Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About mshilston
mshilston
Path Finder
Member since:
04-11-2017
10-16-2020
Community Statistics
| Posts | 17 |
| Solutions | 1 |
| Karma Given | 3 |
| Karma Received | 0 |
| Member Since | 04-11-2017 |
Activity Feed
- Karma Re: Cisco ASA Add-in and getting data in... for xpac. 06-05-2020 12:49 AM
- Karma Re: Combine search head and indexer in a cluster? for martin_mueller. 06-05-2020 12:48 AM
- Karma Re: Combine search head and indexer in a cluster? for hsesterhenn_spl. 06-05-2020 12:48 AM
- Posted VMware Syslog to Splunk via Kiwi on All Apps and Add-ons. 06-04-2018 08:53 AM
- Tagged VMware Syslog to Splunk via Kiwi on All Apps and Add-ons. 06-04-2018 08:53 AM
- Tagged VMware Syslog to Splunk via Kiwi on All Apps and Add-ons. 06-04-2018 08:53 AM
- Tagged VMware Syslog to Splunk via Kiwi on All Apps and Add-ons. 06-04-2018 08:53 AM
- Posted Re: Cisco ASA Add-in and getting data in... on All Apps and Add-ons. 05-15-2018 05:36 AM
- Posted Re: Cisco ASA Add-in and getting data in... on All Apps and Add-ons. 05-14-2018 11:57 PM
- Posted Cisco ASA Add-in and getting data in... on All Apps and Add-ons. 05-14-2018 08:26 AM
- Tagged Cisco ASA Add-in and getting data in... on All Apps and Add-ons. 05-14-2018 08:26 AM
- Tagged Cisco ASA Add-in and getting data in... on All Apps and Add-ons. 05-14-2018 08:26 AM
- Posted Re: Splunk TA Add-ins on All Apps and Add-ons. 04-19-2018 08:19 AM
- Posted Splunk TA Add-ins on All Apps and Add-ons. 04-19-2018 07:53 AM
- Tagged Splunk TA Add-ins on All Apps and Add-ons. 04-19-2018 07:53 AM
- Posted Re: Where to add a file monitor input to monitor a Syslog log and where would it be best to define the input and associated index? on All Apps and Add-ons. 02-06-2018 12:10 AM
- Posted Re: Where to add a file monitor input to monitor a Syslog log and where would it be best to define the input and associated index? on All Apps and Add-ons. 02-02-2018 03:15 AM
- Posted Where to add a file monitor input to monitor a Syslog log and where would it be best to define the input and associated index? on All Apps and Add-ons. 02-01-2018 06:46 AM
- Tagged Where to add a file monitor input to monitor a Syslog log and where would it be best to define the input and associated index? on All Apps and Add-ons. 02-01-2018 06:46 AM
- Tagged Where to add a file monitor input to monitor a Syslog log and where would it be best to define the input and associated index? on All Apps and Add-ons. 02-01-2018 06:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
06-04-2018
08:53 AM
Hi All,
I've read a few threads about this but am not finding the answer to my specific issue so am posting here.
My vCenter (VCSA) and all ESXi hosts are currently outputting Syslog to a Kiwi Syslog server which is writing the stream out to a folder set split by host.
I've downloaded the Splunk Add-in for VMware placed the Splunk_TA_vcenter and Splunk_TA_esxilogs in the /etc/apps folder of the Kiwi servers UF directory.
Under Splunk_TA_vcenter I have created a /local/inputs.conf and set up a [monitor] stanza to monitor the folder the ESXi logs are being written to. This was modified from an example in the default folder...
[monitor://c:\syslogd\logs\esxiserver1]
disabled = 0
index = vmware_syslog
sourcetype = syslog
If I look at the data in Splunk, the 'host' field is wrong as it appears to relate to the Syslog level i.e. "User.Info". I can correct this by adding a 'host' field to the monitor stanza, but I'm not sure if this is the best way?
Also, I'm not sure if the sourcetype is correct as the example in copied from the default folder specifies a sourcetype of cvlog. Should I be using that or syslog?
In addition to the above, the log format in Kiwi is set to Kiwi format ISO yyyy-mm-dd (Tab delimited). I can't see any documentation that recommends a specific format for use with Splunk so have just used this as the default.
In terms of the Splunk_TA_esxilogs inputs, the only example assumes a TCP or UDP stream. Am I able to just set up a monitor stanza as before? I'm thinking now that the Kiwi log format is quite important as it will differ from a direct TCP stream if is adding bits to the file.
My goal at this stage is just to have data correctly ingested into Splunk but I'm not sure I've achieved this yet.
Any advice welcome,
M
... View more
05-15-2018
05:36 AM
Thanks xpac, that is really helpful advice.
... View more
05-14-2018
11:57 PM
OK thanks,
So just to I'm clear, it would be acceptable to create an /local/inputs.conf within the App structure and monitor files so long as I define the correct sourcetype within the monitor stanza?
Or would it be considered against best practice to modify a pre-built Apps structure? In this case would it be better to create a new app?
M
... View more
05-14-2018
08:26 AM
Hi All,
I'm looking at configuring inputs for the Cisco ASA add-on on my UF as per;
HERE
My understanding was that the best practice was to send any Syslog streams to a Syslog server and then read the resulting output files with a file monitor.
This seems to suggest you just sent directly to Splunk.
How can I set up this add-in to use an inputs.conf file containing appropriate file monitors? Is that supported?
Many thanks!
M
... View more
04-19-2018
08:19 AM
OK, thanks for responsing to this.
I can certainly see the pitfalls and I think you've made a good case here for not doing what I'm suggesting with inputs.conf files. I have perhaps misunderstood some advise I received on extracting things like the outputs.conf and indexes.conf into custom Apps. I suppose these are likely to be more common throughout a deployment...
M
... View more
04-19-2018
07:53 AM
Hi All,
I've recently been looking at Splunk again after a few months away and have decided to look at using some TA add-ins.
I understand in order to work the configuration files in a more managable way it is possible to extract (for example) the inputs.conf from several TA add-ins and combine in a custom app.
Say for example I have the Splunk_TA_Windows add-in and the Splunk_TA_Cisco, both have an indexes.conf so rather than distributing two differnt files I could create an 'indexes' App and combine all settings in one file.
Is that also possible with the inputs.conf file? Are there any issues breaking out input files from their original bundle into new Apps or should they be kept with their source files generally ?
Thanks in advance,
M
... View more
- Tags:
- splunk-enterprise
02-06-2018
12:10 AM
Quick update:
I've got a situation now where I've installed the Splunk_TA_windows app on my Search Head, Indexers and Forwarders. That is, each instance has the full Splunk_TA_windows folder located under /etc/apps/ and then I've copied an 'inputs.conf' and 'indexes.conf' into the /local/ folder under the App and edited the index location and enabled the inputs.
I have also created a Syslog app, named Splunk_TA_syslog and placed that in the /etc/apps/ folder.
I know have files in multiple places;
- /etc/apps/Splunk_TA_windows/local/indexes.conf (to define WIndows indexes)
- /etc/apps/Splunk_TA_windows/local/inputs.conf (to define Windows inputs)
- /etc/apps/Splunk_TA_syslog/local/indexes.conf (to define syslog Indexes)
- /etc/apps/Splunk_TA_syslog/local/inputs.conf (to define syslog inputs)
But also;
- /etc/system/local/outputs.conf (to define global outputs for instances)
- /etc/system/local/server.conf (to define global SSL settings)
I've been basically defining what I consider 'global' settings within the system/local folders and app based settings at the app folder level. Is that correct? It is best practice?
... View more
02-02-2018
03:15 AM
OK thanks, so it sounds like most inputs are best configured via an App folder - I know the highest weighted values are in the system/local folder, it's more my understanding of when and when not to use this location!
... View more
02-01-2018
06:46 AM
Hi,
I have a best practice question around index creation.
I'm planning on having data come from both Windows Event Logs and Syslog sources.
The Splunk_TA_windows addon nicely compartmentalizes the index and input config files that are required in a folder.
If I then wanted to add a file monitor input to monitor a Syslog log, where would it be best to define the input and associated index? I know it will work if I put the required config files in etc/system/local but should I be looking to create an app folder or the like?
Many thanks,
M
... View more
02-01-2018
01:38 AM
OK, so after digging around it appears that it was indexing correctly, just that it wasn't re-reading old event logs due to the following files being present;
$SPLUNK_HOME\var\lib\splunk\modinputs\WinEventLog\
Once I cleared these out everything started working as expected 🙂
... View more
01-31-2018
08:19 AM
Hi All,
I've been thinking for some time that I am not getting the performance I should be out of my Splunk setup and I'd like some advice for troubleshooting.
Currently, I have a single Search Head, which is searching across two Indexers (non-clustered) and a few Universal Forwarders.
They are all VMs, but with 4vCPUs and 10GB RAM and are idle most of the time. Forgetting the complete setup for now, I am focusing on a test which involved me stopping the services on Indexer 1 and clearing the indexes on it, including the fishbuket index.
I have three inputs for Event Logs;
- Application log going to an 'application' index
- Security log going to a 'security' index
- System log going to a 'system' index
All indexes are defined in the indexes.conf
I have configued the inputs.conf to collect local event logs on Indexer 1, so when I restart the services I expect it to start filling up the three indexes I have defined from the local Event Logs of the same name. This does happen, but really slowly - I think it Indexed about 300 Event Logs in 45 minutes.
Does anyone have any idea why this would be slow and how I might troubleshoot it?
Many thanks!
M
... View more
04-20-2017
08:16 AM
Thanks koshyk,
To clarify, DCA will contain an active set of Splunk services that are replicated to the secondary. Without going into details, the whole solution will just come up and work in DC2 in the event of failure.
I suppose what I'm interested in is the ability of Splunk Enterprise Indexer clusters to forward and the benefit of doing this over having Heavy Forwarders configured. I understand a Heavy Forwarder is a Splunk Enterprise instance that can do everything except distributed search. By that I understand the built in Search Head could not search other Indexers elsewhere, presumably because a Heavy Forwarder is designed to run as an 'all in one' component. Is that correct?
Can you cluster Heavy Forwarders?
Noted around 3rd party dependency. I would impliment a syslog server in this case.
Thanks for your help,
M
... View more
04-19-2017
03:55 AM
Hi,
I'm hoping for some advice as I'm trying to understand the best way to configure Splunk components in the scenario below.
I have two Datacentres (DC) that operate as Active / Passive. Datacentre A (DCA) will be the active DC running all services and within it I will have a few hundred Windows machines with Universal Forwarders installed.
My current plan is to create an Indexer cluster consisting of two Indexers; not to share load but allow increased processing. There will then be a single standalone Search Head and a single cluster Master instance giving me a total of 4 separate machines in DCA.
I understand this is the first way to start scaling out, so in the future it would be easy to add more Indexers or move to a Search Head cluster if required. I think given the volume I am expecting to process I would be following a Splunk 'Small Enterprise' deployment.
The first bit I am unclear on is around forwarding from this cluster. If I wanted the Indexing cluster in DCA to forward data onto a 3rd party SOC for example, is that possible? I think where I'm getting confused is having read that an Indexer that forwards is actually a 'Heavy Forwarder', not an Indexer. Can an Indexer clusterer forward too?
If this is possible, it answers my second question. I want to mirror the DCA setup in a branch office that might have a poor link. If the link went down, could the Splunk Indexer cluster be configured to continue processing data locally and forward it onto DCA when it was back online?
Originally, I was thinking I would just use a Heavy Forwarder in a branch office, but that was because it seemed to me like Indexer clusters could not forward data.
I'm just not sure if I need a Heavy Forwarder or an Indexer cluster for this setup. I assume you can't cluster Heavy Forwarders so there would be processing constraints there?
Many thanks!
M
... View more
04-12-2017
08:44 AM
Thanks Holger,
I think initially I'm looking at the 4 server deployment above; Index Cluster with two nodes, one Master Node and one Search Head. This seems suitable for initial volumes and we can scale out later.
I will certainly look at engaging the professional services as I progress with this.
M
... View more
04-12-2017
04:00 AM
OK thanks, so that would be 7 servers in total then.
I assume if I didn't cluster the Indexes it would be 6?
... View more
04-12-2017
02:08 AM
Thanks garethatiag,
Following further reading and having considered again the requirements for what I am trying to achieve, I think I would want to have a resilient search head cluster after all.
I'm looking at this topology now; http://docs.splunk.com/File:SH_cluster_single_site_indexer.png
In this case, I think I am looking at the following;
- 1 x Deployer
- 3 x Search Heads
- 2 x Indexers
- 200+ Universal Forwarders
So... 6 servers?
Only thing I'm not clear on is if I need a separate 'Master Node' for the Indexers as shown, or can one of my two 'Indexers' act as the master node?
Thanks again!
M
... View more
04-11-2017
05:56 AM
Hi,
I'm hoping someone can help me to understand if the following is possible with Splunk Enterprise as I'm just learning about the various components for a design I'm writing.
The environment I'm working with will have around 100 Windows VMs initially, growing to 200+, probably across a few domains. There will also be networking devices to support that infrastructure which we want to be able to collect logs from as well.
We are going to have two sites (active / passive) and I have two virtual servers in each site assigned to Splunk, although the DR site will be a standby. I'm trying to work with these two VMs without requesting more, although it may be possible to add more.
From what I've read, I think I would be looking at a Data Consolidation topology i.e. multiple universal forwarders pushing data to an indexer / search server. If I wanted to consider high availability options within a single site, I might want to cluster the indexers, but as I only have two servers I'm wondering if it's possible to create a two node cluster hosting both the search and indexing roles?
I don't think this is possible, as under the 'Cluster Nodes' guidance, it states that "Master nodes, peer nodes, and search heads are all specialized Splunk Enterprise instances. All nodes must reside on separate instances and separate machines." - this looks to me like I wouldn't be able to have a cluster with just two servers regardless.
The other option I'm looking at would be to have one server as an Indexer and one as a search / indexer. Forwarders could then get data into the Indexers from the 100+ VMs.
We do have DR options available and will be backing up, so high availability is not necessarily required and could be added later with increased demand.
I suppose the questions are;
1) Is a clustering solution possible with two servers, or what would the minimum number of servers be? Could it be done with 3; two indexers and one search head, or would I need to have a seperate Master Node as well?
2) Am I right in thinking that if I had one server as an Indexer and one as an Indexer / search server, if the dedicated Indexer went down, the results would be incomplete? Furthermore, if the search server went down search would therefore be totally unavaiiable?
3) Is it possible to have two servers running as both Indexers and Search servers, or would I need a search head to manage both indexers in this case?
Many thanks!
M
... View more
- Tags:
- splunk-enterprise
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
10-16-2020
04:01 AM
|
