Splunk Forwarder Installation

in Log Analysis with 0 comments

The previous article covered installing a Splunk server. That installed only the server side, which can collect logs from the server itself, but in a production environment we usually need to monitor log files on many hosts. That requires a client, which Splunk calls a forwarder; the server is configured as a receiver that accepts the forwarded data, so one server can analyze and monitor many clients.

Splunk server IP: 198.46.145.77

Splunk client IP: 111.38.12.126

Splunk receiver configuration

./splunk enable listen 9997 -auth <username>:<password>

                (username defaults to the Splunk Web login username)

                (password defaults to the Splunk Web login password)

#./splunk enable listen 9997 -auth admin:changeme

If -auth is omitted, the CLI prompts for the credentials instead, which keeps the password out of the shell history.

Splunk forwarder installation

1. Download
#wget http://download.splunk.com/products/splunk/releases/6.3.2/universalforwarder/linux/splunkforwarder-6.3.2-aaff59bb082c-Linux-x86_64.tgz
2. Unpack and install
tar zxf splunkforwarder-6.3.2-aaff59bb082c-Linux-x86_64.tgz
mkdir /home/software
mv splunkforwarder /home/software/splunkforwarder
cd /home/software/splunkforwarder
./bin/splunk start         (start the service)
#./bin/splunk enable boot-start    (start the service on boot)
ps aux | grep splunk
root 21925 0.2 0.2 295448 38852 ? Sl Jan18 2:17 splunkd -p 8089 start
root 21926 0.0 0.0 57752 4136 ? Ss Jan18 0:00 [splunkd pid=21925] splunkd -p 8089 start [process-runner]
root 28416 0.0 0.0 103256 856 pts/1 S+ 10:26 0:00 grep splunk
3. Configure the forwarder
cd bin/
./splunk add forward-server 198.46.145.77:9997 -auth admin:changeme    (omit -auth to be prompted for the credentials)
./splunk list forward-server
./splunk add monitor /home/logs/access.log    (add a log file to monitor)
./splunk add monitor /home/logs/cache.log      (same as above)
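After step 3 it is worth confirming two things before moving on: that splunkd is actually running on the forwarder, and that the server you added shows up under "Active forwards" rather than "Configured but inactive forwards" in the output of ./splunk list forward-server (inactive means the forwarder cannot reach port 9997 on the server). The script below is an added example written for this post, not part of the Splunk distribution; it parses captured command output so it can be exercised offline, and the ps lines and the forward-server listing it uses are constructed samples based on the output shown above and on the Splunk CLI's output format as I know it.

```shell
#!/bin/sh
# Post-install checks for a Universal Forwarder (added example, not Splunk code).
# Both functions take command output as a string, so they can be run against
# captured samples; on a real host feed them `ps aux` and
# `./splunk list forward-server` as shown at the bottom.

# Print the management port of the running splunkd main process, parsed from
# `ps aux` text, and return 0; return 1 if no splunkd main process is present.
splunkd_port() {
    port=$(printf '%s\n' "$1" | grep -v '\[splunkd pid=' | grep -v 'grep' \
        | sed -n 's/.*splunkd -p \([0-9][0-9]*\) start.*/\1/p' | head -n 1)
    [ -n "$port" ] || return 1
    printf '%s\n' "$port"
}

# Classify one host:port in `./splunk list forward-server` output.
# Prints active / inactive / missing and returns 0 / 1 / 2 respectively.
forward_status() {
    output=$1; target=$2; section=""
    while IFS= read -r line; do
        case "$line" in
            'Active forwards:') section=active; continue ;;
            'Configured but inactive forwards:') section=inactive; continue ;;
        esac
        # entries are indented under their heading; trim the whitespace
        entry=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        if [ "$entry" = "$target" ]; then
            printf '%s\n' "$section"
            [ "$section" = active ] && return 0
            return 1
        fi
    done <<EOF
$output
EOF
    printf 'missing\n'
    return 2
}

# Constructed samples (from the ps output above and the CLI's listing format).
PS_SAMPLE='root 21925 0.2 0.2 295448 38852 ? Sl Jan18 2:17 splunkd -p 8089 start
root 21926 0.0 0.0 57752 4136 ? Ss Jan18 0:00 [splunkd pid=21925] splunkd -p 8089 start [process-runner]
root 28416 0.0 0.0 103256 856 pts/1 S+ 10:26 0:00 grep splunk'
FWD_SAMPLE='Active forwards:
	198.46.145.77:9997
Configured but inactive forwards:
	None'

if p=$(splunkd_port "$PS_SAMPLE"); then
    echo "splunkd running, management port $p"
else
    echo "splunkd is not running"
fi
forward_status "$FWD_SAMPLE" 198.46.145.77:9997 || echo "forwarder not active (status $?)"

# On the forwarder host, replace the samples with live output:
#   splunkd_port "$(ps aux)"
#   forward_status "$(./bin/splunk list forward-server)" 198.46.145.77:9997
```

A status of "inactive" right after `add forward-server` usually means the receiver was not enabled on the server, or port 9997 is blocked between the two hosts; "missing" means the add command itself did not take.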

Once the above is configured, the forwarded data can be searched from the browser!

Creating a fixed index

# To collect logs into a fixed index, the index (here: squid) must be created on the Splunk server beforehand

      ./splunk add monitor /var/log/squid -index squid

      # That is basically enough, but field extraction is then very painful, so we also pin a fixed sourcetype name to make searching easier

      cd /home/software/splunkforwarder/etc/apps/search/local

      vim inputs.conf

      # add monitor wrote the stanza for this path here; add the sourcetype line under it
        [monitor:///var/log/squid]
        index = squid
        sourcetype = squid

      /home/software/splunkforwarder/bin/splunk restart
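Once there are several monitored files it is easy to forget the sourcetype on one of them and end up with the painful field extraction described above. The two helpers below are an added example for this post (not Splunk code): one renders a monitor stanza with index and sourcetype pinned, the other audits the text of an inputs.conf and lists every [monitor://...] stanza that has no sourcetype line. The inputs.conf contents used at the bottom are a constructed sample built from the paths in this post.

```shell
#!/bin/sh
# inputs.conf helpers for the Universal Forwarder (added example, not Splunk code).

# Print one [monitor://...] stanza with an explicit index and sourcetype.
# Arguments: path index sourcetype
render_monitor_stanza() {
    printf '[monitor://%s]\nindex = %s\nsourcetype = %s\n' "$1" "$2" "$3"
}

# Take inputs.conf text as the first argument and print the name of every
# monitor stanza that has no sourcetype setting. Returns 0 when all monitor
# stanzas set a sourcetype, 1 otherwise.
stanzas_missing_sourcetype() {
    printf '%s\n' "$1" | awk '
        function flush() { if (name != "" && !has) { print name; missing++ } }
        /^\[monitor:/ { flush(); name = $0; has = 0; next }
        /^\[/         { flush(); name = ""; next }      # other stanza types are ignored
        /^[[:space:]]*sourcetype[[:space:]]*=/ { has = 1 }
        END { flush(); exit (missing ? 1 : 0) }'
}

# Constructed sample: the three files from this post, one without a sourcetype.
CONF_SAMPLE="$(render_monitor_stanza /var/log/squid squid squid)

[monitor:///home/logs/access.log]
index = main

[monitor:///home/logs/cache.log]
index = main
sourcetype = cache"

echo "--- stanza to append for /var/log/squid:"
render_monitor_stanza /var/log/squid squid squid
echo "--- monitor stanzas without a sourcetype:"
stanzas_missing_sourcetype "$CONF_SAMPLE" || echo "(fix the stanzas above, then run splunk restart)"

# On the forwarder host, audit the live file:
#   stanzas_missing_sourcetype "$(cat /home/software/splunkforwarder/etc/apps/search/local/inputs.conf)"
```

The audit deliberately looks only at [monitor://...] stanzas, so a sourcetype set in a [default] stanza is not counted; in that case the per-stanza line is still the clearer choice because it survives later additions.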
