Splunk 3.1: Log-Monitoring Revisited - page 3
There isn't much to say about installing Splunk. Follow the simple instructions provided, depending on your platform, and then point your Web browser at the address indicated by the installer. At this point, you simply need to add a data source.
Caution, beware, pay attention! The syslog source type automatically extracts host names. If you choose another type, all of your syslog entries may appear to come from your syslog hostname. So add a FIFO data input of syslog type and point it at /var/run/splunk-pipe. The dashboard front page will soon begin to populate with data. If you want more immediate results, temporarily add a text file with syslog messages, and Splunk will happily slurp up and index the data. Now you can start playing with Saved Searches.
Unfortunately, the administrator interface is wide open. Splunk feels that securing one's configuration settings is an enterprise feature, and you must pay money for a functional product. People who care enough about this limitation can easily find a way to work around it. Exercising some not-as-evil-as-they-seem insight, Splunk made the admin interface exclusively reachable via the URI /admin. Apache to the rescue.
Even with users and a password-protected admin section, note that your syslog data is still wide open. We can solve both problems at once by proxying to the Splunk server via Apache.
First, we want Splunk to listen only on localhost, assuming we're serving the Splunk Web page from the syslog server. Simply set the environment variable in the startup script:
Next, configure Apache to proxy requests to Splunk; something like:

    ProxyPass / http://127.0.0.1:8000/
    ProxyPassReverse / http://127.0.0.1:8000/

    <Location /admin/>
        Order Deny,Allow
        Deny from all
        # Stuff
    </Location>
To limit access to the /admin/ section, you can simply replace # Stuff with specific allow lines, LDAP authentication, or whatever you choose. To protect all of Splunk, place the restriction at / instead. You'll probably want to ensure people are connecting via SSL if they are required to enter a password, so be sure to redirect non-SSL requests.
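The whole arrangement described above, pulled together as an added example that is not from the original article: an Apache 2.2 virtual host pair assuming Splunk is bound to 127.0.0.1:8000, with the hostname, certificate paths, password file, admin user and admin network all being placeholders.

```apache
# Added example, not from the original article: Apache 2.2 vhost pair that
# fronts a Splunk bound to 127.0.0.1:8000, redirects plain HTTP to HTTPS,
# requires a login for all log data, and limits /admin/ to one source network.
# splunk.example.com, the certificate paths, the htpasswd file, the admin
# user and 10.0.0.0/8 are placeholders; substitute your own.

<VirtualHost *:80>
    ServerName splunk.example.com
    # Bounce every plain-HTTP request to HTTPS before anyone types a password
    Redirect permanent / https://splunk.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName splunk.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/splunk.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/splunk.example.com.key

    # Reverse-proxy only; never act as an open forward proxy
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:8000/
    ProxyPassReverse / http://127.0.0.1:8000/

    # The whole UI (and therefore the syslog data) needs a valid login
    # (user file created with: htpasswd -c /etc/apache2/splunk.htpasswd <user>)
    <Location />
        AuthType Basic
        AuthName "Splunk"
        AuthUserFile /etc/apache2/splunk.htpasswd
        Require valid-user
    </Location>

    # The admin UI additionally requires an allowed source address;
    # Satisfy All means both the network check and the login must pass
    <Location /admin/>
        Order Deny,Allow
        Deny from all
        Allow from 10.0.0.0/8
        AuthType Basic
        AuthName "Splunk admin"
        AuthUserFile /etc/apache2/splunk.htpasswd
        Require user admin
        Satisfy All
    </Location>
</VirtualHost>
```

Run apachectl configtest after editing, and confirm from another host that port 8000 is not reachable directly, since the proxy restrictions only help if Splunk itself is bound to localhost.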
If you start indexing more than 500MB of logs per day, Splunk will nag you to get an Enterprise License. Splunk remains functional regardless, and if you are large enough to produce that much data, the other Enterprise features are likely useful. The Enterprise License gets you: Splunk server mating (send events between them), distributed search and clustering, and access control.
Be sure to check out Splunk's online demos.
This article originally appeared on Enterprise Networking Planet, a JupiterOnlineMedia site.