matthew/DCO-SOGs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1f1795bbf092f0cc44fb01acaab6a15d66614e12
DCO-SOGs/6 SIEMs/Splunk/6.1SplunkDistributed.md

129 lines
2.1 KiB
Markdown
Raw Blame History

## OVERVIEW
- 3 search heads
- 1 captain to manage the search heads and is one of them
- 3 indexers
- 1 main node # to connect the indexers is seperate
- 1 deployer
- 8 Machines total
### ESXI CONFIG
splunk_search_head_# or splunk_indexer_#
8 cores
16 gb ram
3 TB thin provision
Add iso 20 Ubuntu desktop to iso
### Initial Install ubuntu
Continue
Minimal
Continue
Erase
Install now
Continue
Continue
```
Spadmin
searchhead# or indexer#
STANDARD
login auto
```
Continue
Restart now
Shutdown
Remove iso
Quit live patch
Set IP
identity
name: splunk
Ipv4
Ipv4 method: manual
10.2.25.x 255.255.255.0 10.2.25.1
Ipv6 - disable
Display - 1920x1080
Add terminal to favorites
### BROWSER
Login to ESXI
Download splunk from data store
```
sudo useradd splunk -s /bin/false -l
sudo passwd splunk
cd Downloads
sudo mv splunk.tgz /opt
cd /opt
sudo tar -xvf splunk.tgz
cd splunk/bin
sudo -u splunk ./splunk --accept-license
spadmin
STANDARD
STANDARD
sudo ./splunk enable boot-start -user splunk
```
### Create this on splunk
```
#!/bin/bash
#save to /opt/splunkmotd.sh
#start up file for splunk
IP=$(ip a | grep "10.2." | awk '{print $2}' | cut -c -10)
echo "Your IP is $IP"
echo "run"
echo "sudo /opt/splunk/bin/splunk status"
#ad full path to bottom of .bashrc to have these commands pop up every time a terminal is opened.
```
### BROWSER
login
Settings
server settings
General settings
Enable SSL: yes
Web port: 8000 -> 443
Save
Global banner
Got it
searchhead# or indexer#
Indexer - blue
Search head - green
Main node - orange
save
Server controls
Restart splunk
enable to add all parts to cluster go to index clustering
settings # in top right
index clustering
enable indexer clustering
## MAIN NODE
- main node
- set ip to 9000
- replication factor: 1
- serach factor: 1
- pass: STANDARD
- cluster label: dist_splunk
## INDEXER
- peer node
- manager uri: main node https://IP:8089
- pass: STANDARD
## SEARCH HEAD
- search head node
- manager uri: main node https://IP:8089
- pass: STANDARD
Reference in New Issue View Git Blame Copy Permalink