Untitled

a guest
Dec 6th, 2019
* To configure you need
- install splunk on a host server (splunk-7.3.1-linux-2.6-amd64.deb)
- Install a forwarder client on the client (Splunk forwarder) that will send the data to the splunk server
(splunkforwarder-7.2.4-8a94541dcfac-linux-2.6-amd64.deb)

- Configure the Client to send data to splunk
- Open ports on splunk server


--------------------


Download Splunk forwarder
https://www.splunk.com/en_us/download/sem.html

Installation
https://docs.splunk.com/Documentation/Splunk/7.2.3/Installation/InstallonLinux#Debian_.DEB_installation


On the rundeck side you have to install the UF (Universal Forwarder);
what it does is take the logs that you configure and send them to Splunk.

In Splunk, once it is installed, you have to configure the APIs, which are what will check the logs.

1.- Splunk forwarder in Rundeck
2.- Configure SSL (optional)
deb -> keytool -keystore /etc/rundeck/ssl/keystore -alias rundeck -genkey -keyalg RSA -keypass adminadmin -storepass adminadmin
keytool -importkeystore -srckeystore /etc/rundeck/ssl/keystore -destkeystore /etc/rundeck/ssl/keystore -deststoretype pkcs12
cp keystore truststore
vim /etc/default/rundeckd
export RUNDECK_WITH_SSL=true
export RDECK_HTTPS_PORT=4443
Set framework.properties and rundeck-config.properties for https port 4443
3.- Check Timezone (in splunk and rundeck)
deb -> timedatectl
sudo timedatectl set-timezone America/Santiago

4.- Install Splunk Forwarder (on rundeck server)
sudo dpkg -i splunkforwarder-7.2.4-8a94541dcfac-linux-2.6-amd64.deb


5. Set up the `inputs.conf` and `outputs.conf` files
5.1. Copy the example `local` directory from the Splunk Server `SPLUNK_HOME/etc/apps/rundeck_app/forwarder_config` to your UF's `SPLUNK_HOME/etc/apps/search` directory on the Rundeck Server

5.2. Replace placeholders
5.2.1. `inputs.conf` (vim /opt/splunk/etc/apps/search/local/inputs.conf)
* host (to match what you specified in the app's setup page). For a cluster, use the cluster address in the host field.


Copy the folder from the splunk server to the rundeck server (-r is needed because `local` is a directory)
# scp -r /opt/splunk/etc/apps/rundeck_app/forwarder_config/local user@inspiron:/opt/splunkforwarder/etc/apps/search/

vim /opt/splunkforwarder/etc/apps/search/local/inputs.conf
host = inspiron

HERE SET EVERYTHING THAT SAYS MONITOR TO THE PATH WITH THE FILES.
/home/rundeck/instances/3021_cluster/server/logs

/var/log/rundeck/

* log paths, if these are different to the examples (which are the Rundeck defaults)

Vim replacement
:%s/var\/log\/rundeck/home\/rundeck\/instances\/3021_cluster\/server\/logs/g

:%s/3021_cluster/310_snapshot_fix_notifications/


Example: replace all matches in the file that have
var/log/rundeck and change it to rundeck/instances

:%s/var\/log\/rundeck/rundeck\/instances/g


:%s/yourrundeck.com/inspiron/g

* index, if using a different index to the default of `main`

5.2.2. `outputs.conf`

vim /opt/splunkforwarder/etc/apps/search/local/outputs.conf
* your Splunk server host / IP and receiving port

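As an added example that is not part of the original paste: the placeholder replacement from 5.2.1 and 5.2.2 scripted with sed instead of interactive vim substitutions, a check that no placeholder survived, and an outputs.conf rendered for the receiver. The sample inputs.conf is constructed; the log file names inside its monitor stanzas and the tcpout group name rundeck_group are assumptions, not values from the paste.

```shell
# Added example (not part of the original paste): sed-based replacement of the
# inputs.conf placeholders (log path, host, index) and a rendered outputs.conf.
# SAMPLE_INPUTS is constructed; its file names and the group name
# rundeck_group are assumptions.

# Constructed inputs.conf as copied from the Splunk server, still carrying the
# default log path, the yourrundeck.com host placeholder and the default index.
SAMPLE_INPUTS='[monitor:///var/log/rundeck/service.log]
host = yourrundeck.com
index = main
sourcetype = rundeck_service

[monitor:///var/log/rundeck/rundeck.audit.log]
host = yourrundeck.com
index = main
sourcetype = rundeck_audit'

# rewrite_inputs LOGDIR HOST INDEX: reads inputs.conf on stdin, swaps the
# default log path, the host placeholder and the index, prints the result.
# LOGDIR must not contain the '|' character used as the sed delimiter.
rewrite_inputs() {
    sed -e "s|/var/log/rundeck|$1|g" \
        -e "s|^host = .*|host = $2|" \
        -e "s|^index = .*|index = $3|"
}

# placeholders_gone: reads inputs.conf on stdin and fails if the default
# path or the yourrundeck.com placeholder is still present anywhere.
placeholders_gone() {
    ! grep -q -e '/var/log/rundeck' -e 'yourrundeck.com'
}

# render_outputs HOST:PORT: prints an outputs.conf that points the UF at the
# Splunk receiver, the same kind of stanzas `splunk add forward-server` writes.
render_outputs() {
    printf '[tcpout]\ndefaultGroup = rundeck_group\n\n'
    printf '[tcpout:rundeck_group]\nserver = %s\n\n' "$1"
    printf '[tcpout-server://%s]\n' "$1"
}

# Typical run on the rundeck host (not executed here): rewrite, check, then
# move the new file into place.
#   f=/opt/splunkforwarder/etc/apps/search/local/inputs.conf
#   rewrite_inputs /home/rundeck/instances/3021_cluster/server/logs inspiron main < "$f" > "$f.new" \
#       && placeholders_gone < "$f.new" && mv "$f.new" "$f"
#   render_outputs servidorsplunk:9997 > /opt/splunkforwarder/etc/apps/search/local/outputs.conf
```

The check runs before the rewritten file replaces the original, so a stanza that still points at /var/log/rundeck on a host where those files do not exist never reaches the forwarder.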
6. Restart the UF
https://docs.splunk.com/Documentation/Splunk/7.2.5/Search/Savingsearches
sudo /opt/splunkforwarder/bin/splunk stop

Add the forward-server (run on rundeck server)
/opt/splunkforwarder/bin/splunk add forward-server servidorsplunk:9997

Start forwarder
sudo /opt/splunkforwarder/bin/splunk start

Check connection to splunk server from the forwarder (rundeck)
sudo /opt/splunkforwarder/bin/splunk list forward-server


Splunk Server
1.- Install Splunk Software
sudo dpkg -i <splunk_enterprise>
cd /opt/splunk/bin


2.- Start Splunk Server
sudo ./splunk start
Enable receiver (https://docs.splunk.com/Documentation/Splunk/7.1.2/Forwarding/Enableareceiver)

vim /opt/splunk/etc/system/local/inputs.conf
[splunktcp://9997]
disabled = 0
restart splunk

/opt/splunk/bin/splunk stop

/opt/splunk/bin/splunk start

Check port 9997
Check listening ports (Ubuntu)
start splunk
sudo netstat -plnt
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN 19025/splunkd
tcp 0 0 0.0.0.0:9997 0.0.0.0:* LISTEN 19025/splunkd

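As an added example that is not part of the original paste: the two verification steps above, `splunk list forward-server` on the rundeck host and `netstat -plnt` on the Splunk server, turned into scriptable checks that can also run offline against constructed sample output. The netstat sample is modelled on the two lines in the paste; the "Active forwards:" / "Configured but inactive forwards:" layout of the forward-server listing is an assumption about that command's output.

```shell
# Added example (not part of the original paste): offline checks for the
# receiver port on the Splunk server and the forward-server entry on the UF.
# Both sample outputs are constructed; the forward-server layout is assumed.

# Constructed netstat -plnt output, modelled on the two lines in the paste,
# plus one loopback-only service to show why the all-interfaces check matters.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      19025/splunkd
tcp        0      0 0.0.0.0:9997            0.0.0.0:*               LISTEN      19025/splunkd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1201/cupsd'

# Constructed `splunk list forward-server` output as run on the rundeck host
# (assumed layout).
SAMPLE_FWD='Active forwards:
    servidorsplunk:9997
Configured but inactive forwards:
    None'

# port_listening PORT [PROGRAM]: reads netstat -plnt output on stdin; succeeds
# only if PORT is in LISTEN state on all interfaces (0.0.0.0) and, when
# PROGRAM is given, is owned by that program name.
port_listening() {
    awk -v port="$1" -v prog="${2:-}" '
        $1 == "tcp" && $4 == ("0.0.0.0:" port) && $6 == "LISTEN" {
            if (prog == "" || index($7, "/" prog) > 0) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# forward_active HOST:PORT: reads `splunk list forward-server` output on stdin;
# succeeds only if HOST:PORT appears under "Active forwards:", not under the
# inactive section.
forward_active() {
    awk -v target="$1" '
        /^Active forwards:/ { section = "active"; next }
        /^Configured but inactive forwards:/ { section = "inactive"; next }
        section == "active" && $1 == target { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Usage on the real hosts (not executed here):
#   sudo netstat -plnt | port_listening 9997 splunkd && echo "receiver listening"
#   sudo /opt/splunkforwarder/bin/splunk list forward-server | forward_active servidorsplunk:9997 \
#       && echo "forwarder connected"
```

A forward-server entry that shows up as inactive usually means the receiver stanza, the firewall port, or the host name in outputs.conf is wrong on one side; the two checks separate those cases because the port check is run on the server and the forward check on the UF.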
*** Open firewall for splunk in centos7
firewall-cmd --get-active-zones
firewall-cmd --zone=public --add-port=9997/tcp --permanent

firewall-cmd --zone=public --add-port=8088/tcp --permanent

firewall-cmd --reload


Give log files permissions

chmod 664 /home/rundeck/instances/3021_cluster/server/logs/*


Create tokens for rundeck
> settings > data input

in the notification plugin Open port 8088


Open splunk in

servidorsplunk:8000