You create an index for each of the types of data you want to bring into your Splunk Cloud deployment.

Configure your deployment server. The deployment server allows you to centrally manage the Splunk forwarders in your environment. Using the deployment server, you can configure what data gets collected and where to send it. In this case, you use the deployment server to send data to your Splunk Cloud instance.

Configure apps and add-ons on your deployment server. You configure the Splunk Universal Forwarder app and the Splunk Add-on for Windows on your deployment server. Then you set up server classes so that you can push the configurations to the forwarders on your Windows machines.

Configure Universal Forwarders on your Windows machines. Forwarders collect data and forward it to your Splunk Cloud Platform instance.

Verify that data is flowing to your Splunk Cloud Platform instance. After configuring the deployment server, add-on and forwarders, check to see if data is flowing to your Splunk Cloud Platform instance.

When you have configured all your settings, you can push updates to all your forwarders from the deployment server.

Step 1: Set up your Windows environment
Complete the following steps to set up your Windows environment.
This can be a Linux or a Windows server. Ensure you allow adequate time to complete this task before you attempt to get data in. Request a 0 MB deployment server license from Splunk Support. Ensure you allow adequate time to complete this task.

Step 3: Configure indexes on your Splunk Cloud Platform instance
Create indexes to store the events you send from your Windows machines.
In this step, you create the following indexes:
wineventlog: Store Windows event logs
perfmon: Store Windows performance data
msad: Store Microsoft Active Directory data
dns: If collecting, store DNS data
dhcp: If collecting, store DHCP data

Complete the following steps to create an index.
Click New Index. For the index name, enter wineventlog. For index data type, select Events. For searchable time days, enter a value that indicates the number of days the data is searchable. The image shows an example of 90 days of searchable storage. Storage is based on your subscription type. For more information on an appropriate storage value per your subscription type, see Storage in the Splunk Cloud Platform Service Description. Be sure to refer to the correct service description version for your deployment. Optionally, you can extend your storage for longer if you have different requirements. Discuss your storage requirements with your Splunk account representative. Click No Additional Storage, and click Save. You can also set up different types of storage for expired Splunk Cloud Platform data such as self-storage or archiving.
Repeat these steps for each of the following indexes: perfmon, msad, dns, dhcp.

Step 4: Configure your Splunk Deployment Server
Complete the following steps to configure the deployment server Windows OS with the deployment server license and the Universal Forwarder App. Download a Splunk Enterprise instance as your deployment server. From Splunk. Log into your Splunk Cloud Platform instance.
Upload the Universal Forwarder credentials on your deployment server. Click Upload to upload the Universal Forwarder app. Configure the licensing for the deployment server. Click Restart later.
Step 5: Configure Apps and Add-Ons on your Deployment Server
Add the Universal Forwarder app and the Splunk Add-on for Windows to your deployment server so that it can push forwarder and add-on configurations to all of the forwarders you install. If a local folder exists, delete it. This folder gets created when the app is installed but you need a unique outputs.
This gets recreated when the Universal Forwarder restarts. Rename each of the folders so that they represent your different Windows servers. In the folder, create a new folder called local. This is a Splunk best practice and ensures that your configuration changes are saved during an upgrade.
Also, this provides a way to revert back to the original configurations if some settings are misconfigured. Using a file editor, open the inputs.
Review the Source Types for Windows Add-Ons in the documentation to ensure that your sources are represented by this add-on. In this instance, you configure the add-on to get data in for the following Windows Event Logs: Application, Security, System. To get the Application log data in, modify the inputs.
This enables the input. This is the index you previously configured. The example shows the resulting stanza. The bold font shows which lines are changed or added. Enter outputs as the server class name and click Save. In this case, name the server class outputs because it sets the outputs. When you save these changes, you are taken to a screen to add apps or a client.
Click Add Apps and select the Universal Forwarder app. Click the name to add it to the right side and then click Save. Under Actions for the Universal Forwarder app, click Edit.
Setting Restart Splunkd lets you restart the forwarder after you push changes to the apps via the deployment server.
Navigate to the Server Classes tab. Repeat steps for another server class called Windows servers. For step 2 customize for Windows servers. Perform a verification step: When you view the apps from the deployment server, you should see that the app and Restart Splunkd are enabled.
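One way to check the add-on's local inputs file before the deployment server pushes it, so that the Application, Security and System inputs are enabled and point at an index created in Step 3. This is an added example, not part of the Splunk documentation; it assumes the file is inputs.conf with WinEventLog:// stanzas and that local/ enables each input explicitly, and check_inputs and the sample text are constructed for illustration.

```python
import configparser

# Indexes created in Step 3 of the page.
KNOWN_INDEXES = {"wineventlog", "perfmon", "msad", "dns", "dhcp"}
# Event logs the page enables in the add-on.
REQUIRED_LOGS = ("Application", "Security", "System")
FALSY = {"0", "false"}  # values of "disabled" that leave the input enabled


def check_inputs(conf_text):
    """Return a list of findings for a local/inputs.conf; empty means OK."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(conf_text)

    findings = []
    for log in REQUIRED_LOGS:
        stanza = f"WinEventLog://{log}"
        if not cp.has_section(stanza):
            findings.append(f"{stanza}: stanza missing")
            continue
        opts = cp[stanza]
        # Assumption: local/ must enable the input explicitly.
        if opts.get("disabled", "1").strip().lower() not in FALSY:
            findings.append(f"{stanza}: input is not enabled")
        index = opts.get("index", "").strip()
        if not index:
            findings.append(f"{stanza}: no index set")
        elif index not in KNOWN_INDEXES:
            findings.append(f"{stanza}: index '{index}' was not created in Step 3")
    return findings


# Constructed sample, not taken from the add-on's shipped inputs.conf.
SAMPLE = """
[WinEventLog://Application]
disabled = 0
index = wineventlog

[WinEventLog://Security]
disabled = 1
index = wineventlog

[WinEventLog://System]
disabled = 0
index = winevntlog
"""

if __name__ == "__main__":
    print("\n".join(check_inputs(SAMPLE)))
```

A Security input left disabled or an index name with a typo is easy to miss once the app is pushed to many forwarders, so running a check like this on the deployment server copy catches it before the push.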