Teacher: joanna@splunk.com

My Intro:
  I'm Orien (sounds like the constellation Orion), just started as a Splunk
  Engineer at Defense Point Security. I've finished a couple of Splunk classes
  over the last month, nothing practical yet, Linux for 20+ years. Dogs.

Goals:
  Manage and deploy forwarders with management (Modules 4 & 5, critically important)
  Configure common Splunk data inputs
  Customize the input parsing process
  - Not covering creating Splunk indexes

Schedule: 1-4 today, 4-7 tomorrow, 8-12 Friday

Module 1: Introduction
  Input > Parsing > Indexing > Searching
  Primary components: Forwarder, Indexer, Search Head
  Additional: Heavy Forwarder, Deployment Server

  Splunk Data Administrator role
    data onboarding and management
    work with users requesting new data, define events and fields for ingest
    prioritize requests
    document everything
    design and manage inputs for UF/HF to capture data
    manage parsing, line breaking, timestamp extraction
    move from testing to production

Lab 1:
  Path: /opt/splunk

Module 2: Getting Data In - Staging
  Input phase - broad strokes only
    most configuration in inputs.conf
    some configuration occurs in props.conf
  Parsing phase - fine-tuned tweaks
    most configuration in props.conf
    also uses transforms.conf
  _thefishbucket holds file-monitoring audit information (the CRC and seek pointer for each monitored file, so a restart resumes where it left off)
  custom indexes control access, improve performance, and control retention time for each index individually
  Index-time precedence: system/local wins, then every app's local/ directory, then every app's default/ directory, then system/default;
    within the app tiers the apps are processed in ASCII sort order (digits before uppercase before lowercase), so app "A" beats app "a"
  splunk btool <conf-name> list <options>
    options: --debug --user=<user> --app=<app>
    example: splunk btool inputs list monitor:///var/log/secure.log --debug
      --debug shows which config file contributed each setting after the layers are merged
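Added example, not code from the course or from Splunk: a small emulator of the index-time precedence described above, applied to the inputs.conf monitor stanza from the btool example. The etc/ tree, the app names alpha_app and Zeta_app, and the host web01 are all constructed for the example; it models only explicit stanza settings (no [default] stanza inheritance, no user context) and prints the merged stanza in the same shape as `btool --debug`, so you can see why Zeta_app/default beats alpha_app/default (ASCII order) while any local/ file beats both.

```python
"""Resolve a Splunk setting the way index-time (global-context) precedence does,
and report where each value came from, as `splunk btool <conf> list --debug` would.

Constructed example: the etc/ tree below is embedded as strings (hypothetical
app names alpha_app / Zeta_app, hypothetical host web01), so it runs offline.
"""
import configparser
from pathlib import PurePosixPath

# Constructed etc/ tree, paths relative to $SPLUNK_HOME/etc. Not real Splunk files.
ETC = {
    "system/default/inputs.conf": """
[monitor:///var/log/secure.log]
index = default
""",
    "apps/alpha_app/default/inputs.conf": """
[monitor:///var/log/secure.log]
sourcetype = linux_secure
index = os
disabled = 1
""",
    "apps/alpha_app/local/inputs.conf": """
[monitor:///var/log/secure.log]
disabled = 0
""",
    "apps/Zeta_app/default/inputs.conf": """
[monitor:///var/log/secure.log]
index = security
""",
    "system/local/inputs.conf": """
[monitor:///var/log/secure.log]
host = web01
""",
}


def layer_rank(path):
    """Precedence key for a conf file path (smaller sorts first and wins).

    Global context, per the Splunk precedence docs:
      0. system/local
      1. apps/<app>/local, apps in ASCII order
      2. apps/<app>/default, apps in ASCII order
      3. system/default
    Python's default str ordering is code-point order, which is the ASCII
    sort Splunk uses: digits < uppercase < lowercase, so "Zeta_app" beats
    "alpha_app" within the same tier.
    """
    parts = PurePosixPath(path).parts
    if parts[0] == "system":
        return (0, "") if parts[1] == "local" else (3, "")
    app, scope = parts[1], parts[2]
    return (1 if scope == "local" else 2, app)


def load_stanza(text, stanza):
    """Return {key: value} for `stanza` in one conf file's text ({} if absent)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    cp.read_string(text)
    return dict(cp.items(stanza)) if cp.has_section(stanza) else {}


def resolve(etc, conf_prefix, stanza):
    """Merge every <conf_prefix>.conf layer; return {key: (value, winning path)}."""
    suffix = f"/{conf_prefix}.conf"
    resolved = {}
    for path in sorted((p for p in etc if p.endswith(suffix)), key=layer_rank):
        for key, value in load_stanza(etc[path], stanza).items():
            # Walking from highest precedence down, so the first writer wins.
            resolved.setdefault(key, (value, path))
    return resolved


def btool_debug(etc, conf_prefix, stanza):
    """Render the merged stanza btool-style: '<file>  key = value' per line."""
    lines = [f"[{stanza}]"]
    for key, (value, path) in sorted(resolve(etc, conf_prefix, stanza).items()):
        lines.append(f"{path:<40} {key} = {value}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(btool_debug(ETC, "inputs", "monitor:///var/log/secure.log"))
```

Run it and compare with `splunk btool inputs list monitor:///var/log/secure.log --debug` on a real instance: the resolved `index` comes from Zeta_app/default even though alpha_app/default also sets it, and `disabled = 0` from alpha_app/local overrides the app's own default. When a forwarder sends data to the wrong index, this layer walk is the first thing to check.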

Module 3: Getting Data In - Production
  Universal Forwarder bandwidth limited to 256 KBps by default (maxKBps under [thruput] in limits.conf)
  UF only forwards to Splunk instances, and only to one indexer at a time (it rotates through its load-balanced list)
  HF can forward to other products, and to more than one destination at a time
  HF can be used as an intermediate forwarder in multi-tier forwarding setups.
  HF no longer best practice

Module 4: Deployment Server
  Server classes have one or more apps
  A server has one or more classes
  so a server gets apps via the classes it belongs to
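Added example, not code from the course or from Splunk: a resolver that reads a serverclass.conf and works out, for a given deployment client, which classes it falls into and therefore which apps it receives. The serverclass.conf text, the class and app names (linux_web, all_linux, windows_dc, secure_log_inputs, uf_outputs, win_event_inputs) and the three clients are constructed for the example. Matching is simplified to shell-style globs via fnmatch against the client's name, hostname and IP, with blacklist beating whitelist and machineTypesFilter as an extra gate; that stands in for the deployment server's own pattern rules, which are broader.

```python
"""Work out which apps a deployment client receives from serverclass.conf.

Constructed example: the serverclass.conf text, class names, app names and
clients below are hypothetical, so the script runs offline.
"""
import configparser
from fnmatch import fnmatchcase

# Constructed serverclass.conf (hypothetical classes and apps).
SERVERCLASS_CONF = """
[serverClass:linux_web]
whitelist.0 = web-*
blacklist.0 = web-dev-*
machineTypesFilter = linux-x86_64

[serverClass:linux_web:app:secure_log_inputs]
restartSplunkd = true

[serverClass:all_linux]
whitelist.0 = *
machineTypesFilter = linux-x86_64, linux-i686

[serverClass:all_linux:app:uf_outputs]

[serverClass:windows_dc]
whitelist.0 = dc*
machineTypesFilter = windows-x64

[serverClass:windows_dc:app:win_event_inputs]
"""

# Constructed clients: the names a deployment server would compare against
# (client name, hostname, IP) and the machine type each client reports.
WEB01 = {"names": ["web-01", "web-01.example.internal", "10.0.0.11"], "machineType": "linux-x86_64"}
WEBDEV03 = {"names": ["web-dev-03", "10.0.9.3"], "machineType": "linux-x86_64"}
DC01 = {"names": ["dc01", "10.0.1.5"], "machineType": "windows-x64"}


def parse_serverclass(text):
    """Return {class name: {whitelist, blacklist, machineTypes, apps}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep Splunk's case-sensitive keys as written
    cp.read_string(text)
    classes = {}
    for section in cp.sections():
        parts = section.split(":")
        if parts[0] != "serverClass":
            continue
        cls = classes.setdefault(
            parts[1], {"whitelist": [], "blacklist": [], "machineTypes": None, "apps": []}
        )
        if len(parts) == 4 and parts[2] == "app":
            cls["apps"].append(parts[3])  # [serverClass:<class>:app:<app>]
            continue
        for key, value in cp.items(section):
            if key.startswith("whitelist."):
                cls["whitelist"].append(value)
            elif key.startswith("blacklist."):
                cls["blacklist"].append(value)
            elif key == "machineTypesFilter":
                cls["machineTypes"] = [t.strip() for t in value.split(",")]
    return classes


def client_matches(cls, client):
    """Blacklist beats whitelist; machineTypesFilter, if set, must also match."""
    names = client["names"]
    if any(fnmatchcase(n, pat) for pat in cls["blacklist"] for n in names):
        return False
    if cls["machineTypes"] and client["machineType"] not in cls["machineTypes"]:
        return False
    return any(fnmatchcase(n, pat) for pat in cls["whitelist"] for n in names)


def apps_for_client(classes, client):
    """Union of the apps of every class the client belongs to, sorted."""
    apps = set()
    for cls in classes.values():
        if client_matches(cls, client):
            apps.update(cls["apps"])
    return sorted(apps)


if __name__ == "__main__":
    classes = parse_serverclass(SERVERCLASS_CONF)
    for label, client in (("web-01", WEB01), ("web-dev-03", WEBDEV03), ("dc01", DC01)):
        print(f"{label:<12} -> {apps_for_client(classes, client)}")
```

The point to take from the output is the second client: web-dev-03 matches the linux_web whitelist but is blacklisted, so it gets only uf_outputs from all_linux. A blacklist entry is the only way to keep a host out of a class it otherwise matches, and a too-broad `whitelist.0 = *` class is how production input apps end up on test boxes.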