Skip to main content

Splunk Cheat Sheet (Linux)

1. set root's password: 

sudo su
passwd root
Enter new UNIX password: <new_root_password>
Retype new UNIX password: <new_root_password>
passwd: password updated successfully
# su -

2. Remove any existing Splunk directories & create user etc:

# rm -rf /opt/splunkforwarder
# userdel -r splunk # this will remove as above if user splunk's home directory
# groupadd siem
# useradd -g siem -s /bin/bash -d /home/siem -m siem # vi ~/.profile

# chage -I -1 -m -0 -M -99999 -E -1 siem

If above fails because of multiple passwd fails: # pam_tally --reset
check with #chage -l siem

# uname -a # check OS version
# dpkg -i splunk-4.3.1...........intel.deb
# chown -R siem:siem /opt/splunk
# su - siem
: $SPLUNK_HOME/bin/splunk start --accept-license
: $SPLUNK_HOME/bin/splunk edit user admin -password newpassword -role admin -auth admin:changeme

3. vi ~/.profile (as follows) (OR .bash_profile)

# ~/.profile: executed by the command interpreter for login shells.
# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
# exists.
# see /usr/share/doc/bash/examples/startup-files for examples.
# the files are located in the bash-doc package.

# the default umask is set in /etc/profile; for setting the umask
# for ssh logins, install and configure the libpam-umask package.
#umask 022


# if running bash
if [ -n "$BASH_VERSION" ]; then
    # include .bashrc if it exists
    if [ -f "$HOME/.bashrc" ]; then
    . "$HOME/.bashrc"
    fi
fi



SPLUNK_HOME=/opt/splunk
export SPLUNK_HOME

SPLUNK_BIN=/opt/splunk/bin
export SPLUNK_BIN

SPLUNK_DB=/IndexedData/HotWarm
export SPLUNK_DB


# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
    PATH="$HOME/bin:$PATH"
fi


PATH=$PATH:$SPLUNK_BIN
export PATH

invoke with: 
# source ~/.profile OR source ~/.bash_profile
# env

4. root# mkdir /IndexedData/...../IndexedData/HotWarm

Then # chown -R siem:siem /IndexedData

5. Reset Splunk Admin password

mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak
splunk restart and Admin password reset to changeme.

6. Read the Splunk bucket timestamps

e.g. /IndexedData/HotWarm/_internaldb/db/db_1354400065_1354385978_1
to convert epoch: date -ud @1354385978
Sat Dec  1 18:19:38 UTC 2012

7. Splunk btool - check all inputs.conf components

siem@geoff-arc:/opt/splunk/bin$ splunk cmd btool inputs list --debug
siem@geoff-arc:/opt/splunk/bin$ splunk cmd btool inputs list --debug | grep "\["




8. $SPLUNK_HOME/etc/log.cfg - splunkd.log contents
e.g. deploymentclient = DEBUG (change from WARN for more)
  tcpoutputprocessing = DEBUG (change from WARN for more)

9. More $SPLUNK_BIN commands

splunk enable app SplunkForwarder
splunk disable app SplunkLightForwarder
splunk add forward-server 192.168.1.10:9997
splunk remove forward-server
splunk list monitor (need to be splunk Admin to see logs monitored)
splunk set deploy-poll 192.168.1.11:8089 -auth admin:password
splunk enable listen port -auth username:password
splunk enable boot-start -user siem ( as root)
splunk enable deploy-client -auth admin:password
splunk list deploy-clients (on deployment server - asks for admin PW)
splunk list licenser-messages
splunk list licenser-slaves
splunk reload deploy-server (after changing deployment server app)
splunk status
splunk disable webserver
splunk enable webserver 

10. Misc 

For any changes to $SPLUNK_HOME/etc/system/local files e.g. serverclass.conf to take effect, splunk must be restarted (as siem)

If splunk install files are installed from inside /opt/splunk, the resulting 'splunk' directory structure needs to be moved up a level with # mv splunk /* . Then delete install .gz and splunk directory.

index = main username = * clienti p= * | stats dc(clientip) as ipaddresses values(clientip) by username | where ipaddresses>1

index = main username = geoff  clientip = * | lookup geoip clientip

/bin/cp /opt/splunk/etc/system/local/*.conf /home/siem/splunk

11. License Usage

Search as Admin for daily License volumes in GB over last fortnight (evaluated at mid day):

index=_internal source=*license_usage.log type=RolloverSummary earliest=-14d | eval GB = b/1024/1024/1024 | eval _time = _time -43200 | timechart span=1d sum(GB) AS "Total GB Used"

12. SSH No Login

Add the following to /etc/ssh/sshd_config:
#Block local functional account from ssh
DenyUsers siem

service sshd resart # Linux
svcadm resart network/ssh # Solaris

13 Error Messages

Checking prerequisites...
    Checking mgmt port [8089]: already bound
ERROR: The mgmt port [8089] is already bound.  Splunk needs to use this port.
Would you like to change ports? [y/n]: n




root@master-indexer:/opt# lsof -i TCP:8089
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
splunkd 1157 root    4u  IPv4   5618      0t0  TCP *:8089 (LISTEN)

root@master-indexer:/opt# kill -9 1157

Then splunk restart.

14. Useful Linux Commands

ps -ef | grep splunk or | grep 8000 # will show siem users processes
ps -ef | grep -i syslog # syslog process running
netstat -an | grep 514 # is port 514 open?

OR to display all established, recently terminated, and listening TCP and UDP network connections along with the program name related to each socket:


netstat -anp | grep -e tcp -e udp 
 
free -m # memory available
df # free hard disc totals
df - H # check mount points
du IndexedData #directory size
fuser . # shows all processes using file/dir
find . -name outputs.conf # find all instances of outputs.conf from current dir down
find . type f -exec grep -l "192.168.2.10" {} \; # all instances of ip from here down
cat > /etc/init.d/splunk # create file, ctrl d to save and exit
cat >> audit.log # append a test line to audit log, ctrl d to exit
telnet 192.168.2.11 8089 # check route

OR
nmap -Pn -n -sS -p 19000-19003  -T 5 86.162.8.18

sed -i s/INFO/WARN/g $SPLUNK_HOME/etc/log.cfg #Stop splunk sending INFO logging
awk < /etc/passwd -F: '{print $6}' #use : delimiter & list home dir of users
cat /etc/group # show users in (wheel) group

Comments

Kyle said…
Like your list.

Some things I use in Splunk.


find splunk_home/etc/apps/* -type d -exec chmod 755 {} +

find splunk_home/etc/apps/* -type f -exec chmod 444 {} +

#change write for local and lookup
find splunk_home/etc/apps/*/lo*/* -type f -exec chmod 644 {} +

#dont forget the bin file in the nix TA
find splunk_home/etc/apps/Splunk_TA_nix/bin/* -type f -exec chmod 744 {} +

Popular posts from this blog

Digital Bandpass Filter FIR design - Python

The python code generates the Finite Impulse Response (FIR) filter coefficients for a lowpass filter (LPF) at 10 (Hz) cut off using firwin from scipy.  A highpass filter is then created by subtracting the lowpass filter output(s) from the output of an allpass filter. To do this the coefficients of the LPF are multiplied by -1 and 1 added to the centre tap (to create the allpass filter with subtraction). A second LPF is then created with a cutoff at 15 (Hz) and the bandpass filter formed by addition of the LPF and HPF coefficients. The program also generates a test sine wave of a given amplitude and power and to this noise from a Normal distribution is added.  The graph below shows the signal and nois, and the signal (green) after filtering. The input snr is approximately 3dB. The frequency response below shows the passband centered on 12.5 (Hz), the Nyquist frequency is 50 (Hz). from numpy import cos, sin, pi, absolute, arange from numpy.random import normal fr...

GNU Radio Waterfall and CW Filter

The following GNU radio application adds a waterfall spectrogram to the previous CW filter program. The plot show 4 CW signals in the audio band (lower sideband) at 7023 kHz. The 700Hz signal is filtered and output to the laptop headphones by the CW bandpass filter. The frequency display is shown after the script which is as follows: #!/usr/bin/env python from gnuradio import gr from gnuradio import audio from lpf_bpf_class import Bandpass from gnuradio.qtgui import qtgui from PyQt4 import QtGui import sys, sip     class cw_filter(gr.top_block):     def __init__(self):         gr.top_block.__init__(self)           sample_rate = 44100         out_rate = 8000         kaiser = Bandpass()         cw_flr = gr.fir_filter_fff(1, kaiser.bpftaps)         decimate = int...

Norton Wideband HF pre-amp

The 20m vertical antenna looks good, VSWR < 1.3 : 1 but RX might be a bit deaf. RX details: 1dB antenna cable loss: + 14MHz to 144MHz SBL-1 mixer (straight 6dB loss) :+ IC 202 144MHz receiver (8dB NF). Hence total receive noise figure is at least 15dB. Built a Norton HF preamp (2n5109) to try and improve situation. (Is this necessary given the noise level at 14MHz? see following. Photo below shows the circuit and the measured cbe voltages resulting from a 13.9v supply. First audible results were however not particularly impressive. The dominant noise is the external noise? and this is in excess of any receiver contribution - even at 15dB noise fugure? But I will look into this and quantify the position. OK, this is a simple circuit and the 50 ohm output load is transformed by the broadband auto transformer to the collector load. The actual turns ratio used was 3 to the tap and then 11 to the collector. The turns ratio is then 14/3 or 4.6 which is the voltage transformation. ...