
Monday, December 17, 2012

Installing Splunk forwarder on OS X

Splunk has a component called a forwarder; think of it as a thin client that ships log data to a Splunk server (specifically, the indexer). Here's a basic installation procedure for OS X. We'll use the Darwin tarball rather than the OS X dmg: the latter stores all of the data and configuration inside the OS X app bundle, which strikes me as a Bad Idea (tm).

Also, since Splunk isn't FOSS, you'll need to go to splunk.com to get a copy. I'll assume you already have a server set up somewhere; if you don't, there's no point in doing this.

Some general notes

The darwin forwarder installs in /opt. This is good in general, since it keeps the installation away from Apple's version of unixy goodness, but it might cause some issues if you use Darwin ports. I don't know if it does, since I don't use Darwin ports.

You have the option of using SSL to connect to the server. You should do this, but in my case I found it better to try things out in a test setup without SSL first, since setting up the certs can be a pain.

Initially we'll run the Splunk forwarder as root, but then cut over to a different user. Running a process as root when you don't have to is not a great idea.

You might also check out this:

http://docs.splunk.com/Documentation/Splunk/4.3.1/Deploy/Deployanixdfmanually

Installing Splunk forwarder

So your first step is to get the splunk universal forwarder. Go ahead, I'll wait here.

Sudo to a root shell:

sudo /bin/bash

We'll do this all as root, so be careful with your typing.

Make a directory for this:

mkdir /opt

cd /opt

Assuming you downloaded the forwarder through the browser, it will be in ~/Downloads; copy it to /opt. Keep in mind that you'll be installing a later version than this, so the file name will differ:

cp ~/Downloads/splunkforwarder-4.3.1-119532-Darwin-universal.tgz /opt

Unpack the forwarder and enter the directory:

tar -xvzf splunkforwarder-4.3.1-119532-Darwin-universal.tgz

cd splunkforwarder

Start Splunk:

/opt/splunkforwarder/bin/splunk start --accept-license

Open a second terminal window:

sudo /bin/bash

cd /opt/splunkforwarder/var/log/splunk

tail -f splunkd.log

Watch this window to see how the forwarder is doing; connection errors to the indexer show up here.

Add your server to the configuration. The CLI talks to the local splunkd, so you'll be prompted for the forwarder's own Splunk userid and password: admin, and whatever you changed the password to from changeme. The IP address of your server will likely be different:

/opt/splunkforwarder/bin/splunk add forward-server 192.168.1.11:9997

Now let's add a couple of logs to forward to the server:

/opt/splunkforwarder/bin/splunk add monitor /var/log/secure.log

/opt/splunkforwarder/bin/splunk add monitor /var/log/system.log

If everything goes well, you should now be able to see system.log and secure.log events in your Splunk server's web interface.

Adding SSL Support

This is the best simple explanation I've found for using SSL with Splunk. In this method, Splunk itself acts as the CA, and we then produce signed certs with passwords for some additional security.

http://splunk-base.splunk.com/answers/5518/what-is-the-recipe-for-creating-new-ssl-certs-for-forwarding-with-no-auth

Make a space to store the certs out of the way of the default installation, and make it readable by the owner only. Note that the chmod uses the full path: the shell from the steps above is sitting in /opt/splunkforwarder, not in /opt/splunkforwarder/etc, so a relative "certs" would not resolve:

mkdir /opt/splunkforwarder/etc/certs

chmod og-rwx /opt/splunkforwarder/etc/certs
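The whole procedure above, from unpacking the tarball through adding the forward-server, the monitors and the owner-only certs directory, as one shell function with the checks you'd want before running it on a real box. This is an added example, not Splunk's installer or this post's own script: the tarball name, indexer address and log paths are the ones used in the post and can be overridden from the environment, and the splunk CLI calls are the same ones typed above.

```shell
#!/bin/bash
# Added example: the install steps from this post wrapped in a shell
# function with sanity checks. Not Splunk's installer. Tarball name,
# indexer and log paths default to the values used in the post.
set -u

SPLUNK_PREFIX="${SPLUNK_PREFIX:-/opt}"
SPLUNK_TARBALL="${SPLUNK_TARBALL:-${HOME:-$PWD}/Downloads/splunkforwarder-4.3.1-119532-Darwin-universal.tgz}"
INDEXER="${INDEXER:-192.168.1.11:9997}"
MONITOR_PATHS="${MONITOR_PATHS:-/var/log/secure.log /var/log/system.log}"
REQUIRE_ROOT="${REQUIRE_ROOT:-1}"   # set to 0 only for testing

# The tarball unpacks into a top-level "splunkforwarder" directory;
# refuse anything that doesn't look like a forwarder tarball.
check_tarball() {
    [ -f "$1" ] || { echo "tarball not found: $1" >&2; return 1; }
    case "$(basename "$1")" in
        splunkforwarder-*.tgz) return 0 ;;
        *) echo "not a forwarder tarball: $1" >&2; return 1 ;;
    esac
}

# The indexer must be given as host:port with a numeric port 1-65535.
check_indexer() {
    local host="${1%:*}" port="${1##*:}"
    [ -n "$host" ] && [ "$host" != "$1" ] || return 1
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

install_forwarder() {
    SPLUNK_HOME="$SPLUNK_PREFIX/splunkforwarder"
    SPLUNK_BIN="$SPLUNK_HOME/bin/splunk"

    if [ "$REQUIRE_ROOT" = 1 ] && [ "$(id -u)" -ne 0 ]; then
        echo "run this from a root shell (sudo /bin/bash)" >&2; return 1
    fi
    check_tarball "$SPLUNK_TARBALL" || return 1
    check_indexer "$INDEXER" || { echo "bad indexer spec: $INDEXER" >&2; return 1; }

    mkdir -p "$SPLUNK_PREFIX"
    # Never unpack silently over an existing install.
    if [ -e "$SPLUNK_HOME" ]; then
        echo "$SPLUNK_HOME already exists; remove it or pick another prefix" >&2
        return 1
    fi
    tar -xzf "$SPLUNK_TARBALL" -C "$SPLUNK_PREFIX" || return 1
    [ -x "$SPLUNK_BIN" ] || { echo "no splunk binary after extraction" >&2; return 1; }

    # Cert directory for the SSL step: owner-only before any key lands in it.
    mkdir -p "$SPLUNK_HOME/etc/certs"
    chmod 700 "$SPLUNK_HOME/etc/certs"

    "$SPLUNK_BIN" start --accept-license || return 1
    # add forward-server prompts for the forwarder's own admin credentials.
    "$SPLUNK_BIN" add forward-server "$INDEXER" || return 1
    for p in $MONITOR_PATHS; do
        # A monitor on a file we can't read never produces events; skip it loudly.
        [ -r "$p" ] || { echo "skipping unreadable $p" >&2; continue; }
        "$SPLUNK_BIN" add monitor "$p" || return 1
    done
    echo "forwarder installed in $SPLUNK_HOME; watch $SPLUNK_HOME/var/log/splunk/splunkd.log"
}

# Only act when asked, so sourcing this file just defines the functions.
[ "${RUN_INSTALL:-0}" = 1 ] && install_forwarder
```

Run it from a root shell as `RUN_INSTALL=1 bash install_forwarder.sh`; sourcing the file without RUN_INSTALL only defines the functions, so you can call check_indexer or install_forwarder by hand. It refuses to unpack over an existing /opt/splunkforwarder, creates the certs directory with mode 700 before anything is stored there, and skips log files it cannot read rather than registering a monitor that will never send anything.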

Posted by bil at 6:00 PM
Categories: Other Software, Work