Upload files to "6 SIEMs/Splunk"
128
6 SIEMs/Splunk/6.1SplunkDistributed.md
Normal file
@ -0,0 +1,128 @@
## OVERVIEW
- 3 search heads
- 1 captain to manage the search heads and is one of them
- 3 indexers
- 1 main node # to connect the indexers is seperate
- 1 deployer

- 8 Machines total

### ESXI CONFIG
splunk_search_head_# or splunk_indexer_#
8 cores
16 gb ram
3 TB thin provision
Add iso 20 Ubuntu desktop to iso



### Initial Install ubuntu
Continue
Minimal
Continue
Erase
Install now
Continue
Continue

```
Spadmin
searchhead# or indexer#
STANDARD
login auto
```

Continue

Restart now
Shutdown
Remove iso

Quit live patch
Set IP
identity
name: splunk
Ipv4
Ipv4 method: manual
10.2.25.x 255.255.255.0 10.2.25.1
Ipv6 - disable

Display - 1920x1080
Add terminal to favorites

### BROWSER
Login to ESXI
Download splunk from data store

```
sudo useradd splunk -s /bin/false -l
sudo passwd splunk
cd Downloads
sudo mv splunk.tgz /opt
cd /opt
sudo tar -xvf splunk.tgz
cd splunk/bin
sudo -u splunk ./splunk --accept-license
spadmin
STANDARD
STANDARD
sudo ./splunk enable boot-start -user splunk
```
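Review bot: the install block extracts Splunk as root (`sudo tar -xvf splunk.tgz`) and then runs `sudo -u splunk ./splunk --accept-license`, so the `splunk` user owns nothing under `/opt/splunk` and the first start cannot write its own etc/ and var/ directories; add `sudo chown -R splunk:splunk /opt/splunk` after the extract, and the first-run command is normally `sudo -u splunk ./splunk start --accept-license` (the `start` subcommand is missing as written). The admin password is also committed as the literal `STANDARD`, both in the Ubuntu user block and here; replace it with a placeholder such as `<admin-password>` so the repo does not record the lab credentials. Minor: "seperate" in the overview should be "separate", and "Add iso 20 Ubuntu desktop to iso" under ESXI CONFIG should state the Ubuntu release and where the ISO is uploaded so the step is reproducible.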

### Create this on splunk
```
#!/bin/bash

#save to /opt/splunkmotd.sh

#start up file for splunk
IP=$(ip a | grep "10.2." | awk '{print $2}' | cut -c -10)
echo "Your IP is $IP"
echo "run"
echo "sudo /opt/splunk/bin/splunk status"

#ad full path to bottom of .bashrc to have these commands pop up every time a terminal is opened.
```
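Review bot: `cut -c -10` in the `IP=` line truncates the address at a fixed ten characters, so for a host such as 10.2.25.100/24 it prints `10.2.25.10` and for 10.2.25.5/24 it keeps the slash (`10.2.25.5/`); strip the prefix length with `cut -d/ -f1` instead, or replace the pipeline with `ip -4 -o addr show scope global | awk '{print $4}' | cut -d/ -f1`, which also does not depend on the 10.2. prefix. The closing comment reads "#ad full path"; it should say "add", and since the script is meant to be called from `.bashrc`, the instruction should give the concrete line to append (for example `bash /opt/splunkmotd.sh`) and the `chmod +x` step so it is actionable.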

### BROWSER
login
Settings
server settings
General settings
Enable SSL: yes
Web port: 8000 -> 443
Save
Global banner
Got it
searchhead# or indexer#
Indexer - blue
Search head - green
Main node - orange
save
Server controls
Restart splunk



enable to add all parts to cluster go to index clustering
settings # in top right
index clustering
enable indexer clustering

## MAIN NODE
- main node
- set ip to 9000
- replication factor: 1
- serach factor: 1
- pass: STANDARD
- cluster label: dist_splunk
## INDEXER
- peer node
- manager uri: main node https://IP:8089
- pass: STANDARD

## SEARCH HEAD
- search head node
- manager uri: main node https://IP:8089
- pass: STANDARD
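Review bot: two settings in this region conflict with the earlier install. Splunk was enabled with `enable boot-start -user splunk`, so it runs unprivileged, and changing the web port from 8000 to 443 will fail to bind (ports below 1024 need root or CAP_NET_BIND_SERVICE); either keep 8000 behind a reverse proxy or document the capability step. Under MAIN NODE, "set ip to 9000" reads like the peer replication port, which is entered on each indexer when enabling peer node rather than on the manager; rename it and move it to the INDEXER section. "replication factor: 1" / "serach factor: 1" (typo: search) on a three-indexer cluster means no bucket copies, so losing one indexer loses its data; state that this is a lab-only value or raise both. The cluster secret is committed as the literal `STANDARD` three times; use a placeholder. The overview lists a deployer and a search head captain, but no section configures search head clustering or the deployer, so that part of the build is undocumented.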