splunk常用命令及配置

2019-11-07 走过路过 4900 0

Linux常用命令:
//查看系统
cat /etc/redhat-release
//抓包命令
tcpdump -i ens160 dst host 192.168.1.1 and tcp port 22
//windows抓包
netsh trace start capture=yes traceFile="c:\\snmp.etl" overwrite=yes correlation=no protocol=udp ipv4.address=xxx.xxx.xxx.xxx
netsh trace stop

splunk常用命令:
 
//配置环境变量
source /opt/splunk/bin/setSplunkEnv
//第一次启动splunk
$SPLUNK_HOME/bin/splunk start --accept-license
//数据转发
$SPLUNK_HOME/bin/splunk list forward-server
$SPLUNK_HOME/bin/splunk add forward-server xxx.xxx.xxx.xxx:9997
//配置部署服务器
$SPLUNK_HOME/bin/splunk show deploy-poll
$SPLUNK_HOME/bin/splunk set deploy-poll xxx.xxx.xxx.xxx:8089
//设置开机启动
$SPLUNK_HOME/bin/splunk enable boot-start
$SPLUNK_HOME/bin/splunk disable boot-start
$SPLUNK_HOME/bin/splunk display boot-start
//配置监控文件路径
$SPLUNK_HOME/SplunkUniversalForwarder/bin/splunk add monitor “文件路径” -index main -sourcetype vpn
//检查配置
$SPLUNK_HOME/bin/splunk btool --debug inputs list monitor:///var/log
$SPLUNK_HOME/bin/splunk btool --debug inputs list monitor
//检查input状态
$SPLUNK_HOME/bin/splunk list inputstatus

//重新索引
$SPLUNK_HOME/bin/splunk cmd btprobe -d $splunk/var/lib/splunk/fishbucket/splunk_private_db --
file /opt/log/vmail/iis_vmail2.log --reset
//查看配置
$SPLUNK_HOME/bin/splunk show config inputs
//查看端口
$SPLUNK_HOME/bin/splunk show web-port
$SPLUNK_HOME/bin/splunk show splunkd-port
$SPLUNK_HOME/bin/splunk show servername
$SPLUNK_HOME/bin/splunk show default-hostname
//修改密码
$SPLUNK_HOME/bin/splunk edit user admin -oldpassword xxx -password xxx

//刷新配置
wget https://localhost:8089/services/data/inputs/monitor/_reload --post-data '' --no-check-certificate --user xx --password xxx -O -

//刷新搜索时配置
http://localhost:8000/en-US/debug/refresh


splunk常用配置:
//创建索引
[test_index]
homePath = $SPLUNK_DB/test_index/db
coldPath = $SPLUNK_DB/test_index/colddb
thawedPath = $SPLUNK_DB/test_index/thaweddb
enableDataIntegrityControl = 0
enableTsidxReduction = 0
maxTotalDataSizeMB = 512000
frozenTimePeriodInSecs = 15552000

//轨发数据 outputs.conf
[tcpout]
defaultGroup = default-autolb-group

[tcpout-server://192.168.1.2:9997] 
[tcpout-server://192.168.1.3:9997]

[tcpout:default-autolb-group]
disabled = false
server = 192.168.1.2:9997, 192.168.1.3:9997

//接收指定IP的数据
[udp://xxx.xxx.xxx.xxx:514]
persistentQueueSize=100MB

connection_host = ip
index = xxx
sourcetype = xxxx

//配置脚本输入数据
[script://$SPLUNK_HOME/etc/apps/xxx/bin/device.sh]
disabled = false
index = snmp
interval = 60.0
sourcetype = snmp

interval = 0 1 * * *
sourcetype = _json

//配置监控文件

[monitor:///opt/log/log4.txt]
disabled = false
index = xxx
source = xxx.xxx.xxx.xxx:514
sourcetype = xxx


//提取字段
props.conf
REPORT-waf_request_header = waf_request_header

transforms.conf
[waf_request_header]
REGEX="([^"]*)"="([^"]*)"
SOURCE_KEY=request_header
FORMAT=$1::$2

[xx]
DATETIME_CONFIG = 
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
TIME_FORMAT = %b %d %H:%M:%S
category = Custom
pulldown_type = true
SHOULD_LINEMERGE = true


全部评论 最新评论 最早评论
还没有用户评论

联系我们

微信公众号
打赏作者