Splunk (syslog)

AIX

Create a user splunk and a group splunk (FIXME: check the right limits). The account below is what the forwarder runs as:

root@aix01 /root> lsuser -f splunk
splunk:
        id=2500
        pgrp=staff
        groups=staff,splunk
        home=/home/splunk
        shell=/usr/bin/ksh
        login=true
        su=true
        rlogin=true
        daemon=true
        admin=false
        umask=27
        account_locked=false

        fsize=-1
        cpu=-1
        data=2139095040
        stack=65536
        core=0
        rss=1073741824
        nofiles=8192
        core_hard=0

Untar the Splunk forwarder package into /opt/splunkforwarder and run the first start as the splunk user (not as root):

splunk@aix01 /home/splunk> /opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --auto-ports --no-prompt
This appears to be your first time running this version of Splunk.

Splunk> CSI: Logfiles.

Checking prerequisites...
        Checking mgmt port [8089]: open
                Creating: /opt/splunkforwarder/var/lib/splunk
                Creating: /opt/splunkforwarder/var/run/splunk
                Creating: /opt/splunkforwarder/var/run/splunk/appserver/i18n
                Creating: /opt/splunkforwarder/var/run/splunk/appserver/modules/static/css
                Creating: /opt/splunkforwarder/var/run/splunk/upload
                Creating: /opt/splunkforwarder/var/run/splunk/search_telemetry
                Creating: /opt/splunkforwarder/var/spool/splunk
                Creating: /opt/splunkforwarder/var/spool/dirmoncache
                Creating: /opt/splunkforwarder/var/lib/splunk/authDb
                Creating: /opt/splunkforwarder/var/lib/splunk/hashDb
New certs have been generated in '/opt/splunkforwarder/etc/auth'.
        Checking conf files for problems...
                Invalid key in stanza [webhook] in /opt/splunkforwarder/etc/system/default/alert_actions.conf, line 229: enable_allowlist (value: false).
                Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
        Done
        Checking default conf files for edits...
        Validating installed files against hashes from '/opt/splunkforwarder/splunkforwarder-9.0.1-82c987350fde-AIX-powerpc-manifest'
        All installed files intact.
        Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
execve: Permission denied
  while running command /usr/bin/startsrc
Splunk boot-start is enabled. please use /usr/bin/startsrc -s splunkd to start splunk

Create an SRC subsystem (service) for the forwarder. "splunk enable boot-start -user splunk" registers the splunkd subsystem with uid 2500 and group splunk, as odmget shows; the daemon left behind by the first start has to be killed before SRC can start its own instance.

root@aix01 /root> odmget -q subsysname="splunkd" SRCsubsys

SRCsubsys:
        subsysname = "splunkd"
        synonym = ""
        cmdargs = "_internal_exec_splunkd"
        path = "/opt/splunkforwarder/bin/splunk"
        uid = 2500
        auditid = 0
        standin = "/dev/console"
        standout = "/dev/console"
        standerr = "/dev/console"
        action = 1
        multi = 0
        contact = 2
        svrkey = 0
        svrmtype = 0
        priority = 20
        signorm = 2
        sigforce = 9
        display = 1
        waittime = 20
        grpname = "splunk"
root@aix01 /root> /opt/splunkforwarder/bin/splunk enable boot-start -user splunk
0513-071 The splunkd Subsystem has been added.
SRC subsystem group installed.
SRC subsystem group is configured to run at boot.

root@aix01 /root> lssrc -a | grep -i  splunk
splunkd          splunk                        inoperative

root@aix01 /root> ps -ef | grep splu
    root 10420368 33685510   0 10:40:18  pts/3  0:00 grep splu
  splunk 10944578 16973908   0 10:39:43      -  0:00 [splunkd pid=16973908] splunkd -p 8089 start [process-runner]
  splunk 16973908        1   0 10:39:43      -  0:01 splunkd -p 8089 start
root@aixtest /opt> kill -9 16973908

root@aix01 /root> startsrc -s splunkd
0513-059 The splunkd Subsystem has been started. Subsystem PID is 10879268.
root@aix01 /root> lssrc -a | grep -i  splunk
splunkd          splunk           10879268     active
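The two checks a sysadmin wants after this step, as an added example (not from the original page): classify splunkd from captured "lssrc" and "ps -ef" text (SRC-managed, stray first-run daemon, or stopped), and confirm from "odmget ... SRCsubsys" that SRC will run the forwarder unprivileged. Sample output is constructed from the session above so the script runs offline; the function and variable names are the example's own.

```sh
#!/bin/sh
# Added example, not part of the original wiki page. Command output is passed
# in as strings so the checks can run against the constructed samples below.

# Constructed samples modelled on the session above.
SAMPLE_LSSRC_INOP='splunkd          splunk                        inoperative'
SAMPLE_LSSRC_ACTIVE='splunkd          splunk           10879268     active'
SAMPLE_PS_STRAY='  splunk 16973908        1   0 10:39:43      -  0:01 splunkd -p 8089 start
  splunk 10944578 16973908   0 10:39:43      -  0:00 [splunkd pid=16973908] splunkd -p 8089 start [process-runner]'
SAMPLE_PS_NONE='    root 10420368 33685510   0 10:40:18  pts/3  0:00 grep splu'
SAMPLE_ODM='SRCsubsys:
        subsysname = "splunkd"
        path = "/opt/splunkforwarder/bin/splunk"
        uid = 2500
        grpname = "splunk"'

# splunkd_state LSSRC_OUTPUT PS_OUTPUT  -> prints srcactive | stray:<pid> | stopped
splunkd_state() {
    # lssrc line is "splunkd <group> [pid] <status>"; the status is the last field.
    status=$(printf '%s\n' "$1" | awk '$1 == "splunkd" { print $NF }')
    if [ "$status" = "active" ]; then
        echo srcactive
        return 0
    fi
    # A splunkd owned by splunk with PPID 1 is the daemon left by the first-run
    # "splunk start"; SRC does not manage it, and the session above kills it
    # before running startsrc. ps -ef fields: UID PID PPID C STIME TTY TIME CMD.
    stray=$(printf '%s\n' "$2" | awk '$1 == "splunk" && $3 == 1 && $8 == "splunkd" { print $2; exit }')
    if [ -n "$stray" ]; then
        echo "stray:$stray"
    else
        echo stopped
    fi
}

# srcsubsys_unprivileged ODMGET_OUTPUT -> exit 0 only if "uid = N" is present and N != 0
srcsubsys_unprivileged() {
    uid=$(printf '%s\n' "$1" | awk '$1 == "uid" && $2 == "=" { print $3; exit }')
    if [ -n "$uid" ] && [ "$uid" -ne 0 ]; then
        return 0
    fi
    return 1
}

# Demonstration on the samples. On a live host use:
#   splunkd_state "$(lssrc -s splunkd)" "$(ps -ef)"
#   srcsubsys_unprivileged "$(odmget -q subsysname=splunkd SRCsubsys)" && echo "runs as non-root"
splunkd_state "$SAMPLE_LSSRC_INOP" "$SAMPLE_PS_STRAY"      # stray:16973908
splunkd_state "$SAMPLE_LSSRC_ACTIVE" "$SAMPLE_PS_NONE"     # srcactive
```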

Debug (if needed)

root@aix01 /root> /opt/splunkforwarder/bin/splunk  btool check --debug

Linux

monitoring/splunk.1711359223.txt.gz · Last modified: 2024/03/25 10:33 by manu