SPLK-2002: Splunk Enterprise Certified Architect Training Course
144 Students Enrolled
80 Lectures
10:52:00 Hours

SPLK-2002: Splunk Enterprise Certified Architect Certification Video Training Course Exam Curriculum


  • Introduction to Splunk & Setting Up Labs: 10 lectures, 01:01:00
  • Getting started with Splunk: 14 lectures, 02:02:00
  • Splunk Architecture: 10 lectures, 01:30:00
  • Forwarder & User Management: 7 lectures, 01:08:00
  • Post Installation Activities: 10 lectures, 01:38:00
  • Security Primer: 2 lectures, 00:21:00
  • Distributed Splunk Architecture: 8 lectures, 00:46:00
  • Indexer Clustering: 9 lectures, 01:12:00
  • Search Head Clustering: 6 lectures, 00:38:00
  • Advanced Splunk Concepts: 4 lectures, 00:36:00

Forwarder & User Management

1. Overview of Universal Forwarders

Hey everyone, and welcome back. In today's video, we will be discussing the Splunk universal forwarder. Now, installing and configuring universal forwarders on all the servers is one of the major activities that a typical organization performs once it has the Splunk setup up and running. So typically, a universal forwarder is a Splunk agent that collects data from all the servers and sends it to your Splunk deployment. Now, Splunk offers a universal forwarder agent that supports various operating systems, including Linux, Windows, Mac, Solaris, FreeBSD, and AIX as well. So depending on which operating system your servers run, you can go ahead and install the relevant Splunk universal forwarder there, which will collect the logs from that operating system and send them to your Splunk deployment. Now, before we proceed, I just wanted to quickly show you the page related to the universal forwarder.

So you see, this is the Splunk Universal Forwarder 7.2.0, and there are a lot of installation packages available for Windows. You also have Linux, Solaris, Mac, FreeBSD, as well as AIX. So depending on which OS you use, you can go ahead and download and install the Splunk universal forwarder.

Along with that, I would also like to quickly show you the Docker Hub page. So within Docker Hub, if you just type Splunk, you will see that Splunk also publishes a universal forwarder image there. So this is the package that is officially supported by Splunk. So, instead of installing the agent via an RPM, DEB, or TGZ file, you can simply do a docker pull of the Splunk universal forwarder image on your server, and you will have a proper universal forwarder there. So again, this is an alternative that I have used in a few of the organisations that I have been working with.

I have tested this way thoroughly, and it seems to be a pretty straightforward way. It works right out of the box, and there are no major issues to be found. So you can try it the Docker way as well.

However, for certain add-ons, such as the Linux add-on, which collects a large number of metrics such as CPU and memory metrics, you will have to do a little customization; it will not work out of the box. In case you just want to collect the log files, the Docker-based universal forwarder will work out of the box, but a lot of other things will need customization.

Particularly if you are collecting additional metrics from the host, such as monitoring your files and collecting CPU, memory, disk, and other metrics from the host system. Now, once you have your universal forwarder installed on your servers (it can be your servers, and it can be your laptops as well), these universal forwarders will go ahead and send data to your Splunk instance. Now, in order to send data, they need to know which port they should be sending data to. So by default, port 9997 is generally configured for receiving the logs from remote universal forwarders. So typically, you will see that this universal forwarder will be sending data to port 9997 of your Splunk instance. So, if you go to your Splunk instance, go to Settings, Forwarding and receiving, and then Configure receiving, you will see that it is already enabled. So port 9997 is already enabled. This means that any universal forwarder can send data to port 9997 of your Splunk instance.

2. Installing Universal Forwarder in Linux

Hey everyone, and welcome back. In today's video, we will go ahead and install the Splunk universal forwarder on one of our servers and look into how exactly it can forward the data from the server to the Splunk enterprise instance.

So, we had already looked into the Splunk universal forwarder's platform support, and it basically supports a wide range of operating systems as well as Docker containers. Now, for our testing purposes, we will be using Linux and the RPM-based package. Since we are doing things in Docker, the universal forwarder is also something that we'll be installing inside a Docker container, but the process will be the same if you install it inside a Docker container or directly on the server; the process will always remain the same. So what I have done is pull the CentOS 6 container image from Docker Hub.

So if I do a docker images, you will see that I have a CentOS 6-based image downloaded. So this is the image from which we will be launching a Docker container, so let's quickly do that. I'll do a docker run, I'll name it "forwarder1", and I'll launch it from this specific image ID. Perfect. So now, if I do a docker ps, you will see that there is one more Docker container, which is called "forwarder1". I will log in to forwarder1 via bash, and we'll go ahead and install the universal forwarder.

Now, since this is a CentOS-based installation, it doesn't really matter if you have an Ubuntu server or any other; it will work; just select the appropriate package. So I'll go ahead and download the RPM version. So basically, you will have to accept the terms and agreement, and you will get this nice command line: a wget command. So you can just copy and paste this command instead of directly downloading the RPM file, and you can run this command. So let me quickly install wget, and I'll rerun the command.

So now the Splunk forwarder package is downloaded. If you do a quick ls, you will see that this is the RPM package that was downloaded into my root file system; to install it, do a yum install splunkforwarder. So I just ran yum install on the splunkforwarder RPM package. Perfect. So the Splunk forwarder has now been installed, and as expected, it goes into the /opt directory, similar to Splunk, and you will see within the /opt directory that there is a splunkforwarder.

So let me go to splunkforwarder, and if I do an ls over here, you will see that the file structure remains exactly the same. This is critical; if you remember Splunk's file system structure, you don't have to remember the Splunk forwarder's file system structure; everything remains the same, and this consistency is what makes a Splunk product amazing and easy to learn. So we'll go to bin, and within bin, there are a lot of binaries over here. Again, we are more interested in splunk. So let's do a splunk status, and you have to accept the licence agreement as usual. Just give the administrator username (I'll give admin) and let me give a password, and it says Splunk is not running. So let's go ahead and start Splunk.

So now Splunk has started, and you will see that it is only checking for the management port. The primary reason is that the Splunk forwarder does not really listen because it does not have a GUI. It basically forwards data, which is why you don't see port 8000 or any other ports to which it is bound. Perfect. So now, if you do a splunk status, Splunk is running. So now that we have the Splunk forwarder running, the next important part for us is to tell the Splunk forwarder to start sending logs to the Splunk instance. So which logs are we interested in? We are more interested in the /var/log directory.

So the /var/log directory is where we have yum.log, and there will be various other logs like /var/log/secure, /var/log/messages, and various others. So this is the log directory that we are interested in. So if you quickly do a "splunk list monitor", it will ask you for the username and password, and it basically shows which log files this universal forwarder is monitoring and which log files it will send to the remote Splunk instance.

So in order to add a new log file, I'll say "splunk add monitor /var/log". So now it says "added monitor of /var/log", and if you again do a splunk list monitor, you should typically see that there is a /var/log directory, and within this, whatever files are present, it is monitoring those files. So these are the files that the mighty Splunk universal forwarder agent is monitoring. So this is the first aspect. Now the second aspect is to tell the universal forwarder that it should send all of these log files to our Splunk instance, which is running on a specific IP address.

So that configuration is not yet done, and that is something that we need to do. So what I have done is create a small document over here that basically has the commands that we will be running throughout this practical. I'll be posting it beneath the video so you can use it directly. So we have already run these two commands, and the next command basically tells the Splunk universal forwarder that it should forward all the logs that it is monitoring to this specific server. It could be either the IP address or the host name. And this is the port where Splunk is receiving it.

So, if you quickly navigate to Settings and then Forwarding and receiving, you should check to see if port 9997 is in the receiving state. So you see currently that this is 9997, and the status is enabled. That means we are good to go. So, as long as network connectivity is present and the firewall is not blocking, we can forward the logs to this specific server IP on port 9997. So in order to quickly verify, I'll quickly install certain tools. One of them is nc, and one more tool that I'll install is a package called net-tools. Okay, so net-tools is already installed. So let's quickly verify with nc what the connectivity status is between the servers.

So I'll just say nc 172.17.0.2 9997. So it says the connectivity is successful. So if you want to see the IP address of the Splunk instance, one easy way is to just log in to it, say, with docker exec splunk bash. And if you run the ifconfig command, you will see that this is the IP address of this specific Splunk instance. If your ifconfig command fails, you can try an apt-get update and an apt-get install net-tools.

So these are the two commands from which the ifconfig binary would come. So now that we know that this is the IP address of my Splunk instance and we have also verified that the connectivity is there, what I'll typically do is go ahead and run this specific command, and now you will see that it has added forwarding to 172.17.0.2. Now, to quickly verify everything is working as expected, you need to go to the Splunk forwarder. And within var, there is log, and within that, splunk. And within this, there are a lot of log files.

splunkd.log is something that will give you accurate information. So, if the forwarding has stopped or something isn't working, this is the file you'd typically need to look into. So let me do a tail of splunkd.log. And you can see that it is connected to idx=172.17.0.2. So this is the line that you should be looking for. If everything is working, you will see this typical TcpOutputProc entry: connected to the remote IP address. Now, in order to verify if everything is working as expected, you can go to Splunk Enterprise. I'll go to the Search and Reporting app. Within the data summary, you will see I have one more host over here. So this host is basically the hostname of your server. So da7f is the hostname of my server here. So, if you see that I have da7f, you will also notice that I have a yum log.

So if you remember, we had installed wget, we had installed the Splunk forwarder, and we had installed nc. So these are basically the yum log events, which are indexed, and after a certain amount of time, you will see the log events from various other log files also coming into Splunk. So let me do one thing: let me select All time. And now, if you go into the source, you will see that Splunk is forwarding various log files like the anaconda log, the yum log, and the dracut log. So these are all coming from the /var/log directory, which we had started to monitor. Now, let's go a little deeper just to have our concepts clear. When we run this command, what Splunk does behind the scenes is add the relevant configuration to the etc/system/local directory.

So let's go to the directory to see what exactly Splunk stores there. So I go to etc/system/local, and if I do an ls, you will see that there is an inputs.conf, an outputs.conf, and a server.conf. So, let's take a look at what's available in inputs and outputs. Within inputs, you also have host, which is the same as the hostname. If you want to change the host name, follow these instructions. The easiest way is to make sure that your server hostname is the domain name. So, for example, if my domain name is videoskplabs.com, then it is recommended that my server hostname be the same.

So it becomes really easy to understand within the central log monitoring system. The other option is to navigate to etc/system/local and change the host to whatever host name you have, say, videokplabs.in, and this will be reflected within the Splunk instance. So this is what inputs.conf is. In the second file, which is outputs.conf, you should see the IP address of the indexer to which Splunk will send logs. So you have 172.17.0.2:9997. So, if you want to change your IP address, assume you've just relaunched a Splunk Enterprise instance and want to change the IP address to which Splunk should forward logs. This is the file that you should be working on. So behind the scenes, your Splunk CLI commands will create all of these files. However, you can make the journey even without Splunk CLI commands.

You only need to create these files. So this is the high-level overview of the Splunk universal forwarder installation. I would really recommend that you go ahead and try this out once. Managing and maintaining Splunk universal forwarders is one of the important tasks that you would typically be doing, because in an enterprise, you may have thousands of instances, and you typically have to install Splunk universal forwarders and manage them across all of these instances, as well as troubleshoot, because it is common to have two or three instances that have stopped forwarding. So we'll be looking into these, but with the base set, where every one of us already knows how to install the Splunk universal forwarder, we can go ahead and explore much more advanced topics. So with this, we'll conclude this video. I hope this has been informative for you, and I look forward to seeing you in the next video.
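As an added example in plain POSIX shell (not the course's own material): the two files that the lecture's splunk add monitor and splunk add forward-server commands leave in etc/system/local, written directly, together with the splunkd.log connection check described above. The SPLUNK_HOME path, host name, indexer address and the sample log line are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the course): the files that "splunk add monitor"
# and "splunk add forward-server" create under etc/system/local, written by
# hand, plus the splunkd.log check the lecture describes. SPLUNK_HOME,
# host names, the indexer address and the sample log line are constructed.

# uf_write_config SPLUNK_HOME INDEXER MONITOR_PATH [HOST]
# inputs.conf says what to collect and which host= to stamp on events;
# outputs.conf says where to send it (indexer receiving port 9997).
uf_write_config() {
    home=$1; indexer=$2; mon_path=$3; host=${4:-$(hostname)}
    local_dir="$home/etc/system/local"
    mkdir -p "$local_dir"
    cat > "$local_dir/inputs.conf" <<EOF
[default]
host = $host

[monitor://$mon_path]
disabled = false
EOF
    # One output group; a group may list several indexers for
    # auto load balancing, here just the one from the lecture.
    cat > "$local_dir/outputs.conf" <<EOF
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = $indexer:9997
EOF
}

# uf_check_connected SPLUNKD_LOG
# Prints the indexer from the newest "TcpOutputProc - Connected to idx=..."
# line and returns 0; returns 1 when no such line exists, which is the
# first thing to look at when a forwarder has stopped sending.
uf_check_connected() {
    line=$(grep 'TcpOutputProc - Connected to idx=' "$1" | tail -n 1)
    [ -n "$line" ] || return 1
    printf '%s\n' "$line" | sed 's/.*Connected to idx=\([^,]*\).*/\1/'
}

# uf_probe_port HOST PORT: TCP reachability check (same idea as the nc test
# in the lecture) to run before blaming the forwarder configuration.
uf_probe_port() {
    nc -z -w 3 "$1" "$2"
}

# Demo on a scratch directory with a constructed splunkd.log excerpt.
demo=$(mktemp -d)
uf_write_config "$demo" 172.17.0.2 /var/log web01.example.com
printf '%s\n' \
  '10-05-2018 10:12:01.100 +0000 INFO  TcpOutputProc - Connected to idx=172.17.0.2:9997, pset=0, reuse=0.' \
  > "$demo/splunkd.log"
if idx=$(uf_check_connected "$demo/splunkd.log"); then
    echo "forwarding to $idx"
else
    echo "not connected: check outputs.conf, firewall and the receiving port"
fi
cat "$demo/etc/system/local/outputs.conf"
```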

3. Challenges in Forwarder Management

Hey everyone, and welcome back. In today's video, we will be discussing some of the typical challenges that you would face when it comes to universal forwarder management.

Now, we already know that the "universal forwarder" is basically a Splunk agent that gets installed on your server, collects the data that you ask it to, and sends it to the Splunk Enterprise instance. Now, generally, while we installed the Splunk universal forwarder, we ran certain commands, if you remember, during the demo. These commands were splunk add monitor /var/log as well as splunk add forward-server with the 172.17.0.2 address, which is basically the instance the Splunk forwarder will be pushing the logs to. This process did not appear to take long, but when installing Splunk in an enterprise, I recall working in an organization with close to 600 to 700 servers, and doing this manually is simply out of the question. So what you can do is maybe automate things with configuration management tools like Ansible.

So, at first glance, this appears to be a good way. What you basically do is add these commands to an Ansible playbook, and then you just run that playbook against the servers. However, this is not a very optimal way. Let's say you ran these commands on all 600 servers, as an example. Now, what you want to do is additionally monitor one more log file that is not within this path. So you'll have to update your Ansible playbook again, and then run it on all 600 servers again.

Now, every time you want to make a change to a specific configuration within the universal forwarder, or add or remove certain add-ons, you'll have to run your tasks across all 600 servers. This is not really scalable. Typically, only one click should be required, and it should be automatically propagated to all 600 servers. And this is something that we need to look forward to. So let's assume a use case where any server that belongs to the 192.168.10. network should only have the /var/log/secure file monitored. Any server belonging to 107720 should have both /var/log/secure and the /var/log/audit directory monitored. There's one more requirement: if a server hostname starts with W-I-N, then it should be configured to send both Windows events and AD logs.

So these are some typical use cases where, if you do it the Ansible way or any other configuration management way, it will not scale quite well. As a result, we require solid forwarder management to assist us in sorting out specific use cases, and forwarder management is an inbuilt feature of Splunk. So you have your Splunk Enterprise instance, and you enable forwarder management here. So forwarder management is a feature in Splunk, and what you basically do is connect all your forwarders to this central forwarder management instance. Now this forwarder management feature, which is part of Splunk, can have its own configured rule set. So, you see, there are three rule sets. One is 192.*; as a result, any IP address beginning with 192 should only have /var/log/secure monitored.

Any IP address beginning with 1077 should have the /var/log/secure and audit files monitored. Any host name that starts with WIN should monitor both Windows events and AD logs. So once a universal forwarder connects to this forwarder management, what forwarder management basically does is send information to the universal forwarder on what it should be doing.

So here, forwarder management has sent information to the first server, saying that it should only monitor the /var/log/secure file. When a second universal forwarder connects to this forwarder management instance in the second step, it will verify the IP address and hostname of that universal forwarder. And depending upon the configured rule set, it will say, "Okay, now that you are in the 1077 series, you should monitor /var/log/secure and /var/log/audit." And now you have one more laptop connected. This is a Windows-based laptop.

So now the forwarder management server will say okay, since you are a Windows laptop, you should only monitor Windows events. You do not have to monitor any Linux files. So now, the next time I want this specific server to monitor additional files, all I have to do is add one more rule here, and it will automatically get deployed. So this is what is referred to as "forwarder management." So when you go to a Splunk instance and go inside Settings, you will see that under Distributed environment you have an option called Forwarder management, and this forwarder management is responsible for achieving the use cases that we were discussing, as well as many other use cases.

4. Introduction to Deployment Server

Hey everyone, and welcome back. In today's video, we will be discussing the deployment server. Now, a deployment server, in a high-level overview, is a tool for distributing configurations, apps, and content updates to a group of Splunk Enterprise instances like universal forwarders, search heads, and others. Forwarder management, on the other hand, is a GUI built on top of the deployment server that provides an easy way to configure the deployment server and monitor the status of deployment updates. So this is just the definition, which we will be discussing in more detail in the upcoming slides.

When it comes to the forwarder management dashboard, it will look something like the screenshot below. On the left, you can see that there are 506 clients who have called home in the last 24 hours. That means that in total, there are 506 clients that are connecting to my forwarder management, or that the forwarder management is responsible for distributing apps to. This is how the forwarder management dashboard appears. We'll be looking at the practical aspects as well, but I would just like to show you how exactly it would look. Now, when discussing deployment server architecture, there are three terms that you should remember.

One is the deployment server itself, the second is the server class, and the third is the deployment clients. So deployment clients are basically the universal forwarders installed on specific servers. So you have a Linux server with a universal forwarder installed on top, which is referred to as Linux-SF. You have one more Linux server. This is in the UK region and is referred to as "Linux2-UK." There are also three Windows-based universal forwarders installed on the left side. So these are called the "deployment clients." So the deployment server is responsible for pushing the configuration-related data to the deployment clients.

Now what is that configuration-related data? It is defined inside the server class. So here you have four server classes: one for Windows, one for Linux, one for SF, and one for the UK. Now the Windows server class is being deployed to the three Windows instances. The Linux server class is getting deployed to the Linux instances, and you have one server class called SF that gets deployed only to the universal forwarder which has SF in its name. And you have the UK server class, which basically gets deployed to the servers that are present within the UK region. So the server class is one important concept that we need to understand.

So let's go ahead and understand what a server class is. Now, a server class is basically a group of common configurations that are shared by multiple instances. Or you can also refer to them as "multiple universal forwarders" in a way, because the deployment server can not only push deployments to universal forwarders; it can also push them to search heads and non-clustered indexers. But for our use cases, we are more concerned with universal forwarders, because this is where deployment servers are typically used extensively. Now, let's take an example of a server class.

One server class is called "Windows," which is common to all Windows servers. You have a server class called "Linux," which is common to all Linux servers. So this is just like a container, which is basically connected to a group. So this group can be Windows, and this group can be Linux. Now, this group can even be associated with a specific server in a region. So I have a server in the San Francisco region, and I can have a dedicated server class for that. I have a server in the UK region; I can have a dedicated server class for that. So this is what a server class entails. Now, the server class is incomplete without a deployment app.

Now, a deployment app is a set of configuration files maintained by the deployment server and pushed to the deployment clients belonging to a specific server class. One deployment app, for example, has an inputs.conf that basically monitors /var/log/secure and /var/log/audit. So this is one deployment app with an inputs.conf. Now, this deployment app needs to be connected to a specific server class. So what I do is connect this deployment app to the Linux server class. So now what will happen is that any universal forwarder that connects to the server class called Linux through that deployment client will automatically start monitoring the /var/log/secure and /var/log/audit files. So server class and deployment app generally go hand in hand, and they are used together.

So with this, let's do one thing. Let's jump into the practical aspect and look at how it would work. So I'm in my Splunk instance here, and if you go to Settings and Forwarder management, you'll see that it says the forwarder management UI distributes deployment apps to Splunk clients, and that it isn't configured yet. So in order to configure the UI, there is a specific step that you need to take from the CLI. So let me go to my Splunk instance and do an ls. So we'll go to /opt/splunk/etc. And if I do an ls here, you'll notice a folder called deployment-apps. So we already looked into what deployment apps are, if you remember. So within the second term, we were discussing what a deployment app is.

So for the forwarder management UI to become available, one way is to have some sample app within this deployment-apps directory. Now, the good news is that if you go inside the apps directory, you will see that there is one sample app present. So what you'll do is copy the sample app. So let's say I copy the sample app and paste it inside the deployment-apps directory. Now, once you do that, just restart Splunk. Perfect. So my Splunk has restarted, and you'll notice that the Splunk interface is now available. So if we quickly go to the browser, let me quickly log in. And this time, you will see within the UI that this is basically the deployment server, and forwarder management is basically the GUI for the deployment server. So within this, now you see that I have a nice console.

So within the Apps tab, basically, these are also called deployment apps. We already discussed what a deployment app is. And this is the sample app. Over here, we also have server classes, and there is a tab for clients. So currently, since we do not have any server classes, nor do we have any clients associated, it is not showing anything. But I hope you understand the basics of what a deployment server is. And in the following video, we'll devote some time to understanding server class configuration, server class apps, connecting the clients to our deployment server, and investigating what flexible options we have to manage things centrally.
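As an added example (not from the course) that serves both the three rule-set use cases of the previous lecture and the deployment server layout of this one: a shell script that scaffolds the deployment apps and a serverclass.conf for those rules, plus a small matcher that shows which server classes and apps a client with a given hostname and IP would receive. Subnets, host names and app names are constructed, and the whitelist matching uses shell globbing as a stand-in for Splunk's own pattern matching.

```shell
#!/bin/sh
# Added example (not part of the course): a deployment server layout for the
# three rules in the forwarder-management lecture (one subnet gets only
# /var/log/secure, another gets secure plus audit, WIN* hosts get Windows
# event logs), plus a matcher that shows which server classes and apps a
# given client would receive. Subnets, host names and app names are
# constructed for this demo; the matcher ignores blacklist.N entries.

# ds_scaffold SPLUNK_HOME
# Each deployment app is just a directory with an inputs.conf;
# serverclass.conf maps clients to apps by whitelist pattern.
ds_scaffold() {
    home=$1; apps="$home/etc/deployment-apps"
    mkdir -p "$apps/linux_secure_inputs/local" \
             "$apps/linux_secure_audit_inputs/local" \
             "$apps/win_event_inputs/local" "$home/etc/system/local"
    printf '[monitor:///var/log/secure]\ndisabled = false\n' \
        > "$apps/linux_secure_inputs/local/inputs.conf"
    printf '[monitor:///var/log/secure]\ndisabled = false\n\n[monitor:///var/log/audit]\ndisabled = false\n' \
        > "$apps/linux_secure_audit_inputs/local/inputs.conf"
    printf '[WinEventLog://Security]\ndisabled = false\n' \
        > "$apps/win_event_inputs/local/inputs.conf"
    cat > "$home/etc/system/local/serverclass.conf" <<'EOF'
# whitelist.N is matched against the client's IP, hostname, DNS name or
# clientName; * and ? are wildcards.
[serverClass:linux_secure]
whitelist.0 = 192.168.10.*

[serverClass:linux_secure:app:linux_secure_inputs]
restartSplunkd = true

[serverClass:linux_secure_audit]
whitelist.0 = 10.20.30.*

[serverClass:linux_secure_audit:app:linux_secure_audit_inputs]
restartSplunkd = true

[serverClass:windows]
whitelist.0 = WIN*

[serverClass:windows:app:win_event_inputs]
restartSplunkd = true
EOF
}

# glob_match STRING PATTERN: shell wildcard match, returns 0 on a hit.
glob_match() { case $1 in $2) return 0 ;; esac; return 1; }

# ds_match SERVERCLASS_CONF HOSTNAME IP
# Prints "class app" for every server class whose whitelist matches the
# client's hostname or IP. A client may land in several classes.
ds_match() {
    conf=$1; h=$2; ip=$3; section=""; matched=" "
    # Pass 1: collect the classes with a matching whitelist entry.
    while IFS= read -r raw; do
        case $raw in
            '#'*|'') ;;
            '['*']') section=${raw#\[}; section=${section%\]} ;;
            whitelist.*)
                # Only top-level [serverClass:NAME] stanzas carry whitelists.
                case $section in *:app:*) continue ;; serverClass:*) ;; *) continue ;; esac
                cls=${section#serverClass:}
                pat=$(printf '%s' "${raw#*=}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
                if glob_match "$h" "$pat" || glob_match "$ip" "$pat"; then
                    case $matched in *" $cls "*) ;; *) matched="$matched$cls " ;; esac
                fi ;;
        esac
    done < "$conf"
    # Pass 2: list the apps attached to each matched class.
    grep '^\[serverClass:.*:app:.*\]' "$conf" | while IFS= read -r stanza; do
        body=${stanza#\[serverClass:}; body=${body%\]}
        cls=${body%%:app:*}; app=${body##*:app:}
        case $matched in *" $cls "*) printf '%s %s\n' "$cls" "$app" ;; esac
    done
}

# Demo on a scratch directory: which apps would these two clients receive?
demo=$(mktemp -d)
ds_scaffold "$demo"
sc="$demo/etc/system/local/serverclass.conf"
ds_match "$sc" web01 192.168.10.5        # -> linux_secure linux_secure_inputs
ds_match "$sc" WIN-LAPTOP01 10.0.0.9     # -> windows win_event_inputs
```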
