What is Splunk?
Splunk is an application that is designed to search and analyze data gathered from the machine, devices, and well anything that sends data in your infrastructure.
Splunk Cloud vs Splunk Enterprise ?
The big difference here is that Splunk Enterprise is hosted on your company's infrastructure, or your personal machine if you are using it on your machine. Splunk Cloud is the same software however it is hosted in Splunk's Cloud and all this hardware is maintained by Splunk. Splunk Cloud reduces the time it takes to get to production as well as decreases the cost of your SIEM.
Universal Forwarder ?
Universal Forwarders allow your machine to stream data to the receiver which is an index in Splunk Cloud. These forwarders allow use to monitor traffic in real time.
Splunk Installation Lab
Create two instance on AWS ec2 as shown below
Install Splunk in both of them . In order to do that go to Splunk Enterprise website and download the splunk for linux.
Now install the splunk using command
sudo yum install ./splunk <Splunk file name>
Move to bin folder
cd /opt/splunk/bin
Create a license and start the splunk
./splunk start --accept-license --answer-yes
Add port 8000 in the security group
Now your splunk is read to run
Put publicip:8000 in browser and login
NOTE
Follow this above steps to install the splunk in both the server....
Now Clearly you can see there is no host present...
so inorder to connect host we need universal forwarder...
Universal Forwarder Installation
Go to splunk platform --> products --> Free trails and downloads
Download the universal forwarder
Install that forwarder using command :
sudo yum install ./<splunk forwarder name>
Now change path to bin folder and start the splunk
It will ask for a port number , put any port [ Here I put 9089 ]
Now add the forward server to the splunk, Here I have put the public ip of splunk server
./splunk add forward-server <publicip-splunk server>:9997
Restart the splunk
Now Put the log path :
./splunk add monitor /var/log
Restart the splunk again
Now go to bin path and enable 9997 port listen
Restart the Splunk and you can see that the client is added to the forwarder.
Inorder to add the another server client .. Follow the same process above
But in place of port input , Put a different port as shown below
9088
Add forward server ip as splunk server public ip
After that you can see two ip in the host ...
One host is splunk server and another was universal forwarder
Click on the host name and you can see the logs file here
Now create a test folder inside /opt/splunk/etc/deployment-apps ,
it will reflect in forwarder management apps
Now try to deploy a client using below commnads and restart the splunk
./splunk set deploy-poll <splunk server ip>:8089
You can see the client here
You can also create a server class and deploy that test app here
Add a client ip or hostname where you want to deploy
Top comments (0)