49 lines
1.2 KiB
Plaintext
49 lines
1.2 KiB
Plaintext
set up an indexer (reciever)
|
|
|
|
log into enterprise
|
|
settings > Data > Forwarding and Recieving
|
|
Configure recieving > add new
|
|
|
|
Listen on port: 1234
|
|
|
|
###bash command
|
|
./splunk enable listen
|
|
|
|
download universal forwarder from the splunk webpage
|
|
"Free splunk"
|
|
Login to account
|
|
|
|
from the download page, scroll down to the bottom and download Splunk Universal forwarder
|
|
select OS and versions
|
|
|
|
there's also a WGET line you can use on the server.
|
|
|
|
|
|
### INSTALL IN ANY DIRECTORY ###
|
|
#!/bin/bash
|
|
|
|
#unzip the tarball
|
|
sudo tar xvzf splunkforwarder-linux-x86_64.tgz -C /opt
|
|
cd /opt/splunkforwarder/bin
|
|
|
|
### start the forwarder and auto accept the license
|
|
./splunk start --accept-license
|
|
|
|
### here you're asksed to make an admin account
|
|
user: admin
|
|
pass: admin
|
|
confirm: admin
|
|
|
|
### start when the server reboots
|
|
./splunk enable boot-start -user "USER"
|
|
|
|
### send data to listening indexer
|
|
./splunk add forward-server INDEXER_IP:PORT
|
|
username: admin
|
|
password: admin
|
|
|
|
### send the logs from the www1 folder to splunk for indexing
|
|
./splunk add monitor -auth admin:goodPassword /opt/log/www1
|
|
|
|
|
|
### RETURN TO THE INDEXER AND OBSERVE LOGS BEING COLLECTED. |