Splunk is a software package that collects logs from a variety of servers and devices into a centralised repository, where large volumes of data can be searched, monitored and analysed through a web-based console.

This Example

In this example I will be installing Splunk version 6.0 on a virtualised Linux Debian Wheezy distribution using the deb package.

Assumptions

The following assumptions are made prior to installation:

  • A fresh copy of Linux Debian Wheezy is installed
  • Debian Wheezy is fully patched
  • A network connection is present
  • A connection can be established to the internet
  • No firewall restrictions are in place (port 8000 specifically)

Procedure

Downloading Splunk

Installing Splunk

Start Splunk

Auto Start Splunk

Connect to Splunk

  1. Open a web browser
  2. Connect to http://<serverip>:8000

Create Syslog Receiver

Settings > Data > Data inputs

Under “TCP” click on “Add New”

TCP Port = 514
Accept Connections from all hosts? = yes
Set sourcetype = From List
Select source type from list = syslog
Click Save

Repeat the same steps under “UDP” to create a matching UDP input.

Syslog from Cisco

In this example I am going to log absolutely everything from the Cisco device to the Splunk server. When you select a logging level you get that level and everything more severe than it; for example, if I use 4 (warnings) I get logs from warnings, errors, critical, alerts and emergencies.

0 emergency
1 alerts
2 critical
3 errors
4 warnings
5 notifications
6 informational
7 debugging
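
The "level and up" behaviour can be checked against the priority value at the start of each syslog message, which encodes facility * 8 + severity. The following is an added example, not part of the original post; the sample messages are constructed and the function names are hypothetical.

```python
import re

# Severity names as listed above (syslog numeric severity 0-7).
SEVERITIES = ["emergency", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# A syslog packet starts with "<PRI>", where PRI = facility * 8 + severity.
PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return (facility, severity) from a raw syslog line, or None if malformed."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # highest valid PRI: facility 23, severity 7
        return None
    return divmod(pri, 8)


def forwarded(lines, level):
    """Keep the lines a device set to `level` would send: severity <= level."""
    kept = []
    for line in lines:
        decoded = decode_pri(line)
        if decoded is not None and decoded[1] <= level:
            kept.append((SEVERITIES[decoded[1]], line))
    return kept


# Constructed sample messages (facility local7 = 23, so PRI = 184 + severity).
SAMPLE = [
    "<184>%SYS-0-EXAMPLE: constructed emergency message",
    "<187>%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<188>%EXAMPLE-4-WARN: constructed warning message",
    "<189>%SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "<191>%EXAMPLE-7-DEBUG: constructed debug message",
    "no priority header at all",
]

if __name__ == "__main__":
    for level in (4, 7):
        names = [name for name, _ in forwarded(SAMPLE, level)]
        print(f"level {level} ({SEVERITIES[level]}): {names}")
```

At level 4 the notification and debug messages are dropped, so a configuration-change event at severity 5 never reaches the Splunk server; level 7 keeps every well-formed message.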

Rsyslog from Linux

Add the following to the end of /etc/rsyslog.conf

Change “@splunk” to the server name
