Saturday, May 27, 2023

SplunkForwarder v9

Installing forwarder version 8. The NOKEY warning in the rpm output below means rpm could not check the package signature because Splunk's signing key is not in the local RPM keyring; import the key with `rpm --import` and verify the package with `rpm -K` before installing, otherwise the signature is not actually protecting anything.
[root@Centos7 ~]# rpm -ivh splunkforwarder-8.2.5-77015bc7a462-linux-2.6-x86_64.rpm
warning: splunkforwarder-8.2.5-77015bc7a462-linux-2.6-x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID b3cd4420: NOKEY
Preparing...                          ################################# [100%]
useradd: cannot create directory /opt/splunkforwarder
Updating / installing...
   1:splunkforwarder-8.2.5-77015bc7a46################################# [100%]
complete

Starting it.
[root@Centos7 splunkforwarder]# bin/splunk start --accept-license

This appears to be your first time running this version of Splunk.

Splunk software must create an administrator account during startup. Otherwise, you cannot log in.
Create credentials for the administrator account.
Characters do not appear on the screen when you type in credentials.

Please enter an administrator username: admin
Password must contain at least:
   * 8 total printable ASCII character(s).
Please enter a new password:
Please confirm new password:

Splunk> Needle. Haystack. Found.

Checking prerequisites...
        Checking mgmt port [8089]: open
                Creating: /opt/splunkforwarder/var/lib/splunk
                Creating: /opt/splunkforwarder/var/run/splunk
                Creating: /opt/splunkforwarder/var/run/splunk/appserver/i18n
                Creating: /opt/splunkforwarder/var/run/splunk/appserver/modules/static/css
                Creating: /opt/splunkforwarder/var/run/splunk/upload
                Creating: /opt/splunkforwarder/var/run/splunk/search_telemetry
                Creating: /opt/splunkforwarder/var/spool/splunk
                Creating: /opt/splunkforwarder/var/spool/dirmoncache
                Creating: /opt/splunkforwarder/var/lib/splunk/authDb
                Creating: /opt/splunkforwarder/var/lib/splunk/hashDb
New certs have been generated in '/opt/splunkforwarder/etc/auth'.
        Checking conf files for problems...
        Done
        Checking default conf files for edits...
        Validating installed files against hashes from '/opt/splunkforwarder/splunkforwarder-8.2.5-77015bc7a462-linux-2.6-x86_64-manifest'
        All installed files intact.
        Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
Done
                                                           [  OK  ]

Service registration is a separate step. Note that `enable boot-start` without `-user` registers the forwarder to start as root, which is what the process listing below shows; `splunk enable boot-start -user splunk` registers it to run as a dedicated account instead.
[root@Centos7 splunkforwarder]# bin/splunk enable boot-start
Init script installed at /etc/init.d/splunk.
Init script is configured to run at boot.
[root@Centos7 splunkforwarder]# service splunk start
Starting splunk (via systemctl):                           [  OK  ]

The forwarder running under the root account.
[root@Centos7 splunkforwarder]# ps -ef | grep splunk
root      1582     1 12 18:08 ?        00:00:00 splunkd -p 8089 start
root      1588  1582  0 18:08 ?        00:00:00 [splunkd pid=1582] splunkd -p 8089 start [process-runner]
root      1652  1234  0 18:08 pts/0    00:00:00 grep --color=auto splunk

Installing forwarder version 9
[root@Centos7 ~]# rpm -ivh splunkforwarder-9.0.4-de405f4a7979-linux-2.6-x86_64.rpm
warning: splunkforwarder-9.0.4-de405f4a7979-linux-2.6-x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID b3cd4420: NOKEY
Preparing...                          ################################# [100%]
useradd: cannot create directory /opt/splunkforwarder
Updating / installing...
   1:splunkforwarder-9.0.4-de405f4a797################################# [100%]
complete

The startup procedure is the same as version 8. But looking at the result, it's running as the splunk account?
[root@Centos7 splunkforwarder]# ps -ef | grep splunk
splunk    1378     1  2 18:21 ?        00:00:01 splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd
splunk    1412  1378  0 18:21 ?        00:00:00 [splunkd pid=1378] splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd [process-runner]
root      1478  1233  0 18:21 pts/0    00:00:00 grep --color=auto splunk

Seems things changed a bit from version 9. It turns out the service registration also happens automatically. Quite different from version 8. No wonder the forwarder was already running after I rebooted Linux (..)
The status output below also shows how it gets there: before launch, root runs `chown -R splunk:splunk /opt/splunkforwarder` and hands the unit's cpu and memory cgroups to splunk (that is what `--systemd-delegate=yes` is for), and only then does splunkd run as the splunk account. One journal line is worth acting on: `PYTHONHTTPSVERIFY is set to 0 in splunk-launch.conf` means the Python-based components skip TLS certificate validation, so check /opt/splunkforwarder/etc/splunk-launch.conf.
[root@Centos7 splunkforwarder]# ls /etc/init.d/
functions  netconsole  network  README  sshd
[root@Centos7 splunkforwarder]# ls /etc/systemd/system/multi-user.target.wants/
auditd.service  irqbalance.service  NetworkManager.service  remote-fs.target  SplunkForwarder.service  tuned.service
crond.service   kdump.service       postfix.service         rsyslog.service   sshd.service
[root@Centos7 splunkforwarder]# service SplunkForwarder status
Redirecting to /bin/systemctl status SplunkForwarder.service
● SplunkForwarder.service - Systemd service file for Splunk, generated by 'splunk enable boot-start'
   Loaded: loaded (/usr/lib/systemd/system/SplunkForwarder.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2023-05-27 18:21:03 KST; 1min 7s ago
  Process: 1381 ExecStartPost=/bin/bash -c chown -R splunk:splunk /sys/fs/cgroup/memory/system.slice/%n (code=exited, status=0/SUCCESS)
  Process: 1379 ExecStartPost=/bin/bash -c chown -R splunk:splunk /sys/fs/cgroup/cpu/system.slice/%n (code=exited, status=0/SUCCESS)
  Process: 1376 ExecStartPre=/bin/bash -c chown -R splunk:splunk /opt/splunkforwarder (code=exited, status=0/SUCCESS)
 Main PID: 1378 (splunkd)
   Memory: 122.1M (limit: 1.7G)
   CGroup: /system.slice/SplunkForwarder.service
           ├─1378 splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd
           └─1412 [splunkd pid=1378] splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd ...

May 27 18:21:03 Centos7 splunk[1378]: Warning: Executing "chown -R splunk /opt/splunkforwarder"
May 27 18:21:03 Centos7 splunk[1378]: Checking mgmt port [8089]: open
May 27 18:21:04 Centos7 splunk[1378]: Invalid key in stanza [webhook] in /opt/splunkforwarder/etc/system/default/aler...alse).
May 27 18:21:04 Centos7 splunk[1378]: Your indexes and inputs configurations are not internally consistent. For more ...debug'
May 27 18:21:04 Centos7 splunk[1378]: Checking conf files for problems...
May 27 18:21:04 Centos7 splunk[1378]: Done
May 27 18:21:04 Centos7 splunk[1378]: Checking default conf files for edits...
May 27 18:21:04 Centos7 splunk[1378]: Validating installed files against hashes from '/opt/splunkforwarder/splunkforw...ifest'
May 27 18:21:04 Centos7 splunk[1378]: PYTHONHTTPSVERIFY is set to 0 in splunk-launch.conf disabling certificate valid...curity
May 27 18:21:04 Centos7 splunk[1378]: 2023-05-27 18:21:04.642 +0900 splunkd started (build de405f4a7979) pid=1378
Hint: Some lines were ellipsized, use -l to show in full.
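As an added example (written for this page, not code from the original post or from Splunk), a small audit script that takes `ps -ef` output and the contents of splunk-launch.conf as text and flags the two things visible above: splunkd running as root (the version 8 listing) and PYTHONHTTPSVERIFY=0 (the warning in the version 9 journal). The two process listings are the ones captured in this post; the two splunk-launch.conf bodies are constructed, and the `KEY=VALUE` line format is assumed from the wording of the splunkd warning.

```bash
#!/usr/bin/env bash
# Added audit helpers for a Universal Forwarder host. Example code written for
# this page, not Splunk's. Inputs are passed as text so the functions can run
# against captured output (the samples below) or live data, e.g.
#   audit_forwarder "$(ps -ef)" "$(cat /opt/splunkforwarder/etc/splunk-launch.conf)"

# Print the account that owns the main splunkd process. In `ps -ef` output the
# command starts at field 8, so the main daemon is the line whose 8th field is
# exactly "splunkd"; the "[splunkd pid=...]" process-runner and the grep line
# do not match.
splunkd_user() {
  printf '%s\n' "$1" | awk '$8 == "splunkd" { print $1; exit }'
}

# Succeed (exit 0) if splunk-launch.conf disables Python TLS certificate
# validation. The KEY=VALUE line format is an assumption based on the splunkd
# warning "PYTHONHTTPSVERIFY is set to 0 in splunk-launch.conf".
tls_verify_disabled() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*PYTHONHTTPSVERIFY[[:space:]]*=[[:space:]]*0[[:space:]]*$'
}

# Print one FINDING line per problem and return the number of findings
# (0 = clean). Arguments: `ps -ef` text, splunk-launch.conf text.
audit_forwarder() {
  local ps_out=$1 launch_conf=$2 n=0 user
  user=$(splunkd_user "$ps_out")
  if [ -z "$user" ]; then
    echo "FINDING: no splunkd main process found"; n=$((n + 1))
  elif [ "$user" = root ]; then
    echo "FINDING: splunkd runs as root (re-register with: splunk enable boot-start -user splunk)"; n=$((n + 1))
  fi
  if tls_verify_disabled "$launch_conf"; then
    echo "FINDING: PYTHONHTTPSVERIFY=0 in splunk-launch.conf disables certificate validation"; n=$((n + 1))
  fi
  return "$n"
}

# Sample inputs. The two process listings are the ones captured in the post
# (version 8 under the init script, version 9 under systemd); the two
# splunk-launch.conf bodies are constructed for this example.
PS_V8='root      1582     1 12 18:08 ?        00:00:00 splunkd -p 8089 start
root      1588  1582  0 18:08 ?        00:00:00 [splunkd pid=1582] splunkd -p 8089 start [process-runner]
root      1652  1234  0 18:08 pts/0    00:00:00 grep --color=auto splunk'
PS_V9='splunk    1378     1  2 18:21 ?        00:00:01 splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd
splunk    1412  1378  0 18:21 ?        00:00:00 [splunkd pid=1378] splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd [process-runner]
root      1478  1233  0 18:21 pts/0    00:00:00 grep --color=auto splunk'
CONF_BAD='SPLUNK_HOME=/opt/splunkforwarder
SPLUNK_SERVER_NAME=SplunkForwarder
PYTHONHTTPSVERIFY=0'
CONF_OK='SPLUNK_HOME=/opt/splunkforwarder
SPLUNK_SERVER_NAME=SplunkForwarder'

# Run the two sample hosts only when executed directly, so the functions can
# also be sourced from another script.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  echo "== version 8 host"; audit_forwarder "$PS_V8" "$CONF_BAD" || echo "findings: $?"
  echo "== version 9 host"; audit_forwarder "$PS_V9" "$CONF_OK"  || echo "findings: $?"
fi
```

Run it on a real host with the live `ps -ef` and splunk-launch.conf as the two arguments; a non-zero exit status is the number of findings, which makes it easy to wire into a configuration check.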


Creative Commons License