0x00 linux
tar -zxvf splunkforwarder-8.0.3-a6754d8441bf-Linux-x86_64.tgz -C /opt
/opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --no-prompt --seed-passwd <password>
mkdir -p /opt/splunkforwarder/etc/apps/yourcompany_all_deploymentclient/local
cat > /opt/splunkforwarder/etc/apps/yourcompany_all_deploymentclient/local/deploymentclient.conf<<EOF
[deployment-client]
[target-broker:deploymentServer]
targetUri = ds_ip:8089
EOF
/opt/splunkforwarder/bin/splunk restart
/opt/splunkforwarder/bin/splunk enable boot-start
To change the default management port:
tar -zxvf splunkforwarder-8.0.3-a6754d8441bf-Linux-x86_64.tgz -C /opt
/opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --no-prompt --seed-passwd <password>
mkdir -p /opt/splunkforwarder/etc/apps/yourcompany_all_deploymentclient/local
cat > /opt/splunkforwarder/etc/apps/yourcompany_all_deploymentclient/local/deploymentclient.conf<<EOF
[deployment-client]
[target-broker:deploymentServer]
targetUri = ds_ip:8089
EOF
/opt/splunkforwarder/bin/splunk start
cat > /opt/splunkforwarder/etc/system/local/web.conf<<EOF
[settings]
mgmtHostPort = 127.0.0.1:18888
EOF
/opt/splunkforwarder/bin/splunk restart
/opt/splunkforwarder/bin/splunk enable boot-start
To add a custom configuration on the agent:
tar -zxvf splunkforwarder-8.0.3-a6754d8441bf-Linux-x86_64.tgz -C /opt
/opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --no-prompt --seed-passwd <password>
mkdir -p /opt/splunkforwarder/etc/apps/yourcompany_all_deploymentclient/local
cat > /opt/splunkforwarder/etc/apps/yourcompany_all_deploymentclient/local/deploymentclient.conf<<EOF
[deployment-client]
[target-broker:deploymentServer]
targetUri = ds_ip:8089
EOF
#mkdir -p /opt/splunkforwarder/etc/apps/yourcompany_linux_firewall_inputs/local
#cat > /opt/splunkforwarder/etc/apps/yourcompany_linux_firewall_inputs/local/inputs.conf<<EOF
#[monitor:///var/log/firewalld.log]
#disabled=0
#index = yourcompany_linuxfirewalllog
#EOF
/opt/splunkforwarder/bin/splunk restart
/opt/splunkforwarder/bin/splunk enable boot-start
0x01 windows
msiexec -i splunkforwarder-8.0.3-a6754d8441bf-x64-release.msi SPLUNKUSERNAME=admin SPLUNKPASSWORD=<pass> AGREETOLICENSE=Yes /quiet
set "path1=%programfiles%\SplunkUniversalForwarder\etc\apps\yourcompany_all_deploymentclient\local"
mkdir "%path1%" & echo. > "%path1%\deploymentclient.conf" & echo [deployment-client] > "%path1%\deploymentclient.conf" & echo [target-broker:deploymentServer] >> "%path1%\deploymentclient.conf" & echo targetUri = ds_ip:8089 >> "%path1%\deploymentclient.conf"
::set "path2=%programfiles%\SplunkUniversalForwarder\etc\apps\yourcompany_nginx\local"
::mkdir "%path2%" & echo [monitor://C:\logs\access.log] > "%path2%\inputs.conf" & echo index = yourcompany_nginx >> "%path2%\inputs.conf" & echo sourcetype = nginx:plus:access >> "%path2%\inputs.conf" & echo crcSalt = ^<SOURCE^> >> "%path2%\inputs.conf"
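0x02 Postscript
1. If the password is too simple, it fails password validation. Because the install runs with /quiet, no error is shown; the deployment fails and the host never checks in to the DS (deployment server).
2. If the Linux hostname is not set and stays at the default localhost, the Linux machine will not check in to the DS.
3. Analyze the network according to your actual environment. For example, in my environment some Windows machines are not domain-joined, the firewall is enabled, and the IP is blocked.
A firewall rule has to be added manually: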
netsh firewall show state
netsh advfirewall firewall add rule name="splunk" dir=out action=allow protocol=TCP remoteip=<ds_ip> remoteport=8089
Then restart the agent.
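The silent failures in postscript items 1 and 2, plus a `ds_ip` placeholder left in `deploymentclient.conf`, can be caught before the Linux install steps run. The script below is an added example, not part of the original post; the function names, the `MIN_PW_LEN` threshold and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the
# failure modes in the postscript. MIN_PW_LEN is an assumed threshold; the
# post only says "too simple" passwords are rejected, so set it to your policy.
MIN_PW_LEN="${MIN_PW_LEN:-8}"

# Fails when the hostname is unset or still the default localhost.
hostname_ok() {
    case "$1" in
        ""|localhost|localhost.*) return 1 ;;
        *) return 0 ;;
    esac
}

# Fails when the password is shorter than MIN_PW_LEN characters.
password_ok() { [ "${#1}" -ge "$MIN_PW_LEN" ]; }

# Prints targetUri from the [target-broker:deploymentServer] stanza of a file.
target_uri() {
    awk -F= '
        /^[ \t]*\[/ { in_stanza = ($0 ~ /^[ \t]*\[target-broker:deploymentServer\]/) }
        in_stanza && $1 ~ /^[ \t]*targetUri[ \t]*$/ {
            gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit
        }' "$1"
}

# Fails when targetUri is missing, is still the ds_ip placeholder, or is not host:port.
target_uri_ok() {
    uri=$(target_uri "$1")
    case "$uri" in
        ""|ds_ip:*) return 1 ;;
    esac
    printf '%s\n' "$uri" | grep -Eq '^[A-Za-z0-9.-]+:[0-9]{1,5}$'
}

# usage: preflight HOSTNAME PASSWORD CONF_FILE  (returns 1 if any check fails)
preflight() {
    rc=0
    hostname_ok "$1"   || { echo "FAIL: hostname is unset or localhost" >&2; rc=1; }
    password_ok "$2"   || { echo "FAIL: password shorter than $MIN_PW_LEN characters" >&2; rc=1; }
    target_uri_ok "$3" || { echo "FAIL: targetUri missing, placeholder or malformed" >&2; rc=1; }
    return "$rc"
}

# Constructed sample: the post's config copied verbatim, placeholder still in place.
sample=$(mktemp)
printf '[deployment-client]\n[target-broker:deploymentServer]\ntargetUri = ds_ip:8089\n' > "$sample"
preflight localhost 'abc' "$sample" || echo "pre-flight failed on the constructed sample, as expected"
rm -f "$sample"
```

On a real host, call `preflight "$(hostname)"` with the seed password and the path of the `deploymentclient.conf` written above, and run `splunk restart` only when it returns 0.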
Copyright belongs to the original author, leeezp. If there is any infringement, please contact us for removal.