Network-monitor-in-10-minutes-with-splunk

From Datateknik
Latest revision as of 11:28, 18 May 2017

  • PLEASE*

Log in with the usual skill-booking password and fix errors / add what is missing /Robert

Create directories

su -
mkdir /var/log/ping-targets
cd /var/log/ping-targets

Create the script

  • nano monitor.sh
#!/bin/bash

echo Killing Existing Pings
# note: this kills every ping process on the host, not only the ones this script started
pkill ping
 
echo Pinging
# external hosts for testing, run in background
# CHANGE THE IP ADDRESS BELOW, OTHERWISE YOU WILL KILL MY SERVER !!!!
# (> truncates the log file on every run; lines Splunk has already read are kept in its index)
ping -i 60 193.10.236.123 > /var/log/ping-targets/srv1-logs.txt &
ping -i 60 8.8.8.8 > /var/log/ping-targets/googledns-logs.txt &
# At most one ping per minute, otherwise Google dies.
echo Process List of PING process ID     PIDs
pgrep -l ping
 
ls -l
chmod +x monitor.sh
ls -l

crontab

edit /etc/crontab and add

# monitor with ping
# run every 30 minutes, every hour, every day
# (/etc/crontab, unlike a user's own crontab, takes a user name as the sixth field;
#  without it the first word of the command is read as the user and the job never runs)
*/30 * * * * root  /var/log/ping-targets/monitor.sh >> /var/log/ping-targets/monitor.log 2>&1
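The script above restarts the probes with `pkill ping`, which stops every ping on the host, and it runs as root from cron. The variant below is an added example, not the wiki's monitor.sh: it records the PIDs of the pings it starts in a pidfile and stops only those, adds `-D` so each reply line carries its own Unix timestamp (whether Splunk picks that timestamp up automatically for this line format is an assumption to confirm with a test search), and appends to the logs instead of truncating them. The log directory, the pidfile name and the NAME=TARGET list are assumptions; the first address is the wiki's test server and must be replaced before running.

```shell
#!/bin/bash
# Added example, not the wiki's monitor.sh: stop only the pings this script
# started (tracked in a pidfile) instead of `pkill ping`, which kills every
# ping on the host. LOGDIR, PIDFILE and TARGETS are assumptions; the first
# target is the wiki's test server, replace it before running.
LOGDIR="${LOGDIR:-/var/log/ping-targets}"
PIDFILE="${PIDFILE:-$LOGDIR/monitor.pids}"
INTERVAL=60                                   # at most one probe per minute
TARGETS="srv1=193.10.236.123 googledns=8.8.8.8"

stop_monitors() {
    # Stop only PIDs recorded by a previous run that are still alive
    [ -f "$PIDFILE" ] || return 0
    while read -r pid; do
        if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
            kill "$pid"
        fi
    done < "$PIDFILE"
    rm -f "$PIDFILE"
}

start_monitors() {
    mkdir -p "$LOGDIR"
    : > "$PIDFILE"
    for pair in $TARGETS; do
        name=${pair%%=*}
        target=${pair#*=}
        # -D prefixes each reply with a Unix timestamp so the event time does
        # not depend on when the file was read; >> keeps earlier runs in the log
        ping -D -i "$INTERVAL" "$target" >> "$LOGDIR/$name-logs.txt" 2>&1 &
        echo $! >> "$PIDFILE"
    done
}

# Number of monitors currently recorded in the pidfile
count_monitors() {
    if [ -f "$PIDFILE" ]; then
        echo $(( $(wc -l < "$PIDFILE") ))
    else
        echo 0
    fi
}

# Run the restart cycle only when invoked with "run", so the functions can be
# sourced (or tested) without starting any pings
if [ "${1:-}" = "run" ]; then
    stop_monitors
    start_monitors
    echo "started $(count_monitors) ping monitors:"
    cat "$PIDFILE"
fi
```

Invoke it from the crontab line as `/var/log/ping-targets/monitor.sh run`. Because the script only ever signals PIDs it wrote itself, a ping started by another user or by a second copy of the monitor with its own pidfile is left alone.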

SPLUNK

  • install splunk (do NOT install splunk if you have already installed it)
wget -O splunk-6.5.3-36937ad027d4-linux-2.6-x86_64.rpm 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=6.5.3&product=splunk&filename=splunk-6.5.3-36937ad027d4-linux-2.6-x86_64.rpm&wget=true'
echo "--------------------------"
# compare the downloaded file's hash with the one published on Splunk's download page before installing it as root
yum localinstall splunk-6.5.3-36937ad027d4-linux-2.6-x86_64.rpm
rpm -ql splunk | grep splunk$
echo "--------------------------"
# opens the web UI port to every IPv4 address; restrict the rule to your own network,
# and note that without --permanent it is lost when firewalld reloads
# firewall-cmd --add-rich-rule='rule family="ipv4" port port="8000" protocol="tcp" accept'
  • start Splunk, log in to the web UI on port 8000 and change the default admin password right away (Splunk 6.5 ships with a well-known default)

Import Data

 Import the directory /var/log/ping-.../

Search Data

The default search does not show the ping data, so change it to

 source="/var/log/ping-targets/*" 

You should now see a table of data from the ping command

Now search for srv1 ping results

source="/var/log/ping-targets/srv1-logs.txt"  

You should now only see server1 data

Plotting

Create a time-graph by sending it to the timechart function (using a pipeline) and plot the time-variable that you can see in the data-table

source="/var/log/ping-targets/srv1-logs.txt"  | timechart avg(time)

Select the Visualization tab and change the graphic to a bar plot to your liking

If you see gaps in the plot (time buckets in which no ping reply was logged), change it to

source="/var/log/ping-targets/srv1-logs.txt"  | timechart cont=false avg(time)

Plotting it all together

source="/var/log/ping-targets/*.txt" | timechart cont=false  avg(time) by source

Change the plot type by clicking

  • the Visualization tab
  • Bar plot (the text icon)
  • Line plot (the square image icon)
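To see what the searches in the Plotting sections actually compute, here is an added example, not part of the wiki page and not Splunk code: a plain awk reading of the same ping logs. Splunk extracts the key=value pair `time=12.3` from every reply line as the field `time`, `avg(time)` averages it over the events in each time bucket, and `by source` splits that per log file. A probe that gets no reply produces no line at all, so its bucket has no `time` value; that is the gap the wiki mentions, and `cont=false` drops those empty buckets from the chart instead of filling them in. The log lines below are constructed in iputils ping format; the file names are the wiki's.

```shell
#!/bin/sh
# Added example, not part of the wiki page or of Splunk: a plain awk view of
# what `timechart avg(time) by source` computes over the ping logs. The sample
# log lines written by write_sample_logs are constructed (iputils ping format).
export LC_ALL=C            # fixed decimal separator for awk's printf

# Write two constructed ping logs into the directory given as $1
write_sample_logs() {
    mkdir -p "$1"
    cat > "$1/srv1-logs.txt" <<'EOF'
PING 193.10.236.123 (193.10.236.123) 56(84) bytes of data.
64 bytes from 193.10.236.123: icmp_seq=1 ttl=58 time=20.0 ms
64 bytes from 193.10.236.123: icmp_seq=2 ttl=58 time=21.0 ms
64 bytes from 193.10.236.123: icmp_seq=3 ttl=58 time=19.0 ms
EOF
    cat > "$1/googledns-logs.txt" <<'EOF'
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=12.3 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=117 time=11.7 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=117 time=14.0 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=117 time=12.0 ms
EOF
}

# avg(time) over one log: the value after "time=" on every reply line.
# The banner line and anything without a reply carry no time= and are
# skipped, just as Splunk skips events where the field is absent.
avg_rtt() {
    awk -F'time=' '/time=/ { split($2, a, " "); sum += a[1]; n++ }
                   END { if (n) printf "%.1f\n", sum / n }' "$1"
}

# icmp_seq numbers that never got a reply: a lost probe leaves no line, so
# its minute has no time value and shows up as a gap in the timechart.
missing_seqs() {
    awk 'match($0, /icmp_seq=[0-9]+/) {
             n = substr($0, RSTART + 9, RLENGTH - 9) + 0
             if (prev && n > prev + 1) for (i = prev + 1; i < n; i++) print i
             prev = n
         }' "$1"
}

# avg(time) by source: one line per *-logs.txt file in the directory
rtt_by_source() {
    for f in "$1"/*-logs.txt; do
        printf '%s %s\n' "$(basename "$f" -logs.txt)" "$(avg_rtt "$f")"
    done
}

if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    write_sample_logs "$d"
    rtt_by_source "$d"                                                     # googledns 12.5 / srv1 20.0
    echo "lost probes to 8.8.8.8: $(missing_seqs "$d/googledns-logs.txt")"  # 3
    rm -r "$d"
fi
```

Run it as `sh example.sh demo`. The missing sequence number is the part the Splunk chart does not show directly: a timechart of `avg(time)` tells you how slow the replies were, while `count` over the same search (or a count of missing icmp_seq values, as above) tells you how many probes were lost, which is usually the more interesting signal for an availability monitor.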

Create / Modify DASHBOARD

Click "Save As ..." to create a new (or add to existing) dashboard
