Difference between revisions of "Splunk"

From Nuclear Physics Group Documentation Pages
Revision as of 20:31, 10 February 2012

Splunk is a flexible data aggregation system. In layman's terms, Splunk is a system that combs through log files (and anything else containing structured information that you want to throw at it) and presents the results in a summarized format. It is really a pretty neat thing. See the Splunk website.

Splunk 4.3

We are currently in the process of reconfiguring our (now not completely working) former Splunk setup with version 4.3. This configuration will utilize the new Universal Forwarders which are more lightweight and have a smaller overall footprint than the older light forwarder configuration.

Our current setup involves one primary receiver/indexer running on Pumpkin, with each system we wish to index running a universal forwarder. The forwarder has no web interface and simply forwards log data to the main Splunk indexer to be indexed there.

Accessing Splunk

The Splunk web interface is available on port 8000 on Pumpkin. This port is not open on the firewall, so an ssh port forward should be used to access it. To do so, use the following command:

ssh -L 8000:localhost:8000 username@pumpkin

Then direct your browser to https://localhost:8000


Installing Splunk

Setting up Splunk differs depending on whether you're reinstalling the main indexer or setting up a forwarder on a new system. Here are some general install notes.

When installing splunk you will need to download the appropriate tarball from the Splunk website. This should be unpacked in a reasonably consistent place across systems. If the system has a /data volume, unpack it in /data/splunk and then create a symlink to that folder in /opt/splunk. If no /data volume exists, just install it into /opt/splunk.

The main indexer on Pumpkin is installed in /data1/splunk/splunk-4.3, and older versions of splunk still exist from previous installs. Those will stay there until I'm fairly certain they're not needed anymore, and then they will be cleaned up.

Configuring Splunk

On Pumpkin

$SPLUNK_HOME refers to the location that the splunk tarball was unpacked to.

Setting up the main splunk indexer was completed as follows:

  1. Download and unpack the tarball to $SPLUNK_HOME
  2. Accept the license and set the init script to run at boot:
     $SPLUNK_HOME/bin/splunk enable boot-start --accept-license
  3. Start Splunk:
     $SPLUNK_HOME/bin/splunk start
  4. Log in to the web interface. You will be prompted to set the admin password. Set it to the typical admin password minus the host portion.
  5. Navigate to Manager >> System Settings >> General Settings and make sure that HTTPS is enabled.
  6. Navigate to Manager >> Licensing and change the license type from "Trial" to "Free".
  7. Navigate to Manager >> Forwarding and Receiving and click "configure receiving".
  8. Add a new receiver and set a port to listen on. Pumpkin is currently configured to listen on port 8099.
  9. In Manager >> Data Inputs, add the folder /var/log/ so that Pumpkin's own logs are indexed.

This should get a simple main indexer with search functionality up and working. Forwarders can now start sending log data to the main index.

Adding Forwarders

The process for installing a universal forwarder is pretty simple. Forwarders don't have a web interface, so use the following commands:

  1. Download the tarball and unpack it in $SPLUNK_HOME
  2. Accept the license and set the init script to run at boot:
     $SPLUNK_HOME/bin/splunk enable boot-start --accept-license
  3. Start Splunk:
     $SPLUNK_HOME/bin/splunk start
  4. Set the admin password. You will be prompted for the default credentials, which are admin:changeme:
     $SPLUNK_HOME/bin/splunk edit user admin -password <newpassword>
  5. Add the server to forward to:
     $SPLUNK_HOME/bin/splunk add forward-server pumpkin.farm.physics.unh.edu:8099
  6. Add log files to monitor:
     $SPLUNK_HOME/bin/splunk add monitor /var/log


The new forwarder will immediately begin sending data from /var/log to the main indexer. If there is a lot of old log data in /var/log, you need to watch to make sure that this initial sync does not push the daily indexing volume over the 500 MB limit. You can see the current amount indexed on the Licensing page of the indexer's web interface.

If you find that importing a new system is pushing the daily index amount too close to the maximum, just shut the forwarder off. You can start it up the next day and gradually pull in all of the log data until it catches up. At that point it should only send new log data, which isn't a very large amount under normal circumstances.
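The forwarder steps above, together with a check against the 500 MB/day limit before /var/log is added as a monitor, as an added script (not from the wiki). It assumes the receiver named on the page and that the tarball is already unpacked in the directory install_dir picks; the prefix argument and the "run" guard exist only so the functions can be exercised on a scratch tree.

```shell
#!/bin/sh
# Added example, not from the wiki: bootstrap a universal forwarder following
# the steps above, checking the 500 MB/day free-licence limit before /var/log
# is added as a monitor. Assumes the receiver named on the page and that the
# tarball is already unpacked in the directory install_dir picks.
set -eu

RECEIVER="pumpkin.farm.physics.unh.edu:8099"   # receiver named on the wiki
LIMIT_MB=500                                    # free-licence daily volume

# Wiki convention: /data/splunk (symlinked from /opt/splunk) when a /data
# volume exists, otherwise /opt/splunk. The optional prefix lets the function
# be exercised against a scratch tree instead of the live filesystem.
install_dir() {
    root="${1:-}"
    if [ -d "$root/data" ]; then
        mkdir -p "$root/data/splunk" "$root/opt"
        [ -e "$root/opt/splunk" ] || ln -s "$root/data/splunk" "$root/opt/splunk"
        printf '%s\n' "$root/data/splunk"
    else
        mkdir -p "$root/opt/splunk"
        printf '%s\n' "$root/opt/splunk"
    fi
}

# Megabytes on disk under a directory: roughly what the first sync of an
# existing /var/log would push through the indexer's daily quota.
backlog_mb() {
    du -sk "$1" 2>/dev/null | awk '{ mb = $1 / 1024 } END { printf "%d\n", mb }'
}

# The wiki's forwarder steps. The admin password is read from the terminal
# rather than typed on the command line so it is not left in shell history;
# splunk still prompts for the default admin:changeme credentials.
bootstrap_forwarder() {
    splunk="$1/bin/splunk"
    mb=$(backlog_mb /var/log)
    if [ "$mb" -ge "$LIMIT_MB" ]; then
        echo "/var/log holds ${mb} MB; a first sync would exceed ${LIMIT_MB} MB/day." >&2
        echo "Bring the old logs in over several days instead." >&2
        return 1
    fi
    "$splunk" enable boot-start --accept-license
    "$splunk" start
    stty -echo; printf 'New admin password: '; read -r pw; stty echo; echo
    "$splunk" edit user admin -password "$pw"
    "$splunk" add forward-server "$RECEIVER"
    "$splunk" add monitor /var/log
}

# Only act when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "run" ]; then
    bootstrap_forwarder "$(install_dir)"
fi
```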

Documentation

These links are useful references when setting up Splunk.

Download Splunk

Download Universal Forwarder

Install on Linux

Deploy *nix Universal Forwarder

Change Admin pw from command line

Add files to monitor from command line

Old (Pre-2012) Splunk Configuration

We are now (December 2009) running the free 4.0.7 on our systems: Pumpkin, Taro, Gourd, Endeavour, Einstein, Tomato, Improv. If it is not running on one of these systems, it should be. Splunk is no longer as resource hungry as before. On systems where Splunk is starting to use too many resources we can reconfigure the Splunk layer as a lightweight forwarder. Currently Pumpkin is set up as a receiver and Endeavour as a duplicate receiver.

Our setup:

  • Splunk runs on servers, with Pumpkin the master (receiver) node.
  • On Pumpkin, it is installed in /data1/splunk, with a link to /opt/splunk. This should be fairly consistent among systems.
  • Pumpkin mounts the /var/log directories from Roentgen so that it can be accessed by splunk for aggregation, without the need to run a splunk copy on roentgen (which is virtual).
  • Splunk runs on Endeavour as a full server; on Einstein, Taro, Pepper, Gourd, Tomato and Improv it depends, it may run as a forwarding server.
  • The free version of splunk does not allow for login. We restrict access to the splunk console in iptables. Use an ssh tunnel to access the splunk web portal.
  • This can be extended to do many different tasks!
  • The new >4 versions of Splunk come with applications. We run the *Nix application, which does a nice job of giving a sense of what is happening on Unix-like systems.

Connecting to Splunk

Pumpkin blocks all port 80 and port 8000 connections in iptables, so it's not possible to access the Splunk interface by simply opening a web browser and going to the appropriate port. This is a security measure, so it is not going to change. There is a fairly simple workaround: open an ssh tunnel:

  1. ssh -L8001:localhost:8000 pumpkin. It doesn't have to be 8001, just some non-privileged port that is available on your machine.
  2. Open a web browser with good Javascript support and Flash 10 or later, and go to localhost:8001 (or whatever port you chose). On Linux and OS X only Firefox is compatible. On Windows IE is compatible as well (but you won't care, right?)

Sophisticated stuff for Splunk

You can use the admin button on the Splunk web interface to do administration, add a user account (licensed version only), and add new input streams. This is pretty simple. More sophisticated use is documented at Splunk.com: go to documentation and click on the version used.


OLD Config things from version 3

These may or may not work anymore, but are saved here for documentation history.

Filtering the input files

See Splunk File whitelist/blacklist.

We usually just let splunk loose on an entire directory (/var/log) of several machines (einstein, roentgen, pumpkin...). There are files splunk will skip automatically (mostly binaries). Others can be filtered out by editing /opt/splunk/etc/bundles/local/inputs.conf and adding a line like:

_blacklist = audit\.log|\.[12345]  # Ignore the audit files, which you should read with aureport anyhow.

You can see which input files will be splunked with:

. /opt/splunk/bin/setSplunkEnv
/opt/splunk/bin/listtails

Splunk getting sysinfo from other nodes

This is discontinued. Too many ssh connections cause lots of entries in log files, which is no good since it obfuscates what happens, and ssh is important!

To get sysinfo (cpu load, users logged in, memory usage) from other nodes, without running splunk everywhere and without creating huge log files with this info everywhere, I made a "pipe" for splunk. This is a script that runs on splunk in $SPLUNKHOME/etc/bundles/sysinfo that will ssh over to each monitored node and execute the command /root/splunk_ssh_info_pipe.

To make this whole thing secure, I did the following:

  • Modify the /root/.ssh/authorized_keys to have an entry that will only execute one command when jalapeno tries to connect to the node (pepper, taro,...) with a passwordless ssh connection. This command is our pipe script:
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,from="jalapeno.farm.physics.unh.edu",command="/root/splunk_ssh_info_pipe" ssh-rsa verylongsshkeyishere root@jalapeno.unh.edu
  • This will only work if root is allowed to connect like this, so I modified /etc/security/access.conf to allow a root login from jalapeno.
  • The script when run on the node creates output that is then parsed by splunk.

This is fairly secure. I could have created a user "splunk" for all machines and set it up so that that user can only execute one command. Perhaps I'll switch to that at some point.
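An added check (not from the wiki) that audits an authorized_keys file for entries lacking the restrictions the forced-command key above relies on, so a passwordless root key cannot be turned into a general login. The sample file is constructed here and the key material is a placeholder.

```shell
#!/bin/sh
# Added example, not from the wiki: audit an authorized_keys file for entries
# that lack the restrictions the forced-command key above relies on, so that a
# passwordless root key cannot be used as a general login. The sample file is
# constructed here and the key material is a placeholder.
set -eu

# Options each key must carry; the from= host and the forced command= are the
# ones that actually confine the key, the rest close off side channels.
REQUIRED='from=" command=" no-pty no-port-forwarding no-agent-forwarding no-X11-forwarding'

# Prints "<line>: missing <option>" for every gap found, then the number of
# offending keys as the last line. Comments and blank lines are skipped.
audit_authorized_keys() {
    file="$1"; n=0; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        ok=1
        for opt in $REQUIRED; do
            case "$line" in *"$opt"*) ;; *) echo "$n: missing $opt"; ok=0 ;; esac
        done
        [ "$ok" -eq 1 ] || bad=$((bad + 1))
    done < "$file"
    echo "$bad"
}

# Just the count, for use in scripts.
unrestricted_key_count() {
    audit_authorized_keys "$1" | tail -n 1
}

# Constructed sample: the first key is restricted the way the wiki describes,
# the second is a bare root key with no restrictions at all.
SAMPLE_KEYS='# constructed sample authorized_keys
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,from="jalapeno.farm.physics.unh.edu",command="/root/splunk_ssh_info_pipe" ssh-rsa PLACEHOLDERKEY root@jalapeno.unh.edu
ssh-rsa PLACEHOLDERKEY2 root@jalapeno.unh.edu'

sample=$(mktemp)
printf '%s\n' "$SAMPLE_KEYS" > "$sample"
audit_authorized_keys "$sample"   # lists the gaps on line 3, then prints 1
rm -f "$sample"
```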

Getting Splunk to run on a new node

Install splunk by untarring the install tar file, currently located at /net/data/pumpkin1/splunk.
The standard location is /opt; move the resulting /opt/splunk to /opt/splunk-<version> and make a soft link to splunk.
Now start up the system:

 /opt/splunk/bin/splunk start --accept-license

Next, start up "firefox localhost:8000" or tunnel to the splunk web server.
Then go to the admin tab:

  1. (Optional) Turn on SSL.
  2. Set up the logs to watch: data input -> files & directories -> New Input. Then add /var/log.
  3. Set up forwarding to pumpkin.farm.physics.unh.edu port 8089. Do not store local data (usually).
  4. Run bin/splunk disable webserver (or set "startwebserver=0" in splunk/etc/system/local/web.conf) to turn off the local web server.
  5. Restart the server: bin/splunk restart
  6. Make splunk start automatically: bin/splunk enable boot-start

Wow, you're done!

LAYOUT

Current setup:

  • Pumpkin is the master collector.
  • Endeavour stores local and sends to Pumpkin.
  • Einstein sends to Pumpkin AND Endeavour, no local store.
  • Taro sends to Pumpkin, no local store.
  • Improv sends to Pumpkin, no local store.
  • Pepper sends to Pumpkin, no local store.
  • Roentgen is sucked directly out of /var/log through a mount on Pumpkin.