Network-monitor-in-10-minutes-with-splunk

From Datateknik
Latest revision as of 11:28, 18 May 2017

PLEASE: Log in with the usual skill-booking password and fix errors / add what is missing. /Robert


Create directories

su -
mkdir /var/log/ping-targets
cd /var/log/ping-targets

Create the script

  • nano monitor.sh
#!/bin/bash

echo "Killing Existing Pings"
# note: this stops every ping process on the host, not only the ones started by this script
pkill ping
 
echo "Pinging"
# external hosts for testing, run in background
# CHANGE THE IP NUMBERS BELOW, OTHERWISE YOU WILL KILL MY SERVER !!!!
# each run truncates the log file (>) and starts a fresh ping
ping -i 60 193.10.236.123 > /var/log/ping-targets/srv1-logs.txt &
ping -i 60 8.8.8.8 > /var/log/ping-targets/googledns-logs.txt &
# At most one ping per minute, otherwise Google dies.
echo "Process List of PING process IDs (PIDs)"
pgrep -l ping
 
ls -l
chmod +x monitor.sh
ls -l

crontab

edit /etc/crontab and add

# monitor with ping
# run every 30 minutes, every hour, every day (the user field is required in /etc/crontab)
*/30 * * * *  root  /var/log/ping-targets/monitor.sh >> /var/log/ping-targets/monitor.log 2>&1

SPLUNK

  • install splunk (do NOT install splunk if you have already installed it)
wget -O splunk-6.5.3-36937ad027d4-linux-2.6-x86_64.rpm 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=6.5.3&product=splunk&filename=splunk-6.5.3-36937ad027d4-linux-2.6-x86_64.rpm&wget=true'
echo "--------------------------"
yum localinstall splunk-6.5.3-36937ad027d4-linux-2.6-x86_64.rpm
rpm -ql splunk | grep splunk$
echo "--------------------------"
# firewall-cmd --add-rich-rule='rule family="ipv4" port port="8000" protocol="tcp" accept'
  • login

Import Data

 Import the directory /var/log/ping-.../

Search Data

The default search does not work, so change it to

 source="/var/log/ping-targets/*" 

You should now see a table of data from the ping command.

Now search for the srv1 ping results:

source="/var/log/ping-targets/srv1-logs.txt"  

You should now only see the server1 data.

plotting

Create a time graph by piping the results to the timechart function and plotting the time variable that you can see in the data table:

source="/var/log/ping-targets/srv1-logs.txt"  | timechart avg(time)

Select the /Visualization\ tab and change the graphic to a bar plot to your liking.

If you see gaps in the plot, change it to

source="/var/log/ping-targets/srv1-logs.txt"  | timechart cont=false avg(time)
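As an added example (not part of the wiki page or of monitor.sh), the script below does offline what the Splunk searches above do with avg(time), and additionally counts lost probes from gaps in icmp_seq, which an average alone hides. It assumes the iputils ping output format that monitor.sh writes and constructs its own sample log.

```shell
#!/bin/bash
# Added example, not from the wiki page: summarise a ping log that monitor.sh
# writes (iputils ping output format assumed) and flag packet loss.

# One summary line per log: replies, probes lost (gaps in icmp_seq), loss %,
# and min/avg/max round-trip time in ms (avg matches Splunk's avg(time)).
ping_summary() {
    awk '
        /icmp_seq=/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^icmp_seq=/) { split($i, a, "="); seq = a[2] + 0 }
                if ($i ~ /^time=/)     { split($i, b, "="); t   = b[2] + 0 }
            }
            n++; sum += t
            if (n == 1 || t < min) min = t
            if (n == 1 || t > max) max = t
            if (seq > maxseq) maxseq = seq
        }
        END {
            if (n == 0) {
                print "replies=0 lost=0 loss_pct=100.0 min=0.0 avg=0.0 max=0.0"
            } else {
                printf "replies=%d lost=%d loss_pct=%.1f min=%.1f avg=%.1f max=%.1f\n",
                       n, maxseq - n, 100 * (maxseq - n) / maxseq, min, sum / n, max
            }
        }' "$1"
}

# Exit 0 when the target looks healthy, 1 when loss (%) or average RTT (ms)
# exceeds the given thresholds; usable as a cron check or Splunk alert script.
ping_alert() {
    local summary loss avg
    summary=$(ping_summary "$1")
    loss=${summary##*loss_pct=}; loss=${loss%% *}
    avg=${summary##*avg=};       avg=${avg%% *}
    awk -v loss="$loss" -v avg="$avg" -v lmax="$2" -v rmax="$3" \
        'BEGIN { exit (loss > lmax || avg > rmax) ? 1 : 0 }'
}

# Constructed sample log in iputils format; icmp_seq 3 never got a reply.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=12.3 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=117 time=11.7 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=117 time=30.0 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=117 time=14.0 ms
EOF

ping_summary "$SAMPLE_LOG"    # replies=4 lost=1 loss_pct=20.0 min=11.7 avg=17.0 max=30.0
if ping_alert "$SAMPLE_LOG" 10 50; then echo "healthy"; else echo "DEGRADED: $SAMPLE_LOG"; fi
```

Point it at /var/log/ping-targets/*.txt in a loop to get the same per-target view as the Splunk "by source" search without a Splunk instance.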

Plotting it all together

source="/var/log/ping-targets/*.txt" | timechart cont=false  avg(time) by source

Change the plot type by clicking

  • /Visualization\
  • Bar plot (text)
  • line plot (square image)

Create / Modify DASHBOARD

Click "Save As ..." to create a new (or add to existing) dashboard
