Overview
Splunk is a great tool for managing and interrogating data from multiple data-sources. A Splunk installation includes the ability to create and distribute instances of the Splunk Universal Forwarder, a tool that can be deployed to a data-source server and used to collect data and send it through to your Splunk server.
This document details the process required to configure a Splunk Universal Forwarder to send your Statseeker log data through to a Splunk server deployed within your environment.
Prerequisites
- A Statseeker server
- A Splunk server, configured to receive data from a Splunk Universal Forwarder
- A Splunk Universal Forwarder agent has been downloaded and placed on your Statseeker server
For details on acquiring, installing, and configuring a Splunk server see https://www.splunk.com
Configure the Splunk Forwarder
- SSH into your Statseeker server as the statseeker user and then change to the root user
- Locate the forwarder package that you previously placed on your Statseeker server
- Install the forwarder
Example:
# su root
# cd /tmp/
# pkg add splunkforwarder-6.6.3-e21ee54bc796-freebsd-10.1-amd64.txz
- Change directory to the binary location of the installed Splunk agent
- Start the Splunk forwarder
Example:
# cd /opt/splunkforwarder/bin
# ./splunk start --accept-license
- Configure the Splunk forwarder to start whenever the Statseeker server is restarted
Example:
# ./splunk enable boot-start
- Configure the forwarder to send to the Splunk server
Syntax: splunk add forward-server [splunk_server]:[port]
Example:
# ./splunk add forward-server test122.ssdocs.wpengine.com:9997
or, using the IP address of the Splunk server:
# ./splunk add forward-server 10.1.44.3:9997
- Add a monitor for each log you want to send through to Splunk
Syntax: splunk add monitor [source]
Example:
# ./splunk add monitor /home/statseeker/base/logs/base-logd.log
# ./splunk add monitor /home/statseeker/base/logs/httpd.errors
# ./splunk add monitor /home/statseeker/base/logs/httpd.access
# ./splunk add monitor /var/log/maillog
You can add additional parameters to make it easier to group and identify data sources; see Splunk's documentation library (http://docs.splunk.com/Documentation) for details.
You can view details on all currently configured datasources with:
# ./splunk list monitor
Log Files
There are a range of logs available on a Statseeker server:
Statseeker specific logs:
- /home/statseeker/base/logs/base-logd.log – Statseeker process logs
- /home/statseeker/base/logs/httpd.error – Statseeker web-server errors (http)
- /home/statseeker/base/logs/httpd.access – Statseeker web-server access logs (http)
- /home/statseeker/base/logs/httpsd.error – Statseeker web-server errors (https)
- /home/statseeker/base/logs/httpsd.access – Statseeker web-server access logs (https)
- /home/statseeker/base/logs/perl-logd.log – Statseeker legacy services error log
Linux/FreeBSD logs:
- /var/log/maillog – mail server log
- /var/log/cron – system-wide cron activity
- /var/log/messages – generic system activity (non-kernel boot errors, application/service errors)
- /var/log/auth.log – server authentication logs
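The "Add a monitor" step above and the log list in this section can be combined into a single pre-flight script: check that each candidate log actually exists and is readable before handing it to the forwarder, print the resulting "splunk add monitor" commands as a dry run, and only execute them on request. The script below is an added example and is not part of the Statseeker or Splunk documentation. It assumes the forwarder is installed under /opt/splunkforwarder (the path used in the procedure above); the SPLUNK_HOME and STATSEEKER_LOGS variables and the --apply flag are conventions of this script, not of the Splunk CLI.

```shell
#!/bin/sh
# Added example (not from the Statseeker or Splunk documentation).
# Pre-flight the "add monitor" step: keep only candidate logs that exist and
# are readable, print the commands that would be run (default, dry run), or
# execute them when invoked with --apply.
# Assumptions: forwarder under /opt/splunkforwarder; SPLUNK_HOME,
# STATSEEKER_LOGS and --apply are this script's own conventions.

SPLUNK_BIN="${SPLUNK_HOME:-/opt/splunkforwarder}/bin/splunk"

# Candidate log files, as listed in the "Log Files" section above.
# Whitespace-separated so the list can be reassigned before calling the functions.
STATSEEKER_LOGS="
/home/statseeker/base/logs/base-logd.log
/home/statseeker/base/logs/httpd.error
/home/statseeker/base/logs/httpd.access
/home/statseeker/base/logs/httpsd.error
/home/statseeker/base/logs/httpsd.access
/home/statseeker/base/logs/perl-logd.log
/var/log/maillog
/var/log/cron
/var/log/messages
/var/log/auth.log
"

# existing_logs: print the candidate paths that are regular, readable files.
# Anything skipped is reported on stderr so a mistyped path is visible rather
# than silently becoming a monitor that never produces events.
existing_logs() {
    for f in $STATSEEKER_LOGS; do
        if [ -f "$f" ] && [ -r "$f" ]; then
            printf '%s\n' "$f"
        else
            printf 'skipping %s: not a readable regular file\n' "$f" >&2
        fi
    done
}

# count_existing: number of logs that would be monitored.
count_existing() {
    existing_logs 2>/dev/null | wc -l | tr -d ' '
}

# monitor_commands: one "splunk add monitor <path>" line per existing log.
monitor_commands() {
    existing_logs | while IFS= read -r f; do
        printf '%s add monitor %s\n' "$SPLUNK_BIN" "$f"
    done
}

# add_monitors: run the forwarder for each existing log, stopping at the
# first failure. Refuses to run if the forwarder binary is not where expected.
add_monitors() {
    if [ ! -x "$SPLUNK_BIN" ]; then
        printf 'forwarder binary not found at %s\n' "$SPLUNK_BIN" >&2
        return 1
    fi
    existing_logs | while IFS= read -r f; do
        "$SPLUNK_BIN" add monitor "$f" || exit 1
    done
}

# Default is a dry run; pass --apply to actually register the monitors.
if [ "${1:-}" = "--apply" ]; then
    add_monitors
else
    monitor_commands
fi
```

Run it once without arguments to review the command list and the "skipping" messages, then re-run with --apply as root (the forwarder is started as root in the procedure above, and several of the listed system logs are only readable by root). Afterwards, "./splunk list monitor" should show exactly the paths the dry run printed.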