
Work Instructions

Part I

Ensure connectivity between your servers and the Splunk servers listed below (ping).

Splunk Role                                IP Address      Ports        OS
Indexers                                   172.29.213.80   9997, 8089   CentOS 7
Indexers                                   172.29.213.81   9997, 8089   CentOS 7
Indexers                                   172.29.213.82   9997, 8089   CentOS 7
Indexers                                   172.29.213.83   9997, 8089   CentOS 7
Indexers                                   172.29.213.84   9997, 8089   CentOS 7
Indexers                                   172.29.213.85   9997, 8089   CentOS 7
Indexers                                   172.29.213.86   9997, 8089   CentOS 7
Search Heads                               172.29.213.88   8000, 8089   CentOS 7
Cluster Master                             172.28.200.84   8000, 8089   CentOS 7
License Master                             172.28.200.85   8000, 8089   CentOS 7
Additional Server [proposed search head]   172.29.213.87   130
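Part I asks only for a ping, but the forwarder also needs the TCP ports from the table to be open (9997 towards the indexers, 8089 towards the deployment server set later in this instruction). The script below is an added pre-flight check, not part of the original work instruction; it probes every host:port pair from the table and assumes Linux iputils ping, coreutils timeout and bash for the /dev/tcp connect.

```shell
# Added pre-flight for Part I (example code, not part of the original instruction).
# Ping proves only ICMP; the forwarder needs TCP to the table's ports (9997 on the
# indexers, 8089 for management/deployment), so each host:port pair is probed with
# a TCP connect too. Assumes Linux iputils ping, coreutils timeout and bash (/dev/tcp).

# Host list transcribed from the Part I table: role, IP, comma-separated ports.
splunk_hosts() {
  cat <<'EOF'
Indexer       172.29.213.80 9997,8089
Indexer       172.29.213.81 9997,8089
Indexer       172.29.213.82 9997,8089
Indexer       172.29.213.83 9997,8089
Indexer       172.29.213.84 9997,8089
Indexer       172.29.213.85 9997,8089
Indexer       172.29.213.86 9997,8089
SearchHead    172.29.213.88 8000,8089
ClusterMaster 172.28.200.84 8000,8089
LicenseMaster 172.28.200.85 8000,8089
EOF
}

# check_icmp HOST -> 0 if one ping is answered within 2 s
check_icmp() { ping -c 1 -W 2 "$1" >/dev/null 2>&1; }

# check_tcp HOST PORT -> 0 on a TCP connect within 3 s, non-zero otherwise
# (bash's /dev/tcp, so no nc/nmap needs to be installed on the box)
check_tcp() { timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null; }

# target_count -> number of host:port pairs to probe (20 for the table above)
target_count() {
  splunk_hosts | while read -r role ip ports; do
    printf '%s\n' "$ports" | tr ',' '\n'
  done | wc -l | tr -d ' '
}

# run_checks -> one OK/FAIL line per probe; exit status = number of failures
run_checks() {
  fails=0
  while read -r role ip ports; do
    check_icmp "$ip" && echo "OK   icmp $role $ip" || { echo "FAIL icmp $role $ip"; fails=$((fails+1)); }
    for p in $(printf '%s' "$ports" | tr ',' ' '); do
      if check_tcp "$ip" "$p"; then echo "OK   tcp  $role $ip:$p"
      else echo "FAIL tcp  $role $ip:$p"; fails=$((fails+1)); fi
    done
  done <<EOF
$(splunk_hosts)
EOF
  return "$fails"
}
```

Run run_checks from the server that will host the forwarder; a non-zero exit status means at least one host:port pair was unreachable and must be fixed (firewall, routing) before the forwarder is installed.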
Forwarder

01 Download the forwarder (https://www.splunk.com/en_us/download/universal-forwarder.html).
Use the attached file if it is a Linux box. Check the architecture with uname -a to know whether it is x86 or not, and download the right Splunk forwarder:

splunkforwarder-6.4.1-debde650d26e-Linux-x86_64.tgz

#copy the relevant splunk forwarder installer to the server that you intend to collect logs from

#add group and user

groupadd splunk
useradd -g splunk splunk

#no password ageing, inactivity lock or account expiry for the splunk service account
chage -I -1 -m 0 -M 99999 -E -1 splunk

#to install forwarder in /opt


cd /opt
tar xvzf /<temp location>/splunkforwarder-<version>.tgz

#configure forwarder
chown -R splunk:splunk splunkforwarder

#set to start at server boot

/opt/splunkforwarder/bin/splunk enable boot-start -user splunk --accept-license --answer-yes --auto-ports --no-prompt

#change default password

/opt/splunkforwarder/bin/splunk edit user admin -password M@hig@1 -auth admin:changeme --accept-license --answer-yes --auto-ports --no-prompt

#change default management port

/opt/splunkforwarder/bin/splunk set splunkd-port 13100 --accept-license --answer-yes --auto-ports --no-prompt

#if you are using a deployment server, set it here. Otherwise ignore this configuration
/opt/splunkforwarder/bin/splunk set deploy-poll 172.28.200.84:8089 --accept-license --answer-yes

#configure log location access

#either add the splunk user to the group that has read access to the log location,
#or grant it read (and directory traverse) access with an ACL on the existing files:
setfacl -R -m u:splunk:r-x /var/log

Save the attached file (deploymentclient.conf) under (if it does not exist)

/opt/splunkforwarder/etc/system/local/deploymentclient.conf
i.e.

cp /home/cmwanzia/deploymentclient.conf /opt/splunkforwarder/etc/system/local/

#switch to splunk user and start splunk with that user


su - splunk
/opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --auto-ports --no-prompt

#in case of any issues, you may restart with


/opt/splunkforwarder/bin/splunk restart