安全运维 -- splunk 一键部署agent

0x00 linux

tar -zxvf splunkforwarder-8.0.3-a6754d8441bf-Linux-x86_64.tgz -C /opt
/opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --no-prompt --seed-passwd <password>
mkdir -p /opt/splunkforwarder/etc/apps/yourcompany_all_deploymentclient/local
cat > /opt/splunkforwarder/etc/apps/yourcompany_all_deploymentclient/local/deploymentclient.conf<<EOF
[deployment-client]
[target-broker:deploymentServer]
targetUri = ds_ip:8089
EOF
/opt/splunkforwarder/bin/splunk restart
/opt/splunkforwarder/bin/splunk enable boot-start

如果想修改默认端口：

tar -zxvf splunkforwarder-8.0.3-a6754d8441bf-Linux-x86_64.tgz -C /opt
/opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --no-prompt --seed-passwd <password>
mkdir -p /opt/splunkforwarder/etc/apps/yourcompany_all_deploymentclient/local
cat > /opt/splunkforwarder/etc/apps/yourcompany_all_deploymentclient/local/deploymentclient.conf<<EOF
[deployment-client]
[target-broker:deploymentServer]
targetUri = ds_ip:8089
EOF
/opt/splunkforwarder/bin/splunk start
cat > /opt/splunkforwarder/etc/system/local/web.conf<<EOF
[settings]
mgmtHostPort = 127.0.0.1:18888
EOF
/opt/splunkforwarder/bin/splunk restart
/opt/splunkforwarder/bin/splunk enable boot-start

如果想在agent增加一个自定义配置：

tar -zxvf splunkforwarder-8.0.3-a6754d8441bf-Linux-x86_64.tgz -C /opt
/opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --no-prompt --seed-passwd <password>
mkdir -p /opt/splunkforwarder/etc/apps/yourcompany_all_deploymentclient/local
cat > /opt/splunkforwarder/etc/apps/yourcompany_all_deploymentclient/local/deploymentclient.conf<<EOF
[deployment-client]
[target-broker:deploymentServer]
targetUri = ds_ip:8089
EOF
#mkdir -p /opt/splunkforwarder/etc/apps/yourcompany_linux_firewall_inputs/local
#cat > /opt/splunkforwarder/etc/apps/yourcompany_linux_firewall_inputs/local/inputs.conf<<EOF
#[monitor:///var/log/firewalld.log]
#disabled=0
#index = yourcompany_linuxfirewalllog
#EOF
/opt/splunkforwarder/bin/splunk restart
/opt/splunkforwarder/bin/splunk enable boot-start

0x01 windows

msiexec -i splunkforwarder-8.0.3-a6754d8441bf-x64-release.msi SPLUNKUSERNAME=admin SPLUNKPASSWORD=<pass> AGREETOLICENSE=Yes /quiet
set "path1=%programfiles%\SplunkUniversalForwarder\etc\apps\yourcompany_all_deploymentclient\local"
mkdir "%path1%" & echo. > "%path1%\deploymentclient.conf" & echo [deployment-client] > "%path1%\deploymentclient.conf" & echo [target-broker:deploymentServer] >> "%path1%\deploymentclient.conf" & echo targetUri = ds_ip:8089 >> "%path1%\deploymentclient.conf"
::set "path2=%programfiles%\SplunkUniversalForwarder\etc\apps\yourcompany_nginx\local"
::mkdir "%path2%" & echo [monitor://C:\logs\access.log] > "%path2%\inputs.conf" & echo index = yourcompany_nginx >> "%path2%\inputs.conf" & echo sourcetype = nginx:plus:access >> "%path2%\inputs.conf" & echo crcSalt = ^<SOURCE^> >> "%path2%\inputs.conf"

0x02 后记

1、如果密码设置过于简单，会导致密码不通过验证，由于是 /quiet 会导致看不到报错，部署失败导致无法上线DS。

2、如果linux主机名未设置，保持为默认的 localhost，则会导致linux机器无法上线DS。

3、根据实际分析网络情况，例如我的环境有些windows电脑未加域，防火墙开启，ip被拦截。

需要手动添加防火墙规则：

netsh firewall show state
netsh advfirewall firewall add rule name="splunk" dir=out action=allow protocol=TCP remoteip=<ds_ip> remoteport=8089

然后重启agent即可。