Installing forwarder version 8.
[root@Centos7 ~]# rpm -ivh splunkforwarder-8.2.5-77015bc7a462-linux-2.6-x86_64.rpm
warning: splunkforwarder-8.2.5-77015bc7a462-linux-2.6-x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID b3cd4420: NOKEY
Preparing...                          ################################# [100%]
useradd: cannot create directory /opt/splunkforwarder
Updating / installing...
   1:splunkforwarder-8.2.5-77015bc7a46################################# [100%]
complete
[root@Centos7 splunkforwarder]# bin/splunk start --accept-license
This appears to be your first time running this version of Splunk.
Splunk software must create an administrator account during startup. Otherwise, you cannot log in.
Create credentials for the administrator account.
Characters do not appear on the screen when you type in credentials.
Please enter an administrator username: admin
Password must contain at least:
   * 8 total printable ASCII character(s).
Please enter a new password:
Please confirm new password:
Splunk> Needle. Haystack. Found.
Checking prerequisites...
        Checking mgmt port [8089]: open
        Creating: /opt/splunkforwarder/var/lib/splunk
        Creating: /opt/splunkforwarder/var/run/splunk
        Creating: /opt/splunkforwarder/var/run/splunk/appserver/i18n
        Creating: /opt/splunkforwarder/var/run/splunk/appserver/modules/static/css
        Creating: /opt/splunkforwarder/var/run/splunk/upload
        Creating: /opt/splunkforwarder/var/run/splunk/search_telemetry
        Creating: /opt/splunkforwarder/var/spool/splunk
        Creating: /opt/splunkforwarder/var/spool/dirmoncache
        Creating: /opt/splunkforwarder/var/lib/splunk/authDb
        Creating: /opt/splunkforwarder/var/lib/splunk/hashDb
New certs have been generated in '/opt/splunkforwarder/etc/auth'.
        Checking conf files for problems...
        Done
        Checking default conf files for edits...
        Validating installed files against hashes from '/opt/splunkforwarder/splunkforwarder-8.2.5-77015bc7a462-linux-2.6-x86_64-manifest'
        All installed files intact.
        Done
All preliminary checks passed.
Starting splunk server daemon (splunkd)...
Done
                                                           [  OK  ]
Registering the service requires a separate step.
[root@Centos7 splunkforwarder]# bin/splunk enable boot-start
Init script installed at /etc/init.d/splunk.
Init script is configured to run at boot.
[root@Centos7 splunkforwarder]# service splunk start
Starting splunk (via systemctl):                           [  OK  ]
The forwarder is running as the root account.
[root@Centos7 splunkforwarder]# ps -ef | grep splunk
root      1582     1 12 18:08 ?        00:00:00 splunkd -p 8089 start
root      1588  1582  0 18:08 ?        00:00:00 [splunkd pid=1582] splunkd -p 8089 start [process-runner]
root      1652  1234  0 18:08 pts/0    00:00:00 grep --color=auto splunk
Installing forwarder version 9.
[root@Centos7 ~]# rpm -ivh splunkforwarder-9.0.4-de405f4a7979-linux-2.6-x86_64.rpm
warning: splunkforwarder-9.0.4-de405f4a7979-linux-2.6-x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID b3cd4420: NOKEY
Preparing...                          ################################# [100%]
useradd: cannot create directory /opt/splunkforwarder
Updating / installing...
   1:splunkforwarder-9.0.4-de405f4a797################################# [100%]
complete
The startup procedure is the same as for version 8. But looking at the result, it is running as the splunk account?
[root@Centos7 splunkforwarder]# ps -ef | grep splunk
splunk    1378     1  2 18:21 ?        00:00:01 splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd
splunk    1412  1378  0 18:21 ?        00:00:00 [splunkd pid=1378] splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd [process-runner]
root      1478  1233  0 18:21 pts/0    00:00:00 grep --color=auto splunk
Things seem to have changed starting with version 9. It turns out the service is registered automatically as well, which is a big difference from version 8. No wonder the forwarder was already running whenever I rebooted Linux (..)
[root@Centos7 splunkforwarder]# ls /etc/init.d/
functions  netconsole  network  README  sshd
[root@Centos7 splunkforwarder]# ls /etc/systemd/system/multi-user.target.wants/
auditd.service  irqbalance.service  NetworkManager.service  remote-fs.target  SplunkForwarder.service  tuned.service
crond.service   kdump.service       postfix.service         rsyslog.service   sshd.service
[root@Centos7 splunkforwarder]# service SplunkForwarder status
Redirecting to /bin/systemctl status SplunkForwarder.service
● SplunkForwarder.service - Systemd service file for Splunk, generated by 'splunk enable boot-start'
   Loaded: loaded (/usr/lib/systemd/system/SplunkForwarder.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2023-05-27 18:21:03 KST; 1min 7s ago
  Process: 1381 ExecStartPost=/bin/bash -c chown -R splunk:splunk /sys/fs/cgroup/memory/system.slice/%n (code=exited, status=0/SUCCESS)
  Process: 1379 ExecStartPost=/bin/bash -c chown -R splunk:splunk /sys/fs/cgroup/cpu/system.slice/%n (code=exited, status=0/SUCCESS)
  Process: 1376 ExecStartPre=/bin/bash -c chown -R splunk:splunk /opt/splunkforwarder (code=exited, status=0/SUCCESS)
 Main PID: 1378 (splunkd)
   Memory: 122.1M (limit: 1.7G)
   CGroup: /system.slice/SplunkForwarder.service
           ├─1378 splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd
           └─1412 [splunkd pid=1378] splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd
...
May 27 18:21:03 Centos7 splunk[1378]: Warning: Executing "chown -R splunk /opt/splunkforwarder"
May 27 18:21:03 Centos7 splunk[1378]: Checking mgmt port [8089]: open
May 27 18:21:04 Centos7 splunk[1378]: Invalid key in stanza [webhook] in /opt/splunkforwarder/etc/system/default/aler...alse).
May 27 18:21:04 Centos7 splunk[1378]: Your indexes and inputs configurations are not internally consistent. For more ...debug'
May 27 18:21:04 Centos7 splunk[1378]: Checking conf files for problems...
May 27 18:21:04 Centos7 splunk[1378]: Done
May 27 18:21:04 Centos7 splunk[1378]: Checking default conf files for edits...
May 27 18:21:04 Centos7 splunk[1378]: Validating installed files against hashes from '/opt/splunkforwarder/splunkforw...ifest'
May 27 18:21:04 Centos7 splunk[1378]: PYTHONHTTPSVERIFY is set to 0 in splunk-launch.conf disabling certificate valid...curity
May 27 18:21:04 Centos7 splunk[1378]: 2023-05-27 18:21:04.642 +0900 splunkd started (build de405f4a7979) pid=1378
Hint: Some lines were ellipsized, use -l to show in full.
The curious thing is that even though it runs as the splunk account, it can still access root-owned files.
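As an added example (not code from the original post), here is a small POSIX shell audit that turns the two observations above into repeatable checks: which account owns the splunkd main process, and whether splunk-launch.conf sets PYTHONHTTPSVERIFY=0 as the version 9 journal line warns. The /opt/splunkforwarder path comes from the post; the function names and the sample ps lines are constructed here.

```shell
#!/bin/sh
# Added example, not from the original post: a small POSIX sh audit for the two
# findings the post's output surfaces on a forwarder host, namely splunkd
# processes owned by root (the v8 default) and PYTHONHTTPSVERIFY=0 in
# splunk-launch.conf (the v9 journal warning). Text is passed in as arguments so
# the checks also run offline against constructed samples.

# List the distinct owners of splunkd main processes in `ps -ef` style output.
# Field 8 is the command; the "[splunkd pid=N]" process-runner child is skipped.
splunkd_owners() {
    printf '%s\n' "$1" | awk '$8 == "splunkd" { print $1 }' | sort -u
}

# Count splunkd main processes owned by root. A non-zero result on a v9 host
# means the systemd unit's chown/User setup is not in effect.
count_root_splunkd() {
    printf '%s\n' "$1" | awk '$1 == "root" && $8 == "splunkd"' | wc -l | tr -d ' '
}

# Return 0 when splunk-launch.conf content disables TLS verification for the
# bundled Python (the setting the v9 journal line warns about).
launch_conf_disables_tls_verify() {
    printf '%s\n' "$1" \
      | grep -Eq '^[[:space:]]*PYTHONHTTPSVERIFY[[:space:]]*=[[:space:]]*0[[:space:]]*$'
}

# Run both checks against the live host. SPLUNK_HOME is assumed to be the
# post's /opt/splunkforwarder unless overridden in the environment.
audit_host() {
    home="${SPLUNK_HOME:-/opt/splunkforwarder}"
    ps_out="$(ps -ef)"
    echo "splunkd owners: $(splunkd_owners "$ps_out" | tr '\n' ' ')"
    echo "root-owned splunkd processes: $(count_root_splunkd "$ps_out")"
    if launch_conf_disables_tls_verify "$(cat "$home/etc/splunk-launch.conf" 2>/dev/null)"; then
        echo "WARN: PYTHONHTTPSVERIFY=0 in $home/etc/splunk-launch.conf"
    fi
}

# Constructed samples shaped like the post's `ps -ef | grep splunk` output.
V8_PS='root      1582     1 12 18:08 ?        00:00:00 splunkd -p 8089 start
root      1588  1582  0 18:08 ?        00:00:00 [splunkd pid=1582] splunkd -p 8089 start [process-runner]'
V9_PS='splunk    1378     1  2 18:21 ?        00:00:01 splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd
splunk    1412  1378  0 18:21 ?        00:00:00 [splunkd pid=1378] splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd [process-runner]'

if [ "${1:-}" = "--live" ]; then audit_host; fi
```

Run it with `--live` on the forwarder host to check the real process list and launch file; without arguments it only defines the functions and samples.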