Module 1 - Deploying Splunk

Question 1

Four stages of Splunk

Answer 1

• Input any text data
• Parse the data into events
• Index and store events
• Search and report

Question 2

Deployment types

Answer 2

1. Single server. Good for tests and development
2. Single server with inputs (forwarders). Forwarders installed at data source
3. Distributed non cluster. Collection tier: universal and heavy forwarders, other input. Indexing tier: multiple indexers. Search tier: search head
4. Distributed non cluster with central management. Same as 3 but also includes license manager, monitoring console and deployment manager as separate components
5. Clustered environment. Search head clustering: Replicates knowledge objects. Indexer clustering: Replicates data across indexers, Single-site or multi-site, Allows balance of growth, speed of recovery and disk usage

Question 3

Deployment server purpose

Answer 3

Manages forwarders

Question 4

Cluster environment licensing

Answer 4

Doesn’t require additional licenses

Question 5

Cluster environment components

Answer 5

Search head cluster
Indexer cluster
Forwarders
License manager
Monitoring console
Cluster manager
Shc deployer
Deployment server

Question 6

Splunk enterprise packages

Answer 6

Splunk enterprise package includes all components
Universal forwarder package includes forwarder client

Question 7

Server hw requirement for indexer

Answer 7

12-48 CPU cores or 24-96 vCPU
12-128GB RAM
Disk capable at least 800 IOPS
SSD for hot/warm buckets

Question 8

Server hw requirement for search head

Answer 8

16 CPU cores or 32 vCPU
12GB RAM
2 x 10K RPM 300GB SAS drives, or better

Question 9

Default network ports Splunk enterprise

Answer 9

Splunkd - 8089
Web server- 8000
Web app server Proxy - 8065
KV store - 8191
No default ports for S2S receiving ports, any network/http input, index replication ports, search replication ports

Question 10

Default network ports Universal forwarder

Answer 10

Splunkd - 8089
NO default for any network/https input

No other components present on UF

Question 11

How to view resource limits

Answer 11

ulimits -a

Question 12

Best practice parameters on search beds and Indexers

Answer 12

File descriptors (ulimit -n) >= 64k, based on buckets and searches
Max user processes (ulimit -u) >= 16k, based on forwarders / concurrent searches

Question 13

NTP on Splunk

Answer 13

Enable. Best practise

Question 14

Splunk users requirements

Answer 14

Avoid using root or administrator on windows

Read files and directories configured for monitoring by Splunk
*NIX: /var/log is not typically open to non-root accounts
# Write to the Splunk Enterprise directory (SPLUNK_HOME)
# Execute any scripts required (alerts or scripted input)
# Bind to the network ports Splunk is listening on
*NIX: non-root accounts cannot access reserved ports (< 1024

Question 15

Start Splunk automatically on Linux

Answer 15

Enable boot-start manually

Question 16

Start Splunk automatically on Windows

Answer 16

Started automatically by default

Question 17

Installing Splunk on Linux

Answer 17

tar zxvf splunk_package.tgz-C /opt

Question 18

Splunk directory structure

Answer 18

SPLUNK_HOME

Linux - /opt/splunk
Windows c:\Program files\Splunk

/opt/splunk/bin - contains executables
/opt/splunk/etc - configuration and licenses
/opt/splunk/car/lib/splunk - indexes

Question 19

What is SPLUNK_HOME

Answer 19

/opt/splunk

Question 20

What is SPLUNK_DB

Answer 20

/opt/splunk/var/lib/splunk

Question 21

Running Splunk at boot

Answer 21

Linux - run after installation
splunk enable boot-start -user username -systemd-managed 1

Windows - by default services set to auto start: splunkd and splunkweb

Question 22

splunkd

Answer 22

Runs on 8089 by default
Spawns and controls all splunk processes: splunk web proxy, KV store, introspection services, all searches, scripted input or scripted alert
Access, processing and indexing of incoming data
Handles all searches and displays results

Question 23

View splunkd status from CLI

Answer 23

splunk status

Question 24

Splunk web

Answer 24

Webui
Provides front end for splunkd

Http://x.x.x.:8000

Question 25

Default port for splunk web

Answer 25

8000

Question 26

Splunk web server setting

Answer 26

Access from Settings > Server settings > General settings
Configure host name, default port Default web server port, whether web server is active or not, if to use https or not

Question 27

Disable/enable web server

Answer 27

Can disable from webui
Cannot enable webui from GUI. Must do it from CLI

Question 28

Server restart

Answer 28

Any general settings modification trigger messages alert with link to restart server.

Another option to restart from GUI: settings > server controls > restart splunk

Restart from CLI: splunk restart

Question 29

CLI Start or stop splunk

Answer 29

splunk start
splunk stop
splunk restart

Question 30

Show the port that the splunkd listens on

Answer 30

splunk show splunkd-port

Question 31

Show the port that Splunk Web listens on

Answer 31

splunk show web-port

Question 32

Show the server name of the instance

Answer 32

splunk show servername

Question 33

Show the default host name used for all data inputs

Answer 33

splunk show default-hostname

Question 34

Universal Forwarders security best practice

Answer 34

Disable splunkd listener on port tcp/8089