Initial commit
This commit is contained in:
114
skills/log-aggregation-setup/assets/splunk_config_template.conf
Normal file
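--- /dev/null
+++ b/skills/log-aggregation-setup/assets/splunk_config_template.conf
@@ -0,0 +1,114 @@
+# Splunk Configuration Template
+
+# This file provides a template for configuring Splunk to collect and index logs.
+# It includes examples for various log sources and configurations.
+# Please review and modify this file according to your specific environment and requirements.
+
+# ==============================================================================
+# Global Settings
+# ==============================================================================
+
+[default]
+host = <YOUR_HOSTNAME> # Replace with the actual hostname of the Splunk instance
+
+# ==============================================================================
+# Input Configuration: System Logs (Syslog)
+# ==============================================================================
+
+# Configure a UDP input for receiving syslog messages.
+# Ensure your syslog daemon is configured to forward logs to this Splunk instance.
+
+[udp://514]
+connection_host = ip
+sourcetype = syslog
+index = main # Change if you want to index into a different index
+disabled = false
+
+# ==============================================================================
+# Input Configuration: File Monitoring (Tail)
+# ==============================================================================
+
+# Monitor a specific log file. Useful for application logs.
+# Adjust the path and sourcetype accordingly.
+
+[monitor:///var/log/<YOUR_APPLICATION>/<YOUR_APPLICATION>.log]
+sourcetype = <YOUR_APPLICATION>_log
+index = main # Change if you want to index into a different index
+disabled = false
+# Optional: Multiline event breaking (if needed)
+# MUST_BREAK_AFTER = ^\d{4}-\d{2}-\d{2}
+
+# ==============================================================================
+# Input Configuration: Windows Event Logs (Windows)
+# ==============================================================================
+
+# Configure Splunk to collect Windows Event Logs.
+# Adjust the event logs to monitor as needed.
+
+[WinEventLog://Application]
+disabled = false
+index = wineventlog
+sourcetype = WinEventLog:Application
+# Optional: Filter events by event code
+# evt_resolve_ad_obj = 1 # Resolve AD objects
+# whitelist = 4624,4625 # Example: Only collect events with ID 4624 and 4625
+
+[WinEventLog://System]
+disabled = false
+index = wineventlog
+sourcetype = WinEventLog:System
+
+[WinEventLog://Security]
+disabled = false
+index = wineventlog
+sourcetype = WinEventLog:Security
+# IMPORTANT: Consider the volume of security logs and storage implications.
+
+# ==============================================================================
+# Input Configuration: Scripted Input (Example: CPU Utilization)
+# ==============================================================================
+
+# Example of a scripted input to collect CPU utilization.
+# Requires a script (e.g., cpu_utilization.sh or cpu_utilization.ps1)
+# that outputs the CPU utilization in a structured format (e.g., CSV, JSON).
+
+[script://$SPLUNK_HOME/etc/apps/<YOUR_APP_NAME>/bin/cpu_utilization.sh]
+interval = 60 # Run every 60 seconds
+sourcetype = cpu_utilization
+index = metrics # Consider a dedicated metrics index
+disabled = false
+
+# ==============================================================================
+# Transformations (Optional)
+# ==============================================================================
+
+# Use transformations to modify events before they are indexed.
+# Example: Masking sensitive data.
+
+# [transform-null]
+# REGEX = (.*)<SENSITIVE_FIELD>.*
+# DEST_KEY = _raw
+# FORMAT = $1<SENSITIVE_FIELD>MASKED
+
+# ==============================================================================
+# Index Configuration (Optional)
+# ==============================================================================
+
+# Configure index-specific settings.
+
+# [<YOUR_INDEX_NAME>]
+# homePath = $SPLUNK_DB/<YOUR_INDEX_NAME>/db
+# coldPath = $SPLUNK_DB/<YOUR_INDEX_NAME>/colddb
+# thawedPath = $SPLUNK_DB/<YOUR_INDEX_NAME>/thaweddb
+# maxDataSize = auto
+# frozenTimePeriodInSecs = 90d # 90 days retention
+
+# ==============================================================================
+# Notes
+# ==============================================================================
+
+# * Replace placeholders with actual values.
+# * Ensure proper permissions are set for log files and scripts.
+# * Test configurations thoroughly before deploying to production.
+# * Consider using Splunk's monitoring console for health checks and troubleshooting.
+# * Review Splunk documentation for detailed information on configuration options.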
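Review bot: The trailing comments on value lines — `host = <YOUR_HOSTNAME> # Replace ...` in [default], `index = main # Change ...` under [udp://514] and the monitor stanza, and `interval = 60 # Run every 60 seconds` / `index = metrics # Consider ...` under the script stanza — are not stripped by Splunk's .conf parsing, which as far as I know only honours comments that start a line, so the index name and interval are read with the comment text appended and events either land in the wrong place or the input fails to load; move each comment onto its own line, e.g. `# Change if you want to index into a different index` directly above `index = main`. The template also mixes settings that live in different files without saying so: the `[transform-null]` REGEX/DEST_KEY/FORMAT block belongs in transforms.conf and only takes effect through a props.conf `TRANSFORMS-` binding, the homePath/coldPath/retention block belongs in indexes.conf, and `MUST_BREAK_AFTER` is a props.conf line-breaking setting rather than an inputs.conf one, so a header comment naming the target file for each section would stop a straight copy into inputs.conf from silently doing nothing. The masking example's `(.*)<SENSITIVE_FIELD>.*` also consumes everything after the sensitive field, so the rewritten `_raw` drops the remainder of the event rather than just the value; the stanza name suggests nullQueue routing, which is a different pattern and worth disambiguating in the comment. Finally, a `[udp://514]` input accepts unauthenticated, spoofable datagrams and binding a port below 1024 needs elevated privileges, so a comment steering users toward TLS-wrapped forwarder traffic or a hardened syslog relay in front of Splunk would make the risk explicit.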