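# @Title: 2SH2IDX_Setup
# @Purpose: copy and paste-able instructions
# @Date: 01-18-2018
# @Author: Patrick Hastings
# @Notes: Rinse and repeat for each Server.
#         This is a runbook of interactive steps, not a script to run as one unit:
#         lines such as `sudo su` open a new shell, and the lines after them are
#         typed into that shell (which is also why `&&` after `su` does not chain).
############# Server Update and my text editor of personal choice #####
sudo yum update -y
sudo yum install nano -y && sudo yum update -y
# ------------------------------------------------------
############### RHEL SPLUNK INSTALL #####################
wget -O splunk-7.0.1-2b5b15c4ee89-linux-2.6-x86_64.rpm 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.0.1&product=splunk&filename=splunk-7.0.1-2b5b15c4ee89-linux-2.6-x86_64.rpm&wget=true'
# the package name was truncated to "splunk-" originally; it is the file wget just saved
sudo rpm -i splunk-7.0.1-2b5b15c4ee89-linux-2.6-x86_64.rpm
export SPLUNK_HOME=/opt/splunk/
sudo su
chown -R splunk:splunk /opt/splunk
# cd /opt/splunk/bin
cd /opt/splunk/bin && ./splunk start --accept-license
# NOTE: a password passed as an argument (-password, -auth, -remotePassword) is
# written to shell history and is visible to every local user via `ps` while the
# command runs. Leave -auth off and let the splunk CLI prompt for it instead.
./splunk edit user admin -password PASSWORD -role admin -auth admin:changeme
/opt/splunk/bin/splunk enable boot-start -user splunk
shutdown -r 0
# on search heads ONLY...If AWS, USE PRIVATE IP!
sudo ./splunk add search-server <intended IDX1 | IDX2 ip>:8089 -auth admin:PASSWORD -remoteUsername admin -remotePassword PASSWORD
############## Useful for reloading deploy and restarting splunk ##########
/opt/splunk/bin/splunk restart
/opt/splunk/bin/splunk reload deploy-server
# add search-server adds search-peers (indexers) to search from
# ------------------------------------------------------
############### Verifying who is running Splunk ###############
cd ~
sudo su
sudo su splunk
#logging in as splunk...
chown -R splunk:splunk /opt/splunk
# ps reports a snapshot of the current processes
# grep returns lines matching the pattern ("splunk" here); the grep process
# itself shows up in the output too, so expect one extra line
ps -eaf | grep splunk
# check for who is running splunk(what user) -- first column is the user
# ------------------------------------------------------
### IF PASSWORD NEED RESET FOR SPLUNK....
# rename the password to passwd.bak for backup purposes....
mv /opt/splunk/etc/passwd /opt/splunk/etc/passwd.BAK
cd /opt/splunk/bin && ./splunk restart
# restart splunk so it can check for that file and create a new passwd file
# ------------------------------------------------------
##### Other Useful Tidbits ######
cd /opt/splunk/bin && ./splunk restart
# ---------------------
# if same hostname because using AMI...
# Changes hostname
#enter role and number
sudo nano /etc/sysconfig/network
sudo reboot
hostname
# confirm hostname value is different
# Combining the dumb stuff I have to paste 4x times.....
# `sudo su && cd/opt/splunk/bin` was wrong twice over: the missing space makes
# `cd/opt/splunk/bin` an unknown command, and the `cd` would only run after the
# root shell exits anyway. Run them as two steps inside the root shell.
sudo su
cd /opt/splunk/bin
# `hostname -v` is the verbose flag and does not set anything; set it with the bare name
hostname PH-Dist01.localhost.com
sudo hostname -b PH-IDX02.local
nano /opt/splunk/etc/system/local/server.conf
# ---------------------
# Expanding the File system after EBS expansion
sudo file -s /dev/xvd*
# list file system data for analysis
lsblk
# list the block devices attached to your instance
df -h
# report existing disk space used
# recommended by AWS Team....but if using an AMI from them it automatically does this on reboot
sudo growpart /dev/xvdf 1
lsblk
# confirm changes now
df -h
# ------------------------------------------------------
######### editing inputs for configuration to change HOST in Splunk ##########
sudo su
nano /opt/splunk/etc/system/local/inputs.conf
# switch your ip from last known to current actual ip
# -------------------------------------------------------
######## Cleaning event data ###########
cd /opt/splunk/bin/ && ./splunk stop
./splunk clean eventdata
# fishbucket will error out, clean it the old fashioned way
# `.*` also matches `.` and `..`, so the original `rm -r .../fishbucket/.*` was
# aimed at the parent directory as well. These two globs match every dot-entry
# except `.` and `..`; `--` stops option parsing and -f tolerates an empty match.
rm -rf -- /opt/splunk/var/lib/splunk/fishbucket/.[!.]* /opt/splunk/var/lib/splunk/fishbucket/..?*
shutdown -r 0
######## Environment variable ########
export SPLUNK_HOME=/opt/splunk
# quoted so a PATH entry containing spaces is not split
export PATH="$SPLUNK_HOME/bin:$PATH"
export -p
######## Verifying groups ##########
groups splunk
######### Moving a file over SFTP ############
scp -C -i FILE /Users/patrickhastings/Downloads/base_configurations/PH_all_deploymentclient.zip ec2-user@54.190.40.11:~
######### Once on server for deployment app run these commands ##########
######### Removing coloring of ls command ###########
unalias ls
########## See history of last commands run #############
# NOTE: any password typed on a command line above is readable here as well
history
########### Follow file changes ###############
tail -f /path/to/file/fileName.txtHere
sudo tail -f /opt/splunk/var/log/splunk/splunkd.log
########### Getting process information #########
ps
# ps is process status
# -a selects processes of other users too, including those without a terminal
# -e selects every process (same as -A)
# -f displays the UID, PID, parent PID, recent CPU usage, process start time, controlling tty, elapsed CPU usage, and associated command
exit
sudo su
sudo su splunk
sudo chown -R splunk:splunk /opt/splunk
/opt/splunk/bin/splunk start
########## Creating Deployment Server ##############
# 1. Move Deployment and Forwarder output files to deployment server
scp -C -i FILE.pem /Users/patrickhastings/Temp/hw2/base_configurations\ 2/PH_all_deploymentclient.zip ec2-user@34.215.181.210:~
scp -C -i FILE.pem /Users/patrickhastings/Temp/hw2/base_configurations\ 2/PH_all_forwarder_outputs.zip ec2-user@34.215.181.210:~
# 2. Move the apps, on the deployment server, to apps deployment
unzip PH_all_deploymentclient && sudo mv PH_all_deploymentclient /opt/splunk/etc/apps
unzip PH_all_forwarder_outputs
# NOTE(review): PH_all_deploymentclient was already moved two lines up, so this
# mv fails with "No such file"; presumably PH_all_forwarder_outputs was meant,
# but the later moves into deployment-apps suggest the sequence needs checking.
sudo mv PH_all_deploymentclient /opt/splunk/etc/apps
sudo su splunk
/opt/splunk/bin/splunk restart
sudo mv PH_all_forwarder_outputs /opt/splunk/etc/deployment-apps
sudo mv PH_all_deploymentclient /opt/splunk/etc/deployment-apps
sudo /opt/splunk/bin/splunk restart
exit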