https://www.splunk.com/page/previous_releases#x86_64linux
Redhat 7.3 iso link :
https://drive.google.com/open?id=0B9ZGwX0D1ZA1UmJFWEYyamRMLTQ
Splunk package :
https://www.splunk.com/page/download_track?file=6.6.3/linux/splunk6.6.3e21ee54bc796linux
2.6x86_64.rpm&platform=Linux&architecture=x86_64&version=6.6.3&product=splunk&typed=r
elease&name=linux_installer
# scp splunk.66…....rpm root@192.168.56.101:/root/Desktop
[root@localhost ~]# ls
[root@localhost ~]# cd Desktop/
[root@localhost Desktop]# ls
splunk6.6.3e21ee54bc796linux2.6x86_64.rpm
[root@localhost Desktop]# rpm -ivh splunk-6.6.3-e21ee54bc796-linux-2.6-x86_64.rpm
Splunk Home directory :
[root@localhost Desktop]# cd /opt/splunk/
[root@localhost splunk]# cd bin/
[root@localhost bin]# pwd
/opt/splunk/bin
[root@localhost bin]# ./splunk start
q
y
Firewall flushing (removes every iptables rule, so all ports become reachable):
# iptables -F
Windows browser :
Url : yourip:8000
Url: 192.168.56.101:8000
Configure yum (package manager ):
# mkdir /rhel
# mount /dev/cdrom /rhel
[root@localhost ~]# cd /etc/yum.repos.d/
[root@localhost yum.repos.d]# vi vimal.repo
I
[mysoftware]
baseurl=file:///rhel
gpgcheck=0   (disables package signature verification for this local ISO repo)
Esc
:wq
Configure apache web server :
Step 1 : install web server
# yum install httpd
Step 2: host or copy web page into your server
# cd /var/www/html/
# vi index.html
Step 3: start web server :
# systemctl restart httpd
Log file :
# cd /var/log/httpd
# cat access_log
# while :
do
curl http://192.168.56.101/vimal.html
done
Data input : source type : “access_combined” for apache web server
SPL : index=web | stats sum(bytes) BY clientip
# netstat -tnlp | grep 1111
[root@localhost ~]# vim /etc/httpd/conf/httpd.conf
Line 217:
CustomLog "| /usr/bin/logger -p local6.info" combined
Custom syslog :
[root@localhost ~]# vim /etc/rsyslog.conf
local6.info /var/log/mycustom
[root@localhost ~]# systemctl restart rsyslog
[root@localhost ~]# logger -p local6.info "hiii hello"
[root@localhost ~]# cat /var/log/mycustom
[root@localhost ~]# setenforce 0   (switches SELinux to permissive mode until the next reboot; denials are logged but not enforced)
[root@localhost ~]# getenforce
Permissive
[root@localhost ~]# systemctl restart rsyslog
[root@localhost ~]# systemctl restart httpd
[root@localhost ~]# vim /etc/rsyslog.conf
local6.info @@192.168.56.101:1111
[root@localhost ~]# systemctl restart rsyslog
# tcpdump -i enp0s3 -n -X -w mypass.txt
# tcpdump -r mypass.txt -n -X > my.txt
[root@localhost local]# pwd
/opt/splunk/etc/system/local
[root@localhost local]# cat web.conf
[settings]
enableSplunkWebSSL = 1
/opt/splunk/bin/splunk restart
=> index and data input :
# cd /opt/splunk/etc/apps/search/local
/opt/splunk/var/lib/splunk/vimal/db/hot_v1_0/rawdata
Index store : (splunk data home) :
/opt/splunk/var/lib/splunk
/opt/splunk/etc/apps/search/local
[root@localhost local]# cat indexes.conf
[myindex123]
coldPath = $SPLUNK_DB/myindex123/colddb
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $SPLUNK_DB/myindex123/db
maxTotalDataSizeMB = 512000
thawedPath = $SPLUNK_DB/myindex123/thaweddb
[root@localhost local]# cat inputs.conf
[monitor:///root/Desktop/my.txt]
disabled = false
index = myindex123
sourcetype = myst_123
[root@localhost local]# /opt/splunk/bin/splunk restart
# /opt/splunk/bin/splunk enable boot-start
Field extraction:
(?P<xyz>(?i)virus|terror)
# nc splunk_ip port
# rpm -q postfix
# systemctl restart postfix
index=web clientip="192.168.56.1" | stats count
index=web | table clientip | dedup clientip | stats count
index=web | table clientip status method bytes | eval remarks=if(status=="200","ok","not
ok") | fields status
index=web | fields clientip , bytes
index="_internal" source="/opt/splunk/var/log/splunk/license_usage.log"
index="_internal" | table status method bytes | fillnull value=NULL status | eval
remarks=if(status!="NULL","ok","not ok")
index=web | table clientip method bytes | replace GET WITH DOWNLOAD in method
index=web | table clientip method bytes | rename clientip AS src_ip |replace GET WITH
DOWNLOAD in method
index=web | stats sum(bytes) AS SUM, max(bytes) AS MAX, min(bytes) AS MIN, avg(bytes)
AS AVG by clientip
index=web | chart sum(bytes) AS SUM, max(bytes) AS MAX, min(bytes) AS MIN, avg(bytes)
AS AVG by clientip
index=_internal | chart sum(bytes) by clientip,method
index=web | where bytes > 30
index=web | timechart count by client
index=_internal | timechart span=1s count by client
index=web | table _raw | rename _raw AS RAW | rex field=RAW "\[(?P<mydate>.*)]"
index=web | rex field=_raw mode=sed "s/GET/vimal/"
http://docs.splunk.com/Documentation/Splunk/6.6.3/SearchReference/Fields
Sub search :
index=web [ search index=web | table clientip | dedup clientip | head 1 ] | stats sum(bytes)
https://www.splunk.com/page/download_track?file=6.6.3/linux/splunkforwarder6.6.3e21ee54bc
796linux2.6x86_64.rpm&platform=Linux&architecture=x86_64&version=6.6.3&product=univer
salforwarder&typed=release&name=linux_installer
Splunk Universal Forwarders :
[root@master ~]# cd Downloads/
[root@master Downloads]# rpm -ivh splunkforwarder-6.6.3-e21ee54bc796-linux-2.6-x86_64.rpm
Splunk agent home dir :
# cd /opt/splunkforwarder
[root@master splunkforwarder]# cd bin/
[root@master bin]# ./splunk start
q
y
[root@master bin]# netstat -tnlp | grep splunk
[root@master bin]# ./splunk list forward-server
[root@master bin]# ./splunk add forward-server 192.168.56.101:9997
[root@master bin]# vim /etc/httpd/conf/httpd.conf
#CustomLog "| /usr/bin/logger -p local6.info" combined
CustomLog "logs/access_log" common
[root@master bin]# setenforce 0
[root@master bin]# systemctl restart httpd
[root@master bin]# curl 127.0.0.1/pop.html
[root@master bin]# cat /var/log/httpd/access_log
[root@master bin]# ./splunk add monitor /var/log/httpd/access_log -sourcetype access_combined -index rindex
http://dev.splunk.com/sdks
# curl -k -u admin:redhat https://192.168.56.101:8089/services/search/jobs -d "search=search index=net xyz=terror | stats count"
(-k skips TLS certificate verification; -u admin:redhat puts the password on the command line, where shell history and ps can read it)
# curl -k -u admin:redhat https://192.168.56.101:8089/services/search/jobs/1507960844.50/results
# curl -k -u admin:redhat https://192.168.56.101:8089/services/search/jobs -d 'search=search index=net'
# curl -k -u admin:redhat https://192.168.56.101:8089/services/search/jobs/1507959622.23/results --get
# curl -k -u admin:redhat https://192.168.56.101:8089/services/search/jobs/1507959622.23/results --get -d output_mode=csv
https://github.com/vimallinuxworld13/splunknodeproxydashboard
http://docs.splunk.com/Documentation/Splunk/latest/RESTUM/RESTusing