Splunk installation:
On a Google Cloud Windows 2016 VM

1. Change the web management port from 8000 to 80
The default HTTP/HTTPS port for Splunk Enterprise is 8000. You can change it to a different port from the Splunk Web GUI.

To change the port from the installation's settings:

  • Log in to Splunk Web as an administrator user.
  • Click Settings in the upper-right corner of the interface.
  • Click the Server settings link in the System section of the screen.
  • Click General settings.
  • Change the value of the management port or web port, then click Save.

You may need to update the local firewall configuration for the new port. Here is an example of changing the firewall configuration of a Windows 2016 server to allow TCP port 80.

2. Fortinet FortiGate App for Splunk

YouTube video:

2.1 Devices
type="traffic" AND index="fortinet" | stats dc(devid)

2.2 Virtual domains
type="traffic" AND index="fortinet" | eval dev-vd=devid."-".vd | stats dc(dev-vd)

2.3 Sessions
Original:
type="traffic" AND index="fortinet" | eval dev-sess=devid."-".session_id | stats dc(dev-sess)
Changed to:
type="traffic" AND index="fortinet" | eval dev-sess=devid."-".sessionid | stats dc(dev-sess)
type="traffic" AND index="fortinet" | stats dc(sessionid)

2.4 Sessions over time
index="fortigate" type="traffic" | timechart count by devname

2.5 Top 20 applications
index="fortigate" type="traffic" | top limit=20 app

2.6 Threats
type="UTM" AND index="fortinet" AND (risk=critical OR risk=high OR risk=medium OR risk=low) | timechart count by risk

2.7 Applications by destination country
index="fortigate" type="traffic" | iplocation dstip | geostats count by app

3. Custom dashboards

3.1 Traffic sessions by destination IP
index="fortigate" srcip=* dstip=* type="traffic" action=* NOT dstip="255.255.255.255" | timechart count by dstip

3.2 Sessions by action
index="fortigate" srcip=* dstip=* type="traffic" action=* | timechart count by action

3.3 UTM statistics
index="fortigate" OR index=main type=utm | stats count by srcip, dstip, hostname, url, service, direction, app, risk | sort count
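As an added example (not from the original post or from the Fortinet app), the three searches above combined into one Splunk Simple XML dashboard with a shared time picker. It assumes the same index name "fortigate" and field names used in the searches; the file name (for example $SPLUNK_HOME/etc/apps/search/local/data/ui/views/fortigate_custom.xml) is an assumption, and the UTM table is sorted descending so the most frequent tuples appear first.

```xml
<form>
  <label>FortiGate custom dashboard</label>
  <!-- One time picker shared by every panel; each search reads the tr token. -->
  <fieldset submitButton="false">
    <input type="time" token="tr">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>3.1 Traffic sessions by destination IP</title>
      <chart>
        <search>
          <!-- Broadcast destination excluded, as in the original search -->
          <query>index="fortigate" srcip=* dstip=* type="traffic" action=* NOT dstip="255.255.255.255" | timechart count by dstip</query>
          <earliest>$tr.earliest$</earliest>
          <latest>$tr.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
    <panel>
      <title>3.2 Sessions by action</title>
      <chart>
        <search>
          <query>index="fortigate" srcip=* dstip=* type="traffic" action=* | timechart count by action</query>
          <earliest>$tr.earliest$</earliest>
          <latest>$tr.latest$</latest>
        </search>
        <!-- Stacked columns make allow vs. deny volume easy to compare per bucket -->
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>3.3 UTM statistics</title>
      <table>
        <search>
          <query>index="fortigate" OR index=main type=utm | stats count by srcip, dstip, hostname, url, service, direction, app, risk | sort -count</query>
          <earliest>$tr.earliest$</earliest>
          <latest>$tr.latest$</latest>
        </search>
        <option name="count">20</option>
      </table>
    </panel>
  </row>
</form>
```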

4. New data input – UDP 514 for syslog

5. Reset Splunk to factory defaults
5.1 Clear all event data (databases/indexes)

johnyan_ca@ubuntu:~$ sudo su
root@ubuntu:/home/johnyan_ca# /opt/splunk/bin/splunk stop
Stopping splunkd...
Shutting down.  Please wait, as this may take a few minutes.
..
Stopping splunk helpers...

Done.
root@ubuntu:/home/johnyan_ca# /opt/splunk/bin/splunk clean eventdata
This action will permanently erase all events from ALL indexes; it cannot be undone.
Are you sure you want to continue [y/n]? y
Cleaning database _audit.
Cleaning database _internal.
Cleaning database _introspection.
Cleaning database _telemetry.
Cleaning database _thefishbucket.
Cleaning database fortinet.
Cleaning database history.
Cleaning database main.
Cleaning database summary.
Cleaning database unix_summary.
Cleaning database windows.
Disabled database 'splunklogger': will not clean.

5.2 Delete all installed apps

root@ubuntu:/home/johnyan_ca# cd /opt/splunk/etc/apps/
root@ubuntu:/opt/splunk/etc/apps# ls
SplunkAppForFortinet          alert_webhook                  learned             splunk_gdi
SplunkForwarder               appsbrowser                    legacy              splunk_httpinput
SplunkLightForwarder          eventid                        sample_app          splunk_instrumentation
Splunk_TA_fortinet_fortigate  framework                      search              splunk_monitoring_console
Splunk_TA_linux               gettingstarted                 sh_collectd         user-prefs
Splunk_TA_nix                 introspection_generator_addon  splunk_app_for_nix
alert_logevent                launcher                       splunk_archiver
root@ubuntu:/opt/splunk/etc/apps# rm -rf SplunkAppForFortinet/
root@ubuntu:/opt/splunk/etc/apps# rm -rf Splunk_TA_fortinet_fortigate/
root@ubuntu:/opt/splunk/etc/apps# rm -rf Splunk_TA_linux/
root@ubuntu:/opt/splunk/etc/apps# rm -rf Splunk_TA_nix/
root@ubuntu:/opt/splunk/etc/apps# rm -rf eventid/
root@ubuntu:/opt/splunk/etc/apps# rm -rf splunk_app_for_nix/

If you only want to reset an app's configuration, you can delete its local configuration with a command like the following.

/opt/splunk/etc/apps# rm -rf eventid/local/*

The last step is to start Splunk again.

root@ubuntu:/opt/splunk/etc/apps# /opt/splunk/bin/splunk start

Splunk> Winning the War on Error

Checking prerequisites...
        Checking http port [80]: open
        Checking mgmt port [8089]: open
        Checking appserver port [127.0.0.1:8065]: open
        Checking kvstore port [8191]: open
        Checking configuration...  Done.
        Checking critical directories...        Done
        Checking indexes...
                Validated: _audit _internal _introspection _telemetry _thefishbucket fortinet history main summary
        Done
        Checking filesystem compatibility...  Done
        Checking conf files for problems...
        Done
        Checking default conf files for edits...
        Validating installed files against hashes from '/opt/splunk/splunk-7.2.0-8c86330ac18-linux-2.6-x86_64-manifest'
        All installed files intact.
        Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...  
Done


Waiting for web server at http://127.0.0.1:80 to be available....... Done


If you get stuck, we're here to help.  
Look for answers here: http://docs.splunk.com

The Splunk web interface is at http://ubuntu

root@ubuntu:/opt/splunk/etc/apps# 

6. Delete index data

In the GUI, use this command:

index="fortinet" | delete

or, restricted to one sourcetype (here the one assigned to the FortiGate 60D input):

index="fortinet" AND sourcetype="FortiGate 60D" | delete

From the command line:

john@ubuntu18:~$ sudo su
[sudo] password for john: 
root@ubuntu18:/home/john# cd /opt/splunk/bin
root@ubuntu18:/opt/splunk/bin# ./splunk stop
Stopping splunkd...
Shutting down.  Please wait, as this may take a few minutes.
........
Stopping splunk helpers...

Done.
root@ubuntu18:/opt/splunk/bin# ./splunk clean eventdata -index fortinet -f
Cleaning database fortinet.
root@ubuntu18:/opt/splunk/bin# ./splunk start

Splunk> Be an IT superhero. Go home early.

Checking prerequisites...
        Checking http port [80]: open
        Checking mgmt port [8089]: open
        Checking appserver port [127.0.0.1:8065]: open
        Checking kvstore port [8191]: open
        Checking configuration...  Done.
        Checking critical directories...        Done
        Checking indexes...
                Validated: _audit _internal _introspection _telemetry _thefishbucket fortinet history main summary
        Done
        Checking filesystem compatibility...  Done
        Checking conf files for problems...
        Done
        Checking default conf files for edits...
        Validating installed files against hashes from '/opt/splunk/splunk-7.2.0-8c86330ac18-linux-2.6-x86_64-manifest'
        All installed files intact.
        Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...  
Done


Waiting for web server at http://127.0.0.1:80 to be available... Done


If you get stuck, we're here to help.  
Look for answers here: http://docs.splunk.com

The Splunk web interface is at http://ubuntu18

root@ubuntu18:/opt/splunk/bin# 

Unfortunately, these commands do not reclaim disk space. You will have to wait until the data in those indexes ages out.
