Add data to Splunk


A. Splunk server

1. Click “Add data”.
2. Click “A file or directory of files”.
3. Under “Consume any file on this Splunk server”, click “Next”.
4. Check “Skip preview” and click “Continue”.
5. Under “Specify the source”, check “Continuously index data from a file or directory this Splunk instance can access”, type “/opt/log/” and click “Save”.

 * On Ubuntu the system log files live in “/var/log/”.

 

B. Using the Splunk Universal Forwarder

1. Download and install the Universal Forwarder on the host whose data you want to collect.
2. Log on to the Splunk server (web UI).
3. Click the ‘Manager’ link in the top right.
4. Click ‘Forwarding and receiving’.
5. Click ‘Add new’ in the ‘Receive data’ section.
6. Specify the TCP port (default 9997) on which the receiver listens for forwarders.
7. Click ‘Save’. Restart Splunk to complete the process.
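The same two setups expressed as Splunk configuration files instead of clicks, so they can be scripted, reviewed and kept under version control. This is an added example, not code from the original post: the stanza names and keys (`[monitor://]`, `[splunktcp://]`, `[tcpout]`) are the standard inputs.conf / outputs.conf ones, while the `splunksvr` host name, the `splunk_indexers` group name, the `syslog` source type and the paths are placeholders.

```shell
#!/bin/sh
# Editor's added example: inputs.conf / outputs.conf equivalents of sections A and B.
# Host names, paths, source type and group name are placeholders, not from the post.

# Section A: [monitor://] stanza for a file or directory on the indexer.
monitor_stanza() {          # monitor_stanza PATH SOURCETYPE INDEX
    printf '[monitor://%s]\nsourcetype = %s\nindex = %s\ndisabled = 0\n' "$1" "$2" "$3"
}

# Section B, receiver side: listen for forwarders on a TCP port (default 9997).
receiver_stanza() {         # receiver_stanza PORT
    case $1 in
        ''|*[!0-9]*) echo "receiver_stanza: port must be numeric" >&2; return 1 ;;
    esac
    printf '[splunktcp://%s]\ndisabled = 0\n' "$1"
}

# Section B, forwarder side: outputs.conf pointing at the receiver.
forwarder_outputs() {       # forwarder_outputs HOST:PORT
    case $1 in
        *:[0-9]*) ;;
        *) echo "forwarder_outputs: expected HOST:PORT" >&2; return 1 ;;
    esac
    printf '[tcpout]\ndefaultGroup = splunk_indexers\n\n[tcpout:splunk_indexers]\nserver = %s\n' "$1"
}

# Write the indexer's inputs.conf into DIR (normally $SPLUNK_HOME/etc/system/local
# or an app's local/ directory). Refuses to clobber an existing file.
write_indexer_config() {    # write_indexer_config DIR
    dir=$1
    [ -d "$dir" ] || { echo "write_indexer_config: no such directory: $dir" >&2; return 1; }
    if [ -e "$dir/inputs.conf" ]; then
        echo "write_indexer_config: $dir/inputs.conf exists, not overwriting" >&2
        return 1
    fi
    { monitor_stanza /opt/log syslog main; echo; receiver_stanza 9997; } > "$dir/inputs.conf"
}

# Write the forwarder's outputs.conf plus an inputs.conf that ships /var/log.
write_forwarder_config() {  # write_forwarder_config DIR RECEIVER_HOST:PORT
    dir=$1
    [ -d "$dir" ] || { echo "write_forwarder_config: no such directory: $dir" >&2; return 1; }
    for f in outputs.conf inputs.conf; do
        if [ -e "$dir/$f" ]; then
            echo "write_forwarder_config: $dir/$f exists, not overwriting" >&2
            return 1
        fi
    done
    out=$(forwarder_outputs "$2") || return 1     # validate before touching disk
    printf '%s\n' "$out" > "$dir/outputs.conf"
    monitor_stanza /var/log syslog main > "$dir/inputs.conf"
}

# Demo: write both sets of files into temporary directories and print them.
if [ "${1:-}" = demo ]; then
    idx=$(mktemp -d); fwd=$(mktemp -d)
    write_indexer_config "$idx" && write_forwarder_config "$fwd" splunksvr:9997
    cat "$idx/inputs.conf" "$fwd/outputs.conf" "$fwd/inputs.conf"
fi
```

After copying the files into place, restart Splunk and check the merged result with `splunk btool inputs list --debug` on the indexer and `splunk list forward-server` on the forwarder. Note that a plain `[splunktcp://9997]` receiver carries the forwarded data in cleartext; Splunk also supports `[splunktcp-ssl:<port>]` for TLS between forwarder and indexer, which is what you want once the traffic crosses anything you do not fully control.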

 

C. Windows

1. The easy way is to install the Universal Forwarder on the Windows host; it uses very few resources.

 

D. Syslog over UDP/TCP

>  Error message: “splunk In handler ‘udp’: Parameter name: UDP port 514 is not available”, when saving a UDP input on port 514 with source type syslog.

This is usually one of three causes:

1. Splunk was started as an unprivileged user. On Linux only root (or a process with CAP_NET_BIND_SERVICE) can bind ports below 1024. The quick fix is sudo ./splunk start, but running splunkd as root is not recommended: bind a high port such as 1514 instead and redirect 514 to it with iptables, or let the local syslog daemon own 514 and monitor its log file as in section A.
2. Port 514 is already in use, typically by rsyslog or syslog-ng. Check with netstat -nlup (UDP) or netstat -nltp (TCP).
3. A host firewall blocks the port.
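A small diagnostic for the three causes above, added here as an editor's example rather than anything from the original post. The parsing functions read the output of `ss`, `netstat` and `iptables -S INPUT` from stdin, so they can be exercised against captured listings; `diagnose_udp_port` runs them on the live host. The port 1514 and the iptables REDIRECT rule it suggests are the editor's choice of workaround, not something the post prescribes.

```shell
#!/bin/sh
# Editor's added example for section D (not from the original post): test the
# three causes of "UDP port 514 is not available" before saving the input.

# port_in_use PORT  < `ss -lun` or `netstat -nlup` output
# Succeeds when a socket is bound to PORT ("*:514", "0.0.0.0:514", "[::]:514").
port_in_use() {
    grep -Eq ":$1([[:space:]]|\$)"
}

# port_owner PORT  < `ss -lunp` output  (root needed to see other users' sockets)
# Prints the owning process name, or nothing if it is not shown.
port_owner() {
    grep -E ":$1([[:space:]]|\$)" | grep -oE 'users:\(\("[^"]+"' | head -n 1 |
        sed 's/.*"\([^"]*\)"/\1/'
}

# firewall_verdict PORT  < `iptables -S INPUT` output
# Prints the target of the first rule matching udp/PORT, else the chain policy.
firewall_verdict() {
    rules=$(cat)
    rule=$(printf '%s\n' "$rules" | grep -E -- "-p udp .*--dport $1( |\$)" | head -n 1)
    if [ -n "$rule" ]; then
        printf '%s\n' "$rule" | sed 's/.*-j //' | awk '{print $1}'
    else
        printf '%s\n' "$rules" | grep '^-P INPUT ' | awk '{print $3}'
    fi
}

# Ports below 1024 need root or CAP_NET_BIND_SERVICE; splunkd started as a
# normal user cannot bind udp/514 at all.
can_bind_privileged_port() {
    [ "$(id -u)" -eq 0 ]
}

# diagnose_udp_port [PORT]: run the checks on this host and print findings.
diagnose_udp_port() {
    port=${1:-514}
    listing=$(ss -Hlunp 2>/dev/null || netstat -nlup 2>/dev/null)
    if [ "$port" -lt 1024 ] && ! can_bind_privileged_port; then
        echo "cause 1: not root, so splunkd cannot bind udp/$port."
        echo "  Safer than 'sudo ./splunk start': keep splunkd unprivileged, add [udp://1514]"
        echo "  and redirect: iptables -t nat -A PREROUTING -p udp --dport $port -j REDIRECT --to-ports 1514"
    fi
    if printf '%s\n' "$listing" | port_in_use "$port"; then
        owner=$(printf '%s\n' "$listing" | port_owner "$port")
        echo "cause 2: udp/$port already bound${owner:+ by $owner} (a local syslog daemon?"
        echo "  then monitor its log file instead, as in section A)"
    fi
    verdict=$(iptables -S INPUT 2>/dev/null | firewall_verdict "$port")
    case $verdict in
        ''|ACCEPT) ;;
        *) echo "cause 3: INPUT chain verdict for udp/$port is $verdict" ;;
    esac
}

if [ "${1:-}" = run ]; then
    diagnose_udp_port "${2:-514}"
fi
```

Run it as `sh diagnose.sh run 514`; run it with sudo once if you want `port_owner` to name sockets belonging to other users. A rule that accepts udp/514 does not by itself prove the port is reachable (a DROP earlier in the chain, or a different chain, can still win), so treat the firewall verdict as a first look, not a proof.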

E. VMware

1. ESXi 4.x:

– Use vMA 5.0 (free download from VMware.com) and run vicfg-syslog against the host:

vicfg-syslog --server esxhostsvr.mydomain.com -s splunksvr.mydomain.com -p 514

2. ESXi 5.x: vicfg-syslog in vMA 5.x only works against ESXi 4.x hosts and vCenter 4.x, so use the vSphere Client instead:

– Go to Host > Configuration > Advanced Settings > Syslog > Syslog.global.logHost and enter udp://splunk_srv:514

– Allow outgoing UDP 514 in the host firewall:

 Host > Configuration > Security Profile, click Firewall > Properties and tick the Syslog box.
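The ESXi 5.x steps above have a command-line equivalent in `esxcli`, usable over SSH on the host or from vCLI, which is easier to apply to many hosts than clicking through the vSphere Client. This is an added example, not from the original post: the `esxcli system syslog config set`, `esxcli network firewall ruleset set` and `esxcli system syslog reload` commands are the real ESXi 5.x ones, while `splunk_srv`, the `ESXCLI` override variable and the `valid_loghost` check are the editor's. It also accepts `ssl://` log hosts, which the page does not mention: that is the only form in which the syslog traffic is encrypted and the collector is authenticated.

```shell
#!/bin/sh
# Editor's added example for section E, not from the original post: esxcli
# equivalents of the ESXi 5.x vSphere Client steps. ESXCLI can be overridden
# (ESXCLI=echo) to preview the commands before running them on a host.
ESXCLI=${ESXCLI:-esxcli}

# valid_loghost URL: accept udp://host[:port], tcp://host[:port] or
# ssl://host[:port]; the port, when given, must be numeric. A bare host name is
# rejected on purpose so that the transport is always explicit.
valid_loghost() {
    case $1 in
        udp://[!/:]*|tcp://[!/:]*|ssl://[!/:]*) ;;
        *) return 1 ;;
    esac
    port=${1##*:}
    case $1 in
        *://*:*) case $port in ''|*[!0-9]*) return 1 ;; esac ;;
    esac
    return 0
}

# configure_esxi_syslog LOGHOST: point the host at the collector, enable the
# outbound syslog firewall ruleset (the Security Profile step) and reload.
configure_esxi_syslog() {
    if ! valid_loghost "$1"; then
        echo "bad loghost: $1 (want udp://host:514, tcp://host:port or ssl://host:port)" >&2
        return 1
    fi
    "$ESXCLI" system syslog config set --loghost="$1" &&
    "$ESXCLI" network firewall ruleset set --ruleset-id=syslog --enabled=true &&
    "$ESXCLI" system syslog reload
}

# show_esxi_syslog: read back the effective setting to verify the change.
show_esxi_syslog() {
    "$ESXCLI" system syslog config get
}

# mark_esxi_syslog MESSAGE: write a marker line into the host's syslog stream,
# which should then show up in Splunk (search for the message text).
mark_esxi_syslog() {
    "$ESXCLI" system syslog mark --message="$1"
}

if [ "${1:-}" = apply ]; then
    configure_esxi_syslog "${2:-udp://splunk_srv:514}" && show_esxi_syslog &&
    mark_esxi_syslog "splunk syslog test $(date +%s)"
fi
```

Preview with `ESXCLI=echo sh esxi-syslog.sh apply ssl://splunk_srv:1514`, then run it without the override on the host. An `ssl://` log host needs a TLS listener on the Splunk side and the collector's certificate trusted by the host; with plain `udp://` anyone on the path can read or spoof the host's logs.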

F. Cisco devices

 

G. SNMP trap messages to Splunk

1. Configure the device to send its traps to the Splunk host's IP address (UDP 162).
2. Chris@Ubuntu$ sudo snmptrapd -Lf /var/log/snmp-traps --disableAuthorization=yes
3. Configure Splunk to monitor the file, as described in “Monitor files and directories”.

 * --disableAuthorization=yes makes snmptrapd log traps from any sender with any community string. That is fine for a lab; elsewhere configure an authCommunity line in snmptrapd.conf instead.

To verify:

1. Check that the file /var/log/snmp-traps exists.
2. Send a test trap: sudo snmptrap -v2c -c public localhost 1 1 (you may need to install the snmp package first: sudo apt-get install snmp).
3. Check that the trap appears in snmp-traps.

 

H. SNMP MIBs to Splunk

1. Download the *.mib files and copy them to /usr/share/mibs/netsnmp/ (on Ubuntu this directory is on net-snmp's default MIB search path).
2. Pass -m +ALL (load every MIB on the search path) to snmptrapd when starting it, so the OIDs in logged traps are translated to names; snmptrap and snmptranslate take the same option.
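Sections G and H as one script, added here as an editor's example (not from the original post). It replaces `--disableAuthorization=yes` with an explicit `authCommunity` line in snmptrapd.conf, starts snmptrapd with `-m +ALL` as in section H, sends the standard net-snmp example heartbeat trap, and then checks the trap log for it rather than eyeballing the file. The community string `public`, the `/var/log/snmp-traps` path and the config-file location are placeholders; the OIDs are net-snmp's own NET-SNMP-EXAMPLES-MIB values.

```shell
#!/bin/sh
# Editor's added example for sections G and H, not from the original post.
# snmptrapd is given an explicit authCommunity instead of --disableAuthorization=yes
# (which accepts traps from anyone), and the trap log is checked for a known OID.
TRAP_LOG=${TRAP_LOG:-/var/log/snmp-traps}

# Standard net-snmp example heartbeat trap (NET-SNMP-EXAMPLES-MIB); with MIBs
# loaded (-m +ALL) snmptrapd logs the name instead of the numeric OID.
HEARTBEAT_OID=1.3.6.1.4.1.8072.2.3.0.1
HEARTBEAT_RATE_OID=1.3.6.1.4.1.8072.2.3.2.1
HEARTBEAT_NAME=netSnmpExampleHeartbeatNotification

# snmptrapd_conf COMMUNITY: minimal snmptrapd.conf that logs traps only from
# senders presenting COMMUNITY. Refuses an empty community.
snmptrapd_conf() {
    [ -n "$1" ] || { echo "snmptrapd_conf: community must not be empty" >&2; return 1; }
    printf '# log traps that carry this v1/v2c community; everything else is dropped\n'
    printf 'authCommunity log %s\n' "$1"
}

# start_trapd CONF_FILE COMMUNITY: write CONF_FILE (never over an existing one)
# and start snmptrapd logging to TRAP_LOG with all MIBs loaded (section H).
start_trapd() {
    if [ -e "$1" ]; then echo "start_trapd: $1 exists, not overwriting" >&2; return 1; fi
    conf=$(snmptrapd_conf "$2") || return 1
    printf '%s\n' "$conf" > "$1"
    snmptrapd -c "$1" -m +ALL -Lf "$TRAP_LOG"
}

# send_test_trap COMMUNITY [HOST]: v2c heartbeat trap with a rate varbind.
send_test_trap() {
    snmptrap -v 2c -c "$1" "${2:-localhost}" '' "$HEARTBEAT_OID" "$HEARTBEAT_RATE_OID" i 123
}

# trap_count FILE PATTERN [PATTERN2]: lines in FILE containing either fixed
# string (numeric OID or MIB-translated name); 0 when FILE is missing.
trap_count() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -Fc -e "$2" -e "${3:-$2}" "$1" || true
}

# wait_for_trap FILE PATTERN BASELINE [TIMEOUT]: poll until the count of
# PATTERN in FILE exceeds BASELINE; fail after TIMEOUT seconds (default 5).
wait_for_trap() {
    t=${4:-5}
    while [ "$t" -gt 0 ]; do
        [ "$(trap_count "$1" "$2")" -gt "$3" ] && return 0
        sleep 1
        t=$((t - 1))
    done
    return 1
}

# verify_traps COMMUNITY: section G's "To verify" steps, end to end.
verify_traps() {
    before=$(trap_count "$TRAP_LOG" "$HEARTBEAT_OID" "$HEARTBEAT_NAME")
    send_test_trap "$1" || return 1
    if wait_for_trap "$TRAP_LOG" "$HEARTBEAT_OID" "$before" 5 ||
       wait_for_trap "$TRAP_LOG" "$HEARTBEAT_NAME" "$before" 1; then
        echo "trap logged in $TRAP_LOG"
    else
        echo "no new trap in $TRAP_LOG: check snmptrapd is running, the community, and udp/162" >&2
        return 1
    fi
}

case ${1:-} in
    start)  start_trapd /etc/snmp/snmptrapd.conf "${2:-public}" ;;
    verify) verify_traps "${2:-public}" ;;
esac
```

Run `sudo sh snmp-traps.sh start public` once, then `sh snmp-traps.sh verify public`; a trap sent with a different community should now be dropped rather than logged, which is the behaviour you lose with `--disableAuthorization=yes`. Community strings are sent in the clear, so this filters out noise and casual spoofing only; SNMPv3 is what gives authenticated traps.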
