Monday, May 07, 2018

Trying Splunk Cloud

I first used Splunk over ten years ago, but the first time I blogged about it was in 2008. I described how to install Splunk on Ubuntu 8.04. Today I decided to try the Splunk Cloud.

Splunk Cloud is the company's hosted Splunk offering, residing in Amazon Web Services (AWS). You can register for a 15-day free trial of Splunk Cloud that will index 5 GB per day.

If you would like to follow along, you will need a computer with a Web browser to interact with Splunk Cloud. (There may be ways to interact via API, but I do not cover that here.)

I will collect logs from a virtual machine running Debian 9, inside Oracle VirtualBox.

First I registered for the free Splunk Cloud trial online.

After I had a Splunk Cloud instance running, I consulted the documentation for Forward data to Splunk Cloud from Linux. I am running a "self-serviced" instance and not a "managed instance," i.e., I am the administrator in this situation.

I learned that I needed to install a software package called the Splunk Universal Forwarder on my Linux VM.

I downloaded a 64-bit Linux 2.6+ kernel .deb file to the /home/Downloads directory on the Linux VM.

richard@debian:~$ cd Downloads/

richard@debian:~/Downloads$ ls

splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-amd64.deb

With elevated permissions I created a directory for the .deb, changed into the directory, and installed the .deb using dpkg.

richard@debian:~/Downloads$ sudo bash
[sudo] password for richard: 

root@debian:/home/richard/Downloads# mkdir /opt/splunkforwarder

root@debian:/home/richard/Downloads# mv splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-amd64.deb /opt/splunkforwarder/

root@debian:/home/richard/Downloads# cd /opt/splunkforwarder/

root@debian:/opt/splunkforwarder# ls

splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-amd64.deb

root@debian:/opt/splunkforwarder# dpkg -i splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-amd64.deb 

Selecting previously unselected package splunkforwarder.
(Reading database ... 141030 files and directories currently installed.)
Preparing to unpack splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-amd64.deb ...
Unpacking splunkforwarder (7.1.0) ...
Setting up splunkforwarder (7.1.0) ...
complete

root@debian:/opt/splunkforwarder# ls
bin        license-eula.txt
copyright.txt  openssl
etc        README-splunk.txt
ftr        share
include        splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-amd64.deb
lib        splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-x86_64-manifest

Next I changed into the bin directory, ran the splunk binary, and accepted the EULA.

root@debian:/opt/splunkforwarder# cd bin/

root@debian:/opt/splunkforwarder/bin# ls

btool   copyright.txt   openssl slim   splunkmon
btprobe   genRootCA.sh   pid_check.sh splunk   srm
bzip2   genSignedServerCert.sh  scripts splunkd
classify  genWebCert.sh   setSplunkEnv splunkdj

root@debian:/opt/splunkforwarder/bin# ./splunk start

SPLUNK SOFTWARE LICENSE AGREEMENT

THIS SPLUNK SOFTWARE LICENSE AGREEMENT ("AGREEMENT") GOVERNS THE LICENSING,
INSTALLATION AND USE OF SPLUNK SOFTWARE. BY DOWNLOADING AND/OR INSTALLING SPLUNK
SOFTWARE: (A) YOU ARE INDICATING THAT YOU HAVE READ AND UNDERSTAND THIS

...

Splunk Software License Agreement 04.24.2018

Do you agree with this license? [y/n]: y

Now I had to set an administrator password for this Universal Forwarder instance. I will refer to it as "mypassword" in the examples that follow, although Splunk does not echo it to the screen below.

This appears to be your first time running this version of Splunk.

An Admin password must be set before installation proceeds.
Password must contain at least:
   * 8 total printable ASCII character(s).
Please enter a new password: 
Please confirm new password: 

Splunk> Map. Reduce. Recycle.

Checking prerequisites...
Checking mgmt port [8089]: open
Creating: /opt/splunkforwarder/var/lib/splunk
Creating: /opt/splunkforwarder/var/run/splunk
Creating: /opt/splunkforwarder/var/run/splunk/appserver/i18n
Creating: /opt/splunkforwarder/var/run/splunk/appserver/modules/static/css
Creating: /opt/splunkforwarder/var/run/splunk/upload
Creating: /opt/splunkforwarder/var/spool/splunk
Creating: /opt/splunkforwarder/var/spool/dirmoncache
Creating: /opt/splunkforwarder/var/lib/splunk/authDb
Creating: /opt/splunkforwarder/var/lib/splunk/hashDb
New certs have been generated in '/opt/splunkforwarder/etc/auth'.
Checking conf files for problems...
Done
Checking default conf files for edits...
Validating installed files against hashes from '/opt/splunkforwarder/splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-x86_64-manifest'
All installed files intact.
Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...  
Done

With that done, I had to return to the Splunk Cloud Web site and click the link to "Download Universal Forwarder Credentials" to download a splunkclouduf.spl file. As noted in the documentation, splunkclouduf.spl is a "credentials file, which contains a custom certificate for your Splunk Cloud deployment. The universal forwarder credentials are different from the credentials that you use to log into Splunk Cloud."

After downloading the splunkclouduf.spl file, I installed it. Note I pass "admin" as the user and "mypassword" as the password here. After installing I restart the universal forwarder.

root@debian:/opt/splunkforwarder/bin# ./splunk install app /home/richard/Downloads/splunkclouduf.spl -auth admin:mypassword

App '/home/richard/Downloads/splunkclouduf.spl' installed 

root@debian:/opt/splunkforwarder/bin# ./splunk restart
Stopping splunkd...
Shutting down.  Please wait, as this may take a few minutes.
.......
Stopping splunk helpers...

Done.

Splunk> Map. Reduce. Recycle.

Checking prerequisites...
Checking mgmt port [8089]: open
Checking conf files for problems...
Done
Checking default conf files for edits...
Validating installed files against hashes from '/opt/splunkforwarder/splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-x86_64-manifest'
All installed files intact.
Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...  
Done

It's time to take the final steps to get data into Splunk Cloud. I need to configure forwarder management in the Splunk Cloud Web site. Observe the input-prd-p-XXXX.cloud.splunk.com in the command. You obtain this (mine is masked with XXXX) from the URL for your Splunk Cloud deployment, e.g., https://prd-p-XXXX.cloud.splunk.com. Note that you have to add "input-" before the fully qualified domain name used by the Splunk Cloud instance.

root@debian:/opt/splunkforwarder/bin# ./splunk set deploy-poll input-prd-p-XXXX.cloud.splunk.com:8089

Your session is invalid.  Please login.
Splunk username: admin
Password: 
Configuration updated.

Once again I restart the universal forwarder. I'm not sure if I could have done all these restarts at the end.

root@debian:/opt/splunkforwarder/bin# ./splunk restart
Stopping splunkd...
Shutting down.  Please wait, as this may take a few minutes.
.......
Stopping splunk helpers...

Done.

Splunk> Map. Reduce. Recycle.

Checking prerequisites...
Checking mgmt port [8089]: open
Checking conf files for problems...
Done
Checking default conf files for edits...
Validating installed files against hashes from '/opt/splunkforwarder/splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-x86_64-manifest'
All installed files intact.
Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...  
Done

Finally I need to tell the universal forwarder to watch some logs on this Linux system. I tell it to monitor the /var/log directory and restart one more time.

root@debian:/opt/splunkforwarder/bin# ./splunk add monitor /var/log
Your session is invalid.  Please login.
Splunk username: admin
Password: 
Added monitor of '/var/log'.

root@debian:/opt/splunkforwarder/bin# ./splunk restart

Stopping splunkd...
Shutting down.  Please wait, as this may take a few minutes.
...............
Stopping splunk helpers...

Done.

Splunk> Map. Reduce. Recycle.

Checking prerequisites...
Checking mgmt port [8089]: open
Checking conf files for problems...
Done
Checking default conf files for edits...
Validating installed files against hashes from '/opt/splunkforwarder/splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-x86_64-manifest'
All installed files intact.
Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...  
Done
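The steps above (install the .deb, start and accept the EULA, install the credentials app, set the deployment poll target, add the monitor, restart) collected into one POSIX sh script. This is an added example and not part of the original post or of Splunk's own tooling; it assumes the .deb and splunkclouduf.spl are already downloaded to the paths in DEB_PATH and CREDS_PATH, that SPLUNK_CLOUD_URL is the Web URL of your trial, and that a single restart at the end is enough (the post restarts three times and wonders whether one would do). It also lets the splunk binary prompt for the admin password instead of passing it with -auth admin:mypassword, so the password stays out of shell history and the process list. The two helper functions run without Splunk installed; the real steps only run with the --run flag as root.

```shell
#!/bin/sh
# Added example (not from the post): the post's manual forwarder setup as a script.
# Assumptions are mine: file locations below and a single final restart.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"
DEB_PATH="${DEB_PATH:-/home/richard/Downloads/splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-amd64.deb}"
CREDS_PATH="${CREDS_PATH:-/home/richard/Downloads/splunkclouduf.spl}"
# Placeholder: replace XXXX with your own deployment's name, as in the post.
SPLUNK_CLOUD_URL="${SPLUNK_CLOUD_URL:-https://prd-p-XXXX.cloud.splunk.com}"
MONITOR_DIR="${MONITOR_DIR:-/var/log}"

# The forwarder polls the Web host with "input-" prepended and the management
# port 8089 appended, e.g. https://prd-p-XXXX.cloud.splunk.com ->
# input-prd-p-XXXX.cloud.splunk.com:8089. Scheme, path and any port are stripped.
deploy_target_from_url() {
  host=$(printf '%s' "$1" | sed -e 's#^[A-Za-z][A-Za-z0-9+.-]*://##' -e 's#[/:].*$##')
  printf 'input-%s:8089' "$host"
}

# Splunk's first-run rule from the prompt in the post: at least 8 printable
# ASCII characters. Returns 0 when the password satisfies it, 1 otherwise.
password_ok() {
  [ "${#1}" -ge 8 ] || return 1
  # Any byte outside 0x20-0x7E (checked in the C locale) is not printable ASCII.
  if printf '%s' "$1" | LC_ALL=C grep -q '[^ -~]'; then
    return 1
  fi
  return 0
}

run_splunk() { "$SPLUNK_HOME/bin/splunk" "$@"; }

setup_forwarder() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root (the post uses sudo bash)" >&2; return 1; }
  [ -f "$DEB_PATH" ] || { echo "missing forwarder package: $DEB_PATH" >&2; return 1; }
  [ -f "$CREDS_PATH" ] || { echo "missing credentials app: $CREDS_PATH" >&2; return 1; }

  dpkg -i "$DEB_PATH"
  # First start: accept the EULA non-interactively; Splunk still prompts for
  # the admin password on first run, which keeps it out of history.
  run_splunk start --accept-license
  # Credentials app from "Download Universal Forwarder Credentials"; splunk
  # prompts for admin login when no -auth is given.
  run_splunk install app "$CREDS_PATH"
  run_splunk set deploy-poll "$(deploy_target_from_url "$SPLUNK_CLOUD_URL")"
  run_splunk add monitor "$MONITOR_DIR"
  # Assumption: one restart after all configuration changes is sufficient.
  run_splunk restart
  # Confirms which indexers the forwarder is actually connected to.
  run_splunk list forward-server
}

# Only perform the installation when explicitly asked; sourcing or running the
# file without --run just defines the functions.
if [ "${1:-}" = "--run" ]; then
  setup_forwarder
fi
```

Run it as root with ./setup_uf.sh --run after editing the paths and the deployment URL. The final list forward-server call is the quickest check that the credentials app and deploy-poll setting took effect before you look for host=debian in the Splunk Cloud search page.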

At this point I return to the Splunk Cloud Web interface and click the "search" feature. I see Splunk is indexing some data.


I run a search for "host=debian" and find my logs.


Not too bad! Have you tried Splunk Cloud? What do you think? Leave me a comment below.

Update: I installed the Universal Forwarder on FreeBSD 11.1 using the method above (except with a FreeBSD .tgz) and everything seems to be working!

2 comments:

Jim C said...

I'd be interested to see your thoughts on Elastic, which is of course a direct competitor to Splunk, but using an open source technology stack. They also have a cloud service.

I believe that Splunk charge money per byte indexed to use their software, whereas Elastic charge per node in the cluster for optional support. This seems to be a significantly important difference for people who are not making a quantifiable return-on-investment with their log analytics, i.e. most sysadmin/security use-cases.

Richard Bejtlich said...

I don't know enough to comment at the moment Jim. However this Reddit thread is interesting:

https://www.reddit.com/r/sysadmin/comments/788uli/my_it_team_is_comparing_pros_and_cons_of_elk_as/#bottom-comments

In particular I liked this comment:

https://www.reddit.com/r/sysadmin/comments/788uli/my_it_team_is_comparing_pros_and_cons_of_elk_as/dosirhf/