Splunk ES

Last updated 4 years ago

Splunk Architecture

Splunk Components

Forwarder

  • Useful for collecting the logs from a remote machine; it forwards the log data to a Splunk Indexer for processing and storage.

Types:

  • Universal Forwarder – You can opt for a Universal Forwarder if you want to forward the raw data collected at the source. It is a simple component which performs minimal processing on the incoming data streams before forwarding them to an indexer.

  • Heavy Forwarder (HWF) – You can use a Heavy Forwarder and eliminate half your problems, because one level of data processing happens at the source itself before the data is forwarded to the indexer. A Heavy Forwarder typically does parsing and indexing at the source and also intelligently routes the data to the Indexer, saving bandwidth and storage space. So when a Heavy Forwarder parses the data, the indexer only needs to handle the indexing segment.

Indexer

  • Useful for indexing and storing the data coming from the forwarder.

  • The Splunk instance transforms the incoming data into events and stores them in indexes so that search operations can be performed efficiently.

  • If you are receiving the data from a Universal Forwarder, the indexer will first parse the data and then index it. Parsing is done to eliminate the unwanted data. But if you are receiving the data from a Heavy Forwarder, the indexer will only index the data.

Search Head

  • Used for searching, analyzing and reporting.

  • We can search and query the data stored in the Indexer by entering search terms, and we get the expected result.

License Master

  • It makes sure that the right amount of data gets indexed.

  • The Splunk license is based on the data volume that comes into the platform within a 24hr window, so it is important to make sure that the environment stays within the limits of the purchased volume.

License Violation

  • If the License Master is unreachable, it is not possible to search the data. However, the data coming in to the Indexer will not be affected. So, the indexing does not stop; only searching is halted.

Ports used in Splunk

  • Splunk Web Port: 8000

  • Splunk Management Port: 8089

  • Splunk Network port: 514

  • Splunk Index Replication Port: 8080

  • Splunk Indexing Port: 9997

  • KV store: 8191

Parsing = Mapping text into fields

Given the line:

Sep 28 16:39:03 app_server sshd[8677]: Failed password for invalid user icecast2 from 10.72.109.227 port 57238 ssh2

It would be parsed into:

host = app_server

process = sshd

source_user = icecast2

source_ip = 10.72.109.227

source_port = 57238

and inserted into the database.

Normalization = Assign category

For normalization, the event above would be assigned a normalization ID of 409075712, which is Authentication | Login | SSH Login in the normalization taxonomy.

If I use the normalized group, SSH Login, as a filter, it will show me all events categorized as SSH logins regardless of the originating device, OS or signature ID.
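As an added example (not code from the original page or from Splunk), this shows the parsing step above mapping the quoted sshd line into fields, and normalization then assigning the page's SSH Login category so that a filter on the normalized group matches a login from another host with a different signature text as well as the failure shown. The bastion01 and cron lines, and the field names outcome and category, are constructed here.

```python
import re
from typing import Optional

# Constructed sample input: the sshd line quoted on the page, plus two lines
# made up here (a successful SSH login from another host and a cron entry).
SAMPLE_LOG = [
    "Sep 28 16:39:03 app_server sshd[8677]: Failed password for invalid user "
    "icecast2 from 10.72.109.227 port 57238 ssh2",
    "Sep 28 16:41:17 bastion01 sshd[2210]: Accepted publickey for alice "
    "from 10.0.0.5 port 50312 ssh2",
    "Sep 28 16:40:01 app_server CRON[8700]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Syslog header: "<timestamp> <host> <process>[<pid>]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<process>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$")
# sshd login outcome; "invalid user" is optional so failures and successes both match
SSHD_RE = re.compile(
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")

# Normalization taxonomy entry: the ID and category name are the ones given on the page.
SSH_LOGIN = (409075712, "Authentication | Login | SSH Login")

def parse(line: str) -> Optional[dict]:
    """Parsing: map the raw text into fields. Returns None for lines not in syslog format."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    event = {"host": m["host"], "process": m["process"], "message": m["message"]}
    if event["process"] == "sshd" and (auth := SSHD_RE.search(event["message"])):
        event.update(source_user=auth["user"], source_ip=auth["ip"],
                     source_port=int(auth["port"]),
                     outcome="success" if auth["result"] == "Accepted" else "failure")
    return event

def normalize(event: dict) -> dict:
    """Normalization: assign a category independent of host, OS or signature text."""
    nid, category = SSH_LOGIN if "source_user" in event else (None, "Uncategorized")
    return {**event, "normalization_id": nid, "category": category}

def events_in_category(lines: list, category: str) -> list:
    """Filter by normalized group, as the page does with 'SSH Login'."""
    normalized = [normalize(e) for e in map(parse, lines) if e is not None]
    return [e for e in normalized if e["category"] == category]
```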