ELK is very powerful, but there is an even more powerful product in the commercial space that can do essentially everything ELK does: Splunk. Splunk was founded in San Francisco in 2004 and went public in 2012, the first company in the big-data industry to IPO. It is regarded as one of the leaders in the big-data field.
What Splunk has achieved
| User | Feedback |
|---|---|
| California ISO | "With Splunk we can complete a full security incident review in 1.5 hours, whereas previously it took a day and a half just to find the log data needed before the review could even begin." |
| Cisco | "Splunk can quickly merge or correlate log sources from different sites, which lets us monitor more precisely and respond in time, something we could never have imagined before." |
| Carlson Marketing | "The QSA auditors are the biggest fans of Splunk. Splunk generates real-time reports, tracks all transactions and user activity promptly, and can easily show PCI compliance status within minutes." |
| Forrester Senior Analyst, IT Architecture and Operations | "Splunk makes the world simple and orderly." |
"Splunk makes the world simple and orderly." Are you sure you are reviewing a tool and not Superman flying across the sky?
Why so many people are bullish on Splunk
Splunk has more than 7,000 customers in 90 countries worldwide, and over 1,000 customers in Asia-Pacific. Our customers are all using it, but what does it cost?
splunk enterprise price
splunk cloud
After a look you might say it doesn't cost much, but note that the billing unit is per GB. Once you do the math you will see why so many people are so bullish on it: making money is this easy for it, and customers seem to be lining up to hand it money, so why wouldn't you be bullish?
Free version
The free version can index 500 MB per day; for an ordinary POC or a small-scale customer requirement, the free version of Splunk is generally sufficient. Next we will look at how to use Splunk.
Version information
| Version | Filename | Size |
|---|---|---|
| 6.4 | splunk-6.4.2-00f5bb3fa822-Linux-x86_64.tgz | 198M |
Download
Download address: https://www.splunk.com/en_us/download/splunk-enterprise-2.html#tabs/linux
Before downloading you need to register an account, then find the activation email (check your spam folder) and activate the account.
Extract to the installation directory
[root@host34 local]# pwd
/usr/local
[root@host34 local]# ll /tmp/splunk-6.4.2-00f5bb3fa822-Linux-x86_64.tgz
-rw-r--r--. 1 root root 203257486 Aug 21 23:36 /tmp/splunk-6.4.2-00f5bb3fa822-Linux-x86_64.tgz
[root@host34 local]# tar xvpf /tmp/splunk-6.4.2-00f5bb3fa822-Linux-x86_64.tgz
Start Splunk
[root@host34 bin]# pwd
/usr/local/splunk/bin
[root@host34 bin]# ./splunk start
SOFTWARE LICENSE AGREEMENT
THIS SOFTWARE LICENSE AGREEMENT (“AGREEMENT”) GOVERNS THE LICENSING,
...(omitted)
war, acts of terror, riot, acts of God or governmental action.
Do you agree with this license? [y/n]: y
This appears to be your first time running this version of Splunk.
Copying '/usr/local/splunk/etc/openldap/ldap.conf.default' to '/usr/local/splunk/etc/openldap/ldap.conf'.
Generating RSA private key, 1024 bit long modulus
..++++++
...++++++
e is 65537 (0x10001)
writing RSA key
Generating RSA private key, 1024 bit long modulus
.....................................................................++++++
....................................++++++
e is 65537 (0x10001)
writing RSA key
Moving '/usr/local/splunk/share/splunk/search_mrsparkle/modules.new' to '/usr/local/splunk/share/splunk/search_mrsparkle/modules'.
Splunk> Like an F-18, bro.
Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking appserver port [127.0.0.1:8065]: open
Checking kvstore port [8191]: open
Checking configuration... Done.
Creating: /usr/local/splunk/var/lib/splunk
Creating: /usr/local/splunk/var/run/splunk
Creating: /usr/local/splunk/var/run/splunk/appserver/i18n
Creating: /usr/local/splunk/var/run/splunk/appserver/modules/static/css
Creating: /usr/local/splunk/var/run/splunk/upload
Creating: /usr/local/splunk/var/spool/splunk
Creating: /usr/local/splunk/var/spool/dirmoncache
Creating: /usr/local/splunk/var/lib/splunk/authDb
Creating: /usr/local/splunk/var/lib/splunk/hashDb
Checking critical directories... Done
Checking indexes...
Validated: _audit _internal _introspection _thefishbucket history main summary
Done
New certs have been generated in '/usr/local/splunk/etc/auth'.
Checking filesystem compatibility... Done
Checking conf files for problems...
Done
Checking default conf files for edits...
Validating installed files against hashes from '/usr/local/splunk/splunk-6.4.2-00f5bb3fa822-linux-2.6-x86_64-manifest'
All installed files intact.
Done
All preliminary checks passed.
Starting splunk server daemon (splunkd)...
Generating a 1024 bit RSA private key
............................................++++++
...........++++++
writing new private key to 'privKeySecure.pem'
-----
Signature ok
subject=/CN=host34/O=SplunkUser
Getting CA Private Key
writing RSA key
Done
[ OK ]
Waiting for web server at http://127.0.0.1:8000 to be available.... Done
If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com
The Splunk web interface is at http://host34:8000
[root@host34 bin]#
Login screen
Log in with the following default account and change the password right away:
| Login user | Password | URL |
|---|---|---|
admin | changeme | http://16.157.245.156:8000/ |
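The extract, start and change-password steps above, collected into one POSIX shell script as an added example (this is not Splunk's own tooling and not part of the original post). It assumes the tarball path and install directory shown on this page, uses the documented `splunk start --accept-license --answer-yes --no-prompt` form so the license prompt in the transcript does not block an unattended run, and rotates the factory `admin`/`changeme` credential with `splunk edit user` before the web interface on port 8000 is handed to anyone. The `EXPECTED_SHA256` value is a placeholder: take the real checksum from the download page.

```shell
#!/bin/sh
# Added example: unattended Splunk 6.4 install following the steps on this page.
# Assumptions: tarball in /tmp, install under /usr/local (both from the page),
# EXPECTED_SHA256 is a placeholder to be replaced with the published checksum.
set -eu

SPLUNK_TGZ="${SPLUNK_TGZ:-/tmp/splunk-6.4.2-00f5bb3fa822-Linux-x86_64.tgz}"
INSTALL_PARENT="${INSTALL_PARENT:-/usr/local}"
SPLUNK_HOME="$INSTALL_PARENT/splunk"
EXPECTED_SHA256="${EXPECTED_SHA256:-REPLACE_WITH_CHECKSUM_FROM_DOWNLOAD_PAGE}"  # placeholder

# Pull "<version>" out of splunk-<version>-<build>-Linux-x86_64.tgz for logging.
splunk_version_from_tarball() {
    basename "$1" | sed -n 's/^splunk-\([0-9][0-9.]*\)-.*\.tgz$/\1/p'
}

# Refuse the factory default (admin / changeme) and anything shorter than 12 chars.
is_acceptable_admin_password() {
    pw="$1"
    [ "$pw" != "changeme" ] && [ "${#pw}" -ge 12 ]
}

# Compare the downloaded archive against the expected SHA-256 before extracting.
verify_tarball() {
    actual=$(sha256sum "$SPLUNK_TGZ" | cut -d' ' -f1)
    if [ "$actual" != "$EXPECTED_SHA256" ]; then
        echo "checksum mismatch for $SPLUNK_TGZ" >&2
        return 1
    fi
}

# Extract, start without interactive prompts, then replace the default password.
install_splunk() {
    new_pw="$1"
    if ! is_acceptable_admin_password "$new_pw"; then
        echo "refusing to keep a default or short admin password" >&2
        return 1
    fi
    verify_tarball
    echo "installing Splunk $(splunk_version_from_tarball "$SPLUNK_TGZ") into $SPLUNK_HOME"
    tar xpf "$SPLUNK_TGZ" -C "$INSTALL_PARENT"
    "$SPLUNK_HOME/bin/splunk" start --accept-license --answer-yes --no-prompt
    # Authenticate once with the factory credential purely to rotate it.
    "$SPLUNK_HOME/bin/splunk" edit user admin -password "$new_pw" -auth admin:changeme
    echo "Splunk web interface: http://127.0.0.1:8000 (admin password rotated)"
}

# Run only when invoked as: sh install_splunk.sh --run '<new admin password>'
if [ "${1:-}" = "--run" ]; then
    install_splunk "${2:?new admin password required}"
fi
```

Run it as `sh install_splunk.sh --run 'a-long-passphrase-here'`; without `--run` the file only defines the functions, so it can be sourced and each step invoked by hand. The checksum step is the one the transcript on this page skips: the tarball was unpacked straight from `/tmp` without verifying it.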
Portal screen
It ships with a built-in tutorial that is simple and easy to learn.