on the New button and add the default port, i.e. 9997
4. Click on the Save button to save the settings.
Now the Splunk server has been set up as a receiver on port 9997.

Note: If you are running a firewall, allow TCP port 9997 inbound, ideally only from the forwarder hosts. Data sent to this port is plaintext unless SSL is enabled on both the receiver and the forwarder.

####### Setup Splunk as a Forwarder ####
IP address of forwarder machine: 192.168.10.225
IP address of receiver server: 192.168.10.209

You have the following preconfigured forwarder choices:
* Splunk forwarder
* Splunk light forwarder
1. ssh to the forwarder machine (the one to be monitored), e.g. ssh ramesh@192.168.10.225
2. Use the above-mentioned installation steps to install Splunk on the client machine
3. Enable the light forwarder app and point it at the receiver (-auth admin prompts for the admin password; -auth admin:password passes it inline):

# cd /opt/splunk/bin
# ./splunk enable app SplunkLightForwarder -auth admin
# ./splunk add forward-server receiver_serverip:port -auth admin
eg.  ./splunk add forward-server 192.168.10.209:9997 -auth admin
# ./splunk restart
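
The receiver and forwarder steps above each end up as a small conf file under Splunk's etc/system/local directory. The following script is an added example, not code from the original post or from Splunk: it renders those files (the inputs.conf stanza the "Receive data" page creates, the outputs.conf that "splunk add forward-server" writes, and an iptables rule for the firewall note), validates the IP and port first, and can write them into place. It assumes Splunk is installed under $SPLUNK_HOME (default /opt/splunk), the receiver is 192.168.10.209:9997 as on this page, and the forwarder subnet 192.168.10.0/24 is ours.

```sh
#!/bin/sh
# Added example (not from the original post): render the Splunk 4.x conf
# stanzas that the receiver and forwarder steps create, so they can be
# reviewed or pushed with a config tool instead of being clicked/typed per host.
# Assumptions: Splunk lives under $SPLUNK_HOME, the receiver is 192.168.10.209:9997
# as in the page, and the forwarder subnet 192.168.10.0/24 is ours.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# Four dotted-decimal octets, each 0-255; rejects anything else.
valid_ipv4() {
  case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  set -- $(printf '%s' "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# TCP port in 1..65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# inputs.conf stanza written on the receiver by Manager » Forwarding and
# receiving » Receive data (CLI equivalent: ./splunk enable listen 9997).
receiver_inputs_conf() {
  valid_port "$1" || { echo "bad port: $1" >&2; return 1; }
  printf '[splunktcp://%s]\ndisabled = 0\n' "$1"
}

# outputs.conf written on the forwarder by "splunk add forward-server IP:PORT".
forwarder_outputs_conf() {
  valid_ipv4 "$1" && valid_port "$2" || { echo "bad endpoint: $1:$2" >&2; return 1; }
  printf '[tcpout]\ndefaultGroup = default-autolb-group\n\n'
  printf '[tcpout:default-autolb-group]\nserver = %s:%s\n\n' "$1" "$2"
  printf '[tcpout-server://%s:%s]\n' "$1" "$2"
}

# Firewall rule for the note above: open the receiving port only to the
# forwarder subnet (assumed 192.168.10.0/24) rather than to the world.
firewall_rule() {
  valid_port "$1" || return 1
  printf 'iptables -A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "${2:-192.168.10.0/24}" "$1"
}

# Write stdin to $1/etc/system/local/$2 (where the CLI puts these files) and
# print the path; Splunk reads it after "./splunk restart".
write_local_conf() {
  dir="$1/etc/system/local"
  mkdir -p "$dir"
  cat > "$dir/$2"
  printf '%s\n' "$dir/$2"
}

# Usage on the forwarder (then ./splunk restart):
#   forwarder_outputs_conf 192.168.10.209 9997 | write_local_conf "$SPLUNK_HOME" outputs.conf
# Usage on the receiver:
#   receiver_inputs_conf 9997 | write_local_conf "$SPLUNK_HOME" inputs.conf
```

Two things the GUI steps leave out: the forwarder steps above never add an input, so nothing is sent until you run `./splunk add monitor /var/log/secure -auth admin` (or the equivalent inputs.conf monitor stanza) on the forwarder; and the stanzas above are the plaintext configuration, so on anything but a lab network add sslCertPath/sslPassword on the tcpout side and the matching SSL settings on the splunktcp side.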

######## Setup Splunk Alerts #########
NOTE: We assume that the Splunk server has been installed on a Linux box.

1. Log in to the Splunk server (http://192.168.10.209:8000)
2. Go to App >> Search
3. Click on /var/log/secure under the Source section
This will show all the data from the secure file
4. Click on the string(s) that you want to search for or alert on, e.g. "Accepted password" (sshd logs it in lower case; Splunk keyword search is case-insensitive, so "Accepted Password" matches as well)

The search box will then contain source="/var/log/secure" "Accepted Password".

5. Then go to Action >> Save Search
A window will pop up.
6. Name – SSH Access Authenticated
Search – pre-filled with the search you just ran
Description – anything you like
Check "Schedule this search"
Schedule Type – Basic
Run Every – Minute
Alert Condition
Perform actions (optional) – if number of events – is greater than – 0
Alert Action
Check "Send email"
Email Addresses: abc@abc.com,xyz@xyz.com

Click on the Save button to save your alert.

To verify your alert setup go to
Manager » Searches and reports >> SSH Access Authenticated
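
To see what the scheduled search actually decides each minute, the script below (an added example, not code from the original post or from Splunk) runs the same keyword match and "number of events greater than N" condition over a few constructed /var/log/secure lines, and renders the savedsearches.conf stanza that the Save Search dialog writes, so the alert can be reviewed or deployed as a file. The sample log lines, the one-minute lookback window (dispatch.earliest_time) and the stricter root-only variant are assumptions of this example, not from the page.

```sh
#!/bin/sh
# Added example (not from the original post): run the alert logic over a few
# constructed /var/log/secure lines and render the savedsearches.conf stanza
# that "Save Search" writes. Assumptions: the sample lines, the one-minute
# window and the root-only variant are ours, not from the page.
set -eu

# Constructed sample of sshd lines as they appear in /var/log/secure.
SAMPLE_SECURE='Jan 10 09:12:01 host sshd[2211]: Accepted password for ramesh from 192.168.10.225 port 51022 ssh2
Jan 10 09:12:05 host sshd[2215]: Failed password for invalid user admin from 10.0.0.7 port 40100 ssh2
Jan 10 09:13:44 host sshd[2230]: Accepted publickey for ramesh from 192.168.10.225 port 51030 ssh2
Jan 10 09:15:00 host sshd[2250]: Accepted password for root from 10.0.0.9 port 44123 ssh2'

# Count lines on stdin containing the search term, case-insensitively, which is
# how Splunk matches a quoted keyword such as "Accepted Password".
count_events() {
  grep -ic -- "$1" || true   # grep -c exits 1 on zero matches but still prints 0
}

# The alert condition "if number of events is greater than N": prints FIRE or
# QUIET plus the count, which is what the scheduler decides on every run.
evaluate_alert() {
  n=$(count_events "$1")
  if [ "$n" -gt "$2" ]; then printf 'FIRE %s\n' "$n"; else printf 'QUIET %s\n' "$n"; fi
}

# savedsearches.conf stanza equivalent to the dialog: name, search, threshold,
# recipients. Lives in $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf.
saved_search_conf() {
  printf '[%s]\n' "$1"
  printf 'search = %s\n' "$2"
  printf 'enableSched = 1\n'
  printf 'cron_schedule = * * * * *\n'
  # Assumption: look back one minute per run; without a window each run
  # re-counts every old login and the alert fires every minute forever.
  printf 'dispatch.earliest_time = -1m@m\n'
  printf 'dispatch.latest_time = now\n'
  printf 'counttype = number of events\n'
  printf 'relation = greater than\n'
  printf 'quantity = %s\n' "$3"
  printf 'action.email = 1\n'
  printf 'action.email.to = %s\n' "$4"
}

# Demo: the page's alert, plus a stricter one for root password logins only.
demo() {
  printf '%s\n' "$SAMPLE_SECURE" | evaluate_alert 'accepted password' 0
  printf '%s\n' "$SAMPLE_SECURE" | evaluate_alert 'accepted password for root' 0
  saved_search_conf 'SSH Access Authenticated' 'source="/var/log/secure" "Accepted Password"' 0 'abc@abc.com,xyz@xyz.com'
}
```

With "greater than 0" every minute, every successful password login mails the list, which is fine on a small box and noise anywhere else; narrowing the term (root logins, logins from outside the office subnet) or raising the threshold is done in the same two fields. The alert also depends on the forwarder actually monitoring /var/log/secure, so check that source appears in the Search app before trusting that a quiet alert means no logins.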

HAPPY ALERTING.. 🙂

  • Joseph

    To check the status of Splunk on any server, i.e. whether it is running or not, please use the following commands:

    cd /opt/splunk/bin
    ./splunk display app all

    It will prompt you for a username/password; use the default one (admin/changeme) if you have not changed them at the time of installation.

  • Koacervate

    Thanks!
