
monitoring:splunk



Splunk (syslog)

AIX

Create a group splunk and a user splunk with dedicated resource limits (FIXME: check that the limits below are the right ones)

root@aix01 /root> mkgroup id=2500 splunk
root@aix01 /root> mkuser id=2500 pgrp=splunk groups=staff,splunk fsize=-1 data=2621440 rss=262144 splunk

root@aix01 /root> lsuser -f splunk
splunk:
        id=2500
        pgrp=staff
        groups=staff,splunk
        home=/home/splunk
        shell=/usr/bin/ksh
        login=true
        su=true
        rlogin=true
        daemon=true
        admin=false
        umask=27
        account_locked=false

        fsize=-1
        cpu=-1
        data=2139095040
        stack=65536
        core=0
        rss=1073741824
        nofiles=8192
        core_hard=0

Untar the Splunk forwarder package and start the install as the splunk user (not as root)

splunk@aix01 /home/splunk> /opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --auto-ports --no-prompt
This appears to be your first time running this version of Splunk.

Splunk> CSI: Logfiles.

Checking prerequisites...
        Checking mgmt port [8089]: open
                Creating: /opt/splunkforwarder/var/lib/splunk
                Creating: /opt/splunkforwarder/var/run/splunk
                Creating: /opt/splunkforwarder/var/run/splunk/appserver/i18n
                Creating: /opt/splunkforwarder/var/run/splunk/appserver/modules/static/css
                Creating: /opt/splunkforwarder/var/run/splunk/upload
                Creating: /opt/splunkforwarder/var/run/splunk/search_telemetry
                Creating: /opt/splunkforwarder/var/spool/splunk
                Creating: /opt/splunkforwarder/var/spool/dirmoncache
               Creating: /opt/splunkforwarder/var/lib/splunk/authDb
                Creating: /opt/splunkforwarder/var/lib/splunk/hashDb
New certs have been generated in '/opt/splunkforwarder/etc/auth'.
        Checking conf files for problems...
                Invalid key in stanza [webhook] in /opt/splunkforwarder/etc/system/default/alert_actions.conf, line 229: enable_allowlist (value: false).
                Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
        Done
        Checking default conf files for edits...
        Validating installed files against hashes from '/opt/splunkforwarder/splunkforwarder-9.0.1-82c987350fde-AIX-powerpc-manifest'
        All installed files intact.
        Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
execve: Permission denied
  while running command /usr/bin/startsrc
Splunk boot-start is enabled. please use /usr/bin/startsrc -s splunkd to start splunk

As root, create a splunkd SRC service. Check that the uid recorded in the resulting SRCsubsys entry is the id of the splunk user created above (compare with the lsuser output).

root@aix01 /opt> /opt/splunkforwarder/bin/splunk enable boot-start -user splunk
0513-071 The splunkd Subsystem has been added.
SRC subsystem group installed.
SRC subsystem group is configured to run at boot.

root@aix01 /opt> odmget -q subsysname="splunkd" SRCsubsys

SRCsubsys:
        subsysname = "splunkd"
        synonym = ""
        cmdargs = "_internal_exec_splunkd"
        path = "/opt/splunkforwarder/bin/splunk"
        uid = 1601
        auditid = 0
        standin = "/dev/console"
        standout = "/dev/console"
        standerr = "/dev/console"
        action = 1
        multi = 0
        contact = 2
        svrkey = 0
        svrmtype = 0
        priority = 20
        signorm = 2
        sigforce = 9
        display = 1
        waittime = 20
        grpname = "splunk"
        
root@aix01 /opt> cat /etc/inittab
splunk:2:once:/usr/bin/startsrc -g splunk > /dev/console 2>&1

root@aix01 /opt> lssrc -a | grep -i  splunk
 splunkd          splunk                        inoperative

root@aix01 /opt> ps -ef | grep splu
  splunk 11207102        1   2 16:41:57      -  0:00 splunkd -p 8089 start
  splunk 11338186 11207102   0 16:41:57      -  0:00 [splunkd pid=11207102] splunkd -p 8089 start [process-runner]
root@aix01 /opt> kill 11207102 11338186

root@aix01 /opt> startsrc -s splunkd
0513-059 The splunkd Subsystem has been started. Subsystem PID is 7995758.
root@aix01 /opt> ps -ef | grep splu
    root  6881638 10748408   0 16:47:50  pts/0  0:00 grep splu
  splunk  7995758  5898518 120 16:47:48      -  0:00 splunkd --nodaemon -p 8089 _internal_exec_splunkd
  splunk 11469220  7995758   0 16:47:50      -  0:00 [splunkd pid=7995758] splunkd --nodaemon -p 8089 _internal_exec_splunkd [process-runner]
  
root@aix01 /opt> lssrc -a | grep -i  splunk
 splunkd          splunk           7995758      active

Debug (if needed)

root@aix01 /root> /opt/splunkforwarder/bin/splunk  btool check --debug