/dev/null / /dev/rant

The task sounds simple: Manage all events and logs from all your servers centrally and make them easily accessible.

The problem is a bit more complex: You have different operating systems and different logging facilities in all your (branch) offices.

The way to go: Unless you are a big corporation and can afford the LogLogic product line, you will have to resort to something more.. cost effective.

The solution to your problem: Enter the world of Snare and Splunk.

No, they are not some cartoon characters. Snare is a free (as in BEER) log agent for many different operating systems (Windows, OS X, Linux, Solaris etc.) and Splunk is a logging server that can take many different log inputs.

Now what does that mean? It’s simple really, you can install and get the SNARE agent for almost every major OS out there (check resources at the end of this how-to) and it will happily collect the logs and events from that machine, based on your criteria, and forward it to a central log collecting server. Of course they want you to buy the SNARE Server but Splunk can index and handle SNARE data easily and I will show you how.

First off, we are using my trusty old server, Shorty. It is running a few VMWare machines, which we will use for logging purposes, and Splunk.
Splunk is a bit hard to describe. It is a central logging facility that collects your logs and lets you search or view them much like you would use Google. So yes, it is kind of like your own private search engine for your logs. You can also view them by host and criticality. But most importantly you can search for specific keywords and it will show you all occurrences. For example, if you want to see where Paul has logged in lately, you can type in paul logon and it will display all the log events that paul caused by logging on.

Now on to the good part, this is all based on Ubuntu but Splunk is available in many flavors. This will install the free version of Splunk which is pretty much all we need.
If you want to get the Ubuntu (Debian) Splunk package with a browser, use this link, and if you want to get it straight to your server that has only wget installed you can use this command (it is one long line):

wget 'http://www.splunk.com/index.php/download_track?file=/2.2/linux/splunk-2.2-15292-linux-2.6-intel.deb&ac=&wget=true&name=wget'

Once you have it, it is really simple to install:

sudo dpkg -i splunk-2.2-15292-linux-2.6-intel.deb

Or whatever the version is you are using. This works on Debian AND Ubuntu (or any *buntu) and once it is installed, you are pretty much done. You can start it right away and it will tell you how to do that, by typing:

/opt/splunk/bin/splunk start

A lot of things will happen, such as sanity checks and database checks, but in the end you should see this:

All index checks passed
Starting splunkd...
Starting splunkweb...Generating certs for splunkweb server

Splunk Server started. The web interface is at http://localhost:8000

Wow! You are done. You can now access the Splunk web interface on port 8000 of your server. Now you have a nice logging server with a clean interface but you have no data coming in, yet. A good thing to add right away is the local logs. You WANT to know when someone is messing with your log server. So to add all local logs, just type the following line at the command prompt:

/opt/splunk/bin/splunk add tail /var/log

If you now log into your Splunk server you should see quite a few events already piled up, as it imports all the log messages it can find from all the live logs on your local server. It should look something like this:

From now on it gets pretty easy, you need to download the agent you want to install on the servers (such as SNARE for Windows) and configure it to log remotely :).
Ok, small steps first. Splunk is so flexible that it allows you to get logs from different servers on different ports if you want to. But for brevity's sake we will concentrate on UDP traffic.

So first off, log into your Splunk server and click on the little ADMIN button on the top left hand corner:


On the resulting screen, click on Data Inputs:


And then on the Network Ports line click on ADD INPUT.

Now, click on UDP and enter 3000, for example. Select YES in Accept connections from all hosts, and in Source type leave SELECT FROM LIST and then select in the Source Type: windows_snare_syslog. Click on Add and you will be presented with a screen like this:

Very good, you can now close the browser window if you want to.
You need to log into your Windows Machine now, in my case a Virtual Windows 2003 Server. Download the SNARE agent (URLs at the end) and run the setup once you have it:


You can pretty much accept the defaults as you need to configure the service anyway through its web interface later. Once you have completed the setup, the configuration web interface will come up.

NOTE: These steps are the same for any OS that you install SNARE on

The first thing to do is to set a password for the remote configuration:


The most important screen however is the Network configuration in the SNARE configuration screen:


The important bits are the Destination SNARE server address, where you put the IP address or DNS name of your Splunk server, and the Destination port, which you set to 3000 as we configured the Data Input on Splunk. Also select Perform a scan of ALL objectives and Enable Syslog Header. The Syslog facility I use is Daemon and the Priority Information. Then simply click Change Configuration and close the browser window once it says that the configuration has been changed. NOTICE: you need to restart the SNARE service on the Windows machine now.

If you wait about 5 minutes, you can log into your Splunk interface and lo and behold events from the Windows Machine are coming in (the 10.0.0.101 IP):


Now, to test your setup just type user logon in the search and, as you can see, we get the results nicely listed. You can play around or just read the excellent documentation on Splunk's website.
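To make the two pieces above concrete (the Snare network settings with Enable Syslog Header, facility Daemon and priority Information sending to UDP 3000, and the keyword search such as paul logon), here is an added example of a tiny receiver and parser for the records that arrive on that port. It is not Splunk's or Snare's code; the three sample records, the hostname WIN2003 and the users in them are constructed, and the tab-delimited field layout after MSWinEventLog is an assumption about the Snare format, not something the post documents.

```python
"""Receive and parse Snare-over-syslog records the way a UDP data input sees them.
Added example, not Splunk or Snare code; the field layout below is an assumption."""
import re
import socket
from dataclasses import dataclass
from typing import List, Tuple

# Values chosen in the Snare network configuration above: facility Daemon,
# priority Information.  The syslog PRI byte is facility * 8 + severity.
FACILITY_DAEMON = 3
SEVERITY_INFORMATIONAL = 6

# <PRI>, a BSD-style timestamp, the sending host, then the tab-delimited Snare payload.
SYSLOG_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<payload>.*)$",
    re.S,
)

# Constructed sample records (hosts, users, counters and text are made up).
SAMPLE_EVENTS = [
    "<30>Jan 14 10:02:11 WIN2003 MSWinEventLog\t1\tSecurity\t412\tWed Jan 14 10:02:11 2009"
    "\t528\tSecurity\tpaul\tUser\tSuccess Audit\tWIN2003\tLogon/Logoff\t\t"
    "Successful Logon: User Name: paul Logon Type: 2",
    "<30>Jan 14 10:05:40 WIN2003 MSWinEventLog\t1\tSecurity\t413\tWed Jan 14 10:05:40 2009"
    "\t529\tSecurity\tSYSTEM\tUser\tFailure Audit\tWIN2003\tLogon/Logoff\t\t"
    "Logon Failure: Reason: Unknown user name or bad password User Name: paul",
    "<30>Jan 14 10:07:02 WIN2003 MSWinEventLog\t0\tSystem\t414\tWed Jan 14 10:07:02 2009"
    "\t7036\tService Control Manager\tN/A\tN/A\tInformation\tWIN2003\tNone\t\t"
    "The Snare service entered the running state.",
]


@dataclass
class SnareEvent:
    facility: int
    severity: int
    timestamp: str
    host: str
    fields: List[str]  # payload split on tabs; fields[5] is the event ID, fields[7] the user (assumed)

    @property
    def text(self) -> str:
        """Flat text of the record, the thing a keyword search runs over."""
        return " ".join([self.host, *self.fields])


def parse_snare_syslog(line: str) -> SnareEvent:
    """Split the syslog header off a Snare record; raises ValueError if it is not framed."""
    m = SYSLOG_LINE.match(line)
    if not m:
        raise ValueError("not a syslog-framed Snare record")
    pri = int(m["pri"])
    if pri > 191:  # largest legal PRI: facility 23, severity 7
        raise ValueError("PRI out of range")
    facility, severity = divmod(pri, 8)
    return SnareEvent(facility, severity, m["ts"], m["host"], m["payload"].split("\t"))


def parse_many(lines: List[str]) -> Tuple[List[SnareEvent], List[str]]:
    """Parse what we can and keep the rejects, so a malformed line is visible, not lost."""
    events, rejected = [], []
    for line in lines:
        try:
            events.append(parse_snare_syslog(line))
        except ValueError:
            rejected.append(line)
    return events, rejected


def search(events: List[SnareEvent], query: str) -> List[SnareEvent]:
    """Keyword search in the spirit of 'paul logon': every term must appear, case-insensitively."""
    terms = query.lower().split()
    return [e for e in events if all(t in e.text.lower() for t in terms)]


def receive_one(sock: socket.socket, bufsize: int = 8192) -> Tuple[str, str]:
    """Read one datagram as a UDP data input would and return (sender address, text)."""
    data, (sender, _port) = sock.recvfrom(bufsize)
    return sender, data.decode("utf-8", errors="replace")


def loopback_roundtrip(message: str, timeout: float = 2.0) -> Tuple[str, str]:
    """Stand-in for Snare -> Splunk:3000 that runs offline on a throwaway loopback port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv, \
            socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as cli:
        srv.bind(("127.0.0.1", 0))
        srv.settimeout(timeout)
        cli.sendto(message.encode("utf-8"), srv.getsockname())
        return receive_one(srv)


if __name__ == "__main__":
    events, rejected = parse_many(SAMPLE_EVENTS)
    for e in search(events, "paul logon"):
        print(e.timestamp, e.host, "event", e.fields[5], "user", e.fields[7])
```

The PRI of 30 decodes to facility 3 (Daemon) and severity 6 (Informational), which is how the Splunk side can tell these records apart from the local /var/log traffic you added earlier; a record that arrives without the syslog header (Enable Syslog Header left off) lands in the rejected list rather than being silently mis-parsed.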

Resources:

PS: if you do find this helpful, I don’t mind if you click on any of the nice google ads in order to pay for the hosting. No donation required, and I will never ask for one.
