Network-monitor-in-10-minutes-with-splunk

From Datateknik
Revision as of 09:45, 18 May 2017 by NIT16 (Talk | contribs)

  • PLEASE*

Log in with the usual skill-booking password and fix errors / add what is missing /Robert


Create directories

su -
mkdir /var/log/ping-targets
cd /var/log/ping-targets

Create the script

  • nano monitor.sh
#!/bin/bash

echo Killing Existing Pings
# stop the pings started by the previous run (note: this kills every ping process on the host)
pkill ping

echo Pinging
# external hosts for testing, run in background; each run overwrites the previous log file
# CHANGE THE IP ADDRESSES BELOW, OTHERWISE YOU WILL KILL MY SERVER !!!!
ping 193.10.236.123 > /var/log/ping-targets/srv1-logs.txt &
ping 8.8.8.8 > /var/log/ping-targets/googledns-logs.txt &

echo Process list of running ping PIDs
pgrep -l ping

ls -l
chmod +x monitor.sh
ls -l

crontab

edit /etc/crontab and add (the system crontab needs a user field between the schedule and the command)

# monitor with ping
# run every 30 minutes, every hour, every day
*/30 * * * *   root   /var/log/ping-targets/monitor.sh >> /var/log/ping-targets/monitor.log 2>&1

SPLUNK

  • install splunk (do NOT install splunk if you have already installed it)
wget -O splunk-6.5.3-36937ad027d4-linux-2.6-x86_64.rpm 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=6.5.3&product=splunk&filename=splunk-6.5.3-36937ad027d4-linux-2.6-x86_64.rpm&wget=true'
echo "--------------------------"
yum localinstall splunk-6.5.3-36937ad027d4-linux-2.6-x86_64.rpm
rpm -ql splunk | grep splunk$
echo "--------------------------"
# open the web UI port in the firewall if needed (Splunk web listens on 8000/tcp; a rich rule takes a single protocol)
firewall-cmd --add-rich-rule='rule family="ipv4" port port="8000" protocol="tcp" accept'
  • login

Import Data

 Import the directory /var/log/ping-.../

Search Data

Default search does not work, so change to

 source="/var/log/ping-targets/*" 

You should now see a table of data from the ping command

Now search for srv1 ping results

source="/var/log/ping-targets/srv1-logs.txt"  

You should now only see server1 data

plotting

Create a time graph by piping the search into the timechart command and plotting the time field (the round-trip time in ms) that you can see in the data table

source="/var/log/ping-targets/srv1-logs.txt"  | timechart avg(time)

Select the /Visualization\ tab and change the graphic to a bar plot to your liking

If you see gaps in the plot, change it to

source="/var/log/ping-targets/srv1-logs.txt"  | timechart cont=false avg(time)

Plotting it all together

source="/var/log/ping-targets/*.txt" | timechart cont=false  avg(time) by source
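As an added example (not part of the original wiki page), the following script reproduces offline what the search above summarises: the average of the ping time field per source file, plus a count of lost replies. It parses the same output format that monitor.sh writes; the sample ping lines are constructed, not real measurements, and the temporary directory stands in for /var/log/ping-targets. Linux ping prints no line at all for a lost packet, which is why lost replies show up as gaps in the Splunk plot (hidden by cont=false) and why this script counts them from the icmp_seq numbers instead.

```shell
#!/bin/bash
# Added example, not from the original page: an offline check of what
# `timechart avg(time) by source` summarises, over ping output lines.

# Constructed sample data (not real measurements); one file per source,
# in a temp dir that stands in for /var/log/ping-targets.
SAMPLE_DIR="$(mktemp -d)"
cat > "$SAMPLE_DIR/srv1-logs.txt" <<'EOF'
PING 192.0.2.10 (192.0.2.10) 56(84) bytes of data.
64 bytes from 192.0.2.10: icmp_seq=1 ttl=57 time=10.0 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=57 time=12.0 ms
64 bytes from 192.0.2.10: icmp_seq=4 ttl=57 time=14.0 ms
EOF
cat > "$SAMPLE_DIR/googledns-logs.txt" <<'EOF'
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=20.0 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=117 time=20.0 ms
EOF

# avg_rtt FILE: mean of the "time=<ms> ms" field, two decimals,
# or "NaN" when the file holds no reply lines at all.
avg_rtt() {
    LC_ALL=C awk 'match($0, /time=[0-9.]+ ms/) {
                      n++; sum += substr($0, RSTART + 5, RLENGTH - 8)
                  }
                  END { if (n) printf "%.2f\n", sum / n; else print "NaN" }' "$1"
}

# lost_replies FILE: highest icmp_seq seen minus the number of reply
# lines, i.e. how many probes never produced an output line.
lost_replies() {
    LC_ALL=C awk 'match($0, /icmp_seq=[0-9]+/) {
                      n++; seq = substr($0, RSTART + 9, RLENGTH - 9) + 0
                      if (seq > max) max = seq
                  }
                  END { print max - n }' "$1"
}

# Per-source summary, the same grouping as "... by source" in Splunk.
for f in "$SAMPLE_DIR"/*.txt; do
    printf '%s avg_rtt=%s ms lost=%s\n' "$(basename "$f")" \
        "$(avg_rtt "$f")" "$(lost_replies "$f")"
done
```

Run it against the real log directory by pointing SAMPLE_DIR at /var/log/ping-targets; a rising lost count on one source while the others stay at zero is the per-host signal the dashboard is meant to show.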

Change the plot type by clicking

  • /Visualization\
  • Bar plot (text)
  • line plot (square image)

Create / Modify DASHBOARD

Click "Save As ..." to create a new (or add to existing) dashboard
