
Splunk Syslog Server Upgrade

Upgrading your Splunk Syslog server is very easy compared with some other upgrades I have done. This guide covers upgrading from an Ubuntu server running version 4.2 to 4.3. If you are doing a different upgrade, I recommend going to Splunk's site and following their guide here.

Here are the commands to do so:

First download the upgrade version, 4.3.4:

wget -O splunk-4.3.4-136012-linux-2.6-amd64.deb 'http://www.splunk.com/page/download_track?file=4.3.4/splunk/linux/splunk-4.3.4-136012-linux-2.6-amd64.deb&ac=&wget=true&name=wget&typed=releases'

Second, stop the server (SPLUNK_HOME is /opt/splunk in this installation, the same path the start command below uses):

sudo /opt/splunk/bin/splunk stop

Third, install the package:

sudo dpkg -i splunk-4.3.4-136012-linux-2.6-amd64.deb

Finally, start the server again:

sudo /opt/splunk/bin/splunk start

Enjoy, and if you have any questions, leave a comment or send me a message via the contact page.

Updating Splunk (version 4.2.4)

Updating your Splunk server takes no more than 15 minutes. Here is the process:

Back up the server as always, and if you did the installation as described in my previous post, this setup will work perfectly:

wget -O splunk-4.2.4-110225-Linux-x86_64.tgz 'http://www.splunk.com/index.php/download_track?file=4.2.4/splunk/linux/splunk-4.2.4-110225-Linux-x86_64.tgz&ac=&wget=true&name=wget&typed=releases'

/opt/splunk/bin/splunk stop

cd /home/user

mv splunk-4.2.4-110225-Linux-x86_64.tgz /opt/

cd /opt

tar xzpf splunk-4.2.4-110225-Linux-x86_64.tgz

/opt/splunk/bin/splunk start

After that, just agree to the terms and test out the new functions and features of 4.2.4. Enjoy!
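Both upgrade posts above download the package over plain http and install it straight away. As an added example (my code, not the author's and not Splunk's), here is a small shell helper that checks the download's SHA-256 against a digest the operator obtained from a trusted source before the server is stopped, and only then installs a .deb with dpkg or a .tgz with tar into /opt. The digest value, the DRY_RUN switch and the function names are assumptions of this example, not anything from the posts; the /opt/splunk path and the stop/install/start order are the ones the posts use.

```shell
#!/bin/sh
# Added example (not from the original posts): verify a downloaded Splunk
# package before stopping the server and installing it, then restart.
# Assumptions: Splunk lives in /opt/splunk (as in the posts), the expected
# SHA-256 is supplied by the operator from a trusted source (the value is
# NOT on the page), and sha256sum/dpkg/tar are available.
# Set DRY_RUN=1 to print the privileged steps instead of running them.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# Returns 0 if the file's SHA-256 matches the expected digest, 1 otherwise.
verify_sha256() {
    file="$1"
    expected="$2"
    [ -f "$file" ] || { echo "missing package: $file" >&2; return 1; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Runs a privileged command, or with DRY_RUN=1 just prints it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "+ $*"
    else
        sudo "$@"
    fi
}

# Installs the package with the method matching its extension:
#   .deb         -> dpkg -i                 (the 4.3.4 upgrade post)
#   .tgz/.tar.gz -> tar into /opt           (the 4.2.4 tarball post)
install_package() {
    pkg="$1"
    case "$pkg" in
        *.deb) run dpkg -i "$pkg" ;;
        *.tgz|*.tar.gz) run tar xzpf "$pkg" -C "$(dirname "$SPLUNK_HOME")" ;;
        *) echo "unsupported package type: $pkg" >&2; return 1 ;;
    esac
}

# Full upgrade: verify first, so a bad download never takes down a
# working server; stop, install, start only after the digest matches.
upgrade_splunk() {
    pkg="$1"
    expected="$2"
    verify_sha256 "$pkg" "$expected" || return 1
    run "$SPLUNK_HOME/bin/splunk" stop || return 1
    install_package "$pkg" || return 1
    run "$SPLUNK_HOME/bin/splunk" start
}

# Usage: sh upgrade.sh <package> <expected-sha256>
if [ "$#" -eq 2 ]; then
    upgrade_splunk "$1" "$2"
fi
```

Run it with DRY_RUN=1 first to see the exact commands it would issue; a checksum mismatch prints both digests and exits before the running server is touched.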

Splunk Syslog Server

The idea of a syslog server is simple: many devices send it the logs of their activity, and the administrator can then access one server to view recent information, warnings, or crashes. This is key to keeping a network functioning and keeping accurate records. When you start seeing a random outage, you can access one machine that has all the logs and have them tell you where the problem started and how it spread, all in simple charts and event logs.

There are plenty of syslog servers to choose from, but I am using Splunk Syslog Server as it seems to be:
1) Flexible for many kinds of devices
2) Extensible with add-on plugins that make it more functional
3) An active project (meaning it still gets updates and will not break in a few days with nobody maintaining it)
4) Linux based (which all my servers currently run, so little to no platform change)

Installation on Ubuntu-64 bit:

Step 1 – Download:

sudo wget 'http://www.splunk.com/index.php/download_track?file=4.1.7/linux/splunk-4.1.7-95063-linux-2.6-amd64.deb&ac=&wget=true&name=wget&typed=releases'

Step 2 – Rename to a working format:

sudo mv download_track\?file\=4.1.7%2Flinux%2Fsplunk-4.1.7-95063-linux-2.6-amd64.deb\&ac\=\&wget\=true\&name\=wget\&typed\=releases splunk-4.1.7-95063-linux-2.6-amd64.deb

Step 3 – Install:

sudo dpkg -i splunk-4.1.7-95063-linux-2.6-amd64.deb

Step 4 – Start the service:

sudo /opt/splunk/bin/splunk start

Configuring the Server:

Step 1 – Getting a device to send syslog to the server:

I have a Cisco device, so there are three commands to issue on the router itself to get it to send valid logs to the server:

Router(config)# logging on
Router(config)# logging [ip address]
Router(config)# logging trap [emergency | alert | critical | error | warning | notification | informational | debug]

The first command simply turns on logging (simple enough). The second defines where the logs will be sent; point this at the new Splunk Syslog Server. The third is optional and defines the lowest severity of syslog that will be sent. For example, if you set the informational level, only messages with severities from emergency down to informational will be sent (debug messages are not).
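The logging trap level above is a filter on the syslog severity number, and that number travels in the <PRI> field at the start of every message the router sends to UDP 514. As an added example, not from the original post, the following shell functions decode that field (facility = PRI / 8, severity = PRI % 8) and report whether a given line would have passed a particular trap level, which is a handy check when a device's messages are not showing up in Splunk. The sample lines are constructed for this example, not captured from a real device; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): decode the <PRI> field of a
# syslog message into facility and severity, which is what `logging trap`
# filters on. Sample lines below are constructed, not captured from a router.

# Severity names by numeric code (RFC 3164 / Cisco order, 0 = most severe),
# using the names the post lists for `logging trap`.
severity_name() {
    case "$1" in
        0) echo emergency ;;
        1) echo alert ;;
        2) echo critical ;;
        3) echo error ;;
        4) echo warning ;;
        5) echo notification ;;
        6) echo informational ;;
        7) echo debug ;;
        *) echo unknown; return 1 ;;
    esac
}

# Extracts the numeric PRI from a "<PRI>..." line; fails on malformed input
# (no header, or a value above the RFC maximum of 191).
pri_of() {
    line="$1"
    case "$line" in
        "<"[0-9]">"*|"<"[0-9][0-9]">"*|"<"[0-9][0-9][0-9]">"*) ;;
        *) echo "no PRI header" >&2; return 1 ;;
    esac
    pri="${line#<}"
    pri="${pri%%>*}"
    [ "$pri" -le 191 ] || { echo "PRI out of range: $pri" >&2; return 1; }
    echo "$pri"
}

facility_of() { pri=$(pri_of "$1") || return 1; echo $((pri / 8)); }
severity_of() { pri=$(pri_of "$1") || return 1; echo $((pri % 8)); }

# Returns 0 if a line would pass a `logging trap <level>` filter, i.e. its
# severity is at least as severe as (numerically <=) the configured level.
passes_trap() {
    line="$1"
    trap_level="$2"
    sev=$(severity_of "$line") || return 1
    [ "$sev" -le "$trap_level" ]
}

# Constructed sample lines. 189 = 23*8 + 5: facility 23 (local7, the Cisco
# default) and severity 5 (notification), as a %SYS-5-CONFIG_I message
# would arrive. 191 = 23*8 + 7: local7 at debug severity.
SAMPLE_CONFIG='<189>42: *Mar  1 00:10:07.123: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.10)'
SAMPLE_DEBUG='<191>43: *Mar  1 00:10:09.456: constructed debug-level message'

# Demo: print the decoded header of each sample line.
for line in "$SAMPLE_CONFIG" "$SAMPLE_DEBUG"; do
    sev=$(severity_of "$line")
    echo "facility=$(facility_of "$line") severity=$sev ($(severity_name "$sev"))"
done
```

With `logging trap informational` (level 6) the first sample passes and the second does not, which is exactly the behaviour described above; feed real lines from Splunk's raw event view to the same functions to confirm what a device is actually sending.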

Step 2 – Configure the Splunk Server to receive logs:

First, open a web browser on your network and go to your server's IP on port 8000 (for example, http://<server-ip>:8000).

[Screenshot: Splunk Manager]

Once you get to this screen, click on "Data Inputs".

[Screenshot: Splunk Data Inputs]

From this screen, click on the Add New button to the right of UDP.

[Screenshot: Splunk UDP Ports]

From here, type 514 in the UDP Port field, set the drop-down under Set Sourcetype to "From list", and finally under "Select source type from list" choose syslog. Now you have a port open and the server can identify the type of data.

At this point we have data going into the server, but it is not being displayed in any fashion, so let's fix that. Back on the manager screen, click on Searches and Reports, then select the New button. In this screen you define the search parameters: the name is just a title for your purposes; the search field is where it gets fun. Some strings to put in would be host="192.168.x.x" (the address of the device) or source="udp:514" (to see all traffic coming in on port 514). These are very simple searches, but effective. Then type in a description and hit Save.

After this, head over to the search app; on the top menu there is a Searches & Reports tab. Drop that down and you will find your new search. Click it and the search will run and display the logs of the desired device. With a little extra tweaking you can create your own dashboard of information via the Views tab and get something like this:

[Screenshot: Splunk Data Output]

Step 3 – Start on boot-up

This is key to keeping your syslog server working before and after a power outage or a simple shutdown.

sudo /opt/splunk/bin/splunk enable boot-start

Once you type in this final command you should be ready for a production syslog server.

This concludes the post on Splunk Syslog Server and the completion of this project. Thank you for your time.

Helpful Sites: