■ Trying out the "Splunk Universal Forwarder" for Windows 7 x64.

Splunk Universal Forwarder
http://www.splunk.com/en_us/download/universal-forwarder.html

$ md5sum < splunkforwarder-6.3.1-f3e41e4b37b2-x64-release.msi
bd413faf595eb4385b2a63bafaf51683  -

■ Install the IIS server and Telnet server on Windows 7 x64

$ telnet 192.168.152.129

C:\Users\labunix>chcp 65001

C:\Users\labunix>net user labunix | findstr "Memberships"
Local Group Memberships      *Administrators       *TelnetClients

C:\Users\labunix>systeminfo | findstr "^OS"
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free

C:\Users\labunix>netstat -an | findstr ":80"
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.168.152.129:49189  72.246.190.58:80       SYN_SENT
  TCP    [::]:80                [::]:0                 LISTENING

C:\Users\labunix>dir c:\inetpub\logs\LogFiles\W3SVC1\u_ex151118.log
 Volume in drive C has no label.
 Volume Serial Number is 787F-EF24

 Directory of c:\inetpub\logs\LogFiles\W3SVC1

2015/11/18  22:54               907 u_ex151118.log
               1 File(s)            907 bytes
               0 Dir(s)  51,384,545,280 bytes free

■ The "c:\inetpub\logs\LogFiles\W3SVC1" directory is the forwarding target.

C:\Users\labunix>cd desktop

C:\Users\labunix\Desktop>dir s*
 Volume in drive C has no label.
 Volume Serial Number is 787F-EF24

 Directory of C:\Users\labunix\Desktop

2015/11/18  22:42        54,448,128 splunkforwarder-6.3.1-f3e41e4b37b2-x64-release.msi
               1 File(s)     54,448,128 bytes
               0 Dir(s)  51,384,520,704 bytes free

■ Install with the GUI installer.

C:\Users\labunix\Desktop>net start | findstr /i "splunk"
   SplunkForwarder Service

C:\Users\labunix\Desktop>sc query | findstr /i "splunk"
SERVICE_NAME: SplunkForwarder
DISPLAY_NAME: SplunkForwarder Service

C:\Users\labunix\Desktop>tasklist | findstr /i "splunk"
splunkd.exe                   2680 Services                   0     51,840 K

C:\Users\labunix\Desktop>netstat -ano | findstr "2680"
  TCP    0.0.0.0:8089           0.0.0.0:0              LISTENING       2680

■ On Debian jessie, open [Settings] -> [Distributed environment] -> [Forwarder management] and confirm that the host name appears in the list on the [Clients] tab.

I installed the Splunk trial edition as a deb package here:
http://labunix.hateblo.jp/entry/20151118/1447785292

■ On Debian jessie, under [Settings] -> [Forwarding and receiving] -> [Receive data], confirm that port [9997] is listening and its status is [Enabled].

$ sudo find /opt/splunk/etc/ -type f -name "*conf" -print | sudo grep "\:8089\|\:9997" `xargs`
/opt/splunk/etc/modules/distributedDeployment/classes/deployable/outputs.conf:server=YourDeploymentServerHostname:9997
/opt/splunk/etc/system/default/web.conf:mgmtHostPort = 127.0.0.1:8089

$ sudo netstat -anp | awk '/^tcp.*splunk/ && !/127.0.0.1/'
tcp        0      0 0.0.0.0:9997            0.0.0.0:*               LISTEN      7207/splunkd
tcp        0      0 0.0.0.0:8089            0.0.0.0:*               LISTEN      7207/splunkd
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      7207/splunkd
tcp        0      0 172.31.31.60:8089       172.31.31.90:39294      ESTABLISHED 7207/splunkd
tcp        0      0 172.31.31.60:8000       172.31.31.90:56650      ESTABLISHED 7207/splunkd
tcp        0      0 172.31.31.60:8000       172.31.31.90:56644      ESTABLISHED 7207/splunkd
tcp        0      0 172.31.31.60:8000       172.31.31.90:56651      ESTABLISHED 7207/splunkd
tcp        0      0 172.31.31.60:8000       172.31.31.90:56645      ESTABLISHED 7207/splunkd
tcp        0      0 172.31.31.60:9997       172.31.31.90:36187      ESTABLISHED 7207/splunkd
tcp        0      0 172.31.31.60:8000       172.31.31.90:56646      ESTABLISHED 7207/splunkd
tcp        0      0 172.31.31.60:8000       172.31.31.90:56647      ESTABLISHED 7207/splunkd

■ Check the Splunk Universal Forwarder side on Windows 7 as well

C:\Users\labunix>tasklist | findstr /i "splunk"
splunkd.exe                   2920 Services                   0     55,344 K

C:\Users\labunix>netstat -aon | findstr "2920"
  TCP    0.0.0.0:8089           0.0.0.0:0              LISTENING       2920
  TCP    192.168.152.129:49165  172.31.31.60:9997      ESTABLISHED     2920

C:\Users\labunix>findstr "^11-19-2015.22:56.*172" "c:\Program Files\SplunkUniversalForwarder\var\log\splunk\metrics.log"
11-19-2015 22:56:24.987 +0900 INFO  Metrics - group=tcpout_connections, name=default-autolb-group:172.31.31.60:9997:0, sourcePort=8089, destIp=172.31.31.60, destPort=9997, _tcp_Bps=257.77, _tcp_KBps=0.25, _tcp_avg_thruput=0.26, _tcp_Kprocessed=2388, _tcp_eps=0.17, kb=7.55
11-19-2015 22:56:55.984 +0900 INFO  Metrics - group=tcpout_connections, name=default-autolb-group:172.31.31.60:9997:0, sourcePort=8089, destIp=172.31.31.60, destPort=9997, _tcp_Bps=280.90, _tcp_KBps=0.27, _tcp_avg_thruput=0.26, _tcp_Kprocessed=2396, _tcp_eps=0.23, kb=8.23

■ Finish by confirming in [Search] that common HTTP methods such as [GET] can be searched.
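The ESTABLISHED socket in netstat and the group=tcpout_connections entries in metrics.log are the two pieces of evidence above that the forwarder actually reached the indexer. As an added example (not code from the original post or from Splunk), the Python below parses such metrics.log lines, aggregates the tcpout_connections samples per destination, and answers the question a practitioner wants answered before searching: did any data move to the expected indexer:port, not just was a socket open. The embedded log lines are constructed from the two entries above plus one assumed group=thruput line to show that other metric groups are ignored; LINE_RE, KV_RE, tcpout_summary and forwarder_is_sending are names of my own.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the two tcpout_connections entries shown above;
# the group=thruput line is an assumed extra entry so the filter has something
# to skip. This is not a capture from a live host.
SAMPLE_METRICS_LOG = """\
11-19-2015 22:56:24.987 +0900 INFO  Metrics - group=tcpout_connections, name=default-autolb-group:172.31.31.60:9997:0, sourcePort=8089, destIp=172.31.31.60, destPort=9997, _tcp_Bps=257.77, _tcp_KBps=0.25, _tcp_avg_thruput=0.26, _tcp_Kprocessed=2388, _tcp_eps=0.17, kb=7.55
11-19-2015 22:56:24.987 +0900 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=0.26, instantaneous_eps=0.17, average_kbps=0.26, total_k_processed=2388, kb=7.55, ev=5
11-19-2015 22:56:55.984 +0900 INFO  Metrics - group=tcpout_connections, name=default-autolb-group:172.31.31.60:9997:0, sourcePort=8089, destIp=172.31.31.60, destPort=9997, _tcp_Bps=280.90, _tcp_KBps=0.27, _tcp_avg_thruput=0.26, _tcp_Kprocessed=2396, _tcp_eps=0.23, kb=8.23
"""

# "<MM-DD-YYYY> <HH:MM:SS.mmm> <tz> <LEVEL>  Metrics - key=value, key=value, ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>[A-Z]+)\s+Metrics - (?P<kv>.*)$"
)
# key=value pairs separated by ", "; a value may be double-quoted
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^,]+)')


def parse_metrics_line(line):
    """Return the fields of one metrics.log line as a dict, or None when the
    line is not a Metrics line (splunkd writes other messages to the file)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {"_time": m.group("ts"), "_level": m.group("level")}
    for key, value in KV_RE.findall(m.group("kv")):
        fields[key] = value.strip().strip('"')
    return fields


def tcpout_summary(text):
    """Aggregate group=tcpout_connections samples per (destIp, destPort):
    sample count, total kb pushed, peak _tcp_KBps and the last sample time."""
    per_dest = defaultdict(lambda: {"samples": 0, "kb_total": 0.0,
                                    "peak_kbps": 0.0, "last_seen": None})
    for line in text.splitlines():
        f = parse_metrics_line(line)
        if not f or f.get("group") != "tcpout_connections":
            continue
        if "destIp" not in f or "destPort" not in f:
            continue
        d = per_dest[(f["destIp"], int(f["destPort"]))]
        d["samples"] += 1
        d["kb_total"] += float(f.get("kb", 0))
        d["peak_kbps"] = max(d["peak_kbps"], float(f.get("_tcp_KBps", 0)))
        d["last_seen"] = f["_time"]
    return dict(per_dest)


def forwarder_is_sending(text, indexer_ip, indexer_port=9997):
    """True only when tcpout samples to the expected indexer show bytes
    actually leaving (kb > 0), which a LISTEN or ESTABLISHED socket alone
    does not prove."""
    d = tcpout_summary(text).get((indexer_ip, indexer_port))
    return d is not None and d["kb_total"] > 0


if __name__ == "__main__":
    for (ip, port), s in tcpout_summary(SAMPLE_METRICS_LOG).items():
        print("%s:%d  samples=%d  kb=%.2f  peak_KBps=%.2f  last=%s"
              % (ip, port, s["samples"], s["kb_total"], s["peak_kbps"],
                 s["last_seen"]))
    print("sending to 172.31.31.60:9997 ->",
          forwarder_is_sending(SAMPLE_METRICS_LOG, "172.31.31.60"))
```

On a real host, replace SAMPLE_METRICS_LOG with the contents of c:\Program Files\SplunkUniversalForwarder\var\log\splunk\metrics.log (the file queried with findstr above). Note what this does and does not prove: kb > 0 on the tcpout connection shows the forwarder pushed data to 172.31.31.60:9997, but not that it was the IIS log under W3SVC1; the final [Search] for GET is still the check that the intended input is being read.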