■ Installing the Splunk Universal Forwarder on Windows 7 x64.
Splunk Universal Forwarder
http://www.splunk.com/en_us/download/universal-forwarder.html
$ md5sum < splunkforwarder-6.3.1-f3e41e4b37b2-x64-release.msi
bd413faf595eb4385b2a63bafaf51683 -
■ Install IIS and the Telnet server on Windows 7 x64. (Telnet carries the whole session, credentials included, in cleartext; this is only acceptable on an isolated lab network like the one below.)
$ telnet 192.168.152.129
C:\Users\labunix>chcp 65001
C:\Users\labunix>net user labunix | findstr "Memberships"
Local Group Memberships *Administrators *TelnetClients
C:\Users\labunix>systeminfo | findstr "^OS"
OS Name: Microsoft Windows 7 Enterprise
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
C:\Users\labunix>netstat -an | findstr ":80"
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING
TCP 192.168.152.129:49189 72.246.190.58:80 SYN_SENT
TCP [::]:80 [::]:0 LISTENING
C:\Users\labunix>dir c:\inetpub\logs\LogFiles\W3SVC1\u_ex151118.log
Volume in drive C has no label.
Volume Serial Number is 787F-EF24
Directory of c:\inetpub\logs\LogFiles\W3SVC1
2015/11/18 22:54 907 u_ex151118.log
1 File(s) 907 bytes
0 Dir(s) 51,384,545,280 bytes free
■ The directory c:\inetpub\logs\LogFiles\W3SVC1 (the IIS site log shown above) is the forwarding target.
C:\Users\labunix>cd desktop
C:\Users\labunix\Desktop>dir s*
Volume in drive C has no label.
Volume Serial Number is 787F-EF24
Directory of C:\Users\labunix\Desktop
2015/11/18 22:42 54,448,128 splunkforwarder-6.3.1-f3e41e4b37b2-x64-release.msi
1 File(s) 54,448,128 bytes
0 Dir(s) 51,384,520,704 bytes free
■ Install with the GUI installer (it asks for the receiving indexer, the deployment server and the local data to monitor).
C:\Users\labunix\Desktop>net start | findstr /i "splunk"
SplunkForwarder Service
C:\Users\labunix\Desktop>sc query | findstr /i "splunk"
SERVICE_NAME: SplunkForwarder
DISPLAY_NAME: SplunkForwarder Service
C:\Users\labunix\Desktop>tasklist | findstr /i "splunk"
splunkd.exe 2680 Services 0 51,840 K
C:\Users\labunix\Desktop>netstat -ano | findstr "2680"
TCP 0.0.0.0:8089 0.0.0.0:0 LISTENING 2680
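What the installer's choices amount to on disk, written out as an added example rather than files copied from this install: a monitor input for the IIS log directory named above and a tcpout group aimed at the Debian indexer, followed by a TLS variant that is not on the page. The file locations, the `iis` sourcetype, the certificate paths and the TLS key names are assumptions; the key names follow the Splunk 6.x inputs.conf.spec, outputs.conf.spec and server.conf.spec and should be checked against the spec files shipped with your version.

```ini
# --- inputs.conf on the Windows 7 forwarder
# (assumed path: %SPLUNK_HOME%\etc\system\local\inputs.conf; the installer may use an app directory)
[monitor://c:\inetpub\logs\LogFiles\W3SVC1]
# 'iis' is Splunk's pretrained sourcetype for W3C-format IIS logs (assumption: use what your indexer parses)
sourcetype = iis
disabled = 0

# --- outputs.conf on the forwarder, plaintext as set up on this page
# (the group name is the one that appears in the forwarder's metrics.log)
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 172.31.31.60:9997
# indexer acknowledgement: unacknowledged events are resent if the link drops
useACK = true

# --- outputs.conf, hardened variant (assumption, not on the page): use INSTEAD of the stanza above.
# Same group over TLS with server-certificate verification and a client certificate.
[tcpout:default-autolb-group]
server = 172.31.31.60:9997
useACK = true
sslRootCAPath = $SPLUNK_HOME\etc\auth\mycerts\cacert.pem
sslCertPath = $SPLUNK_HOME\etc\auth\mycerts\forwarder.pem
sslPassword = <password of the forwarder key>
sslVerifyServerCert = true
sslCommonNameToCheck = <CN in the indexer's certificate>

# --- inputs.conf on the Debian indexer for the hardened variant
# (replaces the [splunktcp://9997] stanza that the UI's "Receive data" page writes)
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer.pem
password = <password of the indexer key>
# refuse forwarders that do not present a certificate signed by the CA below
requireClientCert = true

# --- server.conf on the indexer: CA used to validate forwarder certificates
[sslConfig]
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/cacert.pem
```

Two things to take from the checks above: the forwarder's splunkd is listening on 0.0.0.0:8089, and nothing needs to reach that port from outside the host. The forwarder polls the deployment server and opens the 9997 connection itself, so inbound 8089 can be blocked on Windows 7 with `netsh advfirewall firewall add rule name="Block inbound splunkd mgmt" dir=in action=block protocol=TCP localport=8089` unless you manage the forwarder remotely over its REST port. With the `iis` sourcetype the method field is extracted from the log's `#Fields:` header, so the final search on this page becomes `sourcetype=iis cs_method=GET`.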
■ On the Debian jessie side, open [Settings] -> [Distributed Environment] -> [Forwarder Management]
and confirm that the Windows host appears in the [Clients] tab (the forwarder shows up there because it registers with this server as a deployment client).
The Splunk evaluation edition was installed on that host from the deb package earlier:
http://labunix.hateblo.jp/entry/20151118/1447785292
■ On Debian jessie, open [Settings] -> [Forwarding and receiving] -> [Receive data]
and confirm that the listener on [9997] shows status [Enabled].
$ sudo find /opt/splunk/etc/ -type f -name "*conf" -print | sudo grep "\:8089\|\:9997" `xargs`
/opt/splunk/etc/modules/distributedDeployment/classes/deployable/outputs.conf:server=YourDeploymentServerHostname:9997
/opt/splunk/etc/system/default/web.conf:mgmtHostPort = 127.0.0.1:8089
Neither hit is the live receiving configuration: the first is a deployment-server template with a placeholder hostname, the second is the stock web.conf. Enabling receiving in the UI writes a [splunktcp://9997] stanza to inputs.conf, which this pattern (":9997") misses because the stanza reads "://9997"; the netstat listener below is the authoritative check.
$ sudo netstat -anp | awk '/^tcp.*splunk/ && !/127.0.0.1/'
tcp 0 0 0.0.0.0:9997 0.0.0.0:* LISTEN 7207/splunkd
tcp 0 0 0.0.0.0:8089 0.0.0.0:* LISTEN 7207/splunkd
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN 7207/splunkd
tcp 0 0 172.31.31.60:8089 172.31.31.90:39294 ESTABLISHED 7207/splunkd
tcp 0 0 172.31.31.60:8000 172.31.31.90:56650 ESTABLISHED 7207/splunkd
tcp 0 0 172.31.31.60:8000 172.31.31.90:56644 ESTABLISHED 7207/splunkd
tcp 0 0 172.31.31.60:8000 172.31.31.90:56651 ESTABLISHED 7207/splunkd
tcp 0 0 172.31.31.60:8000 172.31.31.90:56645 ESTABLISHED 7207/splunkd
tcp 0 0 172.31.31.60:9997 172.31.31.90:36187 ESTABLISHED 7207/splunkd
tcp 0 0 172.31.31.60:8000 172.31.31.90:56646 ESTABLISHED 7207/splunkd
tcp 0 0 172.31.31.60:8000 172.31.31.90:56647 ESTABLISHED 7207/splunkd
■ Also check from the Splunk Universal Forwarder side on Windows 7
C:\Users\labunix>tasklist | findstr /i "splunk"
splunkd.exe 2920 Services 0 55,344 K
C:\Users\labunix>netstat -aon | findstr "2920"
TCP 0.0.0.0:8089 0.0.0.0:0 LISTENING 2920
TCP 192.168.152.129:49165 172.31.31.60:9997 ESTABLISHED 2920
C:\Users\labunix>findstr "^11-19-2015.22:56.*172" "c:\Program Files\SplunkUniversalForwarder\var\log\splunk\metrics.log"
11-19-2015 22:56:24.987 +0900 INFO Metrics - group=tcpout_connections, name=default-autolb-group:172.31.31.60:9997:0, sourcePort=8089, destIp=172.31.31.60, destPort=9997, _tcp_Bps=257.77, _tcp_KBps=0.25, _tcp_avg_thruput=0.26, _tcp_Kprocessed=2388, _tcp_eps=0.17, kb=7.55
11-19-2015 22:56:55.984 +0900 INFO Metrics - group=tcpout_connections, name=default-autolb-group:172.31.31.60:9997:0, sourcePort=8089, destIp=172.31.31.60, destPort=9997, _tcp_Bps=280.90, _tcp_KBps=0.27, _tcp_avg_thruput=0.26, _tcp_Kprocessed=2396, _tcp_eps=0.23, kb=8.23
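The metrics.log lines above are the forwarder's own record of where it is sending data and how much, which makes them worth more than a one-off findstr. As an added example (not the author's, and not a Splunk tool), here is a small Python parser for those lines with the two checks a practitioner would actually alert on: a tcpout destination that is not an indexer you deployed, and an interval in which the expected link carried nothing. The sample input is the two lines from the page plus three constructed lines, marked as such in the source; 198.51.100.7 is a documentation address standing in for a rogue destination.

```python
import re
from typing import Dict, Iterable, List, Optional

# Sample input: the two tcpout_connections lines from the forwarder's metrics.log
# shown above, plus three constructed lines to exercise the checks: an unrelated
# thruput record, an interval with a destination this forwarder was never
# configured for (198.51.100.7 is a documentation address), and an interval in
# which the real indexer connection carried no data.
SAMPLE_METRICS = """\
11-19-2015 22:56:24.987 +0900 INFO Metrics - group=tcpout_connections, name=default-autolb-group:172.31.31.60:9997:0, sourcePort=8089, destIp=172.31.31.60, destPort=9997, _tcp_Bps=257.77, _tcp_KBps=0.25, _tcp_avg_thruput=0.26, _tcp_Kprocessed=2388, _tcp_eps=0.17, kb=7.55
11-19-2015 22:56:55.984 +0900 INFO Metrics - group=tcpout_connections, name=default-autolb-group:172.31.31.60:9997:0, sourcePort=8089, destIp=172.31.31.60, destPort=9997, _tcp_Bps=280.90, _tcp_KBps=0.27, _tcp_avg_thruput=0.26, _tcp_Kprocessed=2396, _tcp_eps=0.23, kb=8.23
11-19-2015 22:57:26.001 +0900 INFO Metrics - group=thruput, name=thruput, instantaneous_kbps=0.25, instantaneous_eps=0.17, average_kbps=0.26, total_k_processed=2396, kb=7.55, ev=5
11-19-2015 22:57:26.002 +0900 INFO Metrics - group=tcpout_connections, name=default-autolb-group:198.51.100.7:9997:0, sourcePort=8089, destIp=198.51.100.7, destPort=9997, _tcp_Bps=0.00, _tcp_KBps=0.00, _tcp_avg_thruput=0.00, _tcp_Kprocessed=0, _tcp_eps=0.00, kb=0.00
11-19-2015 22:57:56.003 +0900 INFO Metrics - group=tcpout_connections, name=default-autolb-group:172.31.31.60:9997:0, sourcePort=8089, destIp=172.31.31.60, destPort=9997, _tcp_Bps=0.00, _tcp_KBps=0.00, _tcp_avg_thruput=0.25, _tcp_Kprocessed=2396, _tcp_eps=0.00, kb=0.00
"""

# Fixed prefix of every metrics.log line: timestamp, UTC offset, level,
# "Metrics - ", then a comma-separated key=value list.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>[+-]\d{4}) "
    r"(?P<level>[A-Z]+) Metrics - (?P<fields>.+)$"
)


def _coerce(value: str):
    """Numeric metric values become int/float; names, IPs and the like stay strings."""
    for cast in (int, float):
        try:
            return cast(value)
        except ValueError:
            pass
    return value


def parse_metrics_line(line: str) -> Optional[Dict[str, object]]:
    """Turn one metrics.log line into a dict, or None if it is not a Metrics line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    record: Dict[str, object] = {"ts": m.group("ts"), "tz": m.group("tz"), "level": m.group("level")}
    for pair in m.group("fields").split(", "):
        key, sep, value = pair.partition("=")
        if sep:
            record[key] = _coerce(value)
    return record


def tcpout_connections(text: str) -> List[Dict[str, object]]:
    """Only the tcpout_connections records (one per destination per reporting interval)."""
    parsed = (parse_metrics_line(line) for line in text.splitlines() if line.strip())
    return [r for r in parsed if r and r.get("group") == "tcpout_connections"]


def check_forwarding(text: str, allowed_indexers: Iterable[str], port: int = 9997) -> List[str]:
    """Findings worth alerting on from a forwarder's metrics.log: a destination
    outside the allow-list (outputs.conf is no longer what you deployed), or an
    interval in which the expected indexer link moved no data (link down or the
    monitored input has gone quiet)."""
    allowed = set(allowed_indexers)
    findings: List[str] = []
    for r in tcpout_connections(text):
        dest = f"{r['destIp']}:{r['destPort']}"
        if r["destIp"] not in allowed or r["destPort"] != port:
            findings.append(f"{r['ts']} unexpected destination {dest}")
        elif r["kb"] == 0:
            findings.append(f"{r['ts']} no data forwarded to {dest} in this interval")
    return findings


if __name__ == "__main__":
    for finding in check_forwarding(SAMPLE_METRICS, ["172.31.31.60"]):
        print(finding)
```

On a real host, feed the script the tail of `%SPLUNK_HOME%\var\log\splunk\metrics.log` and pass the indexer list from the outputs.conf you actually deployed; a destination you did not configure is the symptom to chase first, since it means the forwarder's configuration was changed, possibly by a deployment-server app you did not intend.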
■ Finished after confirming in [Search] that the forwarded IIS events can be found by common HTTP methods such as [GET].