labunix's blog

labunix's LabUnix

Trying out the Splunk Universal Forwarder for Windows 7 x64.

■Trying out the Splunk Universal Forwarder for Windows 7 x64.

 Splunk Universal Forwarder
 http://www.splunk.com/en_us/download/universal-forwarder.html

$ md5sum < splunkforwarder-6.3.1-f3e41e4b37b2-x64-release.msi 
bd413faf595eb4385b2a63bafaf51683  -

■Install the IIS server and the Telnet server on Windows 7 x64

$ telnet 192.168.152.129
C:\Users\labunix>chcp 65001

C:\Users\labunix>net user labunix | findstr "Memberships"
Local Group Memberships      *Administrators       *TelnetClients

C:\Users\labunix>systeminfo | findstr "^OS"
OS Name:                   Microsoft Windows 7 Enterprise 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free

C:\Users\labunix>netstat -an | findstr ":80"
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.168.152.129:49189  72.246.190.58:80       SYN_SENT
  TCP    [::]:80                [::]:0                 LISTENING

C:\Users\labunix>dir c:\inetpub\logs\LogFiles\W3SVC1\u_ex151118.log
 Volume in drive C has no label.
 Volume Serial Number is 787F-EF24

 Directory of c:\inetpub\logs\LogFiles\W3SVC1

2015/11/18  22:54               907 u_ex151118.log
               1 File(s)            907 bytes
               0 Dir(s)  51,384,545,280 bytes free

■Make the "c:\inetpub\logs\LogFiles\W3SVC1" directory the forwarding target.

C:\Users\labunix>cd desktop

C:\Users\labunix\Desktop>dir s*
 Volume in drive C has no label.
 Volume Serial Number is 787F-EF24

 Directory of C:\Users\labunix\Desktop

2015/11/18  22:42        54,448,128 splunkforwarder-6.3.1-f3e41e4b37b2-x64-release.msi
               1 File(s)     54,448,128 bytes
               0 Dir(s)  51,384,520,704 bytes free

■Install with the GUI installer.

C:\Users\labunix\Desktop>net start | findstr /i "splunk"
   SplunkForwarder Service

C:\Users\labunix\Desktop>sc query | findstr /i "splunk"
SERVICE_NAME: SplunkForwarder
DISPLAY_NAME: SplunkForwarder Service

C:\Users\labunix\Desktop>tasklist | findstr /i "splunk"
splunkd.exe                   2680 Services                   0     51,840 K

C:\Users\labunix\Desktop>netstat -ano | findstr "2680"
  TCP    0.0.0.0:8089           0.0.0.0:0              LISTENING       2680

■On the Debian jessie side, open [Settings] -> [Distributed Environment] -> [Forwarder Management]
 and confirm that the hostname appears in the list on the [Clients] tab.

 Installed the Splunk evaluation version from the deb package.
 http://labunix.hateblo.jp/entry/20151118/1447785292

■On Debian jessie, open [Settings] -> [Forwarding and receiving]
 and confirm that under [Receive data] the listening status for [9997] is [Enabled].

$ sudo find /opt/splunk/etc/ -type f -name "*conf" -print | sudo grep "\:8089\|\:9997" `xargs`
/opt/splunk/etc/modules/distributedDeployment/classes/deployable/outputs.conf:server=YourDeploymentServerHostname:9997
/opt/splunk/etc/system/default/web.conf:mgmtHostPort = 127.0.0.1:8089

$ sudo netstat -anp | awk '/^tcp.*splunk/ && !/127.0.0.1/'
tcp        0      0 0.0.0.0:9997            0.0.0.0:*               LISTEN      7207/splunkd    
tcp        0      0 0.0.0.0:8089            0.0.0.0:*               LISTEN      7207/splunkd    
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      7207/splunkd    
tcp        0      0 172.31.31.60:8089       172.31.31.90:39294      ESTABLISHED 7207/splunkd    
tcp        0      0 172.31.31.60:8000       172.31.31.90:56650      ESTABLISHED 7207/splunkd    
tcp        0      0 172.31.31.60:8000       172.31.31.90:56644      ESTABLISHED 7207/splunkd    
tcp        0      0 172.31.31.60:8000       172.31.31.90:56651      ESTABLISHED 7207/splunkd    
tcp        0      0 172.31.31.60:8000       172.31.31.90:56645      ESTABLISHED 7207/splunkd    
tcp        0      0 172.31.31.60:9997       172.31.31.90:36187      ESTABLISHED 7207/splunkd    
tcp        0      0 172.31.31.60:8000       172.31.31.90:56646      ESTABLISHED 7207/splunkd    
tcp        0      0 172.31.31.60:8000       172.31.31.90:56647      ESTABLISHED 7207/splunkd    

■Also check the Splunk Universal Forwarder side on Windows 7

C:\Users\labunix>tasklist | findstr /i "splunk"
splunkd.exe                   2920 Services                   0     55,344 K

C:\Users\labunix>netstat -aon | findstr "2920"
  TCP    0.0.0.0:8089           0.0.0.0:0              LISTENING       2920
  TCP    192.168.152.129:49165  172.31.31.60:9997      ESTABLISHED     2920

C:\Users\labunix>findstr "^11-19-2015.22:56.*172" "c:\Program Files\SplunkUniversalForwarder\var\log\splunk\metrics.log"
11-19-2015 22:56:24.987 +0900 INFO  Metrics - group=tcpout_connections, name=default-autolb-group:172.31.31.60:9997:0, sourcePort=8089, destIp=172.31.31.60, destPort=9997, _tcp_Bps=257.77, _tcp_KBps=0.25, _tcp_avg_thruput=0.26, _tcp_Kprocessed=2388, _tcp_eps=0.17, kb=7.55
11-19-2015 22:56:55.984 +0900 INFO  Metrics - group=tcpout_connections, name=default-autolb-group:172.31.31.60:9997:0, sourcePort=8089, destIp=172.31.31.60, destPort=9997, _tcp_Bps=280.90, _tcp_KBps=0.27, _tcp_avg_thruput=0.26, _tcp_Kprocessed=2396, _tcp_eps=0.23, kb=8.23
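As an added check that is not part of the original post, the Python script below parses the group=tcpout_connections lines of the forwarder's metrics.log in the format shown above and flags a forwarder that is disconnected, idle, stale, or sending to an indexer other than the expected one; the embedded sample lines are constructed in that format, and the expected indexer, staleness threshold and idle test are assumptions for the example.

```python
import re
from datetime import datetime

# Constructed sample in the format the Universal Forwarder writes to
# var\log\splunk\metrics.log (group=tcpout_connections); values are made up.
SAMPLE_METRICS = """\
11-19-2015 22:56:24.987 +0900 INFO  Metrics - group=tcpout_connections, name=default-autolb-group:172.31.31.60:9997:0, sourcePort=8089, destIp=172.31.31.60, destPort=9997, _tcp_Bps=257.77, _tcp_KBps=0.25, _tcp_avg_thruput=0.26, _tcp_Kprocessed=2388, _tcp_eps=0.17, kb=7.55
11-19-2015 22:56:55.984 +0900 INFO  Metrics - group=tcpout_connections, name=default-autolb-group:172.31.31.60:9997:0, sourcePort=8089, destIp=172.31.31.60, destPort=9997, _tcp_Bps=280.90, _tcp_KBps=0.27, _tcp_avg_thruput=0.26, _tcp_Kprocessed=2396, _tcp_eps=0.23, kb=8.23
11-19-2015 22:57:26.001 +0900 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=0.10
"""

LINE_RE = re.compile(r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) \w+\s+Metrics - (.*)$")

def parse_ts(s):
    """'11-19-2015 22:56:24.987 +0900' -> timezone-aware datetime."""
    return datetime.strptime(s, "%m-%d-%Y %H:%M:%S.%f %z")

def parse_tcpout(text):
    """Return the group=tcpout_connections records as dicts (other groups are skipped)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # "key=value, key=value, ..." -> dict; partition keeps '=' inside values intact
        fields = dict(pair.partition("=")[::2] for pair in m.group(2).split(", "))
        if fields.get("group") != "tcpout_connections":
            continue
        fields["ts"] = parse_ts(m.group(1))
        records.append(fields)
    return records

def check_forwarding(records, expected_dest, now, max_age_s=120):
    """Health check: a recent, non-idle tcpout connection to the expected
    (ip, port) indexer and no connection to any other destination. Returns (ok, reasons)."""
    reasons = []
    dests = {(r["destIp"], int(r["destPort"])) for r in records}
    if expected_dest not in dests:
        reasons.append("no tcpout connection to %s:%d" % expected_dest)
    for d in sorted(dests - {expected_dest}):
        reasons.append("unexpected tcpout destination %s:%d" % d)
    mine = [r for r in records if (r["destIp"], int(r["destPort"])) == expected_dest]
    if mine:
        latest = max(mine, key=lambda r: r["ts"])
        age = (now - latest["ts"]).total_seconds()
        if age > max_age_s:
            reasons.append("last tcpout metric is %.0fs old" % age)
        if float(latest["_tcp_Bps"]) == 0.0:
            reasons.append("connection is idle (_tcp_Bps=0)")
    return (not reasons, reasons)
```

Run it against the real metrics.log path shown in the findstr command above and alert on a non-empty reasons list; a forwarder that has silently stopped shipping the IIS logs shows up here long before anyone notices an empty search.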

■Finally, confirm in [Search] that you can search for common HTTP methods such as [GET], and that's it.