SPLK-1003 Splunk Enterprise Certified Admin – Forwarder Management And User Management Part 2
- Deploying Apps on Universal Forwarder Using Deployment Server
So as you can see we have successfully created our base configuration app which contains nothing but our outputs confine so this is our outputs. com file we have made a mistake we need to update the configuration so we need to update our indexer IP. Two places save this file how to deploy using deployment server before that, for our Windows Server Universal folder, let us create our newly added app that is our base config. I’ll click on save. So now this application will be automatically downloaded by our universal Forwarder.
Now let us go to our universal Forwarder etc apps directory. So here we should be able to see anytime soon. Our new application should have been downloaded. So it has contacted our deployment server a few seconds ago. As you can see, we have our base config here. If you open this file, we should be able to see our outputs. Conf file that is newly created.
This is our newly created outputs conf which was downloaded from our deployment server. So now let us verify on our search ed whether we are receiving the logs from our universal forwarder so that our complete workflow will be completed. That is universal forwarder sending logs to our indexer. Then indexer is indexing and storing these logs. We’ll be able to search it from our searcher.
As you can see as soon as I have it. Enter we are able to see all the logs that are part of our universal forwarder have started indexing on our indexer from the configuration that was picked up from our deployment server. So this is how basically you manage the configuration using deployment server. You create your own groups and you deploy specific application which contains specific configuration like inputs, outputs, props, transforms, including images, web contents, static contents, even including your Https certificate. So you can control almost everything using deployment.
- Updating configuration and Deploying
We have understood how to configure deployment server to deploy the configurations onto Universal forwarders and other Splunk instances. Let’s say I need to modify some of the configuration. Now I’ve already deployed, I’ve got an update and I need to push the updates on my clients. Now let us see how we can push this updates using deployment Server for this step we’ll be using just a modified base config. We’ll add a comment into a file and we’ll see how the configuration will be reflected. So this is our universal forwarder. Presently we have our base config installed under etc apps.
So under base config we’ll see outputs conf. So this output has been downloaded from our deployment server. So let us go to our deployment server, open up outputs. com and I will add just a dummy comment check for changes. This is just a command so that Splunk records this as an output and to deploy the changes you need to reload your deployment server. For reloading we’ll be using the same utility that is Splunk for all the activities like restart, start and stop.
The command will be reload deploy iPhone Server so this is the command use it to reload your any changes for the configuration under deployment apps. So it is asking for my Splunk credentials. Once successful login. It says Reloading Server class. As you can see on our universal forwarder the file was deleted and it is going to be reinstalled fetched from the deployment server. It was almost instantaneous where I was able to notice that some file was downloaded from the deployment server and it was installed on my universal forwarder. Now let us open up this file and check for the changes. As you can see it is detected on my Notepad plus plus itself.
The file has been modified by another program. This another program is nothing but our splunk. Universal forwarder. As you can see we have our updated content in this fashion you can edit any configuration related to your universal Forwarder, splunk Indexer, Splunk Searcher, Splunk AV Forwarder any component of Splunk which is reporting to your deployment server can be modified using deployment server.
- Forward Data out of the Splunk
In this video we’ll be discussing how we can send the data out of Splunk. The data that has been indexed and stored in your Splunk instance can also be sent out to any third-party devices like Syslog servers or any other vendors who can handle Splunk data. So we will be seeing how we can achieve this. We’ll open up our search. Ed upon logging into your Search Ed or Indexer or any other Splunk instance from where you need to send your data out, click on Forwarding and Receiving and there is an option for Configuring Forwarding.
Click on Configure Forwarding add New and you can mention the IP and poor details where this data has to be sent out of the Splunk, or you need to mention the IP and the port details where this data has to be sent out to another Syslog server or third party server which can process it for further. And also along with these IP and port details, you can use Props and Transforms so that you can selectively route data to your Syslog server or your data storage server where your data from Splunk is sent and processed for further analysis.
- User Management in Splunk
In this module we’ll be completely dealing with Access management and Splunk, where we will see some of the features like creating a user, deleting a user and assigning users with special privileges. As part of our discussion on access management, we’ll be seeing how we can segregate data from one user to another user user by limiting access to data on Splunk. In this video we will see where we can find access management in Splunk and familiarize ourselves on some of the inbuilt roles and users of our Splunk installation. The roles in Splunk are similar to that of Active Directory group, where each member can be part of multiple group and depending on the group, the members will have special privileges. Similarly, in Splunk depending upon the roles, the user will have additional privileges. We will be going through all the default users and the roles present in Splunk as part of this video. In order to create users or roles in Splunk you need to visit Access Controls.
To find access control, click on settings. You’ll be able to see access controls. Click on access controls. Here you have multiple submenus where it says Authentication method. These are some of the methods that Splunk supports. Splunk supports one local authentication, that is your Splunk User Accounts, which you can create and manage on your Splunk system. The second is the LDAP. As of now, it is by default Splunk authentication which is always on and it keeps only admin account when you enable other methods of authentication like LDAP or SAML. In this LDAP it supports two factor authentication, whereas in SAML as of now, it doesn’t support two factor or multifactor authentication. So throughout this tutorial we’ll be going through our Splunk authentication.
In this menu you’ll be able to see Users and rules. Click on users. You’ll be able to see all the users as of now configured on this Splunk instance to log in and search for the information. By default, as you can see, there is only one user on this Splunk instance which is as part of your installation we have Admin User, which is the privileged user of Splunk, configured to login using Splunk authentication. This admin user is always a local Splunk user account with privileges and it cannot be disabled. The next menu is the rules. By default, Splunk has five different rules. As part of our installation we will get five different roles. You can add or customize any number of roles. This will be your baseline and it’s always recommended not to tamper or change any capabilities related to these users. So let’s start one by one. The first user is your admin privilege, that is this user account as the complete privilege except can delete. So the can delete role is only available whenever it is necessary to an admin user or any other user can be assigned at the time of necessity.
Because can delete user as a privilege to delete logs from Splunk, that is, the user belonging to Candelete role can easily wipe off or delete some of the events from appearing from your search results. The third one is power. The power user is used for creating knowledge objects and sharing knowledge objects. These power users are little bit higher end of user privilege and lower end of your admin privilege. So this is in the middle of admin and user privilege. Admin is the highest privilege and the user is the least privilege which has privileges of writing a search, fetching results, creating dashboard reports and alert. He has all the basic functionalities but this user privilege will not have any configuration changes or updating privileges on Splunk. And there is one more role that is Splunk system role which is used for running scheduled searches and other system related activities for the application to run feasibly. To summarize, admin is where most privileged can delete is the user which has the privilege to delete the logs from appearing in the search result.
The power user is a medium privileged user which is in between admin and user privilege whereas Splunk system role is a Splunk application account used for running couple of schedule searches and internal Splunk application process. And the user privilege is the least privilege and it has very limited functionalities which is required for normal operations.
- Creating Roles : Part 1
As part of our access management understanding in Splunk, we’ll be seeing in this video how to create roles and some of the capabilities and limitations that we can specify as part of role creation in Splunk in order to create a role in Splunk. Go to access control. From your settings menu, click on Access Control and choose Roles submenu. In this you’ll be able to see the default inbuilt Rules of Splunk. Click on New to create a new Splunk custom role. So upon getting this menu give a nice descriptive role name something like Linux or Linux Users. The next option is Default App so that as soon as this Linux Users login will be able to redirect them to specific UI or the specific application in Splunk. Let’s say we want them to redirect to default search and reporting app so that as soon as they log in they will be getting search and reporting app console that is with the search bar and the navigation menu of alerts, data sets, reports and dashboard.
So this will be their default login screen. The next options are search restrictions, which are most commonly left in default, but it can be very useful in order to improve your splunk performance. So here we can restrict them from using search terms that are like Windows related search terms. Since our role belongs to Linux, all the members of this role should be able to search only for Linux log. So in this way you can whitelist all the Windows machines or Windows logs using search terms. This is not so commonly used. We’ll be seeing how we can limit access to this Linux group of users to only Linux logs in further discussions. The next is limit the search time used by your Linux users. Let’s say I need only one day of logs to be searched by My. Linux users I can set a value of 8640 this is nothing but 24 hours duration in seconds which represents the users belong to this group will be able to search only one day specific logs they can’t run seven.
Days or 30 days or last year locks in their search queries. The next option is user level concurrent searches. This is basically to limit concurrent searches from this users. We don’t want them to overload Splunk with running ten. To 20 concurrent searches. So we can limit their concurrent searches to two or three based on requirement. The next option is the realtime searches. The realtime searches are the most resource consuming searches. Make sure you make this option limited. Based on role or user specific to required number of real time searches. So these two options are specific to user. Let’s say I have five people under Linux users. If I enter two concurrent jobs and two concurrent real time searches. So at a time, a user belonging to Linux Group will be able to run four searches. That is, two concurrent and two real time. But if I mention a role of five people having ten concurrent searches and ten real time jobs.
Let’s say four of my users are inactive. Only one active users we have you will be able to utilize all the ten concurrent searches and ten real time searches. So this is basically assigning resources for specific rule so that the resources have been shared efficiently. This is limit total job disk usage. Let’s say I run a search for 30 days and I got a result of size 100 MV. So this consumes disk space every time when a search runs, it occupies a part of disk in your search. And so in order to limit based on these roles, you can limit by specifying the size in MB. Let’s say I need all my Linux user to use one GB of my disk space so that after this one GB the searches will be queued and until the space is not clear, they will not be able to perform additional searches. In that case, the user itself have the privilege to clear their disk space.
- Creating Roles : Part 2
The next option is the inheritance where this role, that is the Linux users role, can inherit some of the basic roles from a Splunk default user role. So this is the lower privileged user. If you want our Linux user to be an admin, you can give them admin privileges where they can access all your Splunk configuration, edit configuration and modify these configurations. So it’s always good to give other non Splunk admins normal user privileges. The next menu is the capabilities. The capability of users are already defined as per your user role.
These roles have inbuilt capabilities which are defined by Splunk itself. In case if you would like to give them additional privileges like accelerating data model or editing indexer cluster, edit searched cluster you can give them specifically by looking for specific capabilities available as part of your Splunk. The next options are the most important and most widely used data segregation options. That is, indexes searched by default. Let’s say our users, as soon as they log in, they enter some wild card search or free form search in your search bar. So the results that are retrieved are only from your main index. So this represents by default, if they don’t specify any index value in their search, they will get only results from your default index that is main. You can set this to other indexes like Linux or Windows depending upon the role that the users are using.
Here we’ll set it to default index as Linux so that as soon as my user logs in belonging to Linux user role, he runs a free form search for error. Then you will get all the errors under Linux index. The next option is for indexes. So this indexes is nothing but the complete access where user can typically type index is equal to Windows. Although the user belonging to Linux user if he typically specifies index is equal to Windows, you will still be able to get your Windows first because we have selected all non internal index. So this indexes is nothing but the available indexes where the user can run the searches.
This index is by default. If they don’t specify any index, the results will be retrieved only from Linux index. But if they specify index is equal to Windows, they will be able to get the results because we have not listed them here. In order to do a strict limitation of data, we will remove all non internal index and give them access to only Linux index so that you’ve even though if they search free form search, they will get only Linux index. Even though if they search specifying any other index name, they will not get any other data except Linux. Click on save to create a row.
- Creating Users : Part 1
We have understood from our previous video how to create roles. Now let us see how we can create users in Splunk. In order to create users in Splunk, click on Settings. Access Control users under Users. As you can see as of now, via just our inbuilt user that is admin. To add a user, click on New. So once you are in the screen you’ll be able to provide a username which the Splunk user uses to log in and fill out these details which most of these details are optional. And here you’ll get an option to choose the role in which the user belongs to. Since we have created our custom role, we will create a user belonging to a newly created role. So these all are optional in case if you would like to fill out fill out.
- Creating Users : Part 2
We have understood from our previous video how to create roles. Now let us see how we can create users in Splunk. In order to create users in Splunk, click on Settings. Access Control users under Users. As you can see as of now via just our inbuilt user that is admin. To add a user click on New. So once you are in this screen you’ll be able to provide a username which the Splunk user uses to log in and fill out these details which most of these details are optional.
And here you’ll get an option to choose the role in which the user belongs to. Since we have created our custom role, we will create a user belonging to a newly created role. So these all are optional in case if you would like to fill out fill out. Once you have filled out all the required information for creating a user, make sure you have created the password and also assign the rules as per the requirement and click on Save. Once saved you should be able to log in using newly created user to your Splunk account. Now let us log in with our newly created username and password. With restricted access only to Linux users, we have successfully logged in to her newly created user that is demo.