I wanted a better solution for parsing and analyzing all the log files on my ClearOS system (6.5.0 Final Community). I have not found an Open Source solution that is as easy to install and use as Splunk. I am not in any way associated with Splunk but I have deployed or recommended it at several client sites. Splunk is an extremely capable tool for aggregating and indexing log files, and then querying and analyzing them. I wasn't sure how hard it would be to get it all working on a ClearOS server but it turned out to be quite easy. I provide the instructions here with the necessary caveats:

1. Though fairly easy to use, Splunk is quite feature rich and may be overwhelming at first. Spend time on the website reading documentation before installing and using.

2. If your ClearOS system is in any way critical to you, your company, users, or customers, then be sure to play with Splunk in a sandbox environment first.

3. These instructions worked for 6.5.0 Final Community and that is the only place I tested it.

4. Splunk indexing does require system resources. On my system I saw a slight increase in average CPU/load. If your system doesn't have a lot of spare CPU and I/O cycles now, don't install Splunk on it. Maybe consider putting Splunk on a separate server. Splunk supports running on one server and pulling log files from an agent on target servers. I installed it directly on my ClearOS server.

5. Splunk has a free license that supports up to 500MB of log files indexed per day. My total /var/log directory produces maybe 50 or 60MB per day and not all of this is configured in Splunk so I stay well below the license limit. Make sure you review the terms of the free license and are in compliance.

6. These instructions install Splunk as root. If you'd rather use a different user, like user splunk, be sure and read the instructions (and cautions) for doing so in the installation manual at splunk.com.

7. Don't perform admin functions, like installing Splunk, if it is beyond your admin capabilities...

--- Getting the RPM

1. Go to www.splunk.com and select the Free Splunk button in the upper right corner. You can do this from a Windows or Mac device, or even an iOS iPad as I did.

2. Select Free Download.

3. Select the appropriate Linux RPM distribution. In my case this was splunk-6.2.1-245427-linux-2.6-x86_64.rpm .

4. You will need to create an account at Splunk and will be prompted to do so.

5. Once you are set with an account continue to the download page. Once the download starts you can immediately kill it. It is easier to just use wget from your ClearOS server. Once the download starts (which you can kill) you are redirected to a Thank You page. On the right side of that page is a link to get the necessary wget command and a button to copy. Copy the whole wget string.

6. Log into your ClearOS server as root. cd to /opt and paste and run the wget command. In my case it looked like this:

wget -O splunk-6.2.1-245427-linux-2.6-x86_64.rpm 'http://www.splunk.com/page/download_track?file=6.2.1/splunk/linux/splunk-6.2.1-245427-linux-2.6-x86_64.rpm&ac=test_modal_enterprise&wget=true&name=wget&platform=Linux&architecture=x86_64&version=6.2.1&product=splunk&typed=release'

7. If you want, run the following to make sure the package is as you expect:

yum info ./splunk-6.2.1-245427-linux-2.6-x86_64.rpm

--- Installing Splunk

1. Once the download completes install Splunk using:

yum -y localinstall splunk-6.2.1-245427-linux-2.6-x86_64.rpm

--- Running Splunk

1. Start Splunk. You can put the Splunk bin directory in your PATH if you want...

/opt/splunk/bin/splunk start

2. If all went well and Splunk is up and running, set it to start automatically. Or skip this step and play with it for a while and decide if you want to use it.

/opt/splunk/bin/splunk enable boot-start -user root

--- Configuring Splunk

1. Splunk starts a web server on port 8000. You can access it from a LAN browser using the following where server.local.lan is how you access your ClearOS server from the LAN or the IP address.

http://server.local.lan:8000/

2. From your browser you can now add local log files to index and perform search queries or real-time log viewing. Most stuff of interest is in /var/log.

--- Reboot Test

1. Reboot your ClearOS server and make sure it and Splunk come up clean.

--- Notes

Do not use the rpm command to install the Splunk rpm. Using yum ensures the yum package database is consistent and all dependencies are resolved.

There are tutorials and help built into the app to assist you at each step along the way once you are in the browser.

There are also tutorials, FAQs, and other documents at splunk.com and other sites if you need some additional help.

Make sure when adding log files that you select the proper type so dates and indexing are correct.

Start querying your logs in Splunk and see what your system is doing. For example search DENIED to see who is accessing nasty stuff on the Internet. Or search snort to see what nasty stuff on the Internet is trying to do to you.

Check top to see what impact Splunk is having on your system. For me it is a steady 3% of CPU.

Peter
Saturday, January 03 2015, 11:03 PM
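The steps above, wrapped in a script with the checks a cautious admin wants before touching a production ClearOS box, plus a command-line version of the "search DENIED" suggestion from the Notes. This is an added example, not Peter's code or Splunk's. It assumes the RPM has already been fetched into /opt with the wget command from splunk.com, that the version in the usage line is a placeholder, and that the proxy log is in squid's native access.log format (the post does not say what ClearOS's proxy log looks like); the sample log lines are constructed. Splunk's --accept-license flag is used to skip the interactive license prompt on first start, so read the license terms first, as caveat 5 says.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: RPM already in /opt,
# squid-style proxy log lines, placeholder version number in the usage text.

SPLUNK_HOME=/opt/splunk
FREE_LICENSE_MB=500           # daily indexing cap on the free license

# Accept only a Splunk RPM built for the given architecture and print its
# version. Returns 1 if the filename does not match, so a stray i386 package
# or a Universal Forwarder RPM is rejected before yum ever sees it.
rpm_version_for_arch() {
    file=$(basename "$1"); arch=$2
    case $file in
        splunk-*-linux-2.6-"$arch".rpm) ;;
        *) return 1 ;;
    esac
    ver=${file#splunk-}          # 6.2.1-245427-linux-2.6-x86_64.rpm
    printf '%s\n' "${ver%%-*}"   # 6.2.1
}

# Rough daily log volume in MB: size of every file under $1 written in the
# last 24 hours. Whole files are counted, not just the last day's appends,
# so this over-estimates, which is the safe direction for a license check.
daily_log_mb() {
    find "$1" -type f -mtime -1 -exec du -k {} + 2>/dev/null |
        awk '{ s += $1 } END { printf "%d\n", s / 1024 }'
}

# Constructed squid-style proxy log lines (field 3 = client IP,
# field 4 = result code). Two denials for .50, one for .77, one allowed hit.
SAMPLE_PROXY_LOG='1420329600.123 45 192.168.1.50 TCP_DENIED/403 3945 GET http://bad.example/ - HIER_NONE/- text/html
1420329601.456 120 192.168.1.20 TCP_MISS/200 8120 GET http://ok.example/ - HIER_DIRECT/93.184.216.34 text/html
1420329602.789 40 192.168.1.50 TCP_DENIED/403 3945 GET http://bad.example/x - HIER_NONE/- text/html
1420329603.000 41 192.168.1.77 TCP_DENIED/403 3945 GET http://bad.example/y - HIER_NONE/- text/html'

# Denials per client from log lines on stdin, busiest client first.
# Command-line equivalent of searching DENIED in Splunk and counting by host.
denied_by_client() {
    awk '$4 ~ /DENIED/ { n[$3]++ }
         END { for (c in n) print n[c], c }' | sort -rn
}

install_splunk() {
    rpm=$1
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    ver=$(rpm_version_for_arch "$rpm" "$(uname -m)") ||
        { echo "not a Splunk RPM for $(uname -m): $rpm" >&2; return 1; }
    mb=$(daily_log_mb /var/log)
    echo "Installing Splunk $ver; /var/log is producing about ${mb} MB/day"
    [ "$mb" -lt "$FREE_LICENSE_MB" ] ||
        echo "WARNING: above the ${FREE_LICENSE_MB} MB/day free-license cap; index selectively" >&2
    yum info "$rpm" || return 1                  # confirm name/version first
    yum -y localinstall "$rpm" || return 1       # yum, not rpm, per the Notes
    "$SPLUNK_HOME/bin/splunk" start --accept-license || return 1
    "$SPLUNK_HOME/bin/splunk" enable boot-start -user root
    echo "Splunk Web: http://$(hostname):8000/  (change the admin password at first login)"
}

# Usage: sh splunk_clearos.sh install /opt/splunk-6.2.1-245427-linux-2.6-x86_64.rpm
#        sh splunk_clearos.sh denied < /var/log/squid/access.log
#        sh splunk_clearos.sh demo          # run the report on the sample lines
case ${1:-} in
    install) install_splunk "$2" ;;
    denied)  denied_by_client ;;
    demo)    printf '%s\n' "$SAMPLE_PROXY_LOG" | denied_by_client ;;
esac
```

The architecture check matters because the download page offers several Linux packages and yum will happily report a dependency mess rather than "wrong package"; the log-volume estimate is deliberately pessimistic so you find out you are near the 500MB/day line before Splunk does.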
Responses (1)

Accepted Answer
Saturday, January 03 2015, 11:25 PM
Great post Peter - have tried Splunk a couple of times and it's a great tool to give an overview of system activity across all the various system logs :)