Network Input Lab

00:00

Hello and welcome back to the Splunk Enterprise Certified Administrator course on Sai Buri. In this video, we're gonna be doing a lab where we set up a

00:09

UDP or network input for Splunk and just test to see how we can get some logs coming in over that medium. So it's gonna consist of basically setting up this input through an apple send out through the deployment server. And then we will set up a cyst log server too

00:29

forward some data to that network port that were listening on and then just validate that we're getting that data by looking in slug,

00:36

so we'll get started by first creating our input, so we'll head over to the command line. But I clear this down here,

00:47

get over to our search head because this is where we make our deployment. APS has acknowledged deployment server as well, so we'll just see what's in here currently.

00:56

And we're gonna make a new directory and it's gonna have a subdirectory swimming that slash p

01:03

and we're going to make this indexer sis, log in foot

01:08

to a fault

01:11

that well made

01:15

our input stock competition February soon.

01:19

So we're gonna do UDP

01:23

on. We're gonna dio generally 5 14 is this long But I think that this server already has RCIs log running so Splunk won't be able to use that port. So we'll just do 95 14

01:37

and will set save all these false. I don't We don't really need that. But I'm gonna put anyways send it to Windows because we're gonna send some windows data off of my host machine right here.

01:51

We'll set source equal Teoh Beauty P 95 14 and source type people The window of a dog.

02:01

Uh, well put colon

02:06

cisl or something like that.

02:08

So that should be everything that we need

02:14

for that. Well, actually, we could do

02:17

connection Host would be the one other thing. So this will be

02:23

basically how it uses, um, whether uses i p address or host name where? I mean, DNS, I guess in this case is the actual attribute value You would give it to determine where the status coming from. Uh,

02:38

I think because I have a DNS record, I don't know for certain that it will be able to convert my i p address, so I'm just going to be

02:50

and Now we'll make a server class to push this to our indexer.

02:59

New

03:00

the index slaw

03:05

inputs

03:07

save

03:08

add the at first cause we're gonna set it up so it restarts Splunk so that the setting actually takes effect.

03:20

And that

03:23

And now we will add our client.

03:28

So just okay, I d x star check preview check marks. All good save.

03:36

So now that app should get sent out and spoon should start restarting.

03:39

And basically, what will be looking for on this indexer is to make sure that Splunk listening. So I have a command that I've

03:52

so also obviously, I've already done this, but you need to add

03:57

fire reports that your box is actually listening on. Then this Net stat command will show you which ports were listening on and you can see Splunk D is listening on 95 14. So if we send data, we should be able to see it.

04:13

Something that's kind of nice to Dio as well is if you run

04:18

uh,

04:20

that's CCP dump. You might have to install that if you haven't already on and you can specify port 5 15 and this is just some information to increase the verbosity and actually see the contents of the load coming through. But this will watch. I'm going to switch to report that we're using nine.

04:40

14.

04:43

So now I'm listening on this box. So if anything comes in, I'll see the log pop up here. So basically, why I like to do this is because it eliminates one of the areas where you could have a problem. So basically, if I Ford a log to this box and it doesn't show up in Splunk

05:01

But it shows up here, I know that it's not a networking problem. It's more than likely a Splunk listening problem.

05:09

But because we already have this here, it's most likely this should work. But we'll see. So we're gonna go back to my actual box and right here on this device, I just happen to have solar winds installed so I can use this. This is CIS load client, so I can use this to monitor certain data forwarded to Splunk.

05:29

Right now, I have the application log in the system long being monitored because our UFO sorry, monitoring the security log.

05:35

So we just have to add a destination here. So

05:40

I'm gonna cancel out of that 1st 2nd get my i p address

05:46

and then I'll rerun that,

05:49

and we'll set that to the proper i p address and the port and we're listening on u dp. So we want to keep it is UDP

06:00

and will create. Um, we could sit here and wait for an actual log to occur, but I'm just going to generate a text message,

06:09

um, or a test

06:11

message so that we have

06:14

data for sure. I'll do a couple

06:19

and you could see that there popping up here warning error

06:25

so you could see that our box is receiving these logs, Which makes sense. So now it's just a matter of checking Splunk to see

06:32

if

06:33

the data is working from an input perspective.

06:41

And you can see

06:44

this is coming from the i P address, and we set that connection host information to i. P. And here are the logs. We can see that it's from application, which is what we sent the test log from. So that makes sense has so you can tell that our network input is working.

07:00

Um, if that didn't work again, like I said already this these are a couple steps to just check if your network

07:11

input was set up properly. You see Splunk lis actively listening on that port If you use nets step.

07:17

If you don't have that set installed, you can install it pretty easily. If you're on Santos with yum install,

07:26

I believe Net tools Net hyphen tools, I think is the package that this comes in so pretty easy for you. Get that TCP dump is another command line tool that might not be there by default. But you can very easily download that as well. And so

07:40

uh, yeah, those are the two areas where this might get messed up. Either Splunk won't be listening or there will be a networking problem and the data isn't getting through,

07:49

but

07:50

yes, So those are two places you want to focus on your troubleshooting If your input doesn't work now, just for your awareness as well. If you're setting up assist log sis, log input in your Splunk deployment.

08:05

Don't do it this way. I only did this this way for the demonstration off, setting up a network input.

08:11

But in real in the real world, you what you would want to do is probably send your sis log to sis log servers, ideally at least two and have them load balanced just to give you some high availability. Some Well, a little more data. Resiliency. And then on those specs,

08:31

sis log servers. You could put on a Splunk U F or a split heavy foreigner and basically have the systolic servers right. These events to disk and then have Splunk read them from disk.

08:43

This is a lot better because you can load balance that files are written to disk versus just being sent over the wire and then possibly lost. And also, when you use a system like server to write to disk, you can use some rejects based rules toe break the data out into individual directories,

09:01

and then that makes setting up your file monitor inputs much easier and also much

09:07

more granular so that you don't have to do a bunch of complicated ri routes and stuff to get your data.

09:13

You know, metadata on your data assigned properly, So that's just something to keep in mind. But that is it for this lab. This is a pretty simple one. You could make any number of changes to this if you want into. So for example, you could have specified this,

09:33

like

09:35

in this format.

09:37

Um,

09:39

I'd be address slash post name 95 14 to specify only a single host. You can also write it like this, and that would work.

09:50

But I think this is the most straightforward. So that's how I write it. Obviously, there's a lot more attributes you could configure, but this is at least at a high level how you set it up.

10:00

If you want to get more into the weeds on this, you can check the documentation for

10:05

inputs

10:07

on. Just go through the section on monitors, which

10:13

should be

10:16

TCP or UDP, so you can see whatever list of attributes and