安全运维 -- splunk 操作手册

0x00 背景

splunk 日常运维操作笔记。

0x01 场景

1.agent 安装

linux:

tar -zxvf splunkforwarder-8.0.3-a6754d8441bf-Linux-x86_64.tgz -C /opt

cp -r config /opt/splunkforwarder/etc/apps

vi /opt/splunkforwarder/etc/apps/prefix_app_inputs/local/inputs.conf

monitor:///home/var/log/\*log #修改监控路径

/opt/splunkforwarder/bin/splunk start --accept-license # 输入app账号密码

/opt/splunkforwarder/bin/splunk show deploy-poll # 检查配置文件是否配置好DS指向

/opt/splunkforwarder/bin/splunk enable boot-start # 开启自启动

2.splunk接入log(读取日志文件方式)

登录DS 后台

vim /opt/splunk/etc/development-apps/prefix_all_indexes/local/indexes.conf

新增索引 prefix_mailcasph

prefix_mailcasph homePath = volume:hotwarmdb/prefix_mailcasph/db coldPath = volume:colddb/prefix_mailcasph/colddb thawedPath = $SPLUNK_DB/prefix_mailcasph/thaweddb

inputs 负责数据采集,props负责数据解析

配置inputs文件夹

vim prefix_mailcasph_inputs/local/app.conf (这个一般参考default/app.conf 不做修改)

install

state = enabled

package

check_for_updates = false

ui

is_visible = false

is_manageable = false

vim prefix_mailcasph_inputs/local/inputs.conf

monitor://D:\\Exchange Server\\Logging\\HttpProxy\\Eas\\HttpProxy\*.log

index = prefix_mailcasph

sourcetype = ms:exchange:http_proxy

crcSalt = <SOURCE>

disabled = false

metadata 文件夹

local.meta:\[\]

access = read : \* , write : admin

export = system

配置props文件夹

vim prefix_mailcasph_inputs/local/app.conf

install

state = enabled

package

check_for_updates = false

ui

is_visible = false

is_manageable = false

props.conf (来自splunk论坛某篇文章)

ms:exchange:http_proxy

CHARSET=UTF-8

INDEXED_EXTRACTIONS=csv

FIELD_DELIMITER=,

KV_MODE=none

SHOULD_LINEMERGE=false

disabled=false

TIMESTAMP_FIELDS=DateTime

TRANSFORMS-killheader1 = kh1

SHOULD_LINEMERGE=true

LINE_BREAKER=(\\r\\n+)\d{4}\-\d{2}\-\d{2}T

TIME_PREFIX = ^

TIME_FORMAT = %Y-%m-%dT%H:%M:%SZ

MAX_TIMESTAMP_LOOKAHEAD = 25

NO_BINARY_CHECK=true

REPORT-extractfields = extractfields

transforms.conf (来自splunk论坛某篇文章)

kh1

REGEX = ^DateTime

DEST_KEY = queue

FORMAT = nullQueue

extractfields

DELIMS=","

FIELDS=DateTime,RequestId,MajorVersion,MinorVersion,BuildVersion,RevisionVersion,ClientRequestId,Protocol,UrlHo

st,UrlStem,ProtocolAction,AuthenticationType,IsAuthenticated,AuthenticatedUser,Organization,AnchorMailbox,UserA

gent,ClientIpAddress,ServerHostName,HttpStatus,BackEndStatus,ErrorCode,Method,ProxyAction,TargetServer,TargetSe

rverVersion,RoutingType,RoutingHint,BackEndCookie,ServerLocatorHost,ServerLocatorLatency,RequestBytes,ResponseB

ytes,TargetOutstandingRequests,AuthModulePerfContext,HttpPipelineLatency,CalculateTargetBackEndLatency,GlsLaten

cyBreakup,TotalGlsLatency,AccountForestLatencyBreakup,TotalAccountForestLatency,ResourceForestLatencyBreakup,To

talResourceForestLatency,ADLatency,SharedCacheLatencyBreakup,TotalSharedCacheLatency,ActivityContextLifeTime,Mo

duleToHandlerSwitchingLatency,ClientReqStreamLatency,BackendReqInitLatency,BackendReqStreamLatency,BackendProce

ssingLatency,BackendRespInitLatency,BackendRespStreamLatency,ClientRespStreamLatency,KerberosAuthHeaderLatency,

HandlerCompletionLatency,RequestHandlerLatency,HandlerToModuleSwitchingLatency,ProxyTime,CoreLatency,RoutingLat

ency,HttpProxyOverhead,TotalRequestTime,RouteRefresherLatency,UrlQuery,BackEndGenericInfo,GenericInfo,GenericEr

rors,EdgeTraceId,DatabaseGuid,UserADObjectGuid,PartitionEndpointLookupLatency,RoutingStatus

metadata 文件夹

local.meta:\[\]

access = read : \* , write : admin

export = system

DS 下发配置到CM

CM下发配置到indexer

相关推荐
txg666几秒前
网络安全领域简报(2026年7月3日—10日)
安全·web安全·网络安全
数据库小学妹15 分钟前
MySQL安全加固全流程:网络隔离、TDE加密、数据脱敏、等保合规7步实战
mysql·安全·数据脱敏·审计日志·安全加固·等保合规
hey you~24 分钟前
400电话选型技术测评:一个开发视角的线路质量评估方案
运维·网络·数据库·400电话·企业通信
筱羽_筱羽33 分钟前
跟着“Ubuntu18.04/20.04编译Linux5.10.76+Xenomai-3.2.1+IgH”教程遇到的问题
linux·运维·ubuntu
风途科技~2 小时前
河道流量监测不用下水!雷达水流测速仪非接触测流更安全
人工智能·安全
味悲2 小时前
XSS、CSRF、SSRF学习笔记
安全·xss·csrf
万点科技码农2 小时前
紧跟7月9日行业变革,西安万点网络科技一体化服务助力企业数字化安全转型
安全
无忧.芙桃2 小时前
线程同步与线程互斥(上)
linux·运维·操作系统·运维开发
Chengbei112 小时前
SoloXSS:一款现代化的自托管 XSS平台
人工智能·安全·web安全·网络安全·自动化·xss·安全架构
white_ant3 小时前
安全认证与 API 网关
安全