Splunk Installation:
On a Google Cloud Windows 2016 VM
1. Change the Web management port from 8000 to 80
The default Splunk Enterprise HTTP/HTTPS port is 8000. You can change it to another port from the Splunk Web GUI.
To change the port from the settings:
- Log in to Splunk Web as an administrator.
- Click Settings in the top-right corner of the interface.
- Click the "Server settings" link in the "System" section.
- Click General settings.
- Change the value of the management port or the Web port, then click "Save".
You may also need to update the local firewall configuration for the new port. Here is an example of changing the firewall configuration of a Windows 2016 server to allow TCP port 80.
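The firewall change as a PowerShell script (an added example, not from the original post): it creates the inbound TCP/80 rule only if it does not already exist, restricts the rule to an assumed admin network (the placeholder range 203.0.113.0/24, replace it with your own), and then checks that splunkd is actually listening on the new port.

```powershell
# Added example: open TCP/80 for Splunk Web on Windows Server 2016 after moving
# httpport from 8000 to 80. Run from an elevated PowerShell session.
# Assumption: admin workstations live in 203.0.113.0/24 (placeholder, replace it).
$AdminNet = '203.0.113.0/24'
$RuleName = 'Splunk Web (TCP 80)'

# Create the rule only once so re-running the script does not pile up duplicates.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Protocol TCP -LocalPort 80 `
        -RemoteAddress $AdminNet `
        -Action Allow -Profile Domain,Private
}

# Show the port filter attached to the rule, and confirm something is listening on 80.
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallPortFilter
Get-NetTCPConnection -LocalPort 80 -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

This rule only covers the guest OS firewall; on Google Cloud the VPC firewall must also allow the port before the Web GUI is reachable from outside. The port itself is set in `$SPLUNK_HOME\etc\system\local\web.conf` under `[settings]` as `httpport = 80` when you change it outside the GUI.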
2. Fortinet FortiGate App for Splunk
YouTube video:
2.1 Devices
type="traffic" AND index="fortinet" | stats dc(devid)
2.2 Virtual Domains
type="traffic" AND index="fortinet" | eval "dev-vd" = devid . "-" . vd | stats dc("dev-vd")
2.3 Sessions
Original:
type="traffic" AND index="fortinet" | eval "dev-sess" = devid . "-" . session_id | stats dc("dev-sess")
Changed to:
type="traffic" AND index="fortinet" | eval "dev-sess" = devid . "-" . sessionid | stats dc("dev-sess")
type="traffic" AND index="fortinet" | stats dc(sessionid)
2.4 Sessions Over Time
index="fortigate" type="traffic" | timechart count by devname
2.5 Top 20 Applications
index="fortigate" type="traffic" | top limit=20 app
2.6 Threats
type="utm" AND index="fortinet" AND (risk=critical OR risk=high OR risk=medium OR risk=low) | timechart count by risk
2.7 Applications by Destination Country
index="fortigate" type="traffic" | iplocation dstip | geostats count by app
3. Custom Dashboards
3.1 Traffic Sessions by Destination IP
index="fortigate" srcip=* dstip=* type="traffic" action=* NOT dstip="255.255.255.255" | timechart count by dstip
3.2 Sessions by Action
index="fortigate" srcip=* dstip=* type="traffic" action=* | timechart count by action
3.3 UTM Statistics
(index="fortigate" OR index=main) type=utm | stats count by srcip, dstip, hostname, url, service, direction, app, risk | sort count
4. New Data Input – Syslog on UDP 514
5. Reset Splunk to Factory Defaults
5.1 Clear all event data (databases/indexes)
[email protected]:~$ sudo su
[email protected]:/home/johnyan_ca# /opt/splunk/bin/splunk stop
Stopping splunkd...
Shutting down. Please wait, as this may take a few minutes.
..
Stopping splunk helpers...
Done.
[email protected]:/home/johnyan_ca# /opt/splunk/bin/splunk clean eventdata
This action will permanently erase all events from ALL indexes; it cannot be undone.
Are you sure you want to continue [y/n]? y
Cleaning database _audit.
Cleaning database _internal.
Cleaning database _introspection.
Cleaning database _telemetry.
Cleaning database _thefishbucket.
Cleaning database fortinet.
Cleaning database history.
Cleaning database main.
Cleaning database summary.
Cleaning database unix_summary.
Cleaning database windows.
Disabled database 'splunklogger': will not clean.
5.2 Remove all installed apps
[email protected]:/home/johnyan_ca# cd /opt/splunk/etc/apps/
[email protected]:/opt/splunk/etc/apps# ls
SplunkAppForFortinet           alert_webhook                   learned          splunk_gdi
SplunkForwarder                appsbrowser                     legacy           splunk_httpinput
SplunkLightForwarder           eventid                         sample_app       splunk_instrumentation
Splunk_TA_fortinet_fortigate   framework                       search           splunk_monitoring_console
Splunk_TA_linux                gettingstarted                  sh_collectd      user-prefs
Splunk_TA_nix                  introspection_generator_addon   splunk_app_for_nix
alert_logevent                 launcher                        splunk_archiver
[email protected]:/opt/splunk/etc/apps# rm -rf SplunkAppForFortinet/
[email protected]:/opt/splunk/etc/apps# rm -rf Splunk_TA_fortinet_fortigate/
[email protected]:/opt/splunk/etc/apps# rm -rf Splunk_TA_linux/
[email protected]:/opt/splunk/etc/apps# rm -rf Splunk_TA_nix/
[email protected]:/opt/splunk/etc/apps# rm -rf eventid/
[email protected]:/opt/splunk/etc/apps# rm -rf splunk_app_for_nix/
If you only want to reset an app's configuration rather than remove it, delete its local configuration with the following command.
/opt/splunk/etc/apps# rm -rf eventid/local/*
The last step is to start Splunk again.
[email protected]:/opt/splunk/etc/apps# /opt/splunk/bin/splunk start

Splunk> Winning the War on Error

Checking prerequisites...
	Checking http port [80]: open
	Checking mgmt port [8089]: open
	Checking appserver port [127.0.0.1:8065]: open
	Checking kvstore port [8191]: open
	Checking configuration... Done.
	Checking critical directories...	Done
	Checking indexes...
		Validated: _audit _internal _introspection _telemetry _thefishbucket fortinet history main summary
	Done
	Checking filesystem compatibility...  Done
	Checking conf files for problems...
	Done
	Checking default conf files for edits...
	Validating installed files against hashes from '/opt/splunk/splunk-7.2.0-8c86330ac18-linux-2.6-x86_64-manifest'
	All installed files intact.
	Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
Done

Waiting for web server at http://127.0.0.1:80 to be available....... Done

If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com

The Splunk web interface is at http://ubuntu

[email protected]:/opt/splunk/etc/apps#
6. Delete Index Data
In the GUI, use this search:
index="fortinet" | delete
or
index="fortinet" AND sourcetype="fortigate 60D" | delete
From the command line:
[email protected]:~$ sudo su
[sudo] password for john:
[email protected]:/home/john# cd /opt/splunk/bin
[email protected]:/opt/splunk/bin# ./splunk stop
Stopping splunkd...
Shutting down. Please wait, as this may take a few minutes.
........
Stopping splunk helpers...
Done.
[email protected]:/opt/splunk/bin# ./splunk clean eventdata -index fortinet -f
Cleaning database fortinet.
[email protected]:/opt/splunk/bin# ./splunk start

Splunk> Be an IT superhero. Go home early.

Checking prerequisites...
	Checking http port [80]: open
	Checking mgmt port [8089]: open
	Checking appserver port [127.0.0.1:8065]: open
	Checking kvstore port [8191]: open
	Checking configuration... Done.
	Checking critical directories...	Done
	Checking indexes...
		Validated: _audit _internal _introspection _telemetry _thefishbucket fortinet history main summary
	Done
	Checking filesystem compatibility...  Done
	Checking conf files for problems...
	Done
	Checking default conf files for edits...
	Validating installed files against hashes from '/opt/splunk/splunk-7.2.0-8c86330ac18-linux-2.6-x86_64-manifest'
	All installed files intact.
	Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
Done

Waiting for web server at http://127.0.0.1:80 to be available... Done

If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com

The Splunk web interface is at http://ubuntu18

[email protected]:/opt/splunk/bin#
Unfortunately, these commands do not reclaim disk space. You will have to wait until the data in those indexes ages out under the index retention settings.