
Quickly standing up Splunk on EC2

Posted at 2018-09-12

Overview

I needed to try Splunk briefly, so I am leaving a note of the initial setup here.
These are only notes.
If you just want a quick trial, launching it from the Marketplace is enough.

Procedure

Variables

```bash
INSTALL_FILE="splunk-7.1.2-a0c72a66db66-Linux-x86_64.tgz"
WGET_URL="https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.1.2&product=splunk&filename=splunk-7.1.2-a0c72a66db66-Linux-x86_64.tgz&wget=true"
PASSWD="HogeHoge1234!"
DOMAIN_NAME="<domain name>"
MAIL="<email address>"
```
Run

```bash
# Set Splunk's home directory in an environment variable
export SPLUNK_HOME="/opt/splunk"

sudo yum update -y

# Create the user and group
sudo groupadd -g 501 splunk
sudo adduser -u 501 -g 501 splunk

# Fetch Splunk (the URL contains "&", so it must be quoted)
wget -nv -O "${INSTALL_FILE}" "${WGET_URL}"
sudo tar zxf /home/ec2-user/${INSTALL_FILE} -C /opt/
sudo chown -R splunk:splunk /opt/splunk

# Configure
sudo -u splunk /opt/splunk/bin/splunk start --accept-license --answer-yes --seed-passwd ${PASSWD}
sudo -u splunk /opt/splunk/bin/splunk set default-hostname $(hostname) -auth admin:${PASSWD}
sudo -u splunk /opt/splunk/bin/splunk set servername $(hostname) -auth admin:${PASSWD}
sudo /opt/splunk/bin/splunk enable boot-start -user splunk

# Restart
sudo -u splunk /opt/splunk/bin/splunk restart

# Obtain a certificate (Let's Encrypt)
git clone https://github.com/certbot/certbot.git
cd certbot
sudo ./certbot-auto certonly --domain ${DOMAIN_NAME} --email ${MAIL} --no-bootstrap --debug

# Install the certificate
sudo -u splunk mkdir -p $SPLUNK_HOME/etc/auth/webcerts
sudo cp /etc/letsencrypt/live/${DOMAIN_NAME}/cert.pem $SPLUNK_HOME/etc/auth/webcerts/
sudo cp /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem $SPLUNK_HOME/etc/auth/webcerts/
sudo chown -R splunk:splunk /opt/splunk/etc/auth/webcerts/

# Certificate settings for Splunk Web
echo "[settings]" | sudo tee -a $SPLUNK_HOME/etc/system/local/web.conf
echo "enableSplunkWebSSL = 1" | sudo tee -a $SPLUNK_HOME/etc/system/local/web.conf
echo "serverCert = $SPLUNK_HOME/etc/auth/webcerts/cert.pem" | sudo tee -a $SPLUNK_HOME/etc/system/local/web.conf
echo "privKeyPath = $SPLUNK_HOME/etc/auth/webcerts/privkey.pem" | sudo tee -a $SPLUNK_HOME/etc/system/local/web.conf
sudo chown splunk:splunk $SPLUNK_HOME/etc/system/local/web.conf

# Certificate for receiving logs over HTTP (HTTP Event Collector):
# one combined PEM in the order certificate, private key, chain.
# The source files live under /etc/letsencrypt, not in the current directory,
# and the private key is not echoed to the terminal.
sudo -u splunk mkdir $SPLUNK_HOME/etc/auth/kinesiscert
sudo cat /etc/letsencrypt/live/${DOMAIN_NAME}/cert.pem \
    /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem \
    /etc/letsencrypt/live/${DOMAIN_NAME}/chain.pem | sudo tee $SPLUNK_HOME/etc/auth/kinesiscert/server.pem > /dev/null
sudo chown splunk:splunk /opt/splunk/etc/auth/kinesiscert/server.pem
sudo -u splunk mkdir $SPLUNK_HOME/etc/apps/splunk_httpinput/local
sudo -u splunk sh -c "cat << _FIN_ >> $SPLUNK_HOME/etc/apps/splunk_httpinput/local/inputs.conf
[http]
disabled = 0
serverCert = $SPLUNK_HOME/etc/auth/kinesiscert/server.pem
_FIN_"

# Restart
sudo -u splunk /opt/splunk/bin/splunk restart
```
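Two things in the script above are easy to get wrong on a second run or a renewed certificate: appending to web.conf and inputs.conf with `tee -a` piles up duplicate settings every time the script is re-run, and the combined PEM for the HTTP input only works if the blocks are in the order the post's `cat` uses (server certificate, then private key, then chain). The helper functions below are an added example written for this page, not part of the original post or of Splunk; the function names, the `.conf` merge logic and the placeholder PEM files in `demo` are all my own constructions, and the expected block order is taken from the post's `cat` command.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): idempotent .conf edits and a
# sanity check for the combined HEC certificate bundle.
# Assumptions: bash, coreutils, grep, sed and awk; file paths are passed in.
set -u

# Add "key = value" under [stanza] in a Splunk .conf file, creating the file
# or the stanza if needed, but never adding a key that is already set in
# that stanza (so re-running setup does not duplicate settings).
# Keys are used inside a regex, so they must not contain regex metacharacters
# (true for the keys used on this page).
splunk_conf_set() {
    local file="$1" stanza="$2" key="$3" value="$4"
    [ -f "$file" ] || : > "$file"
    if ! grep -qxF "[$stanza]" "$file"; then
        printf '[%s]\n' "$stanza" >> "$file"
    fi
    # Already present inside this stanza? Then nothing to do.
    if awk -v s="[$stanza]" -v k="$key" '
        $0 == s { in_s = 1; next }
        /^\[/   { in_s = 0 }
        in_s && $0 ~ ("^" k "[ \t]*=") { found = 1 }
        END { exit found ? 0 : 1 }' "$file"; then
        return 0
    fi
    # Insert directly after the stanza header so the key lands in the right
    # stanza. Writing back through cat keeps the file's inode and ownership.
    awk -v s="[$stanza]" -v line="$key = $value" '
        { print }
        $0 == s { print line }' "$file" > "$file.tmp" \
        && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# Print the PEM block labels of a file, in order, one per line.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Check that a combined bundle for serverCert has the order used by the post:
# certificate, then private key (PKCS#8, RSA or EC), then the chain.
hec_bundle_ok() {
    local labels
    labels=$(pem_labels "$1" | tr '\n' ' ')
    case "$labels" in
        "CERTIFICATE PRIVATE KEY CERTIFICATE "*)     return 0 ;;
        "CERTIFICATE RSA PRIVATE KEY CERTIFICATE "*) return 0 ;;
        "CERTIFICATE EC PRIVATE KEY CERTIFICATE "*)  return 0 ;;
    esac
    return 1
}

# Self-contained demonstration on constructed placeholder files; the PEM
# bodies are arbitrary base64 and not real key material. Returns 0 on success.
demo() {
    local d
    d=$(mktemp -d)
    printf -- '-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n' > "$d/cert.pem"
    printf -- '-----BEGIN PRIVATE KEY-----\nREVG\n-----END PRIVATE KEY-----\n' > "$d/privkey.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nR0hJ\n-----END CERTIFICATE-----\n' > "$d/chain.pem"
    cat "$d/cert.pem" "$d/privkey.pem" "$d/chain.pem" > "$d/server.pem"  # the post's order
    cat "$d/privkey.pem" "$d/cert.pem" "$d/chain.pem" > "$d/wrong.pem"   # key first: rejected

    splunk_conf_set "$d/web.conf" settings enableSplunkWebSSL 1
    splunk_conf_set "$d/web.conf" settings serverCert /opt/splunk/etc/auth/webcerts/cert.pem
    splunk_conf_set "$d/web.conf" settings enableSplunkWebSSL 1   # "second run": no duplicate

    hec_bundle_ok "$d/server.pem" || return 1
    if hec_bundle_ok "$d/wrong.pem"; then return 1; fi
    [ "$(grep -c '^enableSplunkWebSSL' "$d/web.conf")" -eq 1 ] || return 1
    rm -rf "$d"
    return 0
}
```

Run the `.conf` helpers before the `chown` steps, or as the splunk user, so file ownership is not disturbed; `demo` exercises both helpers on throwaway files and exits 0 when the bundle check and the duplicate-suppression behave as described. One further point for the main script: passing `-auth admin:${PASSWD}` on the command line makes the admin password visible to every local user through the process list for as long as the command runs, which matters on a shared host.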

Notes from when I stood up Splunk for integration with KHF.
Again, these are just my own notes.
