$ cd splunk
$ bin/splunk start
...license terms omitted here...
"Statement of Work" means the statements of work and/or any and all applicable Orders, that describe the specific services to be performed by Splunk, including any materials and deliverables to be delivered by Splunk.
Do you agree with this license? [y/n]: y
This appears to be your first time running this version of Splunk.
Splunk software must create an administrator account during startup. Otherwise, you cannot log in. Create credentials for the administrator account. Characters do not appear on the screen when you type in credentials.
Please enter an administrator username: admin
Password must contain at least:
   * 8 total printable ASCII character(s).
Please enter a new password:
Please confirm new password:
Copying '/home/shuyi/apps/splunk/splunk/etc/openldap/ldap.conf.default' to '/home/shuyi/apps/splunk/splunk/etc/openldap/ldap.conf'.
Generating RSA private key, 2048 bit long modulus
....................+++++
..........+++++
e is 65537 (0x10001)
writing RSA key
Generating RSA private key, 2048 bit long modulus
.........................................+++++
......................................................................................................+++++
e is 65537 (0x10001)
writing RSA key
Moving '/home/shuyi/apps/splunk/splunk/share/splunk/search_mrsparkle/modules.new' to '/home/shuyi/apps/splunk/splunk/share/splunk/search_mrsparkle/modules'.

Splunk> CSI: Logfiles.

Checking prerequisites...
    Checking http port [8000]: open
    Checking mgmt port [8089]: open
    Checking appserver port [127.0.0.1:8065]: open
    Checking kvstore port [8191]: open
    Checking configuration... Done.
        Creating: /home/shuyi/apps/splunk/splunk/var/lib/splunk
        Creating: /home/shuyi/apps/splunk/splunk/var/run/splunk
        Creating: /home/shuyi/apps/splunk/splunk/var/run/splunk/appserver/i18n
        Creating: /home/shuyi/apps/splunk/splunk/var/run/splunk/appserver/modules/static/css
        Creating: /home/shuyi/apps/splunk/splunk/var/run/splunk/upload
        Creating: /home/shuyi/apps/splunk/splunk/var/run/splunk/search_telemetry
        Creating: /home/shuyi/apps/splunk/splunk/var/spool/splunk
        Creating: /home/shuyi/apps/splunk/splunk/var/spool/dirmoncache
        Creating: /home/shuyi/apps/splunk/splunk/var/lib/splunk/authDb
        Creating: /home/shuyi/apps/splunk/splunk/var/lib/splunk/hashDb
    New certs have been generated in '/home/shuyi/apps/splunk/splunk/etc/auth'.
    Checking critical directories... Done
    Checking indexes...
        Validated: _audit _configtracker _internal _introspection _metrics _metrics_rollup _telemetry _thefishbucket history main summary
    Done
    Checking filesystem compatibility... Done
    Checking conf files for problems...
    Done
    Checking default conf files for edits...
    Validating installed files against hashes from '/home/shuyi/apps/splunk/splunk/splunk-9.0.1-82c987350fde-linux-2.6-x86_64-manifest'
    All installed files intact.
    Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
Generating a RSA private key
.............+++++
..........................................+++++
writing new private key to 'privKeySecure.pem'
-----
Signature ok
subject=/CN=bogon/O=SplunkUser
Getting CA Private Key
writing RSA key
PYTHONHTTPSVERIFY is set to 0 in splunk-launch.conf disabling certificate validation for the httplib and urllib libraries shipped with the embedded Python interpreter; must be set to "1" for increased security
Done
                                                           [  OK  ]
Waiting for web server at http://127.0.0.1:8000 to be available........ Done
If you get stuck, we're here to help. Look for answers here: http://docs.splunk.com
Checking prerequisites...
    Checking http port [8000]: open
    Checking mgmt port [8089]: open
    Checking appserver port [127.0.0.1:8065]: open
    Checking kvstore port [8191]: open
    Checking configuration... Done.
    Checking critical directories... Done
    Checking indexes...
        Validated: _audit _configtracker _internal _introspection _metrics _metrics_rollup _telemetry _thefishbucket history main summary
    Done
    Checking filesystem compatibility... Done
    Checking conf files for problems...
    Done
    Checking default conf files for edits...
    Validating installed files against hashes from '/home/shuyi/apps/splunk/splunk/splunk-9.0.1-82c987350fde-linux-2.6-x86_64-manifest'
    All installed files intact.
    Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
PYTHONHTTPSVERIFY is set to 0 in splunk-launch.conf disabling certificate validation for the httplib and urllib libraries shipped with the embedded Python interpreter; must be set to "1" for increased security
Done
                                                           [  OK  ]
Waiting for web server at http://127.0.0.1:8000 to be available...... Done
If you get stuck, we're here to help. Look for answers here: http://docs.splunk.com
$ sudo $SPLUNK_HOME/bin/splunk start
...license terms omitted here...
"Statement of Work" means the statements of work and/or any and all applicable Orders, that describe the specific services to be performed by Splunk, including any materials and deliverables to be delivered by Splunk.
Do you agree with this license? [y/n]: y
This appears to be your first time running this version of Splunk.
Splunk software must create an administrator account during startup. Otherwise, you cannot log in. Create credentials for the administrator account. Characters do not appear on the screen when you type in credentials.
Please enter an administrator username: admin
Password must contain at least:
   * 8 total printable ASCII character(s).
Please enter a new password:
Please confirm new password:
Creating unit file...
Important: splunk will start under systemd as user: splunk
The unit file has been created.

Splunk> CSI: Logfiles.

Checking prerequisites...
    Checking mgmt port [8089]: open
        Creating: /opt/splunkforwarder/var/lib/splunk
        Creating: /opt/splunkforwarder/var/run/splunk
        Creating: /opt/splunkforwarder/var/run/splunk/appserver/i18n
        Creating: /opt/splunkforwarder/var/run/splunk/appserver/modules/static/css
        Creating: /opt/splunkforwarder/var/run/splunk/upload
        Creating: /opt/splunkforwarder/var/run/splunk/search_telemetry
        Creating: /opt/splunkforwarder/var/spool/splunk
        Creating: /opt/splunkforwarder/var/spool/dirmoncache
        Creating: /opt/splunkforwarder/var/lib/splunk/authDb
        Creating: /opt/splunkforwarder/var/lib/splunk/hashDb
    New certs have been generated in '/opt/splunkforwarder/etc/auth'.
    Checking conf files for problems...
        Invalid key in stanza [webhook] in /opt/splunkforwarder/etc/system/default/alert_actions.conf, line 229: enable_allowlist (value: false).
        Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
    Done
    Checking default conf files for edits...
    Validating installed files against hashes from '/opt/splunkforwarder/splunkforwarder-9.0.5-e9494146ae5c-linux-2.6-x86_64-manifest'
    All installed files intact.
    Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
Done
                                                           [  OK  ]

$ sudo $SPLUNK_HOME/bin/splunk stop
Warning: Attempting to revert the SPLUNK_HOME ownership
Warning: Executing "chown -R splunk /opt/splunkforwarder"
Stopping splunkd...
Shutting down.  Please wait, as this may take a few minutes.
                                                           [  OK  ]
Stopping splunk helpers...
                                                           [  OK  ]
Done.

$ sudo /opt/splunkforwarder/bin/splunk add forward-server 192.168.0.112:9997
Warning: Attempting to revert the SPLUNK_HOME ownership
Warning: Executing "chown -R splunk /opt/splunkforwarder"
WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details.
Added forwarding to: 192.168.0.112:9997.
You can then list all configured forward servers.
$ sudo /opt/splunkforwarder/bin/splunk list forward-server
Warning: Attempting to revert the SPLUNK_HOME ownership
Warning: Executing "chown -R splunk /opt/splunkforwarder"
WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details.
Active forwards:
    192.168.0.112:9997
Configured but inactive forwards:
    None
Next, have the forwarder monitor the nginx log file.
$ sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/nginx/access.log
Warning: Attempting to revert the SPLUNK_HOME ownership
Warning: Executing "chown -R splunk /opt/splunkforwarder"
WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details.
Added monitor of '/var/log/nginx/access.log'.

$ sudo /opt/splunkforwarder/bin/splunk remove monitor /var/log/nginx/access.log
Warning: Attempting to revert the SPLUNK_HOME ownership
Warning: Executing "chown -R splunk /opt/splunkforwarder"
WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details.
Removed monitor of '/var/log/nginx/access.log'
Then add the configuration file.
$ sudo touch /opt/splunkforwarder/etc/system/local/inputs.conf
$ sudo cat /opt/splunkforwarder/etc/system/local/inputs.conf
[monitor:///var/log/nginx/access.log]
disable = 0
index = main
sourcetype = nginx:log

$ sudo /opt/splunkforwarder/bin/splunk restart
Warning: Attempting to revert the SPLUNK_HOME ownership
Warning: Executing "chown -R splunk /opt/splunkforwarder"
Stopping splunkd...
Shutting down.  Please wait, as this may take a few minutes.
                                                           [  OK  ]
Stopping splunk helpers...
                                                           [  OK  ]
Done.
splunkd.pid doesn't exist...

Splunk> CSI: Logfiles.

Checking prerequisites...
    Checking mgmt port [8089]: open
    Checking conf files for problems...
        Invalid key in stanza [webhook] in /opt/splunkforwarder/etc/system/default/alert_actions.conf, line 229: enable_allowlist (value: false).
        Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
    Done
    Checking default conf files for edits...
    Validating installed files against hashes from '/opt/splunkforwarder/splunkforwarder-9.0.5-e9494146ae5c-linux-2.6-x86_64-manifest'
    All installed files intact.
    Done
All preliminary checks passed.
Starting splunk server daemon (splunkd)... Done [ OK ]
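An added check for the inputs.conf above, written here as an example and not part of the original post or of Splunk: a small Python linter that parses Splunk .conf stanzas and flags keys a [monitor://...] stanza does not accept (the file above uses `disable`, where the documented key is `disabled`), so the mistake is caught before the restart instead of being buried among the startup warnings. `MONITOR_KEYS` is an assumed subset of the inputs.conf spec and `SAMPLE_INPUTS_CONF` is a constructed copy of the page's stanza.

```python
"""Lint a Splunk forwarder inputs.conf before restarting splunkd.

Hypothetical helper, not Splunk code: it parses stanzas, checks that
monitor stanzas only use known keys and carry an index and sourcetype.
"""

# Assumed subset of keys accepted in a [monitor://...] stanza.
MONITOR_KEYS = {"disabled", "index", "sourcetype", "source", "host",
                "whitelist", "blacklist", "crcSalt", "ignoreOlderThan",
                "followTail", "recursive", "initCrcLength"}

# Constructed sample mirroring the forwarder's inputs.conf shown above.
SAMPLE_INPUTS_CONF = """\
[monitor:///var/log/nginx/access.log]
disable = 0
index = main
sourcetype = nginx:log
"""


def parse_conf(text):
    """Return {stanza_name: {key: value}} for Splunk .conf text."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # new stanza header
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def lint_inputs(text):
    """Return a list of (stanza, message) findings for monitor stanzas."""
    findings = []
    for name, kv in parse_conf(text).items():
        if not name.startswith("monitor://"):
            continue
        for key in kv:
            if key not in MONITOR_KEYS:
                hint = " (did you mean 'disabled'?)" if key == "disable" else ""
                findings.append((name, f"unknown key '{key}'{hint}"))
        for required in ("index", "sourcetype"):
            if required not in kv:
                findings.append((name, f"missing '{required}'"))
    return findings


if __name__ == "__main__":
    for stanza, msg in lint_inputs(SAMPLE_INPUTS_CONF):
        print(f"[{stanza}] {msg}")
```

Run it against `/opt/splunkforwarder/etc/system/local/inputs.conf` by reading the file into `lint_inputs`; an empty result means the stanza uses only known keys.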