Splunk deployment server

Preparing the Splunk deployment server
In this scenario we deploy a configuration that monitors two files:
- /var/log/auth.log
- /var/log/messages
For security reasons, the management port of the forwarder agent will be disabled.
To keep the split clean, one folder is defined per scope:

Breakdown of the configuration:
inputs_linux_message/local/inputs.conf
[monitor:///var/log]
index = unix
whitelist=(messages)
disabled = 0
inputs_linux_auth/local/inputs.conf
[monitor:///var/log]
index = unix
whitelist=(auth.log)
disabled = 0
The app.conf file is generic and shared by all apps.
app.conf
[launcher]
author=redteams.fr
description=Just a test
version=0.1
[triggers]
########## Conf-level reload triggers ##########
# Do not force a restart of Splunk Enterprise for state changes of MyApp
# Do not run special code to tell MyApp to reload myconffile.conf
# Apps with custom config files usually pick this option:
reload.myconffile = simple
# Do not force a restart of Splunk Enterprise for state changes of MyApp.
# Splunk Enterprise calls the /admin/myendpoint/_reload method in my custom
# EAI handler.
# Use this advanced option only if MyApp requires custom code to reload
# its configuration when its state changes
reload.myotherconffile = access_endpoints /admin/myendpoint
########## Stanza-level reload triggers ##########
# For any changed inputs.conf stanzas in the newly pushed cluster
# bundle that start with the "monitor" stanza prefix, e.g.
# [monitor://*], invoke the corresponding monitor input reload handler
# as specified, i.e. /data/inputs/monitor/_reload
#
# NOTE: The scripted input reload handler and the http input reload
# will NOT be invoked if the only changed inputs stanzas in the
# newly pushed cluster bundle are monitor inputs.
reload.inputs.monitor = access_endpoints /data/inputs/monitor
reload.inputs.script = access_endpoints /data/inputs/script
reload.inputs.http = access_endpoints /data/inputs/http
disable_management_port/local/server.conf
[httpServer]
disableDefaultPort = true
outputs/local/outputs.conf
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 192.168.6.5:9997
[tcpout-server://192.168.6.5:9997]
The change is picked up immediately by the Splunk instance.
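As an added example (not part of the original post, nor a Splunk tool), the following Python script parses the .conf files of a deployment-apps tree laid out like the one above and flags apps that monitor a directory without a whitelist or an index, or that leave the management port enabled. The sample tree it builds is constructed from two of this page's apps plus a deliberately weak one; the audit rules are this example's own assumptions.

```python
import configparser
import tempfile
from pathlib import Path

def load_conf(path: Path) -> configparser.ConfigParser:
    # Splunk .conf files are INI-like, but stanza names such as [monitor:///var/log]
    # contain ':' and '/' and keys are case-sensitive, so tune configparser accordingly.
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read(path, encoding="utf-8")
    return cp

def audit_apps(root: Path) -> list:
    """Return one finding per weak setting under root; an empty list means all checks pass."""
    findings = []
    for app in sorted(p for p in root.iterdir() if p.is_dir()):
        inputs, server = app / "local" / "inputs.conf", app / "local" / "server.conf"
        if inputs.exists():
            cp = load_conf(inputs)
            for stanza in (s for s in cp.sections() if s.startswith("monitor://")):
                if "index" not in cp[stanza]:
                    findings.append(f"{app.name}: [{stanza}] sets no index")
                if "whitelist" not in cp[stanza]:  # bare directory monitor = every file
                    findings.append(f"{app.name}: [{stanza}] has no whitelist")
        if server.exists():
            cp = load_conf(server)
            if cp.get("httpServer", "disableDefaultPort", fallback="false").lower() != "true":
                findings.append(f"{app.name}: management port is not disabled")
    return findings

# Constructed sample: two apps copied from this page plus one deliberately weak one.
SAMPLE_TREE = {
    "inputs_linux_auth/local/inputs.conf":
        "[monitor:///var/log]\nindex = unix\nwhitelist=(auth.log)\ndisabled = 0\n",
    "disable_management_port/local/server.conf": "[httpServer]\ndisableDefaultPort = true\n",
    "weak_app/local/inputs.conf": "[monitor:///var/log]\ndisabled = 0\n",
    "weak_app/local/server.conf": "[httpServer]\ndisableDefaultPort = false\n",
}

def build_sample_tree() -> Path:
    """Write SAMPLE_TREE into a fresh temporary deployment-apps directory."""
    root = Path(tempfile.mkdtemp(prefix="deployment-apps-"))
    for rel, content in SAMPLE_TREE.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(content)
    return root

if __name__ == "__main__":
    for finding in audit_apps(build_sample_tree()):
        print(finding)
```

Point audit_apps at $SPLUNK_HOME/etc/deployment-apps on a real deployment server to run the same checks before an app is pushed.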

Installing the forwarder on the client host
wget -O splunkforwarder-8.1.3-63079c59e632-linux-2.6-amd64.deb 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=8.1.3&product=universalforwarder&filename=splunkforwarder-8.1.3-63079c59e632-linux-2.6-amd64.deb&wget=true'
dpkg -i splunkforwarder-8.1.3-63079c59e632-linux-2.6-amd64.deb
For the Windows environment
wget -O splunkforwarder-8.1.3-63079c59e632-x64-release.msi 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=windows&version=8.1.3&product=universalforwarder&filename=splunkforwarder-8.1.3-63079c59e632-x64-release.msi&wget=true'
Allowing the agent to read the logs
apt-get install acl -y
setfacl -m g:splunk:r /var/log/messages
setfacl -m g:splunk:r /var/log/auth.log
Define a minimal configuration so that the agent fetches its configuration from the deployment server.
/opt/splunkforwarder/etc/system/local/deploymentclient.conf
[deployment-client]
[target-broker:deploymentServer]
targetUri=192.168.6.5:8089
Start the agent
/opt/splunkforwarder/bin/splunk start
Configuring the server class and assigning the client
The client now shows up in the console.

Creating a new server class

