splunk常用命令及配置
Linux常用命令:
//查看系统
cat /etc/redhat-release
//抓包命令
tcpdump -i ens160 dst host 192.168.1.1 and tcp port 22
//windows抓包
netsh trace start capture=yes traceFile="c:\\snmp.etl" overwrite=yes correlation=no protocol=udp ipv4.address=xxx.xxx.xxx.xxx
netsh trace stop
splunk常用命令:
//配置环境变量
source /opt/splunk/bin/setSplunkEnv
//第一次启动splunk
$SPLUNK_HOME/bin/splunk start --accept-license
//数据转发
$SPLUNK_HOME/bin/splunk list forward-server
$SPLUNK_HOME/bin/splunk add forward-server xxx.xxx.xxx.xxx:9997
//配置部署服务器
$SPLUNK_HOME/bin/splunk show deploy-poll
$SPLUNK_HOME/bin/splunk set deploy-poll xxx.xxx.xxx.xxx:8089
$SPLUNK_HOME/bin/splunk disable deploy-client
$SPLUNK_HOME/bin/splunk disable deploy-server
//设置开机启动
$SPLUNK_HOME/bin/splunk enable boot-start
$SPLUNK_HOME/bin/splunk disable boot-start
$SPLUNK_HOME/bin/splunk display boot-start
//配置监控文件路径
$SPLUNK_HOME/SplunkUniversalForwarder/bin/splunk add monitor "文件路径" -index main -sourcetype vpn
//检查配置
$SPLUNK_HOME/bin/splunk btool --debug inputs list monitor:///var/log
$SPLUNK_HOME/bin/splunk btool --debug inputs list monitor
//检查input状态
$SPLUNK_HOME/bin/splunk list inputstatus
//重新索引
$SPLUNK_HOME/bin/splunk cmd btprobe -d $SPLUNK_HOME/var/lib/splunk/fishbucket/splunk_private_db --file /opt/log/vmail/iis_vmail2.log --reset
//查看配置
$SPLUNK_HOME/bin/splunk show config inputs
//查看端口
$SPLUNK_HOME/bin/splunk show web-port
$SPLUNK_HOME/bin/splunk show splunkd-port
$SPLUNK_HOME/bin/splunk show servername
$SPLUNK_HOME/bin/splunk show default-hostname
//修改密码
$SPLUNK_HOME/bin/splunk edit user admin -oldpassword xxx -password xxx
//刷新配置
wget https://localhost:8089/services/data/inputs/monitor/_reload --post-data '' --no-check-certificate --user xx --password xxx -O -
//刷新搜索时配置
http://localhost:8000/en-US/debug/refresh
//查询配置修改
index=_configtracker sourcetype=splunk_configuration_change
//查询配置修改人
index=_audit sourcetype=audittrail savedsearch_name="xxx"
splunk常用配置:
//创建索引
# indexes.conf stanza for a custom index; bucket paths live under $SPLUNK_DB.
[test_index]
homePath = $SPLUNK_DB/test_index/db
coldPath = $SPLUNK_DB/test_index/colddb
thawedPath = $SPLUNK_DB/test_index/thaweddb
# 0 leaves Splunk's data-integrity hashing off for this index.
# NOTE(review): confirm that is acceptable if the index will hold audit or security data.
enableDataIntegrityControl = 0
# 0 keeps full tsidx files for older buckets (no reduction).
enableTsidxReduction = 0
# 512000 MB = 500 GiB total for the index; the oldest buckets are frozen once it is exceeded.
maxTotalDataSizeMB = 512000
# 15552000 s = 180 days before a bucket is frozen (deleted unless coldToFrozenDir/coldToFrozenScript is set).
frozenTimePeriodInSecs = 15552000
//转发数据 outputs.conf
# outputs.conf: forward to two indexers with automatic load balancing.
[tcpout]
defaultGroup = default-autolb-group
[tcpout-server://192.168.1.2:9997]
[tcpout-server://192.168.1.3:9997]
[tcpout:default-autolb-group]
disabled = false
# Receivers; each indexer must have a receiving input on 9997.
# NOTE(review): no TLS-related setting appears in this stanza, so the forwarder-to-indexer
# link is presumably unencrypted unless configured elsewhere — confirm.
server = 192.168.1.2:9997, 192.168.1.3:9997
//接收指定IP的数据
# inputs.conf: UDP receiver on port 514 that accepts datagrams only from the listed sender IP.
[udp://xxx.xxx.xxx.xxx:514]
# On-disk buffer used when the input cannot keep up.
persistentQueueSize=100MB
# Set the host field from the sender's IP address.
# NOTE(review): UDP carries no sender authentication, so both this sender filter and the
# resulting host value are only as trustworthy as the network path to the receiver.
connection_host = ip
index = xxx
sourcetype = xxxx
//配置脚本输入数据
# inputs.conf: scripted input; device.sh is run on a schedule and its stdout is indexed.
# NOTE(review): the script runs with splunkd's privileges, so keep it non-writable by other users.
[script://$SPLUNK_HOME/etc/apps/xxx/bin/device.sh]
disabled = false
index = snmp
# Run every 60 seconds.
interval = 60.0
sourcetype = snmp
# "或" (or): the two lines below are an ALTERNATIVE to the interval/sourcetype above, not additions.
# Keep exactly one interval and one sourcetype per stanza — a repeated key does not give two values.
或
# Cron form: daily at 01:00.
interval = 0 1 * * *
sourcetype = _json
//配置监控文件
# inputs.conf: tail a single file.
[monitor:///opt/log/log4.txt]
disabled = false
index = xxx
# Overrides the default source (the monitored file path) with a fixed value.
# NOTE(review): the original path is then absent from the source field — confirm this is intended.
source = xxx.xxx.xxx.xxx:514
sourcetype = xxx
//查看系统
cat /etc/redhat-release
//抓包命令
tcpdump -i ens160 dst host 192.168.1.1 and tcp port 22
//windows抓包
netsh trace start capture=yes traceFile="c:\\snmp.etl" overwrite=yes correlation=no protocol=udp ipv4.address=xxx.xxx.xxx.xxx
netsh trace stop
splunk常用命令:
//配置环境变量
source /opt/splunk/bin/setSplunkEnv
//第一次启动splunk
$SPLUNK_HOME/bin/splunk start --accept-license
//数据转发
$SPLUNK_HOME/bin/splunk list forward-server
$SPLUNK_HOME/bin/splunk add forward-server xxx.xxx.xxx.xxx:9997
//配置部署服务器
$SPLUNK_HOME/bin/splunk show deploy-poll
$SPLUNK_HOME/bin/splunk set deploy-poll xxx.xxx.xxx.xxx:8089
$SPLUNK_HOME/bin/splunk disable deploy-client
$SPLUNK_HOME/bin/splunk disable deploy-server
//设置开机启动
$SPLUNK_HOME/bin/splunk enable boot-start
$SPLUNK_HOME/bin/splunk disable boot-start
$SPLUNK_HOME/bin/splunk display boot-start
//配置监控文件路径
$SPLUNK_HOME/SplunkUniversalForwarder/bin/splunk add monitor "文件路径" -index main -sourcetype vpn
//检查配置
$SPLUNK_HOME/bin/splunk btool --debug inputs list monitor:///var/log
$SPLUNK_HOME/bin/splunk btool --debug inputs list monitor
//检查input状态
$SPLUNK_HOME/bin/splunk list inputstatus
//重新索引
$SPLUNK_HOME/bin/splunk cmd btprobe -d $SPLUNK_HOME/var/lib/splunk/fishbucket/splunk_private_db --file /opt/log/vmail/iis_vmail2.log --reset
//查看配置
$SPLUNK_HOME/bin/splunk show config inputs
//查看端口
$SPLUNK_HOME/bin/splunk show web-port
$SPLUNK_HOME/bin/splunk show splunkd-port
$SPLUNK_HOME/bin/splunk show servername
$SPLUNK_HOME/bin/splunk show default-hostname
//修改密码
$SPLUNK_HOME/bin/splunk edit user admin -oldpassword xxx -password xxx
//刷新配置
wget https://localhost:8089/services/data/inputs/monitor/_reload --post-data '' --no-check-certificate --user xx --password xxx -O -
//刷新搜索时配置
http://localhost:8000/en-US/debug/refresh
//查询配置修改
index=_configtracker sourcetype=splunk_configuration_change
//查询配置修改人
index=_audit sourcetype=audittrail savedsearch_name="xxx"
splunk常用配置:
//创建索引
# indexes.conf stanza for a custom index; bucket paths live under $SPLUNK_DB.
[test_index]
homePath = $SPLUNK_DB/test_index/db
coldPath = $SPLUNK_DB/test_index/colddb
thawedPath = $SPLUNK_DB/test_index/thaweddb
# 0 leaves Splunk's data-integrity hashing off for this index.
# NOTE(review): confirm that is acceptable if the index will hold audit or security data.
enableDataIntegrityControl = 0
# 0 keeps full tsidx files for older buckets (no reduction).
enableTsidxReduction = 0
# 512000 MB = 500 GiB total for the index; the oldest buckets are frozen once it is exceeded.
maxTotalDataSizeMB = 512000
# 15552000 s = 180 days before a bucket is frozen (deleted unless coldToFrozenDir/coldToFrozenScript is set).
frozenTimePeriodInSecs = 15552000
//转发数据 outputs.conf
# outputs.conf: forward to two indexers with automatic load balancing.
[tcpout]
defaultGroup = default-autolb-group
[tcpout-server://192.168.1.2:9997]
[tcpout-server://192.168.1.3:9997]
[tcpout:default-autolb-group]
disabled = false
# Receivers; each indexer must have a receiving input on 9997.
# NOTE(review): no TLS-related setting appears in this stanza, so the forwarder-to-indexer
# link is presumably unencrypted unless configured elsewhere — confirm.
server = 192.168.1.2:9997, 192.168.1.3:9997
//接收指定IP的数据
# inputs.conf: UDP receiver on port 514 that accepts datagrams only from the listed sender IP.
[udp://xxx.xxx.xxx.xxx:514]
# On-disk buffer used when the input cannot keep up.
persistentQueueSize=100MB
# Set the host field from the sender's IP address.
# NOTE(review): UDP carries no sender authentication, so both this sender filter and the
# resulting host value are only as trustworthy as the network path to the receiver.
connection_host = ip
index = xxx
sourcetype = xxxx
//配置脚本输入数据
# inputs.conf: scripted input; device.sh is run on a schedule and its stdout is indexed.
# NOTE(review): the script runs with splunkd's privileges, so keep it non-writable by other users.
[script://$SPLUNK_HOME/etc/apps/xxx/bin/device.sh]
disabled = false
index = snmp
# Run every 60 seconds.
interval = 60.0
sourcetype = snmp
# "或" (or): the two lines below are an ALTERNATIVE to the interval/sourcetype above, not additions.
# Keep exactly one interval and one sourcetype per stanza — a repeated key does not give two values.
或
# Cron form: daily at 01:00.
interval = 0 1 * * *
sourcetype = _json
//配置监控文件
# inputs.conf: tail a single file.
[monitor:///opt/log/log4.txt]
disabled = false
index = xxx
# Overrides the default source (the monitored file path) with a fixed value.
# NOTE(review): the original path is then absent from the source field — confirm this is intended.
source = xxx.xxx.xxx.xxx:514
sourcetype = xxx
//提取字段
props.conf
# REPORT-<name> points at a transforms.conf stanza that is applied at search time.
# NOTE(review): in props.conf this line must sit under a [<sourcetype>] or [source::...] stanza;
# that header is missing from these notes.
REPORT-waf_request_header = waf_request_header
transforms.conf
# Extract "key"="value" pairs from the request_header field:
# capture 1 becomes the field name, capture 2 its value.
[waf_request_header]
REGEX="([^"]*)"="([^"]*)"
SOURCE_KEY=request_header
# $1::$2 is Splunk's <field name>::<field value> form.
# NOTE(review): field names are taken verbatim from client-supplied header data, so expect
# arbitrary names and high field cardinality — confirm that is acceptable for this sourcetype.
FORMAT=$1::$2
# props.conf sourcetype stanza (xx is a placeholder name).
[xx]
# Empty value — presumably falls back to Splunk's default timestamp-extraction rules; confirm.
DATETIME_CONFIG =
# Split raw data on one or more CR/LF characters.
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
# Syslog-style timestamp with no year; the year has to be inferred at index time.
TIME_FORMAT = %b %d %H:%M:%S
# UI metadata: lists this sourcetype under "Custom" in the Add Data picker.
category = Custom
pulldown_type = true
# true = lines may be merged into multi-line events after breaking.
SHOULD_LINEMERGE = true