Splunk is a software package for collecting logs from a variety of servers and devices into a centralised repository, where large volumes of data can be searched, monitored and analysed through a web-based console.
In this example I will be installing Splunk version 6.0 on a virtualised Linux Debian Wheezy distribution using the deb package.
The following assumptions are taken prior to installation:
- A fresh copy of Linux Debian Wheezy is installed
- Debian Wheezy is fully patched
- A network connection is present
- A connection can be established to the internet
- No firewall restrictions are in place (in particular, port 8000, which the Splunk web interface listens on)
wget -O splunk-6.0-182037-linux-2.6-amd64.deb 'http://www.splunk.com/page/download_track?file=6.0/splunk/linux/splunk-6.0-182037-linux-2.6-amd64.deb&ac=&wget=true&name=wget&platform=Linux&architecture=x86_64&version=6.0&product=splunkd&typed=release&elq=bca94a89-16b1-4f53-8e04-2424a8c7c4d1'
dpkg -i splunk-6.0-182037-linux-2.6-amd64.deb
Auto Start Splunk
Connect to Splunk
- Open a web browser
- Connect to http://<serverip>:8000
Create Syslog Receiver
Settings > Data > Data inputs
Repeat the same steps, but create a UDP input as well
Syslog from Cisco
In this example I am going to log absolutely everything from the Cisco device to the Splunk server. When you select a logging level you get that level and everything more severe, so for example if I use 4 (warnings) I get warnings, errors, critical, alerts and emergencies.
logging trap 7
logging host [splunkip] transport tcp port 514
Rsyslog from Linux
Add the following to the end of /etc/rsyslog.conf
Change “@splunk” to the name or IP address of the Splunk server
# Manual entry to forward to Splunk
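The rsyslog forwarding entry this section describes, together with the "that level and everything more severe" rule from the Cisco section, as an added shell example that is not part of the original post. It assumes a receiver called splunk on port 514 (the post's placeholder and the port used in the Cisco example) and a config file path that you pass in; the severity names and the single-@ (UDP) versus double-@@ (TCP) forwarding syntax are rsyslog's own.

```shell
#!/bin/sh
# Added example (not from the original post): build and install an rsyslog
# forwarding rule for a Splunk syslog receiver. Host, port and file path are
# assumptions passed in by the caller.

# Syslog severity names, index = numeric level (RFC 5424 / Cisco numbering).
# Cisco "logging trap N" and an rsyslog selector "*.NAME" both mean
# "this severity and anything more severe" (lower numbers).
severity_name() {
    case "$1" in
        0) echo emerg ;;   1) echo alert ;;  2) echo crit ;;  3) echo err ;;
        4) echo warning ;; 5) echo notice ;; 6) echo info ;;  7) echo debug ;;
        *) echo "unknown severity: $1" >&2; return 1 ;;
    esac
}

# Print one rsyslog forwarding rule.
#   $1 = udp|tcp   (rsyslog syntax: single @ = UDP, double @@ = TCP)
#   $2 = receiver host or IP (the post's "@splunk" placeholder)
#   $3 = port
#   $4 = numeric minimum severity to forward (default 7 = everything,
#        the rsyslog equivalent of Cisco "logging trap 7")
rsyslog_forward_rule() {
    proto=$1; host=$2; port=$3; level=${4:-7}
    case "$proto" in
        udp) prefix='@' ;;
        tcp) prefix='@@' ;;
        *) echo "proto must be udp or tcp" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range" >&2; return 1; }
    sev=$(severity_name "$level") || return 1
    printf '*.%s %s%s:%s\n' "$sev" "$prefix" "$host" "$port"
}

# Append the rule to a config file exactly once (idempotent), preceded by
# the same marker comment the post uses so it can be found again later.
#   $1 = config file (e.g. /etc/rsyslog.conf); remaining args as above
install_forward_rule() {
    conf=$1; shift
    rule=$(rsyslog_forward_rule "$@") || return 1
    if grep -qxF "$rule" "$conf" 2>/dev/null; then
        return 0   # already present, nothing to do
    fi
    printf '%s\n%s\n' '# Manual entry to forward to Splunk' "$rule" >> "$conf"
}

# Syntax-check a config file with rsyslogd's own validator (-N1) when it is
# installed; returns 0 if rsyslogd is absent so the script stays portable.
check_rsyslog_conf() {
    command -v rsyslogd >/dev/null 2>&1 || return 0
    rsyslogd -N1 -f "$1" >/dev/null 2>&1
}

# Typical use on the Debian host from the post (run as root):
#   install_forward_rule /etc/rsyslog.conf tcp splunk 514 && \
#   check_rsyslog_conf /etc/rsyslog.conf && service rsyslog restart
```

Using the double-@@ (TCP) form matches the Cisco `transport tcp` line and avoids silently dropped messages under load, but note that plain syslog over either transport carries no authentication or encryption, so the receiver ports should be reachable only from the hosts that are meant to log to them.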
Should you have any questions, comments or suggestions, please don’t hesitate to comment below. If you like what you have read, please share it on your favourite social media medium.