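# Splunk Configuration Template (inputs.conf)
#
# This file provides a template for configuring Splunk to collect and index logs.
# It includes examples for various log sources and configurations.
# Please review and modify this file according to your specific environment and requirements.
#
# NOTE: Splunk .conf files do not support trailing (inline) comments. Anything
# after the value is read as part of the value, so every comment in this file
# sits on its own line above the setting it describes.
# NOTE: The transformation and index examples near the end belong in
# transforms.conf and indexes.conf respectively, not in inputs.conf. They are
# kept here, commented out, only as a reference.

# ==============================================================================
# Global Settings
# ==============================================================================

[default]
# Replace with the actual hostname of the Splunk instance
host = <YOUR_HOSTNAME>

# ==============================================================================
# Input Configuration: System Logs (Syslog)
# ==============================================================================

# Configure a UDP input for receiving syslog messages.
# Ensure your syslog daemon is configured to forward logs to this Splunk instance.
# Syslog over UDP carries no authentication or integrity protection: the source
# address can be spoofed and datagrams can be silently lost. Restrict which
# networks may reach this port (firewall and/or acceptFrom below) and consider a
# forwarder or TLS-capable transport where the source supports it.
# Binding port 514 requires elevated privileges on most Unix systems.

[udp://514]
connection_host = ip
sourcetype = syslog
# Change if you want to index into a different index
index = main
disabled = false
# Optional: only accept datagrams from your syslog sources (network ACL)
# acceptFrom = <YOUR_SYSLOG_SOURCE_CIDR>

# ==============================================================================
# Input Configuration: File Monitoring (Tail)
# ==============================================================================

# Monitor a specific log file. Useful for application logs.
# Adjust the path and sourcetype accordingly.

[monitor:///var/log/<YOUR_APPLICATION>/<YOUR_APPLICATION>.log]
sourcetype = <YOUR_APPLICATION>_log
# Change if you want to index into a different index
index = main
disabled = false

# Optional: Multiline event breaking (if needed)
# Event-breaking settings are props.conf settings, not inputs.conf settings.
# Put them in props.conf under a stanza named after the sourcetype above:
# [<YOUR_APPLICATION>_log]
# MUST_BREAK_AFTER = ^\d{4}-\d{2}-\d{2}

# ==============================================================================
# Input Configuration: Windows Event Logs (Windows)
# ==============================================================================

# Configure Splunk to collect Windows Event Logs.
# Adjust the event logs to monitor as needed.

[WinEventLog://Application]
disabled = false
index = wineventlog
sourcetype = WinEventLog:Application
# Optional: Filter events by event code
# Resolve AD objects
# evt_resolve_ad_obj = 1
# Example: Only collect events with ID 4624 and 4625
# whitelist = 4624,4625

[WinEventLog://System]
disabled = false
index = wineventlog
sourcetype = WinEventLog:System

[WinEventLog://Security]
disabled = false
index = wineventlog
sourcetype = WinEventLog:Security
# IMPORTANT: Consider the volume of security logs and storage implications.
# A whitelist or blacklist of event codes (see the Application stanza above)
# is the usual way to keep this input to the events you actually need.

# ==============================================================================
# Input Configuration: Scripted Input (Example: CPU Utilization)
# ==============================================================================

# Example of a scripted input to collect CPU utilization.
# Requires a script (e.g., cpu_utilization.sh or cpu_utilization.ps1)
# that outputs the CPU utilization in a structured format (e.g., CSV, JSON).
# The script is executed by the Splunk process with that process's privileges.
# Keep the script and its bin directory writable only by the account that
# administers Splunk, so the input cannot be turned into arbitrary command
# execution by anyone who can edit the file.

[script://$SPLUNK_HOME/etc/apps/<YOUR_APP_NAME>/bin/cpu_utilization.sh]
# Run every 60 seconds
interval = 60
sourcetype = cpu_utilization
# Consider a dedicated metrics index
index = metrics
disabled = false

# ==============================================================================
# Transformations (Optional) -- belongs in transforms.conf
# ==============================================================================

# Use transformations to modify events before they are indexed.
# Example: Masking sensitive data.
# A transform only runs when props.conf references it for the relevant
# sourcetype (TRANSFORMS-<name> = transform-null); on its own it does nothing.
# Masking is applied at index time only: data that was already indexed is not
# rewritten, so test the regex against sample events before relying on it.

# [transform-null]
# REGEX = (.*)<SENSITIVE_FIELD>.*
# DEST_KEY = _raw
# FORMAT = $1<SENSITIVE_FIELD>MASKED

# ==============================================================================
# Index Configuration (Optional) -- belongs in indexes.conf
# ==============================================================================

# Configure index-specific settings.

# [<YOUR_INDEX_NAME>]
# homePath = $SPLUNK_DB/<YOUR_INDEX_NAME>/db
# coldPath = $SPLUNK_DB/<YOUR_INDEX_NAME>/colddb
# thawedPath = $SPLUNK_DB/<YOUR_INDEX_NAME>/thaweddb
# maxDataSize = auto
# 90 days retention. The value is an integer number of seconds (90 * 86400);
# a suffix such as "90d" is not accepted here.
# frozenTimePeriodInSecs = 7776000

# ==============================================================================
# Notes
# ==============================================================================

# * Replace placeholders with actual values.
# * Ensure proper permissions are set for log files and scripts.
# * Test configurations thoroughly before deploying to production.
# * Consider using Splunk's monitoring console for health checks and troubleshooting.
# * Review Splunk documentation for detailed information on configuration options.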