More than 5 years have passed since last update.

EC2にSplunkをサクっと立ててみる

Last updated at 2018-09-12Posted at 2018-09-12

　内容

Splunkをちょっと試す必要があったので初期設定メモを残しておく。
あくまでメモ
サクッと試すだけならマーケットプレイスから立てれば良い

手順

変数

INSTALL_FILE="splunk-7.1.2-a0c72a66db66-Linux-x86_64.tgz"
WGET_URL="https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.1.2&product=splunk&filename=splunk-7.1.2-a0c72a66db66-Linux-x86_64.tgz&wget=true"
PASSWD="HogeHoge1234!"
DOMAIN_NAME="<ドメイン名>"
MAIL="<メールアドレス>"

実行

# 環境変数にSplunkのHOMEを設定
export SPLUNK_HOME="/opt/splunk"

sudo yum update -y

# ユーザー・グループ作成
sudo groupadd -g 501 splunk
sudo adduser -u 501 -g 501 splunk

# 　Splunkの取得
wget -nv -O ${INSTALL_FILE} ${WGET_URL}
sudo tar zxf /home/ec2-user/$INSTALL_FILE -C /opt/
sudo chown -R splunk:splunk /opt/splunk

# 設定
sudo -u splunk /opt/splunk/bin/splunk start --accept-license --answer-yes --seed-passwd ${PASSWD}
sudo -u splunk /opt/splunk/bin/splunk set default-hostname $(hostname) -auth admin:${PASSWD}
sudo -u splunk /opt/splunk/bin/splunk set servername $(hostname) -auth admin:${PASSWD}
sudo /opt/splunk/bin/splunk enable boot-start -user splunk

# 再起動
sudo -u splunk /opt/splunk/bin/splunk restart

# 証明書取得(letsencrypt)
git clone https://github.com/certbot/certbot.git
cd certbot
sudo ./certbot-auto certonly –domain ${DOMAIN} –email ${MAIL} –no-bootstrap –debug

# 　証明書の設定
sudo -u splunk mkdir -p $SPLUNK_HOME/etc/auth/webcerts
sudo cp /etc/letsencrypt/live/${DOMAIN}/cert.pem $SPLUNK_HOME/etc/auth/webcerts/
sudo cp /etc/letsencrypt/live/${DOMAIN}/privkey.pem $SPLUNK_HOME/etc/auth/webcerts/
sudo chown -R splunk:splunk /opt/splunk/etc/auth/webcerts/

# web用証明書の設定
echo "[settings]" | sudo tee -a $SPLUNK_HOME/etc/system/local/web.conf
echo "enableSplunkWebSSL = 1" | sudo tee -a $SPLUNK_HOME/etc/system/local/web.conf
echo "serverCert = $SPLUNK_HOME/etc/auth/webcerts/cert.pem" | sudo tee -a $SPLUNK_HOME/etc/system/local/web.conf
echo "privKeyPath = $SPLUNK_HOME/etc/auth/webcerts/privkey.pem" | sudo tee -a $SPLUNK_HOME/etc/system/local/web.conf
sudo chown -R splunk:splunk $SPLUNK_HOME/etc/system/local/web.conf

# HTTP経由でログを送信するための証明書設定
sudo -u splunk mkdir $SPLUNK_HOME/etc/auth/kinesiscert
sudo cat ./cert.pem \
    ./privkey.pem \
    ./chain.pem | sudo tee $SPLUNK_HOME/etc/auth/kinesiscert/server.pem
sudo chown -R splunk:splunk /opt/splunk/etc/auth/kinesiscert/server.pem
sudo -u splunk mkdir $SPLUNK_HOME/etc/apps/splunk_httpinput/local
sudo -u splunk sh -c "cat << _FIN_ >> $SPLUNK_HOME/etc/apps/splunk_httpinput/local/inputs.conf
[http]
disabled = 0
serverCert = $SPLUNK_HOME/etc/auth/kinesiscert/server.pem
_FIN_"

# 再起動
sudo -u splunk /opt/splunk/bin/splunk restart

KHFとの連携用にSplunkを立てたときのメモ。
あくまで自分メモ

You get articles that match your needs
You can efficiently read back useful information
You can use dark theme

What you can do with signing up