Splunk deployment server

Preparing the Splunk deployment server

In our scenario we deploy a configuration that monitors two files:

  • /var/log/auth.log
  • /var/log/messages

For security reasons, the management port of the forwarder agent will be disabled.

To keep a clean separation, we define one folder per scope:

  $SPLUNK_HOME/etc/deployment-apps/
    inputs_linux_message/
    inputs_linux_auth/
    disable_management_port/
    outputs/

The configuration, app by app:

inputs_linux_message/local/inputs.conf

[monitor:///var/log]
index = unix
whitelist=(messages)
disabled = 0

inputs_linux_auth/local/inputs.conf

[monitor:///var/log]
index = unix
whitelist=(auth.log)
disabled = 0
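A point worth checking before relying on the two inputs above: `whitelist` (and `blacklist`) in a monitor stanza is a regular expression matched anywhere in the full path of each file found under the monitored directory, so an unanchored value such as `(messages)` also selects rotated copies like `messages.1`. The script below is an added example, not part of the original post, and models that matching with a constructed list of `/var/log` entries and `grep -E`; the function names are mine. Both apps also declare the same stanza name `[monitor:///var/log]`, and Splunk merges same-named stanzas across apps keeping a single value per attribute, so the merged result on the forwarder should be inspected with `/opt/splunkforwarder/bin/splunk btool inputs list --debug` before assuming both files are collected.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): model how a [monitor://] whitelist
# and blacklist are applied. Splunk matches both as regexes against the full
# path of each file under the monitored directory; the match is unanchored, and
# the blacklist wins over the whitelist. The file list below is constructed.

# Constructed sample of what /var/log may contain on a Debian host.
sample_var_log() {
  cat <<'EOF'
/var/log/auth.log
/var/log/auth.log.1
/var/log/messages
/var/log/messages.1
/var/log/messages-20240101
/var/log/syslog
/var/log/kern.log
EOF
}

# monitored_files WHITELIST [BLACKLIST]: read paths on stdin and print those
# that pass the whitelist and are not caught by the blacklist.
monitored_files() {
  local whitelist="$1" blacklist="${2:-}"
  local line
  while IFS= read -r line; do
    if ! printf '%s\n' "$line" | grep -Eq -- "$whitelist"; then
      continue
    fi
    if [ -n "$blacklist" ] && printf '%s\n' "$line" | grep -Eq -- "$blacklist"; then
      continue
    fi
    printf '%s\n' "$line"
  done
}

# The whitelist exactly as written in inputs_linux_message: also picks up
# rotated copies of the file.
match_unanchored() { sample_var_log | monitored_files '(messages)'; }

# Anchoring the regex to the end of the path keeps only the live file.
match_anchored() { sample_var_log | monitored_files 'messages$'; }

# Same whitelist, with a blacklist that drops numbered and dated rotations.
match_with_blacklist() {
  sample_var_log | monitored_files '(messages)' '\.[0-9]+$|-[0-9]{8}$'
}

# usage: match_unanchored; match_anchored; match_with_blacklist
```

Running the three wrappers side by side shows which of the constructed paths each variant would hand to the forwarder; the anchored form or an explicit blacklist is what keeps rotated files out of the `unix` index.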

The app.conf file is generic and shared by all the apps.

app.conf

[launcher]
author=redteams.fr
description=Just a test
version=0.1

[triggers]
########## Conf-level reload triggers ##########
# Do not force a restart of Splunk Enterprise for state changes of MyApp
# Do not run special code to tell MyApp to reload myconffile.conf
# Apps with custom config files usually pick this option:
reload.myconffile = simple

# Do not force a restart of Splunk Enterprise for state changes of MyApp.
# Splunk Enterprise calls the /admin/myendpoint/_reload method in my custom
# EAI handler.
# Use this advanced option only if MyApp requires custom code to reload
# its configuration when its state changes
reload.myotherconffile = access_endpoints /admin/myendpoint

########## Stanza-level reload triggers ##########
# For any changed inputs.conf stanzas in the newly pushed cluster
# bundle that start with the "monitor" stanza prefix, e.g.
# [monitor://*], invoke the corresponding monitor input reload handler 
# as specified, i.e. /data/inputs/monitor/_reload
#
# NOTE: The scripted input reload handler and the http input reload
# will NOT be invoked if the only changed inputs stanzas in the
# newly pushed cluster bundle are monitor inputs.
reload.inputs.monitor = access_endpoints /data/inputs/monitor
reload.inputs.script  = access_endpoints /data/inputs/script
reload.inputs.http    = access_endpoints /data/inputs/http

disable_management_port/local/server.conf

[httpServer]
disableDefaultPort = true

outputs/local/outputs.conf

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 192.168.6.5:9997

[tcpout-server://192.168.6.5:9997]

The change is picked up immediately by the Splunk instance.

Installing the forwarder on the client host

wget -O splunkforwarder-8.1.3-63079c59e632-linux-2.6-amd64.deb 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=8.1.3&product=universalforwarder&filename=splunkforwarder-8.1.3-63079c59e632-linux-2.6-amd64.deb&wget=true'

dpkg -i splunkforwarder-8.1.3-63079c59e632-linux-2.6-amd64.deb

For a Windows environment

wget -O splunkforwarder-8.1.3-63079c59e632-x64-release.msi 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=windows&version=8.1.3&product=universalforwarder&filename=splunkforwarder-8.1.3-63079c59e632-x64-release.msi&wget=true'

Allowing the agent to read the logs

apt-get install acl -y
setfacl -m g:splunk:r /var/log/messages
setfacl -m g:splunk:r /var/log/auth.log

Define a minimal configuration so that the agent fetches its configuration from the deployment server.

/opt/splunkforwarder/etc/system/local/deploymentclient.conf

[deployment-client]

[target-broker:deploymentServer]
targetUri=192.168.6.5:8089

Start the agent

/opt/splunkforwarder/bin/splunk start
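The client-side steps above (download, package install, ACLs, deploymentclient.conf, start) collected into one script, as an added example rather than the post's own procedure. It keeps the post's values (the 8.1.3 package, `/opt/splunkforwarder`, the `splunk` group, `192.168.6.5:8089`) and adds a check after each step; the function names, the `targetUri` validation and the `ss`-based port check are my additions, and `DEPLOY_SERVER` and `SPLUNK_HOME` can be overridden from the environment.

```shell
#!/usr/bin/env bash
# Added example (not part of the original post): the client bootstrap with a
# verification after each step. Assumptions: the forwarder lives under
# /opt/splunkforwarder, the .deb creates the "splunk" group, and the deployment
# server is 192.168.6.5:8089 as in the post.
set -u

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"
DEPLOY_SERVER="${DEPLOY_SERVER:-192.168.6.5:8089}"
FWD_DEB="splunkforwarder-8.1.3-63079c59e632-linux-2.6-amd64.deb"
FWD_URL="https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=8.1.3&product=universalforwarder&filename=${FWD_DEB}&wget=true"

# valid_target_uri HOST:PORT -> 0 if the value has the host:port shape that
# deploymentclient.conf expects, 1 otherwise.
valid_target_uri() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9.-]+:[0-9]{1,5}$'
}

# render_deploymentclient_conf HOST:PORT -> the minimal deploymentclient.conf
# from the post, printed to stdout so it can be reviewed before being written.
render_deploymentclient_conf() {
  valid_target_uri "$1" || { echo "bad targetUri: $1" >&2; return 1; }
  printf '[deployment-client]\n\n[target-broker:deploymentServer]\ntargetUri=%s\n' "$1"
}

# grant_log_read_acl FILE... -> read ACL for group splunk on each file,
# verified afterwards with getfacl.
grant_log_read_acl() {
  for f in "$@"; do
    setfacl -m g:splunk:r "$f" || return 1
    getfacl "$f" 2>/dev/null | grep -q '^group:splunk:r--' \
      || { echo "ACL missing on $f" >&2; return 1; }
  done
}

# mgmt_port_closed PORT -> 0 when nothing listens on PORT, the expected state
# once disable_management_port has been deployed and the forwarder restarted.
mgmt_port_closed() {
  ! ss -ltn 2>/dev/null | awk '{print $4}' | grep -Eq ":$1\$"
}

# bootstrap_forwarder: the whole procedure, to be run as root on the client.
bootstrap_forwarder() {
  wget -O "$FWD_DEB" "$FWD_URL" && dpkg -i "$FWD_DEB" || return 1
  apt-get install -y acl || return 1
  grant_log_read_acl /var/log/messages /var/log/auth.log || return 1
  render_deploymentclient_conf "$DEPLOY_SERVER" \
    > "$SPLUNK_HOME/etc/system/local/deploymentclient.conf" || return 1
  "$SPLUNK_HOME/bin/splunk" start --accept-license --answer-yes --no-prompt
}
# usage (as root): bootstrap_forwarder; later: mgmt_port_closed 8089
```

After the deployment server has pushed `disable_management_port` and the forwarder has restarted, `mgmt_port_closed 8089` is the quick way to confirm that the forwarder no longer listens on its management port.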

Configuring the server class and assigning the client

The client appears in the console.

In the console, three steps complete the setup:

  • create a new server class
  • assign the apps to it
  • assign the client to it
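The three console steps end up in `$SPLUNK_HOME/etc/system/local/serverclass.conf` on the deployment server. The fragment below is an added example of the equivalent file written by hand, not the post's own configuration; the class name `linux_log_clients` and the client name pattern `linux-*` are assumptions, the four app names are the folders defined above.

```ini
# Added example, not the post's own file: serverclass.conf on the deployment
# server, the file-based equivalent of the console steps. The class name and
# the client name pattern are assumptions.
[serverClass:linux_log_clients]
# Clients are matched by name (hostname or clientName), glob syntax.
whitelist.0 = linux-*

# One stanza per app to push. restartSplunkd = true makes the forwarder restart
# after a push, which the server.conf change (disableDefaultPort) needs.
[serverClass:linux_log_clients:app:inputs_linux_auth]
restartSplunkd = true

[serverClass:linux_log_clients:app:inputs_linux_message]
restartSplunkd = true

[serverClass:linux_log_clients:app:outputs]
restartSplunkd = true

[serverClass:linux_log_clients:app:disable_management_port]
restartSplunkd = true
```

After editing the file, `splunk reload deploy-server` on the deployment server makes it re-read the classes. Disabling the forwarder's management port does not break the phone-home, since the deployment client only opens outbound connections to port 8089 on the server; it does stop CLI commands that go through the forwarder's own REST port, while `splunk btool` keeps working because it reads the conf files directly.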