3.3.3 splunk forward

ELK has Filebeat and Logstash for forwarding logs; Splunk likewise ships its own forwarding tool, the Splunk forwarder (Universal Forwarder). As with Splunk itself, the forwarder has to be downloaded. The version used here is 8.0.2. Download addresses:

# Choose a version
https://www.splunk.com/page/previous_releases/universalforwarder
# Version used: 8.1.3
https://download.splunk.com/products/universalforwarder/releases/8.1.3/linux/splunkforwarder-8.1.3-63079c59e632-linux-2.6-x86_64.rpm

On the Wazuh manager (192.168.1.200), install the Splunk forwarder with rpm so that it can forward the logs.

[root@wazuh-manager ~]# rpm -ivh splunkforwarder-8.1.3-63079c59e632-linux-2.6-x86_64.rpm 
warning: splunkforwarder-8.1.3-63079c59e632-linux-2.6-x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID b3cd4420: NOKEY
Preparing...                          ################################# [100%]
useradd: cannot create directory /opt/splunkforwarder
Updating / installing...
   1:splunkforwarder-8.1.3-63079c59e63################################# [100%]
cp: cannot stat ‘/opt/splunkforwarder/etc/regid.2001-12.com.splunk-UniversalForwarder.swidtag’: No such file or directory
complete

The installation reports an error; copying the file into place is all that is needed to fix it.

[root@wazuh-manager ~]# cp /opt/splunkforwarder/swidtag/splunk-UniversalForwarder-primary.swidtag /usr/share/regid.2001-12.com.splunk/
[root@wazuh-manager ~]# chown splunk:splunk /usr/share/regid.2001-12.com.splunk/splunk-UniversalForwarder-primary.swidtag 

Following the configuration format Splunk defines for this, create /opt/splunkforwarder/etc/system/local/props.conf and add the configuration below. For the data input to be usable, Splunk has to be told which format it will be processing.

[wazuh]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
KV_MODE = none
NO_BINARY_CHECK = true
category = Application
disabled = false
pulldown_type = true

Create the file /opt/splunkforwarder/etc/system/local/inputs.conf, which tells the Splunk forwarder to monitor the log file /var/ossec/logs/alerts/alerts.json.

[monitor:///var/ossec/logs/alerts/alerts.json]
disabled = 0
host = MANAGER_HOSTNAME
index = wazuh
sourcetype = wazuh

Replace the host parameter in the configuration file with the hostname of the Wazuh manager.

[root@wazuh-manager ~]# vim /opt/splunkforwarder/etc/system/local/inputs.conf

Configure the Splunk forwarder to forward logs to the Splunk server. Since this establishes communication with the Splunk server, you must enter the Splunk server's username and password for the forward-server to be added successfully.

[root@wazuh-manager ~]# /opt/splunkforwarder/bin/splunk add forward-server 192.168.1.103:9997
Added forwarding to: 192.168.1.103:9997.

Start the Splunk forwarder service.

[root@wazuh-manager ~]# /opt/splunkforwarder/bin/splunk restart
Stopping splunkd...
Shutting down.  Please wait, as this may take a few minutes.
                                                           [  OK  ]
Stopping splunk helpers...
                                                           [  OK  ]
Done.

Splunk> CSI: Logfiles.

Checking prerequisites...
	Checking mgmt port [8089]: open
	Checking conf files for problems...
	Done
	Checking default conf files for edits...
	Validating installed files against hashes from '/opt/splunkforwarder/splunkforwarder-8.1.3-63079c59e632-linux-2.6-x86_64-manifest'
	All installed files intact.
	Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...  
Done
                                                           [  OK  ]

Set the Splunk forwarder to start at boot.

[root@wazuh-manager ~]# /opt/splunkforwarder/bin/splunk enable boot-start
Init script installed at /etc/init.d/splunk.
Init script is configured to run at boot.
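The steps above are easy to get subtly wrong: leaving `host = MANAGER_HOSTNAME` in inputs.conf, or using a sourcetype with no matching props.conf stanza, means alerts.json either never arrives or arrives unparsed. The following added script (my own, not part of the original tutorial or of Splunk) renders the page's inputs.conf with the real hostname filled in and runs a preflight check over the forwarder's local configuration before the restart; the function names are assumptions, the paths and keys are the ones used on this page.

```shell
#!/bin/sh
# Added example, not the tutorial's own code. Renders inputs.conf from the
# page with the hostname substituted, then checks the local forwarder
# configuration (props.conf + inputs.conf) for the mistakes described above.

# $1 = destination file, $2 = hostname to substitute for MANAGER_HOSTNAME
render_inputs_conf() {
    cat > "$1" <<EOF
[monitor:///var/ossec/logs/alerts/alerts.json]
disabled = 0
host = $2
index = wazuh
sourcetype = wazuh
EOF
}

# Print the value of "key = value" from a conf file: $1 = file, $2 = key.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 when the local config is consistent, 1 otherwise; problems go
# to stderr. $1 = the etc/system/local directory of the forwarder.
check_forwarder_conf() {
    props="$1/props.conf"
    inputs="$1/inputs.conf"
    rc=0
    host=$(conf_get "$inputs" host)
    if [ -z "$host" ] || [ "$host" = "MANAGER_HOSTNAME" ]; then
        echo "inputs.conf: host is still the MANAGER_HOSTNAME placeholder" >&2; rc=1
    fi
    st=$(conf_get "$inputs" sourcetype)
    if [ -z "$st" ] || ! grep -q "^\[$st\]" "$props"; then
        echo "props.conf: no [$st] stanza matching the inputs.conf sourcetype" >&2; rc=1
    fi
    if [ "$(conf_get "$props" INDEXED_EXTRACTIONS)" != "json" ]; then
        echo "props.conf: INDEXED_EXTRACTIONS must be json for alerts.json" >&2; rc=1
    fi
    return $rc
}

# When run on the Wazuh manager itself, check the real forwarder config.
if [ -d /opt/splunkforwarder/etc/system/local ]; then
    check_forwarder_conf /opt/splunkforwarder/etc/system/local && echo "forwarder config OK"
fi
```

Run it on the manager after editing the two files and before `splunk restart`; a non-zero exit with a message on stderr means one of the files still needs fixing.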
