Enhancing your logging capabilities with Splunk

If you come from a Linux or Unix background, reading through logs is something you expect to do. You have probably developed quick and easy ways to filter large volumes of information on the fly, but you are still doing it by hand.

If you come from a Windows background, logging may mean checking what is in the Windows Event Viewer, or closing and reopening a text file in Notepad to see what a specific application has written.

Splunk is a web based tool that indexes all of those logs and lets you search them, returning exactly the results you are looking for.

This article will take you through setting up Splunk in your environment and how to quickly search for exactly the information you need.

Note: I will be using Syslog as the backend data source for Splunk, so I will assume that you have already installed a Syslog server and that you intend to install Splunk on that same host. If you would like to find out how to configure Syslog, please read my article here.

In this example, I have the following systems:

splunk.example.com (10.0.1.80)
rhel-client.example.com (10.0.1.81)

Prerequisite

Please create an account at http://www.splunk.com/; you will need it in order to download Splunk.

Installing Splunk

Jump over to the server you have configured as your Syslog server. I am using splunk.example.com.

Download the Splunk RPM for your architecture. As I am using x86_64, I am using splunk-4.3.4-136012-linux-2.6-x86_64.rpm. Splunk publishes a checksum next to each download; compare it against the file you downloaded before installing anything as root.

Install Splunk via yum, which will also resolve any dependencies the RPM needs:

[root@splunk ~]# yum install splunk-4.3.4-136012-linux-2.6-x86_64.rpm

....
----------------------------------------------------------------------
Splunk has been installed in:
/opt/splunk

To start Splunk, run the command:
/opt/splunk/bin/splunk start

To use the Splunk Web interface, point your browser at:
http://splunk.example.com:8000

Complete documentation is at http://docs.splunk.com/Documentation/Splunk
----------------------------------------------------------------------

Installed products updated.
Verifying  : splunk-4.3.4-136012.x86_64    1/1

Installed:
splunk.x86_64 0:4.3.4-136012

Complete!
[root@splunk ~]#
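As an added example (not from the article or from Splunk's own documentation), the script below wraps the install steps above with two checks a practitioner would want: it verifies the RPM's checksum before handing the package to yum as root, and it replaces the default admin password (admin/changeme in this Splunk release) after the first start, then points Splunk at the file the local syslog daemon writes. It assumes that the checksum published next to the download has been saved beside the RPM as <rpm>.md5 (any format containing the 32-character hex digest), that your syslog daemon writes to /var/log/messages, and that the new admin password is supplied in ADMIN_PASS; the yum and splunk commands are only run when the script is invoked with the argument "install".

```shell
#!/bin/sh
# Added example, not part of the original article. Assumptions (not from the
# page): <rpm>.md5 sits beside the RPM, syslog writes to /var/log/messages,
# ADMIN_PASS holds the new admin password. Usage on the Syslog host, as root:
#   ADMIN_PASS='a-strong-passphrase' sh splunk-setup.sh install

RPM="${RPM:-splunk-4.3.4-136012-linux-2.6-x86_64.rpm}"
SYSLOG_FILE="${SYSLOG_FILE:-/var/log/messages}"
SPLUNK="${SPLUNK:-/opt/splunk/bin/splunk}"

# Print the MD5 of a file; fall back to BSD md5 where md5sum is absent.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# Return 0 only when the RPM's MD5 equals the first 32-hex-digit token found
# in the .md5 file. A missing file or a mismatch returns 1, so the caller
# refuses to install a package it cannot vouch for.
verify_rpm_checksum() {
    rpm_path="$1"; md5_path="$2"
    [ -f "$rpm_path" ] && [ -f "$md5_path" ] || return 1
    expected=$(grep -oE '[0-9a-fA-F]{32}' "$md5_path" | head -n 1 | tr 'A-F' 'a-f')
    actual=$(file_md5 "$rpm_path")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Return 0 if something is listening on the Splunk Web port the installer named.
web_port_listening() {
    port="${1:-8000}"
    if command -v ss >/dev/null 2>&1; then
        ss -ltn | grep -q ":$port "
    else
        netstat -ltn | grep -q ":$port "
    fi
}

install_splunk() {
    if ! verify_rpm_checksum "$RPM" "$RPM.md5"; then
        echo "checksum check failed for $RPM, refusing to install" >&2
        return 1
    fi
    [ -n "${ADMIN_PASS:-}" ] || { echo "set ADMIN_PASS first" >&2; return 1; }

    yum -y install "./$RPM"
    # First start accepts the licence non-interactively; then start at boot.
    "$SPLUNK" start --accept-license
    "$SPLUNK" enable boot-start
    # Splunk 4.x ships with admin/changeme; replace it before exposing port 8000.
    "$SPLUNK" edit user admin -password "$ADMIN_PASS" -auth admin:changeme
    # Index the file the local syslog daemon already writes, as sourcetype syslog.
    "$SPLUNK" add monitor "$SYSLOG_FILE" -sourcetype syslog -auth "admin:$ADMIN_PASS"
    web_port_listening 8000
}

case "${1:-}" in
    install) install_splunk ;;
esac
```

The checksum function deliberately accepts either md5sum-style ("<hash>  <file>") or BSD-style ("MD5 (<file>) = <hash>") digest files, since the format of the published file is not something the article shows; if Splunk's page offers a stronger digest for your download, swap file_md5 for the matching sha tool and widen the regex accordingly.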
