Upload files to "6 SIEMs/Splunk"

6 SIEMs/Splunk/6.0splunkinfo.md

@@ -0,0 +1,10 @@
+### [Storage Requirements](https://docs.splunk.com/Documentation/Splunk/9.3.0/Capacity/HowSplunkcalculatesdiskstorage)
+
+```
+ ( Daily average indexing rate ) x ( retention policy ) x 1/2
+```
+
+ #### [Parts of distributed splunk](https://docs.splunk.com/Documentation/Splunk/9.3.0/Capacity/Distributeindexingandsearching)
+ - more indexers increase I/O capacity on disks
+
+ #### [Capacity Planning](https://docs.splunk.com/Documentation/Splunk/9.3.0/Capacity/Accommodatemanysimultaneoussearches)

6 SIEMs/Splunk/6.1SplunkDistributed.md

@@ -0,0 +1,128 @@
+## OVERVIEW
+- 3 search heads
+    - 1 captain to manage the search heads and is one of them
+- 3 indexers
+- 1 main node # to connect the indexers is seperate
+- 1 deployer
+
+- 8 Machines total
+
+### ESXI CONFIG
+splunk_search_head_# or splunk_indexer_#  
+8 cores  
+16 gb ram  
+3 TB thin provision 
+Add iso 20 Ubuntu desktop to iso
+
+
+
+### Initial Install ubuntu  
+Continue  
+Minimal  
+Continue  
+Erase  
+Install now  
+Continue  
+Continue  
+  
+```
+Spadmin  
+searchhead# or indexer#  
+STANDARD  
+login auto  
+```
+
+Continue  
+  
+Restart now  
+Shutdown  
+Remove iso  
+  
+Quit live patch  
+Set IP  
+identity  
+	name: splunk  
+Ipv4  
+	Ipv4 method: manual  
+	10.2.25.x 255.255.255.0 10.2.25.1  
+Ipv6 - disable  
+  
+Display - 1920x1080  
+Add terminal to favorites  
+  
+### BROWSER    
+Login to ESXI  
+Download splunk from data store  
+
+```
+sudo useradd splunk -s /bin/false -l  
+sudo passwd splunk  
+cd Downloads  
+sudo mv splunk.tgz /opt  
+cd /opt  
+sudo tar -xvf splunk.tgz  
+cd splunk/bin
+sudo -u splunk ./splunk --accept-license
+spadmin  
+STANDARD  
+STANDARD 
+sudo ./splunk enable boot-start -user splunk  
+```
+
+### Create this on splunk
+```
+#!/bin/bash
+
+#save to /opt/splunkmotd.sh
+
+#start up file for splunk
+IP=$(ip a | grep "10.2." | awk '{print $2}' | cut -c -10)
+echo "Your IP is $IP"
+echo "run"
+echo "sudo /opt/splunk/bin/splunk status"
+
+#ad full path to bottom of .bashrc to have these commands pop up every time a terminal is opened.
+```
+
+### BROWSER  
+login  
+Settings  
+server settings  
+General settings  
+Enable SSL: yes  
+Web port: 8000 -> 443  
+Save  
+Global banner  
+Got it  
+searchhead# or indexer#  
+Indexer - blue  
+Search head - green  
+Main node - orange  
+save  
+Server controls  
+Restart splunk  
+  
+  
+  
+enable to add all parts to cluster go to index clustering  
+settings # in top right
+	index clustering  
+	enable indexer clustering
+  
+## MAIN NODE  
+- main node  
+- set ip to 9000
+- replication factor: 1
+- serach factor: 1
+- pass: STANDARD
+- cluster label: dist_splunk
+## INDEXER  
+- peer node
+- manager uri: main node https://IP:8089
+- pass: STANDARD
+
+## SEARCH HEAD
+- search head node
+- manager uri: main node https://IP:8089
+- pass: STANDARD
+

6 SIEMs/Splunk/6.2loadbalancer.md

@@ -0,0 +1,31 @@
+Create Ubuntu VM for where IP will be directed to
+
+```
+sudo apt install haproxy
+```
+
+```
+sudo vi /etc/haproxy/haproxy.cfg
+```
+bottom of file
+```
+#--------------------
+# Custom Input
+#--------------------
+
+frontend loadbalancer
+ bind 10.2.25.69:8000 #change IP
+ mode http
+ default_backend searchheads #this will connect to below
+
+backend searchheads
+ balance roundrobin
+ cookie server insert indirect nocache
+ server searchhead1 10.2.25.73:8000 check cookie searchhead1 #change IP
+ server searchhead2 10.2.25.74:8000 check cookie searchhead2 #change IP
+ server searchhead3 10.2.25.75:8000 check cookie searchhead3 #change IP
+```
+
+```
+systemctl restart haproxy
+```

6 SIEMs/Splunk/6.3searchheadcluster.md

@@ -0,0 +1,25 @@
+# search head 1
+
+```
+splunk init shcluster-config -auth admin:changed -mgmt_uri https://sh1.example.com:8089/ -replication_port 34567 -replication_factor 2 -conf_deploy_fetch_url https://10.160.31.200:8089/ -secret mykey -shcluster_label shcluster1
+```
+
+# search head 2
+
+```
+splunk init shcluster-config -auth admin:changed -mgmt_uri https://sh1.example.com:8089/ -replication_port 34567 -replication_factor 2 -conf_deploy_fetch_url https://10.160.31.200:8089/ -secret mykey -shcluster_label shcluster1
+```
+
+# search head 3
+
+```
+splunk init shcluster-config -auth admin:changed -mgmt_uri https://sh1.example.com:8089/ -replication_port 34567 -replication_factor 2 -conf_deploy_fetch_url https://10.160.31.200:8089/ -secret mykey -shcluster_label shcluster1
+```
+
+# search head 1 captain
+
+```
+splunk bootstrap shcluster-captain -servers_list "https://sh1.example.com:8089,https://sh2.example.com:8089,https://sh3.example.com:8089,https://sh4.example.com:8089" -auth admin:changed
+```
+
+# captain status

6 SIEMs/Splunk/6.4SplunkUFsetupLinux.txt

@@ -0,0 +1,11 @@
+grab
+https://www.splunk.com/en_us/download/universal-forwarder.html
+
+to install on the linux client
+https://docs.splunk.com/Documentation/Forwarder/9.2.1/Forwarder/Installanixuniversalforwarder
+
+to send data to the search head
+https://docs.splunk.com/Documentation/Forwarder/9.2.2/Forwarder/Configuretheuniversalforwarder
+
+put inputs.conf in the "C:\Program Files\SplunkUniversalForwarder\etc\apps*\local\inputs.conf"
+restart splunk service

6 SIEMs/Splunk/Splunk_Notes.txt

@@ -0,0 +1,49 @@
+set up an indexer (reciever)
+
+log into enterprise
+settings > Data > Forwarding and Recieving
+Configure recieving > add new
+
+Listen on port: 1234
+
+###bash command
+./splunk enable listen
+
+download universal forwarder from the splunk webpage
+"Free splunk"
+Login to account
+
+from the download page, scroll down to the bottom and download Splunk Universal forwarder
+select OS and versions
+
+there's also a WGET line you can use on the server.
+
+
+### INSTALL IN ANY DIRECTORY ###
+#!/bin/bash
+
+#unzip the tarball
+sudo tar xvzf splunkforwarder-linux-x86_64.tgz -C /opt
+cd /opt/splunkforwarder/bin
+
+### start the forwarder and auto accept the license
+./splunk start --accept-license
+
+### here you're asksed to make an admin account
+user: admin
+pass: admin 
+confirm: admin
+
+### start when the server reboots
+./splunk enable boot-start -user "USER"
+
+### send data to listening indexer
+./splunk add forward-server INDEXER_IP:PORT
+username: admin
+password: admin
+
+### send the logs from the www1 folder to splunk for indexing
+./splunk add monitor -auth admin:goodPassword /opt/log/www1
+
+
+### RETURN TO THE INDEXER AND OBSERVE LOGS BEING COLLECTED.

6 SIEMs/Splunk/searchheadclusterSOG.md

@@ -0,0 +1,23 @@
+# searchhead 1
+./splunk init shcluster-config -auth spadmin:DM55Password!@ -mgmt_uri http://10.2.25.73:8089 -replication_port 9000 -replication_factor 3 -conf_deploy_fetch_url http://10.2.25.77:8089 -secret asdfqwer -shcluster_label searchheadcluster
+
+# searchhead 2
+./splunk init shcluster-config -auth spadmin:DM55Password!@ -mgmt_uri http://10.2.25.74:8089 -replication_port 9100 -replication_factor 3 -conf_deploy_fetch_url http://10.2.25.77:8089 -secret asdfqwer -shcluster_label searchheadcluster
+
+# searchhead 3
+./splunk init shcluster-config -auth spadmin:DM55Password!@ -mgmt_uri http://10.2.25.75:8089 -replication_port 9200 -replication_factor 3 -conf_deploy_fetch_url http://10.2.25.77:8089 -secret asdfqwer -shcluster_label searchheadcluster
+
+
+
+
+# searchhead cluster captain
+./splunk bootstrap shcluster-captain -servers_list "http://10.2.25.73:8089,http://10.2.25.74:8089,http://10.2.25.75:8089" -auth spadmin:DM55Password!@
+
+./splunk restart
+
+
+
+
+# checking
+./splunk show shcluster-status -auth spadmin:DM55Password!@
+./splunk list shcluster-config -auth spadmin:DM55Password!@