Splunk Architecture 101 Flashcards
What are some basic Splunk ports?
8000 - Splunk Web port (the browser UI, HTTP or HTTPS)
9997 - Splunk receiving port (forwarders send data to indexers)
8191 - Splunk KV Store port (the bundled MongoDB instance)
8080 - Splunk replication port (a conventional example value; the replication port has no fixed default and is chosen when the cluster is configured)
8089 - Splunk management port (splunkd REST API; CLI, Splunk Web, distributed search, deployment server)
8088 - Splunk HTTP Event Collector (HEC)
5514 - Syslog input (unprivileged alternative to 514, so splunkd does not need root to bind it)
What is port 8000 used for in Splunk?
Access to Splunk through the browser (Splunk Web port). Plain HTTP unless enableSplunkWebSSL is turned on in web.conf.
What is port 9997 used for in Splunk?
Indexers receive data from forwarders on it (Splunk receiving port). It is opened on the indexer with ./splunk enable listen 9997, which writes a [splunktcp://9997] stanza to inputs.conf.
What is port 8191 used for in Splunk?
Splunk KV Store port: the MongoDB instance that backs KV store lookups and app state. It only needs to be reachable between search head cluster members, never from forwarders or the Internet.
What is port 8080 used for in Splunk?
Indexers (or search head cluster members) replicate data to each other over the replication port. 8080 is only a common example; the actual value is set with -replication_port when the cluster is configured.
What is port 8089 used for in Splunk?
Management port: splunkd's REST API, used by the CLI, Splunk Web, distributed search and the deployment server. E.g. used to make components clients of a deployment server (./splunk set deploy-poll <deployment_server>:8089). Because it exposes the admin API, restrict it to other Splunk components and administrators.
What is port 8088 used for in Splunk?
Splunk HTTP Event Collector (HEC): token-authenticated HTTP(S) endpoint for sending events straight into Splunk.
What is port 5514 used for in Splunk?
Syslog input (TCP or UDP). 5514 is used instead of the standard 514 so that splunkd, running as the splunk user, does not need root to bind a privileged port.
What ports would you add to a security group when setting up a basic Splunk environment?
8000 - Splunk Web port (from administrators and search users)
9997 - Splunk receiving port (from forwarders)
8191 - Splunk KV Store port (between search head cluster members only)
8080 - Splunk replication port (between cluster members only)
8089 - Splunk management port (between Splunk components; from deployment clients to the deployment server)
8088 - Splunk HEC (from HEC senders)
5514 - Syslog (from syslog sources)
Open each port only to the source ranges listed; 8089 and 8191 in particular should never be open to 0.0.0.0/0.
How would you install Splunk Enterprise / the Splunk Universal Forwarder on a completely new instance?
- Prep the system: create the splunk group and user that will run splunkd.
- Download the package with wget and install it with rpm (or unpack the tarball).
- Enable boot-start without systemd, accept the license and take the default ports:
  ./splunk enable boot-start -systemd-managed 0 -user splunk --accept-license --auto-ports
- Change ownership of $SPLUNK_HOME to the splunk user (chown -R splunk:splunk $SPLUNK_HOME).
- Create the admin credentials. Either:
  - start Splunk and let it prompt for new admin credentials, or
  - seed them in $SPLUNK_HOME/etc/system/local/user-seed.conf before the first start:
    [user_info]
    USERNAME = admin
    PASSWORD = password
    The file is read and deleted on first start. HASHED_PASSWORD with the output of ./splunk hash-passwd avoids writing the clear-text password to disk; either way keep the file readable by the splunk user only.
- Set the server name and the minimum free disk space (MB) below which splunkd stops indexing:
  $SPLUNK_HOME/etc/system/local/server.conf
  [general]
  serverName = xyz
  [diskUsage]
  minFreeSpace = 500   (or another value; the shipped default is 5000)
- Set the host value stamped on events from this instance:
  $SPLUNK_HOME/etc/system/local/inputs.conf
  [default]
  host = xyz
- Enable HTTPS for Splunk Web:
  $SPLUNK_HOME/etc/system/local/web.conf
  [settings]
  enableSplunkWebSSL = true
- Start Splunk and confirm that it is working (./splunk start, then ./splunk status).
- Configure the license master and license slaves (called license manager and license peers in current releases):
  - Add the license through the GUI on the license master.
  - On every other instance: ./splunk edit licenser-localslave -master_uri https://(IP):managementport
    (in Splunk 9.x the command is ./splunk edit licenser-localpeer -manager_uri https://(IP):8089)
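As an added example (not part of the original flashcards), the following script stages the local configuration overrides from the checklist above into a $SPLUNK_HOME of your choosing and writes the credential seed with owner-only permissions. The staging root, the server name, the free-space threshold and the hash string are placeholders; nothing is downloaded and splunkd is not started, so it can be run against a temporary directory first.

```bash
#!/usr/bin/env bash
# Added example, not from the original flashcards: stage the local .conf
# overrides from the install checklist and lock down user-seed.conf.
# SPLUNK_HOME, server name, threshold and hash are placeholders; splunkd is
# never started and etc/system/default is never touched.

# stage_local_confs SPLUNK_HOME SERVERNAME MIN_FREE_MB
# Writes server.conf, inputs.conf and web.conf under etc/system/local, the
# directory that survives upgrades.
stage_local_confs() {
    local home="$1" name="$2" min_free="$3"
    local dir="$home/etc/system/local"
    mkdir -p "$dir"

    # minFreeSpace is megabytes of free disk below which splunkd stops
    # indexing (Splunk ships 5000; the card uses 500).
    cat > "$dir/server.conf" <<EOF
[general]
serverName = $name

[diskUsage]
minFreeSpace = $min_free
EOF

    # Default host field for every input on this instance.
    cat > "$dir/inputs.conf" <<EOF
[default]
host = $name
EOF

    # The card lists the key with no value; it is a boolean and needs one.
    cat > "$dir/web.conf" <<EOF
[settings]
enableSplunkWebSSL = true
EOF
}

# seed_admin SPLUNK_HOME USERNAME HASHED_PASSWORD
# user-seed.conf is read once on first start and then deleted. Use the hash
# printed by `splunk hash-passwd <password>` instead of a clear-text PASSWORD
# line, and create the file 0600 so nothing else can read it meanwhile.
seed_admin() {
    local f="$1/etc/system/local/user-seed.conf"
    mkdir -p "$(dirname "$f")"
    rm -f "$f"   # umask does not tighten an existing file
    ( umask 077; printf '[user_info]\nUSERNAME = %s\nHASHED_PASSWORD = %s\n' "$2" "$3" > "$f" )
}

# file_perms PATH: symbolic permission bits, portable across GNU and BSD ls.
file_perms() { ls -ld "$1" | cut -c2-10; }

# Stand-alone usage (boot-start and chown from the card still follow):
#   ./stage.sh /opt/splunk idx01 500 "$(/opt/splunk/bin/splunk hash-passwd 'S3cret!')"
if [ $# -eq 4 ]; then
    stage_local_confs "$1" "$2" "$3"
    seed_admin "$1" admin "$4"
    echo "staged under $1/etc/system/local (user-seed.conf is $(file_perms "$1/etc/system/local/user-seed.conf"))"
fi
```

Run it before ./splunk start; once splunkd has consumed user-seed.conf the file disappears, which is the check that the seed was actually applied.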
Dissect the "boot-start" command
./splunk enable boot-start -systemd-managed 0 -user splunk --accept-license --auto-ports
- enable boot-start: start Splunk automatically whenever the server boots.
- -systemd-managed 0: do not let systemd manage the service; an init.d script is installed instead (1 would write a systemd unit file).
- -user splunk: the splunk user, not root, runs the process when it is started at boot.
- --accept-license: accept the Splunk license automatically on first start instead of prompting.
- --auto-ports: take Splunk's default ports (8000 for Splunk Web, 8089 for splunkd) without prompting, moving to the next free port if one is already in use.
What is systemd?
First, by convention a process whose name ends in "d" (sshd, splunkd, systemd) is a daemon: a process that works in the background.
systemd is the parent of all processes, process ID 1. It starts every other process and daemon at boot, and it has integrated tools that manage, for example, Wi-Fi, Bluetooth, suspend/shutdown, etc.
Some time ago the norm was to use a simpler process called init to start every other process. It did not include managing the system parts I just mentioned, so you needed a separate program for each of them. systemd standardized all of this as one central process. Some people don't like it because it may have a lot of bugs (I don't know); others just don't like the idea of centralizing processes too much, as it has apparently gotten very big and monstrous.
How to get server’s public ip using a command?
curl https://ipinfo.io/ip
What is the app.conf file for in Splunk, and what are some of its attributes?
# This file maintains the state of a given app in the Splunk platform. It can
# also be used to customize certain aspects of an app.
#
# An app.conf file can exist within each app on the Splunk platform.
#
# You must restart the Splunk platform to reload manual changes to app.conf.
[install]
state = disabled | enabled
- Determines whether an app is disabled or enabled on the Splunk platform.
- If an app is disabled, its configurations are ignored.
- Default: enabled
is_configured =
* Stores an indication of whether the application’s custom setup has been
performed.
* Default: false
[launcher]
Settings in this stanza determine how an app appears in the Launcher in the Splunk
platform and online on Splunkbase.
author=
description=
version=
[package]
* This stanza defines upgrade-related metadata that streamlines app upgrade
to future versions of Splunk Enterprise.
id =
* Omit this setting for apps that are for internal use only and not intended
for upload to Splunkbase.
* id is required for all new apps that you upload to Splunkbase. Future versions of
Splunk Enterprise will use appid to correlate locally-installed apps and the
same app on Splunkbase (e.g. to notify users about app updates).
* id must be the same as the folder name in which your app lives in
$SPLUNK_HOME/etc/apps.
* id must adhere to these cross-platform folder name restrictions:
* must contain only letters, numbers, “.” (dot), and “_” (underscore)
characters.
* must not end with a dot character.
[ui]
* This stanza defines UI-specific settings for this app.
is_visible =
- Indicates if this app is visible/navigable as an app in Splunk Web.
- Apps require at least one view to be available in Splunk Web.
label =
* Defines the name of the app shown in Splunk Web and Launcher.
* Recommended length between 5 and 80 characters.
* Must not include "Splunk For" prefix.
* Label is required.
* Examples of good labels: IMAP Monitor, SQL Server Integration Services, FISMA Compliance
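As an added example (not part of the original flashcards or of any Splunk tooling), the script below reads an app.conf with a small .conf parser and checks the rules quoted above: a valid [install] state, a [package] id that matches the app folder and obeys the character restrictions, and a [ui] label that is present, is not prefixed with "Splunk For" and has the recommended length. The app name demo_app and its settings are constructed test data.

```bash
#!/usr/bin/env bash
# Added example, not part of the original flashcards: lint an app.conf against
# the rules in the app.conf spec quoted above. "demo_app" and every value
# written by make_app are constructed test data, not a real Splunkbase app.

# conf_get FILE STANZA KEY: print the value of KEY inside [STANZA] (first
# match), empty if absent. Minimal reader for Splunk .conf syntax: '[stanza]'
# headers, 'key = value' lines, '#' comments; no line continuations.
conf_get() {
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*#/ { next }
        /^\[/      { in_stanza = ($0 == want); next }
        in_stanza && match($0, "^" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }' "$1"
}

# lint_app_conf APP_DIR: return 0 if default/app.conf passes every rule from
# the spec text above, otherwise print each violation and return 1.
lint_app_conf() {
    local app_dir="$1" conf="$1/default/app.conf" rc=0
    local folder; folder=$(basename "$app_dir")
    [ -f "$conf" ] || { echo "missing $conf"; return 1; }

    local state id label
    state=$(conf_get "$conf" install state)
    id=$(conf_get "$conf" package id)
    label=$(conf_get "$conf" ui label)

    # [install] state: only enabled or disabled (absent means the default, enabled).
    case "$state" in
        enabled|disabled|"") ;;
        *) echo "install/state must be enabled or disabled, got '$state'"; rc=1 ;;
    esac

    # [package] id: optional for internal apps, but when present it must equal
    # the folder name, use only letters, digits, '.' and '_', and not end in '.'.
    if [ -n "$id" ]; then
        [ "$id" = "$folder" ] || { echo "package/id '$id' != folder '$folder'"; rc=1; }
        case "$id" in
            *[!A-Za-z0-9._]*) echo "package/id has characters outside [A-Za-z0-9._]"; rc=1 ;;
            *.) echo "package/id must not end with a dot"; rc=1 ;;
        esac
    fi

    # [ui] label: required, no "Splunk For" prefix, 5..80 characters recommended.
    [ -n "$label" ] || { echo "ui/label is required"; rc=1; }
    case "$label" in
        "Splunk For"*|"Splunk for"*) echo "ui/label must not start with 'Splunk For'"; rc=1 ;;
    esac
    local len=${#label}
    if [ -n "$label" ] && { [ "$len" -lt 5 ] || [ "$len" -gt 80 ]; }; then
        echo "ui/label length $len is outside the recommended 5..80"; rc=1
    fi
    return $rc
}

# make_app DIR STATE ID LABEL: write a constructed default/app.conf for the demo.
make_app() {
    mkdir -p "$1/default"
    cat > "$1/default/app.conf" <<EOF
# constructed demo app.conf
[install]
state = $2
is_configured = false

[launcher]
author = demo
description = constructed demo app
version = 1.0.0

[package]
id = $3

[ui]
is_visible = true
label = $4
EOF
}

# Stand-alone usage: ./lint_app.sh $SPLUNK_HOME/etc/apps/my_app
if [ $# -gt 0 ]; then
    lint_app_conf "$1" && echo "$1: app.conf ok"
fi
```

Point it at $SPLUNK_HOME/etc/apps/<app> before packaging; a mismatch between the folder name and [package] id is the rule most often broken when an app is renamed after the fact.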
What is the $SPLUNK_HOME/etc/system/default directory for?
The default directory contains preconfigured versions of the configuration files with default settings. The location of the default directory in a Splunk Enterprise installation is $SPLUNK_HOME/etc/system/default.
"all these worlds are yours, except /default - attempt no editing there" - duckfez, 2010
You should never change a configuration file that's located in the $SPLUNK_HOME/etc/system/default directory. The Splunk Enterprise upgrade process overwrites the contents of that folder automatically, which removes any changes. If you want a changed setting to survive an upgrade, place your configuration file in a local folder path such as $SPLUNK_HOME/etc/system/local or $SPLUNK_HOME/etc/apps/$app_name/local; settings in local take precedence over default when Splunk merges the files. To see which file a running value actually comes from, use ./splunk btool <conf> list --debug (for example ./splunk btool server list --debug).