Splunk is a powerful solution for generating graphs, reports, alerts, dashboards and visualizations. This article describes the steps needed to install and configure the Splunk Universal Forwarder on Airlock so that it integrates smoothly with a Splunk server.
Install Splunk Universal Forwarder
- Download the Splunk Universal Forwarder from the Splunk website. Use the version "2.6+ kernel Linux distributions (64-bit)". This installation guide was written using version "splunkforwarder-6.0-182037-linux-2.6-x86_64.rpm".
- Copy the Splunk Universal Forwarder package to /var/airlock/repositories/airlock-custom/Packages/ using scp.
- Open a secure shell to Airlock, log in as user root and perform the following steps (according to this article):
# airlock-custom-repo --update
# /usr/bin/yum -y install splunkforwarder
Create default configuration files
The steps below describe how to start the Splunk daemon once to create the default configuration files, and how to enable the Splunk Universal Forwarder to start on system startup.
- Execute the following commands as root in a shell:
# /opt/splunkforwarder/bin/splunk start --accept-license
# /opt/splunkforwarder/bin/splunk stop
# /opt/splunkforwarder/bin/splunk enable boot-start -user splunk
Verify Splunk configuration files
The following parameters should be detected and configured automatically after the first start of the Splunk daemon. If they are not configured properly, replace the placeholder <airlock-fqdn> with Airlock's FQDN (e.g. airlock1.intra.net).
- Open the file /opt/splunkforwarder/etc/system/local/inputs.conf in vi and search for the section [default]:
# vi /opt/splunkforwarder/etc/system/local/inputs.conf
[default]
host = <airlock-fqdn>
- Open the file /opt/splunkforwarder/etc/system/local/server.conf in vi and search for the section [general]:
# vi /opt/splunkforwarder/etc/system/local/server.conf
[general]
serverName = <airlock-fqdn>
Configure Splunk Universal Forwarder
Configure the Splunk Universal Forwarder to send the correct data to the Splunk server.
- Create the configuration file /opt/splunkforwarder/etc/system/local/outputs.conf with the content shown below. Replace the placeholder <splunk-server> with the appropriate value (e.g. splunk-server.intra.net).
# vi /opt/splunkforwarder/etc/system/local/outputs.conf
[tcpout]
defaultGroup = splunkssl
[tcpout:splunkssl]
server = <splunk-server>:9997
sslVerifyServerCert = false
sslRootCAPath = /opt/splunkforwarder/etc/auth/cacert.pem
sslCertPath = /opt/splunkforwarder/etc/auth/server.pem
sslPassword = password
- Open the file /opt/splunkforwarder/etc/system/local/inputs.conf and append the following monitor stanzas to it. Make sure that the index airlock already exists in your Splunk server configuration.
# vi /opt/splunkforwarder/etc/system/local/inputs.conf
[monitor:///data/log/airlock/Web-Requests/*.Access]
index = airlock
sourcetype = airlock:web:access
[monitor:///data/log/airlock/Web-Requests/*.Authentication]
index = airlock
sourcetype = airlock:web:authentication
[monitor:///data/log/airlock/Web-Requests/*.Security]
index = airlock
sourcetype = airlock:web:security
[monitor:///data/log/airlock/Web-Requests/*.Usage]
index = airlock
sourcetype = airlock:web:usage
[monitor:///data/log/airlock/System/*.Configuration]
index = airlock
sourcetype = airlock:sys:configuration
[monitor:///data/log/airlock/System/*.default]
index = airlock
sourcetype = airlock:sys:default
[monitor:///data/log/airlock/System/*.Health]
index = airlock
sourcetype = airlock:sys:health
[monitor:///data/log/airlock/System/*.Network]
index = airlock
sourcetype = airlock:sys:network
[monitor:///data/log/airlock/System/*.Security]
index = airlock
sourcetype = airlock:sys:security
Configure logging for Splunk universal forwarder
To make sure that the root partition does not run out of space, the following settings are required.
- Create the configuration file /opt/splunkforwarder/etc/log-local.conf with the content shown below.
# vi /opt/splunkforwarder/etc/log-local.conf
appender.metrics.maxFileSize=5000000
appender.metrics.maxBackupIndex=5
appender.A1.maxFileSize=5000000
appender.A1.maxBackupIndex=5
Set permissions to configuration files
Make sure that the permissions are set correctly on the configuration files.
- Execute the following commands as root in a shell:
# chmod 644 /opt/splunkforwarder/etc/system/local/*.conf
# chmod 444 /opt/splunkforwarder/etc/log-local.conf
# chown -R splunk:splunk /opt/splunkforwarder
# usermod -a -G log splunk
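The outputs.conf above ships with sslVerifyServerCert = false, which makes the forwarder accept any certificate the server presents, and the inputs.conf, file modes and placeholders all have to be right before the forwarder is started. The script below is an added example, not part of this article or of Splunk or Airlock; it audits the three files for exactly those points (placeholders left in, server without a port, certificate verification off, the literal password from the example, a monitor stanza whose directory does not exist or that lacks an index, and the 644/444 modes set above) and shows the one change that turns verification on. It assumes nothing beyond POSIX sh, awk, sed and find; the temporary etc/ tree it builds and the values in it are constructed for the demonstration, and SPLUNK_ETC (e.g. /opt/splunkforwarder/etc) is an assumed environment variable for running it against a real forwarder.

```shell
#!/bin/sh
# Added example (not from the Airlock/Splunk article): offline audit of the
# forwarder configuration built in the procedure above. All paths are assumptions;
# set SPLUNK_ETC=/opt/splunkforwarder/etc to audit a real forwarder instead of
# the constructed fixture.

# get_ini FILE SECTION KEY: print the value of KEY inside [SECTION], if present.
get_ini() {
    awk -v sec="[$2]" -v key="$3" '
        $0 == sec { insec = 1; next }
        /^\[/     { insec = 0 }
        insec && index($0, "=") {
            k = $0; sub(/[ \t]*=.*/, "", k)
            if (k == key) { sub(/^[^=]*=[ \t]*/, ""); print; exit }
        }' "$1"
}

# Findings for outputs.conf, one per line; prints nothing when the file is clean.
outputs_findings() {
    f="$1"
    grp=$(get_ini "$f" tcpout defaultGroup)
    [ -n "$grp" ] || echo "outputs: [tcpout] has no defaultGroup"
    srv=$(get_ini "$f" "tcpout:$grp" server)
    case "$srv" in
        ""|*"<"*) echo "outputs: server missing or still a placeholder: '$srv'" ;;
        *:[0-9]*) ;;
        *)        echo "outputs: server '$srv' has no :port" ;;
    esac
    [ "$(get_ini "$f" "tcpout:$grp" sslVerifyServerCert)" = "true" ] ||
        echo "outputs: sslVerifyServerCert is not true; any certificate is accepted"
    [ "$(get_ini "$f" "tcpout:$grp" sslPassword)" != "password" ] ||
        echo "outputs: sslPassword is still the documentation placeholder"
}

# Findings for inputs.conf: [default] host set, every monitor:// directory
# present, every monitor stanza carrying an index.
inputs_findings() {
    f="$1"
    case "$(get_ini "$f" default host)" in
        ""|*"<"*) echo "inputs: [default] host missing or a placeholder" ;;
    esac
    sed -n 's|^\[monitor://\(.*\)]$|\1|p' "$f" | while IFS= read -r p; do
        [ -d "$(dirname "$p")" ] || echo "inputs: directory $(dirname "$p") does not exist"
        [ -n "$(get_ini "$f" "monitor://$p" index)" ] || echo "inputs: $p has no index"
    done
}

# Findings for the modes the procedure sets: 644 on system/local/*.conf and
# 444 on log-local.conf (find -perm is exact and portable).
perms_findings() {
    etc="$1"
    for f in "$etc"/system/local/*.conf; do
        [ -n "$(find "$f" -perm 644)" ] || echo "perms: $f is not mode 644"
    done
    [ ! -e "$etc/log-local.conf" ] || [ -n "$(find "$etc/log-local.conf" -perm 444)" ] ||
        echo "perms: log-local.conf is not mode 444"
}

# audit_etc DIR: print every finding; succeed only when there are none.
audit_etc() {
    findings=$(outputs_findings "$1/system/local/outputs.conf"
               inputs_findings  "$1/system/local/inputs.conf"
               perms_findings   "$1")
    [ -z "$findings" ] && { echo "audit: no findings"; return 0; }
    printf '%s\n' "$findings"
    return 1
}

# Switch on server certificate verification in place; the one change the
# documented outputs.conf needs to stop trusting any presented certificate.
harden_outputs() {
    sed -i.bak 's/^sslVerifyServerCert *=.*/sslVerifyServerCert = true/' "$1" && rm -f "$1.bak"
}

# Constructed fixture: a throw-away etc/ tree with the article's outputs.conf
# (sslVerifyServerCert = false) and two of its monitor stanzas, with the
# monitored directories created under the same temporary root. Prints the root.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/system/local" "$root/data/log/airlock/Web-Requests" "$root/data/log/airlock/System"
    cat > "$root/system/local/outputs.conf" <<EOF
[tcpout]
defaultGroup = splunkssl
[tcpout:splunkssl]
server = splunk-server.intra.net:9997
sslVerifyServerCert = false
sslRootCAPath = $root/auth/cacert.pem
sslCertPath = $root/auth/server.pem
sslPassword = constructed-example-passphrase
EOF
    cat > "$root/system/local/inputs.conf" <<EOF
[default]
host = airlock1.intra.net
[monitor://$root/data/log/airlock/Web-Requests/*.Access]
index = airlock
sourcetype = airlock:web:access
[monitor://$root/data/log/airlock/System/*.Security]
index = airlock
sourcetype = airlock:sys:security
EOF
    printf 'appender.A1.maxFileSize=5000000\n' > "$root/log-local.conf"
    chmod 644 "$root"/system/local/*.conf
    chmod 444 "$root/log-local.conf"
    echo "$root"
}

# Stand-alone run: audit a real forwarder when SPLUNK_ETC is set, otherwise
# show the fixture failing as documented and passing after harden_outputs.
if [ -n "${SPLUNK_ETC:-}" ]; then
    audit_etc "$SPLUNK_ETC"
else
    demo=$(make_fixture)
    echo "--- as documented:";          audit_etc "$demo" || true
    harden_outputs "$demo/system/local/outputs.conf"
    echo "--- after harden_outputs:";   audit_etc "$demo" || true
    rm -rf "$demo"
fi
```

Run it as root on Airlock with SPLUNK_ETC=/opt/splunkforwarder/etc before the final "Start Splunk Universal Forwarder" step; a non-zero exit lists what still needs attention. Turning sslVerifyServerCert on only helps when sslRootCAPath really points at the CA that issued the Splunk server's certificate, so verify that file before enabling it; the audit deliberately checks configuration only and does not open a connection to the server.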
Start Splunk Universal Forwarder
Start the Splunk Universal Forwarder to finalize the installation.
- Execute the following command as root in a shell:
# /etc/init.d/splunk start
Communication between the Splunk Universal Forwarder and the Splunk server must go over the Management Interface on Airlock. Make sure that the routing configuration is correct and that this traffic is sent over the Management Interface.