A bit of introduction first:
Splunk is a powerful, fully integrated piece of software for real-time enterprise log management. It collects, stores, searches, diagnoses and reports on any log or machine-generated data, including structured, unstructured and complex multi-line application logs. It lets you quickly and repeatably collect, store, index, search, correlate, visualize, analyze and report on any log or machine-generated data in order to identify and resolve operational and security problems.
In addition, Splunk supports a wide range of log management use cases, such as log consolidation and retention, security, IT operations troubleshooting, application troubleshooting, compliance reporting and more.
Splunk is currently the leader in log analytics, bar none.
Key features
- Easy to scale and fully integrated;
- Supports local and remote data sources;
- Indexes machine data;
- Supports searching and correlating any data;
- Lets you drill down into and roll up data;
- Supports monitoring and alerting;
- Also supports reports and dashboards for visualization;
- Provides flexible access to relational databases, field-delimited data in comma-separated value (.CSV) files, or other enterprise data stores such as Hadoop or NoSQL;
- Supports a wide range of log management use cases, and more;
Installation: two commands are all it takes
wget -O splunk.rpm 'https://download.splunk.com/products/splunk/releases/8.0.5/linux/splunk-8.0.5-a1a6394cc5ae-linux-2.6-x86_64.rpm'
yum -y install splunk.rpm
Start it and set the username and password
/opt/splunk/bin/splunk start
A few prompts follow; set the username and password:
Do you agree with this license? [y/n]: y
This appears to be your first time running this version of Splunk.
Splunk software must create an administrator account during startup. Otherwise, you cannot log in.
Create credentials for the administrator account.
Characters do not appear on the screen when you type in credentials.
**Please enter an administrator username: splunk**
Password must contain at least:
● 8 total printable ASCII character(s).
**Please enter a new password:
Please confirm new password:**
Copying '/opt/splunk/etc/openldap/ldap.conf.default' to '/opt/splunk/etc/openldap/ldap.conf'.
Generating RSA private key, 2048 bit long modulus
...+++++
.................................................................................................................................+++++
e is 65537 (0x10001)
writing RSA key
Generating RSA private key, 2048 bit long modulus
..+++++
......+++++
e is 65537 (0x10001)
writing RSA key
Moving '/opt/splunk/share/splunk/search_mrsparkle/modules.new' to '/opt/splunk/share/splunk/search_mrsparkle/modules'.
Splunk> All batbelt. No tights.
Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking appserver port [127.0.0.1:8065]: open
Checking kvstore port [8191]: open
Checking configuration... Done.
Creating: /opt/splunk/var/lib/splunk
Creating: /opt/splunk/var/run/splunk
Creating: /opt/splunk/var/run/splunk/appserver/i18n
Creating: /opt/splunk/var/run/splunk/appserver/modules/static/css
Creating: /opt/splunk/var/run/splunk/upload
Creating: /opt/splunk/var/run/splunk/search_telemetry
Creating: /opt/splunk/var/spool/splunk
Creating: /opt/splunk/var/spool/dirmoncache
Creating: /opt/splunk/var/lib/splunk/authDb
Creating: /opt/splunk/var/lib/splunk/hashDb
New certs have been generated in '/opt/splunk/etc/auth'.
Checking critical directories... Done
Checking indexes...
Validated: audit internal introspection metrics metrics_rollup telemetry _thefishbucket history main summary
Done
Checking filesystem compatibility... Done
Checking conf files for problems...
Done
Checking default conf files for edits...
Validating installed files against hashes from '/opt/splunk/splunk-8.0.5-a1a6394cc5ae-linux-2.6-x86_64-manifest'
All installed files intact.
Done
All preliminary checks passed.
Starting splunk server daemon (splunkd)...
Generating a RSA private key
.........................................................................................................................................+++++
.............+++++
writing new private key to 'privKeySecure.pem'
Signature ok
subject=/CN=prs-slave/O=SplunkUser
Getting CA Private Key
writing RSA key
Done
[ OK ]
Waiting for web server at http://127.0.0.1:8000 to be available... Done
If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com
The Splunk web interface is at **http://linux-host:8000**
Testing with syslog over TCP
Log in at http://splunk-host:8000 with the username and password you set
Choose Add Data
Choose TCP/UDP port listening
Choose TCP (UDP is configured the same way)
1. TCP/UDP port to listen on: I chose 5144 here (any port will do)
2. Source name override: if left unset, the source is the sender's IP address, which is used for filtering in the UI later; if set, the configured value is shown instead
3. Only accept connections from: a security setting, so that not just anyone can send data to the input
Input settings
Source type
Splunk ships with templates for most common log formats; pick the matching one and use it directly
Built-in common data templates
_json
access_combined
apache_error
catalina
cisco:asa
collectd_http
csv
db2_diag
dmesg
generic_single_line
iis
json_no_timestamp
linux_audit
linux_messages_syslog
linux_secure
log2metrics_csv
log2metrics_json
log2metrics_keyvalue
log4j
log4net_xml
log4php
mcollect_stash
metrics_csv
mysql_slow
mysqld
mysqld_bin
mysqld_error
postfix_syslog
procmail
psv
ruby_on_rails
sendmail_syslog
snort
statsd
syslog
tsv
weblogic_stdout
websphere_activity
websphere_core
websphere_trlog
windows_snare_syslog
For this test I create a new source type called TEST1
Create a new index and save
Review
Done
Prepare test data
Prepare a few lines of NGINX access test data
Nov 22 20:07:04 linux-master nginx: nginx: configuration file /etc/nginx/nginx.conf test is successful
Nov 22 20:08:04 linux-master nginx: nginx: configuration file /etc/nginx/nginx.conf test is ok
Nov 22 20:09:04 linux-master nginx: nginx: configuration file /etc/nginx/nginx.conf test is error
From a machine, connect to port 5144 on the Splunk host (I used the same machine here, so I entered 127.0.0.1)
The received data then appears in the Splunk UI
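The page does not show the command used to push the three lines into port 5144, nor what the "only accept connections from" setting does to a sender that is not on the list. The following added example (not Splunk code and not from the original post) does both: `send_syslog_lines` frames the messages the way a syslog-over-TCP sender does (one message per line, newline-terminated, all on a single connection), and `AllowlistedTcpReceiver` is an assumed stand-in for the TCP input that accepts a peer only if its address is allowlisted. The sample lines are the constructed NGINX messages from the page; the listener uses an ephemeral loopback port instead of 5144 so it runs anywhere.

```python
import socket
import threading
from typing import Iterable, List

# Constructed sample lines, the same three NGINX messages used on the page.
SAMPLE_LINES = [
    "Nov 22 20:07:04 linux-master nginx: nginx: configuration file /etc/nginx/nginx.conf test is successful",
    "Nov 22 20:08:04 linux-master nginx: nginx: configuration file /etc/nginx/nginx.conf test is ok",
    "Nov 22 20:09:04 linux-master nginx: nginx: configuration file /etc/nginx/nginx.conf test is error",
]


def frame_lines(lines: Iterable[str]) -> bytes:
    """Newline-delimited framing: one syslog message per line, each terminated by '\\n'."""
    return "".join(line.rstrip("\r\n") + "\n" for line in lines).encode("utf-8")


def send_syslog_lines(host: str, port: int, lines: Iterable[str], timeout: float = 5.0) -> int:
    """Send all lines over one TCP connection; returns the number of bytes written."""
    payload = frame_lines(lines)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
    return len(payload)


class AllowlistedTcpReceiver:
    """Assumed stand-in for a TCP input with 'only accept connections from' set.
    Not Splunk code: it only shows the effect of the allowlist on a peer."""

    def __init__(self, allowed_sources: Iterable[str], bind_host: str = "127.0.0.1", port: int = 0):
        self.allowed = set(allowed_sources)
        self.received: List[str] = []
        self.rejected: List[str] = []
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((bind_host, port))  # port 0 = let the OS pick a free port
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def accept_one(self, timeout: float = 5.0) -> None:
        """Accept a single connection; drop it if the peer is not allowlisted,
        otherwise read until the sender closes and split the stream on newlines."""
        self.sock.settimeout(timeout)
        conn, (peer_ip, _) = self.sock.accept()
        with conn:
            if peer_ip not in self.allowed:
                self.rejected.append(peer_ip)
                return
            buf = b""
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
        self.received.extend(line for line in buf.decode("utf-8").split("\n") if line)

    def close(self) -> None:
        self.sock.close()


def run_demo(allowed_sources: Iterable[str], lines: Iterable[str]) -> AllowlistedTcpReceiver:
    """Start a receiver on an ephemeral loopback port, send the lines to it and
    return the receiver so the caller can inspect what got through."""
    receiver = AllowlistedTcpReceiver(allowed_sources)
    worker = threading.Thread(target=receiver.accept_one, daemon=True)
    worker.start()
    try:
        send_syslog_lines("127.0.0.1", receiver.port, lines)
    except OSError:
        pass  # a rejected peer may see the connection reset before the payload is flushed
    worker.join(timeout=5.0)
    receiver.close()
    return receiver


if __name__ == "__main__":
    accepted = run_demo(["127.0.0.1"], SAMPLE_LINES)
    print(f"accepted {len(accepted.received)} lines from an allowlisted peer")
    blocked = run_demo(["10.0.0.5"], SAMPLE_LINES)
    print(f"rejected peers: {blocked.rejected}")
```

Against a real Splunk host you would call `send_syslog_lines("127.0.0.1", 5144, SAMPLE_LINES)` and then look for the three events in the UI; the second `run_demo` call shows why the allowlist matters: the sender's connection is closed without a single line being indexed.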
Extracting data: formatting and extracting fields
Select a sample event, then Extract Fields
Choose regular expression extraction
Highlight the value to extract and set the name the field should be displayed under
The regular expression Splunk generated for the extracted field is shown automatically, and the extraction result for the other events appears at the bottom
Select is_success at the bottom to see statistics for the extracted field
Save the extraction rule
Checking the result
Click the Search & Reporting app on the left that was just configured
On the right you can see the events have arrived
In the search box you can now search by the newly defined field
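The page shows the is_success field being extracted with a generated regex, then used for statistics and search, but not the regex itself. The following added example (not Splunk code and not from the original post) reproduces the three steps offline: `SYSLOG_RE` and `IS_SUCCESS_RE` are assumed patterns that split a syslog line into its standard parts and pull the status word out of the NGINX message, `stats_count_by` mirrors the per-value counts shown under the extraction, and `search` mirrors typing `field=value` in the search box. The sample events are the constructed NGINX lines from the page plus one constructed sshd line, to show that events the rule does not match simply lack the field rather than breaking the search.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Constructed sample events: the three NGINX lines from the page plus one
# unrelated line, so that the non-matching case is exercised too.
SAMPLE_EVENTS = [
    "Nov 22 20:07:04 linux-master nginx: nginx: configuration file /etc/nginx/nginx.conf test is successful",
    "Nov 22 20:08:04 linux-master nginx: nginx: configuration file /etc/nginx/nginx.conf test is ok",
    "Nov 22 20:09:04 linux-master nginx: nginx: configuration file /etc/nginx/nginx.conf test is error",
    "Nov 22 20:10:04 linux-master sshd: Accepted publickey for admin from 192.0.2.10 port 51234",
]

# Assumed patterns; the page does not show the regex Splunk generated.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<program>[^:\s]+): (?P<message>.*)$"
)
IS_SUCCESS_RE = re.compile(r"\btest is (?P<is_success>\w+)\s*$")


def extract_fields(event: str) -> Optional[Dict[str, str]]:
    """Split one syslog line into timestamp/host/program/message and, when the
    message matches the extraction rule, add the custom is_success field.
    Returns None if the line is not syslog-shaped at all."""
    m = SYSLOG_RE.match(event)
    if not m:
        return None
    fields = m.groupdict()
    f = IS_SUCCESS_RE.search(fields["message"])
    if f:
        fields["is_success"] = f.group("is_success")
    return fields


def parse_events(events: Iterable[str]) -> List[Dict[str, str]]:
    """Apply the extraction to every event, dropping lines that are not syslog."""
    return [fields for fields in map(extract_fields, events) if fields is not None]


def stats_count_by(events: List[Dict[str, str]], field: str) -> Dict[str, int]:
    """Equivalent of the per-value counts shown for the extracted field
    (events without the field are not counted)."""
    return dict(Counter(e[field] for e in events if field in e))


def search(events: List[Dict[str, str]], **criteria: str) -> List[Dict[str, str]]:
    """Equivalent of typing field=value terms in the search box."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_EVENTS)
    print(stats_count_by(parsed, "is_success"))  # one count per status value
    for hit in search(parsed, is_success="error"):
        print(hit["timestamp"], hit["host"], hit["message"])
```

The anchored `\s*$` in `IS_SUCCESS_RE` is the part worth copying into a real extraction: without it, a later message such as "test is error in line 3" would still be captured, but a regex that only requires "test is" followed by a word would also match unrelated log text, and the per-value statistics would silently include it.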
Wrap-up
That completes a typical syslog ingestion demo. If more fields need to be parsed, just configure additional extraction rules; other log types follow the same steps, and the statistical reports and correlation analysis that come afterwards work much the same way.