
Configure Airlock for Splunk for Airlock 6.0

Affects version(s): 6.x

Splunk is a log-analysis platform that turns indexed events into graphs, reports, alerts, dashboards and visualizations. This article describes the steps needed to install and configure the Splunk Universal Forwarder on Airlock so that Airlock's log files are shipped to a Splunk server.

Install Splunk Universal Forwarder

  • Download the Splunk Universal Forwarder from the Splunk website. Use the version "2.6+ kernel Linux distributions (64-bit)". This guide was written with "splunkforwarder-6.0-182037-linux-2.6-x86_64.rpm". Compare the checksum of the downloaded RPM with the value published on the Splunk download page before installing it.
  • Copy the RPM to /var/airlock/repositories/airlock-custom/Packages/ using scp.
  • Open a secure shell to Airlock, log in as user root and run the following commands (according to this article):
    # airlock-custom-repo --update
    # /usr/bin/yum -y install splunkforwarder

Create default configuration files

The steps below start the Splunk daemon once so that it creates its default configuration files, and then register the Splunk Universal Forwarder to start at system boot as the unprivileged user splunk.

  • Execute the following commands as root in a shell:
    # /opt/splunkforwarder/bin/splunk start --accept-license
    # /opt/splunkforwarder/bin/splunk stop
    # /opt/splunkforwarder/bin/splunk enable boot-start -user splunk

Verify Splunk configuration files

The following parameters should be detected and set automatically on the first start of the Splunk daemon. If they are missing or wrong, set them by hand, replacing the placeholder <airlock-fqdn> with Airlock's FQDN (e.g. airlock1.intra.net).

  • Open the file /opt/splunkforwarder/etc/system/local/inputs.conf in vi and search for section [default]
    # vi /opt/splunkforwarder/etc/system/local/inputs.conf
    [default]
    host = <airlock-fqdn>
  • Open the file /opt/splunkforwarder/etc/system/local/server.conf in vi and search for section [general]
    # vi /opt/splunkforwarder/etc/system/local/server.conf
    [general]
    serverName = <airlock-fqdn>

Configure Splunk Universal Forwarder

Configure the Splunk Universal Forwarder to send the correct data to the Splunk server.

  • Create the configuration file /opt/splunkforwarder/etc/system/local/outputs.conf with the content shown below. Replace the placeholder <splunk-server> with the host name of your Splunk server (e.g. splunk-server.intra.net); there must be no space between the host name and the port.
    # vi /opt/splunkforwarder/etc/system/local/outputs.conf
    [tcpout]
    defaultGroup = splunkssl

    [tcpout:splunkssl]
    server = <splunk-server>:9997
    sslVerifyServerCert = false
    sslRootCAPath = /opt/splunkforwarder/etc/auth/cacert.pem
    sslCertPath = /opt/splunkforwarder/etc/auth/server.pem
    sslPassword = password
    Note that this configuration only encrypts the channel; it does not authenticate the Splunk server. With sslVerifyServerCert = false the forwarder accepts any certificate the peer presents, cacert.pem is the default Splunk CA shipped with every installation, and server.pem is the certificate generated on first start with the well-known passphrase password. For production, install a CA certificate and a forwarder certificate issued by your own CA, point sslRootCAPath and sslCertPath at them, set sslVerifyServerCert = true and use the real passphrase of the forwarder's key in sslPassword.
  • Open the file /opt/splunkforwarder/etc/system/local/inputs.conf and append the following monitor stanzas. Make sure that the index airlock already exists on your Splunk server, otherwise the indexer drops the forwarded events.
    # vi /opt/splunkforwarder/etc/system/local/inputs.conf
    [monitor:///data/log/airlock/Web-Requests/*.Access]
    index = airlock
    sourcetype = airlock:web:access

    [monitor:///data/log/airlock/Web-Requests/*.Authentication]
    index = airlock
    sourcetype = airlock:web:authentication

    [monitor:///data/log/airlock/Web-Requests/*.Security]
    index = airlock
    sourcetype = airlock:web:security

    [monitor:///data/log/airlock/Web-Requests/*.Usage]
    index = airlock
    sourcetype = airlock:web:usage

    [monitor:///data/log/airlock/System/*.Configuration]
    index = airlock
    sourcetype = airlock:sys:configuration

    [monitor:///data/log/airlock/System/*.default]
    index = airlock
    sourcetype = airlock:sys:default

    [monitor:///data/log/airlock/System/*.Health]
    index = airlock
    sourcetype = airlock:sys:health

    [monitor:///data/log/airlock/System/*.Network]
    index = airlock
    sourcetype = airlock:sys:network

    [monitor:///data/log/airlock/System/*.Security]
    index = airlock
    sourcetype = airlock:sys:security

Configure logging for Splunk universal forwarder

To prevent the forwarder's own log files from filling the root partition, cap their size and the number of rotated copies with the following settings.

  • Create the configuration file /opt/splunkforwarder/etc/log-local.conf with the content shown below.
    # vi /opt/splunkforwarder/etc/log-local.conf
    appender.metrics.maxFileSize=5000000
    appender.metrics.maxBackupIndex=5

    appender.A1.maxFileSize=5000000
    appender.A1.maxBackupIndex=5

Set permissions to configuration files

Make sure that the permissions on the configuration files are set correctly. The chown hands the installation to the unprivileged user splunk that the daemon runs as, and adding that user to the group log lets it read the Airlock log files under /data/log/airlock without running as root.

  • Execute the following commands as root in a shell
    # chmod 644 /opt/splunkforwarder/etc/system/local/*.conf
    # chmod 444 /opt/splunkforwarder/etc/log-local.conf
    # chown -R splunk:splunk /opt/splunkforwarder
    # usermod -a -G log splunk

Start Splunk Universal Forwarder

Start the Splunk Universal Forwarder to finalize the installation, then check /opt/splunkforwarder/var/log/splunk/splunkd.log for connection errors towards the Splunk server.

  • Execute the following commands as root in a shell
    # /etc/init.d/splunk start


Communication between the Splunk Universal Forwarder and the Splunk server must go over the Management Interface of Airlock. Make sure that the routing configuration is correct and that traffic to the Splunk server is sent over the Management Interface.
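The following pre-flight lint is an added example written for this article; it is neither part of the article nor a Splunk or Airlock tool. It parses the outputs.conf and inputs.conf written above and reports the weak TLS settings discussed (unverified server certificate, Splunk's bundled CA and certificate, the default passphrase), a stray space in the server value, and monitor stanzas whose directory does not exist or that lack an index. The sample files it lints are constructed inline; the host name splunk-server.intra.net and the certificate file names in the hardened variant are assumptions.

```sh
#!/bin/sh
# Added example (not part of the Airlock article or of Splunk): lint the
# forwarder's outputs.conf / inputs.conf before running /etc/init.d/splunk start.
# Host names and certificate paths used in the samples are assumptions.

# Print the value of KEY inside STANZA (e.g. '[tcpout:splunkssl]') of an
# INI-style Splunk .conf file; prints nothing if the key is absent.
conf_get() {
    awk -v want="$2" -v key="$3" '
        /^[[:space:]]*\[/ { s = $0; gsub(/^[[:space:]]+|[[:space:]]+$/, "", s)
                            in_stanza = (s == want); next }
        in_stanza && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit }
    ' "$1"
}

FINDINGS=0
finding() { echo "FINDING: $1"; FINDINGS=$((FINDINGS + 1)); }

# Lint outputs.conf: prints one line per finding, returns the number of findings.
check_outputs() {
    FINDINGS=0
    st="[tcpout:$(conf_get "$1" '[tcpout]' defaultGroup)]"
    server=$(conf_get "$1" "$st" server)
    case "$server" in
        "")       finding "$st: server is not set" ;;
        *" "*)    finding "$st: server contains whitespace: '$server'" ;;
        *:[0-9]*) ;;                                  # host:port looks sane
        *)        finding "$st: server '$server' has no port" ;;
    esac
    [ "$(conf_get "$1" "$st" sslVerifyServerCert)" = "true" ] ||
        finding "$st: sslVerifyServerCert is not true; any indexer certificate is accepted"
    [ "$(conf_get "$1" "$st" sslPassword)" != "password" ] ||
        finding "$st: sslPassword is Splunk's default 'password'"
    case "$(conf_get "$1" "$st" sslRootCAPath)" in
        */etc/auth/cacert.pem) finding "$st: sslRootCAPath is Splunk's bundled CA, shared by every installation" ;;
    esac
    case "$(conf_get "$1" "$st" sslCertPath)" in
        */etc/auth/server.pem) finding "$st: sslCertPath is Splunk's default certificate" ;;
    esac
    return $FINDINGS
}

# Lint inputs.conf: every [monitor://...] stanza needs an index and an existing
# directory (paths with spaces are not supported). Returns the number of findings.
check_inputs() {
    FINDINGS=0
    set -f                       # stanza names contain '*'; do not glob them
    for st in $(awk '/^[[:space:]]*\[monitor:\/\//{ gsub(/^[[:space:]]+|[[:space:]]+$/, ""); print }' "$1"); do
        path=${st#"[monitor://"}; path=${path%"]"}; dir=${path%/*}
        [ -d "$dir" ] || finding "$st: directory $dir does not exist"
        [ -n "$(conf_get "$1" "$st" index)" ] || finding "$st: no index set"
    done
    set +f
    return $FINDINGS
}

# Constructed samples under DIR: the article's outputs.conf (with a stray space
# before the port) as weak.conf, a hardened variant, and an inputs.conf whose
# monitor paths live under DIR instead of /data/log/airlock (System/ is left missing).
write_samples() {
    mkdir -p "$1/log/airlock/Web-Requests"
    cat > "$1/weak.conf" <<'EOF'
[tcpout]
defaultGroup = splunkssl

[tcpout:splunkssl]
server = splunk-server.intra.net :9997
sslVerifyServerCert = false
sslRootCAPath = /opt/splunkforwarder/etc/auth/cacert.pem
sslCertPath = /opt/splunkforwarder/etc/auth/server.pem
sslPassword = password
EOF
    cat > "$1/hardened.conf" <<'EOF'
[tcpout]
defaultGroup = splunkssl

[tcpout:splunkssl]
server = splunk-server.intra.net:9997
sslVerifyServerCert = true
sslCommonNameToCheck = splunk-server.intra.net
sslRootCAPath = /opt/splunkforwarder/etc/auth/airlock-ca.pem
sslCertPath = /opt/splunkforwarder/etc/auth/forwarder.pem
sslPassword = <passphrase-of-forwarder.pem>
EOF
    cat > "$1/inputs.conf" <<EOF
[monitor://$1/log/airlock/Web-Requests/*.Access]
index = airlock
sourcetype = airlock:web:access

[monitor://$1/log/airlock/System/*.Security]
index = airlock
sourcetype = airlock:sys:security
EOF
}

report() { n=0; "$2" "$3" || n=$?; echo "$1: $n finding(s)"; }   # report LABEL CHECK FILE

TMP=$(mktemp -d); write_samples "$TMP"
report weak.conf     check_outputs "$TMP/weak.conf"
report hardened.conf check_outputs "$TMP/hardened.conf"
report inputs.conf   check_inputs  "$TMP/inputs.conf"
rm -rf "$TMP"
```

On a real Airlock, point check_outputs and check_inputs at the files under /opt/splunkforwarder/etc/system/local/ instead of the constructed samples; the article's own outputs.conf produces findings for sslVerifyServerCert, the bundled cacert.pem and server.pem, and the default passphrase, and the hardened variant produces none.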
