Splunk installation:
On a Google Cloud Windows 2016 VM

1. Change the web management port from 8000 to 80
The default HTTP/HTTPS port of Splunk Enterprise is 8000. You can change it to another port from the Splunk Web GUI.

To change the port from the installation settings:

  • Log in to Splunk Web as an administrator user.
  • Click Settings in the upper right corner of the interface.
  • Click the Server settings link in the System section of the screen.
  • Click General settings.
  • Change the value of the management port or the web port, then click Save.

You may need to update the local firewall configuration for the new port. Below is an example of changing the Windows Server 2016 firewall configuration to allow TCP port 80.

2. Fortinet FortiGate App for Splunk

YouTube video:

2.1 Devices
type="traffic" AND index="fortinet" | stats dc(devid)

2.2 Virtual domains
type="traffic" AND index="fortinet" | eval dev-vd = devid."-".vd | stats dc(dev-vd)

2.3 Sessions
Original:
type="traffic" AND index="fortinet" | eval dev-sess = devid."-".session_id | stats dc(dev-sess)
Changed to:
type="traffic" AND index="fortinet" | eval dev-sess = devid."-".sessionid | stats dc(dev-sess)
type="traffic" AND index="fortinet" | stats dc(sessionid)

2.4 Sessions over time
index="fortigate" type="traffic" | timechart count by devname

2.5 Top 20 applications
index="fortigate" type="traffic" | top limit=20 app

2.6 Threats
type="utm" AND index="fortinet" AND (apprisk=critical OR apprisk=high OR apprisk=medium OR apprisk=low) | timechart count by apprisk

2.7 Applications by destination country
index="fortigate" type="traffic" | iplocation dstip | geostats count by app

3. Custom dashboards

3.1 Traffic sessions by destination IP
index="fortigate" srcip=* dstip=* type="traffic" action=* NOT dstip="255.255.255.255" | timechart count by dstip

3.2 Traffic sessions by action
index="fortigate" srcip=* dstip=* type="traffic" action=* | timechart count by action

3.3 UTM statistics
index="fortigate" OR index=main type=utm | stats count by srcip, dstip, hostname, url, service, direction, app, apprisk | sort - count
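The searches in sections 2 and 3 all aggregate fields from FortiGate key=value log events. The following Python script is added here as an example; it is not code from the original post or from the Fortinet FortiGate App for Splunk. It parses a few constructed FortiGate syslog lines (the field names devid, vd, sessionid, devname, app, apprisk, type, srcip, dstip and action are the FortiGate ones the searches rely on; the values are invented) and computes the same results as the searches above: distinct devices, devid-vd pairs, sessions, top applications, UTM threats by apprisk, and traffic sessions by destination IP with the broadcast address excluded. It also shows why 2.3 joins devid and sessionid: session IDs repeat across firewalls, so dc(sessionid) alone undercounts.

```python
"""Reproduce the FortiGate dashboard searches over raw key=value syslog lines.

Added example, not part of the original post or of the Fortinet FortiGate App
for Splunk. SAMPLE_LOGS is constructed test data.
"""
import re
from collections import Counter

# Constructed sample events in FortiGate key=value format (values may be quoted).
# Note sessionid=1001 appears on BOTH devices: that is the case section 2.3 handles.
SAMPLE_LOGS = [
    'date=2019-01-10 time=10:00:01 devname="FG60D-A" devid="FGT60D0001" type="traffic" '
    'vd="root" sessionid=1001 srcip=10.0.0.5 dstip=93.184.216.34 action="accept" app="HTTPS" apprisk="low"',
    'date=2019-01-10 time=10:00:02 devname="FG60D-A" devid="FGT60D0001" type="traffic" '
    'vd="root" sessionid=1002 srcip=10.0.0.6 dstip=255.255.255.255 action="deny" app="DHCP" apprisk="low"',
    'date=2019-01-10 time=10:00:03 devname="FG60D-A" devid="FGT60D0001" type="traffic" '
    'vd="dmz" sessionid=1003 srcip=10.0.1.7 dstip=8.8.8.8 action="accept" app="DNS" apprisk="low"',
    'date=2019-01-10 time=10:00:04 devname="FG60D-B" devid="FGT60D0002" type="traffic" '
    'vd="root" sessionid=1001 srcip=10.0.2.9 dstip=93.184.216.34 action="accept" app="HTTPS" apprisk="low"',
    'date=2019-01-10 time=10:00:05 devname="FG60D-B" devid="FGT60D0002" type="utm" '
    'vd="root" sessionid=1004 srcip=10.0.2.9 dstip=198.51.100.7 app="SSH" apprisk="critical" action="block"',
    'date=2019-01-10 time=10:00:06 devname="FG60D-A" devid="FGT60D0001" type="utm" '
    'vd="root" sessionid=1005 srcip=10.0.0.5 dstip=203.0.113.9 app="BitTorrent" apprisk="high" action="block"',
]

# key=value pairs; a value is either a double-quoted string or a run of non-spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one FortiGate key=value line into a dict with the quotes stripped."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def events(logs=SAMPLE_LOGS):
    return [parse_event(line) for line in logs]


def traffic(evts):
    return [e for e in evts if e.get("type") == "traffic"]


def utm(evts):
    return [e for e in evts if e.get("type") == "utm"]


def dc(evts, *fields):
    """Distinct count of the "-"-joined fields: eval x=a."-".b | stats dc(x)."""
    return len({"-".join(e.get(f, "") for f in fields) for e in evts})


def devices(evts):                      # 2.1: stats dc(devid)
    return dc(traffic(evts), "devid")


def virtual_domains(evts):              # 2.2: dc(devid-vd)
    return dc(traffic(evts), "devid", "vd")


def sessions(evts):                     # 2.3 (changed form): dc(devid-sessionid)
    return dc(traffic(evts), "devid", "sessionid")


def sessions_by_sessionid_only(evts):   # 2.3 (second form): dc(sessionid), undercounts
    return dc(traffic(evts), "sessionid")


def top_apps(evts, limit=20):           # 2.5: top limit=20 app
    return Counter(e["app"] for e in traffic(evts)).most_common(limit)


def threats_by_risk(evts):              # 2.6: utm events filtered to the four apprisk levels
    risks = {"critical", "high", "medium", "low"}
    return Counter(e["apprisk"] for e in utm(evts) if e.get("apprisk") in risks)


def sessions_by_dstip(evts):            # 3.1: srcip=* dstip=* action=* NOT dstip=255.255.255.255
    return Counter(
        e["dstip"] for e in traffic(evts)
        if "srcip" in e and "action" in e and e["dstip"] != "255.255.255.255"
    )


if __name__ == "__main__":
    evts = events()
    print("devices:", devices(evts))
    print("virtual domains:", virtual_domains(evts))
    print("sessions (devid-sessionid):", sessions(evts))
    print("sessions (sessionid only):", sessions_by_sessionid_only(evts))
    print("top apps:", top_apps(evts))
    print("threats by apprisk:", dict(threats_by_risk(evts)))
    print("sessions by dstip:", dict(sessions_by_dstip(evts)))
```

On the sample data, sessions() returns 4 while sessions_by_sessionid_only() returns 3, because session 1001 exists on both firewalls; the same collision is what the author's change from session_id to sessionid, combined with the devid prefix, is meant to count correctly.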

4. New data input: syslog on UDP 514

5. Reset Splunk to factory defaults
5.1 Clean all event data (databases/indexes)

johnyan_ca@ubuntu:~$ sudo su
root@ubuntu:/home/johnyan_ca# /opt/splunk/bin/splunk stop
Stopping splunkd...
Shutting down.  Please wait, as this may take a few minutes.
..
Stopping splunk helpers...

Done.
root@ubuntu:/home/johnyan_ca# /opt/splunk/bin/splunk clean eventdata
This action will permanently erase all events from ALL indexes; it cannot be undone.
Are you sure you want to continue [y/n]? y
Cleaning database _audit.
Cleaning database _internal.
Cleaning database _introspection.
Cleaning database _telemetry.
Cleaning database _thefishbucket.
Cleaning database fortinet.
Cleaning database history.
Cleaning database main.
Cleaning database summary.
Cleaning database unix_summary.
Cleaning database windows.
Disabled database 'splunklogger': will not clean.

5.2 Remove all installed apps

root@ubuntu:/home/johnyan_ca# cd /opt/splunk/etc/apps/
root@ubuntu:/opt/splunk/etc/apps# ls
SplunkAppForFortinet          alert_webhook                  learned             splunk_gdi
SplunkForwarder               appsbrowser                    legacy              splunk_httpinput
SplunkLightForwarder          eventid                        sample_app          splunk_instrumentation
Splunk_TA_fortinet_fortigate  framework                      search              splunk_monitoring_console
Splunk_TA_linux               gettingstarted                 sh_collectd         user-prefs
Splunk_TA_nix                 introspection_generator_addon  splunk_app_for_nix
alert_logevent                launcher                       splunk_archiver
root@ubuntu:/opt/splunk/etc/apps# rm -rf SplunkAppForFortinet/
root@ubuntu:/opt/splunk/etc/apps# rm -rf Splunk_TA_fortinet_fortigate/
root@ubuntu:/opt/splunk/etc/apps# rm -rf Splunk_TA_linux/
root@ubuntu:/opt/splunk/etc/apps# rm -rf Splunk_TA_nix/
root@ubuntu:/opt/splunk/etc/apps# rm -rf eventid/
root@ubuntu:/opt/splunk/etc/apps# rm -rf splunk_app_for_nix/

If you only want to reset an app's configuration, you can delete its local configuration with the following command:

/opt/splunk/etc/apps# rm -rf eventid/local/*

The last step is to start Splunk again.

root@ubuntu:/opt/splunk/etc/apps# /opt/splunk/bin/splunk start

Splunk> Winning the War on Error

Checking prerequisites...
        Checking http port [80]: open
        Checking mgmt port [8089]: open
        Checking appserver port [127.0.0.1:8065]: open
        Checking kvstore port [8191]: open
        Checking configuration...  Done.
        Checking critical directories...        Done
        Checking indexes...
                Validated: _audit _internal _introspection _telemetry _thefishbucket fortinet history main summary
        Done
        Checking filesystem compatibility...  Done
        Checking conf files for problems...
        Done
        Checking default conf files for edits...
        Validating installed files against hashes from '/opt/splunk/splunk-7.2.0-8c86330ac18-linux-2.6-x86_64-manifest'
        All installed files intact.
        Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...  
Done


Waiting for web server at http://127.0.0.1:80 to be available....... Done


If you get stuck, we're here to help.  
Look for answers here: http://docs.splunk.com

The Splunk web interface is at http://ubuntu

root@ubuntu:/opt/splunk/etc/apps# 

6. Delete indexed data

From the GUI, use this search:

index="fortinet" | delete

or

index="fortinet" AND sourcetype=fortige60d | delete

From the command line:

john@ubuntu18:~$ sudo su
[sudo] password for john: 
root@ubuntu18:/home/john# cd /opt/splunk/bin
root@ubuntu18:/opt/splunk/bin# ./splunk stop
Stopping splunkd...
Shutting down.  Please wait, as this may take a few minutes.
........
Stopping splunk helpers...

Done.
root@ubuntu18:/opt/splunk/bin# ./splunk clean eventdata -index fortinet -f
Cleaning database fortinet.
root@ubuntu18:/opt/splunk/bin# ./splunk start

Splunk> Be an IT superhero. Go home early.

Checking prerequisites...
        Checking http port [80]: open
        Checking mgmt port [8089]: open
        Checking appserver port [127.0.0.1:8065]: open
        Checking kvstore port [8191]: open
        Checking configuration...  Done.
        Checking critical directories...        Done
        Checking indexes...
                Validated: _audit _internal _introspection _telemetry _thefishbucket fortinet history main summary
        Done
        Checking filesystem compatibility...  Done
        Checking conf files for problems...
        Done
        Checking default conf files for edits...
        Validating installed files against hashes from '/opt/splunk/splunk-7.2.0-8c86330ac18-linux-2.6-x86_64-manifest'
        All installed files intact.
        Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...  
Done


Waiting for web server at http://127.0.0.1:80 to be available... Done


If you get stuck, we're here to help.  
Look for answers here: http://docs.splunk.com

The Splunk web interface is at http://ubuntu18

root@ubuntu18:/opt/splunk/bin# 

Unfortunately, those commands do not reclaim disk space. You have to wait until the data in those indexes ages out.

By jonny.
