[Script Info]
Title:

[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,0:00:00.00,0:00:01.19,Default,,0000,0000,0000,,
Dialogue: 0,0:00:01.19,0:00:02.58,Default,,0000,0000,0000,,Welcome to SDN TechForum.
Dialogue: 0,0:00:02.58,0:00:08.40,Default,,0000,0000,0000,,So let's continue from our\Nearlier video, ASA Essential.
Dialogue: 0,0:00:08.40,0:00:12.83,Default,,0000,0000,0000,,And in ASA Essential, we\Ndid essential configuration,
Dialogue: 0,0:00:12.83,0:00:16.83,Default,,0000,0000,0000,,like SSH, SNMP, NetFlow, SPAN,\Nsyslog, and packet tracer.
Dialogue: 0,0:00:16.83,0:00:21.38,Default,,0000,0000,0000,,So now, what happened, this\NASA is sending all the logs
Dialogue: 0,0:00:21.38,0:00:23.16,Default,,0000,0000,0000,,to a syslog server.
Dialogue: 0,0:00:23.16,0:00:26.43,Default,,0000,0000,0000,,And in this video, we are\Ngoing to start a new topic.
Dialogue: 0,0:00:26.43,0:00:29.77,Default,,0000,0000,0000,,And that topic is\NFun with Splunk.
Dialogue: 0,0:00:29.77,0:00:32.22,Default,,0000,0000,0000,,So you may be thinking like,\Nam I watching an old video?
Dialogue: 0,0:00:32.22,0:00:34.58,Default,,0000,0000,0000,,No, we'll continue\Nfrom there and continue
Dialogue: 0,0:00:34.58,0:00:37.80,Default,,0000,0000,0000,,building up what we did so far.
Dialogue: 0,0:00:37.80,0:00:38.34,Default,,0000,0000,0000,,OK.
Dialogue: 0,0:00:38.34,0:00:42.14,Default,,0000,0000,0000,,Fun with Splunk, as you can see.
Dialogue: 0,0:00:42.14,0:00:44.43,Default,,0000,0000,0000,,What we are going to\Ndo, as a side note,
Dialogue: 0,0:00:44.43,0:00:46.94,Default,,0000,0000,0000,,I'm going to show\Nyou how to configure
Dialogue: 0,0:00:46.94,0:00:52.58,Default,,0000,0000,0000,,a syslog-ng server on Ubuntu,\Nwith a Raspberry Pi on laptop.
Dialogue: 0,0:00:52.58,0:00:55.96,Default,,0000,0000,0000,,And then we will\Nstart with Splunk.
Dialogue: 0,0:00:55.96,0:00:57.38,Default,,0000,0000,0000,,So what I'm going\Nto do, I'm going
Dialogue: 0,0:00:57.38,0:00:59.40,Default,,0000,0000,0000,,to install the Splunk server.
Dialogue: 0,0:00:59.40,0:01:02.25,Default,,0000,0000,0000,,I'm going to use a\Nfree trial version.
Dialogue: 0,0:01:02.25,0:01:05.59,Default,,0000,0000,0000,,I'll install it on\Na Windows machine.
Dialogue: 0,0:01:05.59,0:01:06.22,Default,,0000,0000,0000,,All right.
Dialogue: 0,0:01:06.22,0:01:11.92,Default,,0000,0000,0000,,Then we will have a Splunk\Nuniversal forwarder,
Dialogue: 0,0:01:11.92,0:01:16.18,Default,,0000,0000,0000,,which is a small CPU.
Dialogue: 0,0:01:16.18,0:01:18.52,Default,,0000,0000,0000,,I mean, it's not very\Nresource-intensive.
Dialogue: 0,0:01:18.52,0:01:23.73,Default,,0000,0000,0000,,It's a lightweight agent\Nsitting on the places
Dialogue: 0,0:01:23.73,0:01:26.46,Default,,0000,0000,0000,,where you have the\Ndata, the data which
Dialogue: 0,0:01:26.46,0:01:28.62,Default,,0000,0000,0000,,you want to input\Nto the Splunk server
Dialogue: 0,0:01:28.62,0:01:32.28,Default,,0000,0000,0000,,so that you can index it,\Ncrunch it, and visualize it.
Dialogue: 0,0:01:32.28,0:01:35.01,Default,,0000,0000,0000,,So these universal\Nforwarders, they
Dialogue: 0,0:01:35.01,0:01:40.17,Default,,0000,0000,0000,,will be sitting on the sources\Nwhere we have our data storage,
Dialogue: 0,0:01:40.17,0:01:44.55,Default,,0000,0000,0000,,and which is generally a\NLinux machine or Windows.
Dialogue: 0,0:01:44.55,0:01:50.91,Default,,0000,0000,0000,,Then I'll show you how to input\Ndata from forwarder-- so what
Dialogue: 0,0:01:50.91,0:01:52.15,Default,,0000,0000,0000,,rules you need to create.
Dialogue: 0,0:01:52.15,0:01:54.84,Default,,0000,0000,0000,,And then, finally, we'll come\Nback to the Splunk Dashboard
Dialogue: 0,0:01:54.84,0:01:58.86,Default,,0000,0000,0000,,again and see if we can\Nmanage the forwarder status.
Dialogue: 0,0:01:58.86,0:02:02.27,Default,,0000,0000,0000,,And also, we can crunch\Nthat data, index that data,
Dialogue: 0,0:02:02.27,0:02:03.84,Default,,0000,0000,0000,,search that data,\Nall those things.
Dialogue: 0,0:02:03.84,0:02:08.04,Default,,0000,0000,0000,,So this is not going to be\Nvery Splunk-intensive video,
Dialogue: 0,0:02:08.04,0:02:11.83,Default,,0000,0000,0000,,but a lightweight good\Nfor you to get started.
Dialogue: 0,0:02:11.83,0:02:13.49,Default,,0000,0000,0000,,And at the same\Ntime, finally, I'll
Dialogue: 0,0:02:13.49,0:02:16.34,Default,,0000,0000,0000,,give you some forwarder\Ntroubleshooting tips
Dialogue: 0,0:02:16.34,0:02:19.97,Default,,0000,0000,0000,,because, many times,\Nforwarders, once you set up
Dialogue: 0,0:02:19.97,0:02:21.92,Default,,0000,0000,0000,,the channel, after\Nsome time, you
Dialogue: 0,0:02:21.92,0:02:23.91,Default,,0000,0000,0000,,may see that forwarder\Nis not sending data.
Dialogue: 0,0:02:23.91,0:02:26.96,Default,,0000,0000,0000,,So how to troubleshoot\Nthat, I'll show you that.
Dialogue: 0,0:02:26.96,0:02:27.86,Default,,0000,0000,0000,,OK.
Dialogue: 0,0:02:27.86,0:02:32.54,Default,,0000,0000,0000,,So quickly, let's first\Nreview the syslog-ng server
Dialogue: 0,0:02:32.54,0:02:34.78,Default,,0000,0000,0000,,configuration requirement.
Dialogue: 0,0:02:34.78,0:02:38.04,Default,,0000,0000,0000,,So this is for a\NLinux Ubuntu machine.
Dialogue: 0,0:02:38.04,0:02:40.82,Default,,0000,0000,0000,,So what you have to\Ndo, you have to get
Dialogue: 0,0:02:40.82,0:02:43.13,Default,,0000,0000,0000,,apt-get install syslog-ng.
Dialogue: 0,0:02:43.13,0:02:48.17,Default,,0000,0000,0000,,And then, basically, that will\Ninstall the syslog-ng server
Dialogue: 0,0:02:48.17,0:02:54.30,Default,,0000,0000,0000,,and then validate if it is\Nlistening to port number 514.
Dialogue: 0,0:02:54.30,0:02:58.91,Default,,0000,0000,0000,,You can also watch\Nvalidate the status
Dialogue: 0,0:02:58.91,0:03:01.08,Default,,0000,0000,0000,,by using sudo services\Nstatus syslog-ng.
Dialogue: 0,0:03:01.08,0:03:03.70,Default,,0000,0000,0000,,So syslog-ng is started.
Dialogue: 0,0:03:03.70,0:03:06.49,Default,,0000,0000,0000,,It's listening on\Nport number 514.
Dialogue: 0,0:03:06.49,0:03:07.81,Default,,0000,0000,0000,,Now what we have to do?
Dialogue: 0,0:03:07.81,0:03:09.19,Default,,0000,0000,0000,,We already did that.
Dialogue: 0,0:03:09.19,0:03:15.15,Default,,0000,0000,0000,,Actually, ASA is sending\Nsyslogs to port number 514
Dialogue: 0,0:03:15.15,0:03:17.02,Default,,0000,0000,0000,,or to this server, all right?
Dialogue: 0,0:03:17.02,0:03:18.72,Default,,0000,0000,0000,,So I'll show you that.
Dialogue: 0,0:03:18.72,0:03:21.81,Default,,0000,0000,0000,,And then we will talk about how\Nto do in universal forwarder
Dialogue: 0,0:03:21.81,0:03:22.39,Default,,0000,0000,0000,,config.
Dialogue: 0,0:03:22.39,0:03:27.60,Default,,0000,0000,0000,,But let's first validate\Nsyslog-ng server.
Dialogue: 0,0:03:27.60,0:03:31.44,Default,,0000,0000,0000,,So this is our ASA.
Dialogue: 0,0:03:31.44,0:03:35.02,Default,,0000,0000,0000,,Mind it, this is going to be\Na little demo-intensive video.
Dialogue: 0,0:03:35.02,0:03:37.80,Default,,0000,0000,0000,,So please try to\Nfollow along with me.
Dialogue: 0,0:03:37.80,0:03:41.25,Default,,0000,0000,0000,,
Dialogue: 0,0:03:41.25,0:03:46.26,Default,,0000,0000,0000,,So as you can see, ASA\Nis sending these logs
Dialogue: 0,0:03:46.26,0:03:48.76,Default,,0000,0000,0000,,to 192.168.1.22.
Dialogue: 0,0:03:48.76,0:03:50.79,Default,,0000,0000,0000,,And that is our Ubuntu server.
Dialogue: 0,0:03:50.79,0:03:55.86,Default,,0000,0000,0000,,All right, I'm going to\Nshow you that IP address.
Dialogue: 0,0:03:55.86,0:03:58.50,Default,,0000,0000,0000,,IP address is 192.1 in this.
Dialogue: 0,0:03:58.50,0:04:12.04,Default,,0000,0000,0000,,And let's do netstat grep 514.
Dialogue: 0,0:04:12.04,0:04:15.88,Default,,0000,0000,0000,,So you can see, this is already\Nlistening on port number 514
Dialogue: 0,0:04:15.88,0:04:21.75,Default,,0000,0000,0000,,for TCP/UDP and receiving\Nall the syslog details, OK?
Dialogue: 0,0:04:21.75,0:04:27.97,Default,,0000,0000,0000,,
Dialogue: 0,0:04:27.97,0:04:36.46,Default,,0000,0000,0000,,Now, it is our turn to\Ninstall Splunk forwarder.
Dialogue: 0,0:04:36.46,0:04:42.26,Default,,0000,0000,0000,,Before we do Splunk forwarding,\Nlet's go to the Splunk website,
Dialogue: 0,0:04:42.26,0:04:42.76,Default,,0000,0000,0000,,all right?
Dialogue: 0,0:04:42.76,0:04:47.39,Default,,0000,0000,0000,,So here I am on Splunk website,\Nand I want free Splunk.
Dialogue: 0,0:04:47.39,0:04:53.14,Default,,0000,0000,0000,,So I created an account here and\Ndownloaded the Splunk Enterprise
Dialogue: 0,0:04:53.14,0:04:56.26,Default,,0000,0000,0000,,software, OK?
Dialogue: 0,0:04:56.26,0:04:59.36,Default,,0000,0000,0000,,Not the cloud one,\Nthe Splunk 8.5,
Dialogue: 0,0:04:59.36,0:05:02.27,Default,,0000,0000,0000,,which is the current software.
Dialogue: 0,0:05:02.27,0:05:04.92,Default,,0000,0000,0000,,You can say Free Splunk,\Nand you can download.
Dialogue: 0,0:05:04.92,0:05:08.33,Default,,0000,0000,0000,,I already downloaded it, so I'm\Nnot going to download it again.
Dialogue: 0,0:05:08.33,0:05:11.57,Default,,0000,0000,0000,,As you can see, this is a\N60-day free trial for Splunk
Dialogue: 0,0:05:11.57,0:05:12.30,Default,,0000,0000,0000,,Enterprise.
Dialogue: 0,0:05:12.30,0:05:15.89,Default,,0000,0000,0000,,This is what I downloaded and\Ninstalled on a Windows machine,
Dialogue: 0,0:05:15.89,0:05:18.32,Default,,0000,0000,0000,,OK?
Dialogue: 0,0:05:18.32,0:05:21.81,Default,,0000,0000,0000,,So here is your main\NSplunk dashboard.
Dialogue: 0,0:05:21.81,0:05:25.07,Default,,0000,0000,0000,,What we are going to do, we are\Ngoing to do a couple of things.
Dialogue: 0,0:05:25.07,0:05:30.53,Default,,0000,0000,0000,,First is we are going to\Nmake this server listen
Dialogue: 0,0:05:30.53,0:05:34.43,Default,,0000,0000,0000,,for data stream, right?
Dialogue: 0,0:05:34.43,0:05:36.47,Default,,0000,0000,0000,,Multiple ways, you can add data.
Dialogue: 0,0:05:36.47,0:05:39.59,Default,,0000,0000,0000,,Like here, if you\Nclick on Add Data,
Dialogue: 0,0:05:39.59,0:05:41.54,Default,,0000,0000,0000,,there are multiple options.
Dialogue: 0,0:05:41.54,0:05:43.08,Default,,0000,0000,0000,,I'm going to skip the tour.
Dialogue: 0,0:05:43.08,0:05:47.40,Default,,0000,0000,0000,,You can do networking,\Nyou can do OS, and upload.
Dialogue: 0,0:05:47.40,0:05:48.84,Default,,0000,0000,0000,,You can actually\Nupload the data.
Dialogue: 0,0:05:48.84,0:05:51.53,Default,,0000,0000,0000,,So if you have a\Ncompressed file,
Dialogue: 0,0:05:51.53,0:05:53.27,Default,,0000,0000,0000,,CSV file, you can\Nactually upload it.
Dialogue: 0,0:05:53.27,0:05:55.52,Default,,0000,0000,0000,,But that's not\Nvery scalable way.
Dialogue: 0,0:05:55.52,0:06:00.01,Default,,0000,0000,0000,,We want our data to be\Ncontinuously sent as a stream,
Dialogue: 0,0:06:00.01,0:06:03.25,Default,,0000,0000,0000,,and then Splunk to do\Nall those indexing so
Dialogue: 0,0:06:03.25,0:06:04.61,Default,,0000,0000,0000,,that we can run our searches.
Dialogue: 0,0:06:04.61,0:06:06.04,Default,,0000,0000,0000,,So for that, what\Nyou have to do,
Dialogue: 0,0:06:06.04,0:06:10.07,Default,,0000,0000,0000,,you have to prepare your Splunk\Nto listen on certain ports.
Dialogue: 0,0:06:10.07,0:06:14.18,Default,,0000,0000,0000,,And that is called\Nreceiving here, OK?
Dialogue: 0,0:06:14.18,0:06:20.44,Default,,0000,0000,0000,,Forwarding and receiving--\Nconfigure receiving, OK?
Dialogue: 0,0:06:20.44,0:06:22.42,Default,,0000,0000,0000,,We don't want to\Nconfigure forwarding here
Dialogue: 0,0:06:22.42,0:06:25.15,Default,,0000,0000,0000,,because we will be\Nusing forwarding agents.
Dialogue: 0,0:06:25.15,0:06:27.82,Default,,0000,0000,0000,,Only thing is, I want\Nthis Splunk server
Dialogue: 0,0:06:27.82,0:06:29.39,Default,,0000,0000,0000,,to listen on certain port.
Dialogue: 0,0:06:29.39,0:06:33.20,Default,,0000,0000,0000,,And that is port\Nnumber triple 97, 9997.
Dialogue: 0,0:06:33.20,0:06:34.82,Default,,0000,0000,0000,,And that's the default\Nport for Splunk.
Dialogue: 0,0:06:34.82,0:06:38.17,Default,,0000,0000,0000,,So I kept it default. OK,\Nthat's all you want to do here.
Dialogue: 0,0:06:38.17,0:06:43.96,Default,,0000,0000,0000,,Now, since this server is\Nlistening on the designated
Dialogue: 0,0:06:43.96,0:06:46.15,Default,,0000,0000,0000,,port, so now it is\Nour turn to configure
Dialogue: 0,0:06:46.15,0:06:47.50,Default,,0000,0000,0000,,the universal forwarder.
Dialogue: 0,0:06:47.50,0:06:49.39,Default,,0000,0000,0000,,And for that, what\Ndo you have to do?
Dialogue: 0,0:06:49.39,0:06:53.30,Default,,0000,0000,0000,,You have to download\Nthe forwarder, OK?
Dialogue: 0,0:06:53.30,0:06:55.67,Default,,0000,0000,0000,,And I'll show you from where\Nto download the forwarder.
Dialogue: 0,0:06:55.67,0:07:01.55,Default,,0000,0000,0000,,So you can do sudo wget and\Nthe wget IP on this part
Dialogue: 0,0:07:01.55,0:07:04.53,Default,,0000,0000,0000,,so that it will get\Ndownloaded to your machine.
Dialogue: 0,0:07:04.53,0:07:07.85,Default,,0000,0000,0000,,And then what you can do is\Nyou can copy that forwarder,
Dialogue: 0,0:07:07.85,0:07:11.52,Default,,0000,0000,0000,,what you downloaded, to\Na third-party directory
Dialogue: 0,0:07:11.52,0:07:13.29,Default,,0000,0000,0000,,or a third-party\Nsoftware directory,
Dialogue: 0,0:07:13.29,0:07:16.56,Default,,0000,0000,0000,,which is /opt cd plus cp.
Dialogue: 0,0:07:16.56,0:07:21.08,Default,,0000,0000,0000,,And then whatever you\Ndownloaded, copy it to /opt.
Dialogue: 0,0:07:21.08,0:07:23.84,Default,,0000,0000,0000,,Then go to that\Ndirectory, sudo /opt,
Dialogue: 0,0:07:23.84,0:07:28.64,Default,,0000,0000,0000,,and do a sudo dpkg,\Nwhich is like a package
Dialogue: 0,0:07:28.64,0:07:29.70,Default,,0000,0000,0000,,manager for Ubuntu.
Dialogue: 0,0:07:29.70,0:07:32.67,Default,,0000,0000,0000,,And this is what you have to do.
Dialogue: 0,0:07:32.67,0:07:37.40,Default,,0000,0000,0000,,You may need ins curl\Nbecause it is running
Dialogue: 0,0:07:37.40,0:07:38.58,Default,,0000,0000,0000,,some background curl checks.
Dialogue: 0,0:07:38.58,0:07:42.29,Default,,0000,0000,0000,,So make sure you have the\Ncurl utility installed.
Dialogue: 0,0:07:42.29,0:07:46.83,Default,,0000,0000,0000,,And if not, then you have to\Ndo dpkg-reconfigure again, OK?
Dialogue: 0,0:07:46.83,0:07:50.07,Default,,0000,0000,0000,,Once you do that, it will\Ninstall the software.
Dialogue: 0,0:07:50.07,0:07:53.18,Default,,0000,0000,0000,,Now, finally, what\Nyou can do, when
Dialogue: 0,0:07:53.18,0:07:57.05,Default,,0000,0000,0000,,you do a list of\Ndirectories, you
Dialogue: 0,0:07:57.05,0:08:01.17,Default,,0000,0000,0000,,can see there is a directory\Ncreated called splunkforwarder.
Dialogue: 0,0:08:01.17,0:08:02.76,Default,,0000,0000,0000,,Go to splunkforwarder there.
Dialogue: 0,0:08:02.76,0:08:05.38,Default,,0000,0000,0000,,Under that, go to bin directory.
Dialogue: 0,0:08:05.38,0:08:09.84,Default,,0000,0000,0000,,And that is the directory where\Nyou can start, stop, or restart
Dialogue: 0,0:08:09.84,0:08:13.03,Default,,0000,0000,0000,,your Splunk instance,\Nuniversal forwarder instance.
Dialogue: 0,0:08:13.03,0:08:17.74,Default,,0000,0000,0000,,So we are going to go to cd\Nbin and say sudo splunk start.
Dialogue: 0,0:08:17.74,0:08:21.81,Default,,0000,0000,0000,,And make sure you accept the\Nlicense from command line,
Dialogue: 0,0:08:21.81,0:08:22.45,Default,,0000,0000,0000,,like this.
Dialogue: 0,0:08:22.45,0:08:26.82,Default,,0000,0000,0000,,Otherwise, you will have to read\Nthe entire license by pressing
Dialogue: 0,0:08:26.82,0:08:29.13,Default,,0000,0000,0000,,Page Up and Page Down.
Dialogue: 0,0:08:29.13,0:08:31.55,Default,,0000,0000,0000,,And, finally, you can validate\Nthe Splunk status check.
Dialogue: 0,0:08:31.55,0:08:32.05,Default,,0000,0000,0000,,All right.
Dialogue: 0,0:08:32.05,0:08:35.48,Default,,0000,0000,0000,,So I'm going to show you all\Nthis on the forwarder itself.
Dialogue: 0,0:08:35.48,0:08:38.16,Default,,0000,0000,0000,,
Dialogue: 0,0:08:38.16,0:08:39.66,Default,,0000,0000,0000,,So let's go.
Dialogue: 0,0:08:39.66,0:08:42.87,Default,,0000,0000,0000,,As you can see, I downloaded\Nthis forwarder here
Dialogue: 0,0:08:42.87,0:08:46.95,Default,,0000,0000,0000,,and then parked it to opt.
Dialogue: 0,0:08:46.95,0:08:52.20,Default,,0000,0000,0000,,And here you can see\NSplunk forwarder is there.
Dialogue: 0,0:08:52.20,0:08:57.15,Default,,0000,0000,0000,,Under Splunk forwarder, we\Nhave lot of directories, right?
Dialogue: 0,0:08:57.15,0:09:00.98,Default,,0000,0000,0000,,All the local\Nconfiguration-related things
Dialogue: 0,0:09:00.98,0:09:05.97,Default,,0000,0000,0000,,are stored in etc, just like\Nany Ubuntu Linux system.
Dialogue: 0,0:09:05.97,0:09:09.45,Default,,0000,0000,0000,,But this is only for\NSplunk-related files, all right?
Dialogue: 0,0:09:09.45,0:09:12.96,Default,,0000,0000,0000,,But right now, we are interested\Nin checking the status.
Dialogue: 0,0:09:12.96,0:09:18.05,Default,,0000,0000,0000,,So what you can do, you can\Njust go to bin directory
Dialogue: 0,0:09:18.05,0:09:20.83,Default,,0000,0000,0000,,and then do a sudo.
Dialogue: 0,0:09:20.83,0:09:27.14,Default,,0000,0000,0000,,
Dialogue: 0,0:09:27.14,0:09:32.60,Default,,0000,0000,0000,,So Splunk status.
Dialogue: 0,0:09:32.60,0:09:35.30,Default,,0000,0000,0000,,
Dialogue: 0,0:09:35.30,0:09:37.88,Default,,0000,0000,0000,,When you install, it will\Nask you to create a username
Dialogue: 0,0:09:37.88,0:09:38.67,Default,,0000,0000,0000,,and password.
Dialogue: 0,0:09:38.67,0:09:42.65,Default,,0000,0000,0000,,And that's the-- but this is\Nthe sudo username, password.
Dialogue: 0,0:09:42.65,0:09:45.71,Default,,0000,0000,0000,,OK, Splunk command not found.
Dialogue: 0,0:09:45.71,0:09:47.09,Default,,0000,0000,0000,,OK, pwd/bin.
Dialogue: 0,0:09:47.09,0:09:49.85,Default,,0000,0000,0000,,
Dialogue: 0,0:09:49.85,0:09:52.32,Default,,0000,0000,0000,,I am not in the\Ncorrect file, OK?
Dialogue: 0,0:09:52.32,0:09:53.31,Default,,0000,0000,0000,,That is the reason.
Dialogue: 0,0:09:53.31,0:09:55.65,Default,,0000,0000,0000,,So let me start over.
Dialogue: 0,0:09:55.65,0:10:02.13,Default,,0000,0000,0000,,I'm going to say\Ncd/opt/splunkforwarder bin.
Dialogue: 0,0:10:02.13,0:10:03.33,Default,,0000,0000,0000,,That's it.
Dialogue: 0,0:10:03.33,0:10:11.27,Default,,0000,0000,0000,,And then Splunk status.
Dialogue: 0,0:10:11.27,0:10:13.50,Default,,0000,0000,0000,,That's it, Splunk is running.
Dialogue: 0,0:10:13.50,0:10:17.35,Default,,0000,0000,0000,,So my universal forwarder\Nis properly installed.
Dialogue: 0,0:10:17.35,0:10:20.88,Default,,0000,0000,0000,,As I was telling you that\Nall the configuration files
Dialogue: 0,0:10:20.88,0:10:22.05,Default,,0000,0000,0000,,are stored in etc.
Dialogue: 0,0:10:22.05,0:10:26.76,Default,,0000,0000,0000,,So let's quickly revisit\Nthe st. Go to system.
Dialogue: 0,0:10:26.76,0:10:30.39,Default,,0000,0000,0000,,
Dialogue: 0,0:10:30.39,0:10:34.91,Default,,0000,0000,0000,,Or maybe just list everything\Nhere and see all the--
Dialogue: 0,0:10:34.91,0:10:49.11,Default,,0000,0000,0000,,
Dialogue: 0,0:10:49.11,0:10:51.87,Default,,0000,0000,0000,,OK.
Dialogue: 0,0:10:51.87,0:10:54.58,Default,,0000,0000,0000,,All Splunk configuration\Nrelated files are here.
Dialogue: 0,0:10:54.58,0:11:00.13,Default,,0000,0000,0000,,And you can read instance\Nconfig, licenses.
Dialogue: 0,0:11:00.13,0:11:05.02,Default,,0000,0000,0000,,And even you can go\Nto system, cd system.
Dialogue: 0,0:11:05.02,0:11:10.22,Default,,0000,0000,0000,,And you can look at\Nthe local, cd local.
Dialogue: 0,0:11:10.22,0:11:13.27,Default,,0000,0000,0000,,
Dialogue: 0,0:11:13.27,0:11:15.28,Default,,0000,0000,0000,,And here is your output config.
Dialogue: 0,0:11:15.28,0:11:18.92,Default,,0000,0000,0000,,Where this universal forwarder\Nwill send the config?
Dialogue: 0,0:11:18.92,0:11:20.51,Default,,0000,0000,0000,,What does the server\Nconfig look like?
Dialogue: 0,0:11:20.51,0:11:21.95,Default,,0000,0000,0000,,All those information are here.
Dialogue: 0,0:11:21.95,0:11:23.47,Default,,0000,0000,0000,,But again, as I\Nmentioned, I'm not
Dialogue: 0,0:11:23.47,0:11:25.99,Default,,0000,0000,0000,,going to go deep into this, OK?
Dialogue: 0,0:11:25.99,0:11:27.94,Default,,0000,0000,0000,,So this is up to you.
Dialogue: 0,0:11:27.94,0:11:29.44,Default,,0000,0000,0000,,Now, what we are\Ngoing to do, we are
Dialogue: 0,0:11:29.44,0:11:32.32,Default,,0000,0000,0000,,going to configure\Nthe forwarding rules.
Dialogue: 0,0:11:32.32,0:11:38.17,Default,,0000,0000,0000,,So again, we are going to go to\Nsplunkforwarder/bin here.
Dialogue: 0,0:11:38.17,0:11:42.91,Default,,0000,0000,0000,,And let's go back and look\Nat the configuration again.
Dialogue: 0,0:11:42.91,0:11:44.93,Default,,0000,0000,0000,,So this is for installation.
Dialogue: 0,0:11:44.93,0:11:47.28,Default,,0000,0000,0000,,Now, the rule setting, right?
Dialogue: 0,0:11:47.28,0:11:48.49,Default,,0000,0000,0000,,So what you are going to say?
Dialogue: 0,0:11:48.49,0:11:53.33,Default,,0000,0000,0000,,You are going to say\Nsudo ./splunk add forward-server.
Dialogue: 0,0:11:53.33,0:11:56.99,Default,,0000,0000,0000,,And this is the Splunk\NEnterprise IP address, slash
Dialogue: 0,0:11:56.99,0:11:59.61,Default,,0000,0000,0000,,or colon add port.
Dialogue: 0,0:11:59.61,0:12:04.60,Default,,0000,0000,0000,,If you remember, we created\Na receiving port 9997.
Dialogue: 0,0:12:04.60,0:12:09.43,Default,,0000,0000,0000,,So put your Splunk Enterprise\NIP address colon port number.
Dialogue: 0,0:12:09.43,0:12:11.64,Default,,0000,0000,0000,,Make sure you have\Nthe networking
Dialogue: 0,0:12:11.64,0:12:16.78,Default,,0000,0000,0000,,or reachability between\Nforwarder and Enterprise server.
Dialogue: 0,0:12:16.78,0:12:19.03,Default,,0000,0000,0000,,And there is no firewall\Nblocking and other things.
Dialogue: 0,0:12:19.03,0:12:24.27,Default,,0000,0000,0000,,So this is how you will point\Nyour universal forwarder
Dialogue: 0,0:12:24.27,0:12:25.96,Default,,0000,0000,0000,,to the Splunk Enterprise server.
Dialogue: 0,0:12:25.96,0:12:27.04,Default,,0000,0000,0000,,Next, what you want to do?
Dialogue: 0,0:12:27.04,0:12:30.49,Default,,0000,0000,0000,,You want to monitor\Nthe data, right?
Dialogue: 0,0:12:30.49,0:12:33.88,Default,,0000,0000,0000,,The data thing, what you\Nwant to send to the server.
Dialogue: 0,0:12:33.88,0:12:37.50,Default,,0000,0000,0000,,And for that, we have to do\Nsplunk add monitor and then
Dialogue: 0,0:12:37.50,0:12:39.04,Default,,0000,0000,0000,,the file and location.
Dialogue: 0,0:12:39.04,0:12:45.42,Default,,0000,0000,0000,,So here, what I'm doing, I'm\Nsending my ASA logs, which
Dialogue: 0,0:12:45.42,0:12:47.37,Default,,0000,0000,0000,,is coming to the syslog server.
Dialogue: 0,0:12:47.37,0:12:52.96,Default,,0000,0000,0000,,At this folder, I'm going to\Nsend this to Splunk Enterprise.
Dialogue: 0,0:12:52.96,0:12:55.14,Default,,0000,0000,0000,,And when you\Nconfigure these rules,
Dialogue: 0,0:12:55.14,0:12:57.40,Default,,0000,0000,0000,,you may have to\Nrestart the Splunk.
Dialogue: 0,0:12:57.40,0:13:00.20,Default,,0000,0000,0000,,And to do that, you can\Njust say splunk restart.
Dialogue: 0,0:13:00.20,0:13:00.98,Default,,0000,0000,0000,,That's it.
Dialogue: 0,0:13:00.98,0:13:04.63,Default,,0000,0000,0000,,You can come back always and\Ncheck if your forwarder is
Dialogue: 0,0:13:04.63,0:13:05.78,Default,,0000,0000,0000,,active or no.
Dialogue: 0,0:13:05.78,0:13:09.67,Default,,0000,0000,0000,,And if something is wrong,\Nby using this command, OK?
Dialogue: 0,0:13:09.67,0:13:12.65,Default,,0000,0000,0000,,
Dialogue: 0,0:13:12.65,0:13:15.62,Default,,0000,0000,0000,,So now let's go back\Nand check our forwarder.
Dialogue: 0,0:13:15.62,0:13:26.90,Default,,0000,0000,0000,,
Dialogue: 0,0:13:26.90,0:13:27.40,Default,,0000,0000,0000,,Splunk.
Dialogue: 0,0:13:27.40,0:13:30.22,Default,,0000,0000,0000,,
Dialogue: 0,0:13:30.22,0:13:33.37,Default,,0000,0000,0000,,Let's look at the\Ncommand list forwarder.
Dialogue: 0,0:13:33.37,0:13:35.59,Default,,0000,0000,0000,,You can always do help.
Dialogue: 0,0:13:35.59,0:13:37.10,Default,,0000,0000,0000,,So we are going to say list--
Dialogue: 0,0:13:37.10,0:13:41.62,Default,,0000,0000,0000,,
Dialogue: 0,0:13:41.62,0:13:48.01,Default,,0000,0000,0000,,too bad it doesn't do\Na tab complete, but--
Dialogue: 0,0:13:48.01,0:13:50.05,Default,,0000,0000,0000,,your session is\Ninvalid, so you have
Dialogue: 0,0:13:50.05,0:13:53.04,Default,,0000,0000,0000,,to log in to your\Nuniversal forwarder, OK?
Dialogue: 0,0:13:53.04,0:13:54.70,Default,,0000,0000,0000,,So this is the log-in.
Dialogue: 0,0:13:54.70,0:13:56.20,Default,,0000,0000,0000,,Your username and\Npassword, you will
Dialogue: 0,0:13:56.20,0:13:59.93,Default,,0000,0000,0000,,create, while installing\Nthe universal forwarder, not
Dialogue: 0,0:13:59.93,0:14:03.71,Default,,0000,0000,0000,,your Enterprise Splunk\Nusername and password.
Dialogue: 0,0:14:03.71,0:14:07.64,Default,,0000,0000,0000,,But, for me, both are same.
Dialogue: 0,0:14:07.64,0:14:09.78,Default,,0000,0000,0000,,I re-use the username\Nand password.
Dialogue: 0,0:14:09.78,0:14:12.86,Default,,0000,0000,0000,,And here you can see, after\Nputting the credentials,
Dialogue: 0,0:14:12.86,0:14:15.38,Default,,0000,0000,0000,,I can see this is my\Nactive forwarder, what
Dialogue: 0,0:14:15.38,0:14:18.69,Default,,0000,0000,0000,,I configured using port number.
Dialogue: 0,0:14:18.69,0:14:22.23,Default,,0000,0000,0000,,And is there any\Ninactive forwarder?
Dialogue: 0,0:14:22.23,0:14:23.24,Default,,0000,0000,0000,,No.
Dialogue: 0,0:14:23.24,0:14:25.01,Default,,0000,0000,0000,,So we are good.
Dialogue: 0,0:14:25.01,0:14:27.57,Default,,0000,0000,0000,,So this is how you are going\Nto create the forwarder.
Dialogue: 0,0:14:27.57,0:14:31.49,Default,,0000,0000,0000,,And now let's validate if\Nthis data is showing up
Dialogue: 0,0:14:31.49,0:14:36.39,Default,,0000,0000,0000,,or if this forwarder is showing\Nup in Splunk Enterprise or not.
Dialogue: 0,0:14:36.39,0:14:39.24,Default,,0000,0000,0000,,And for that, what you can\Ndo, you can go to Dashboard.
Dialogue: 0,0:14:39.24,0:14:42.98,Default,,0000,0000,0000,,Your dashboard may be empty, OK?
Dialogue: 0,0:14:42.98,0:14:46.19,Default,,0000,0000,0000,,So what you can do, you\Ncan create a dashboard.
Dialogue: 0,0:14:46.19,0:14:48.86,Default,,0000,0000,0000,,
Dialogue: 0,0:14:48.86,0:14:51.08,Default,,0000,0000,0000,,OK.
Dialogue: 0,0:14:51.08,0:14:54.16,Default,,0000,0000,0000,,Let's go back to Search first.
Dialogue: 0,0:14:54.16,0:14:57.95,Default,,0000,0000,0000,,And here you can come\Nand say Data Summary.
Dialogue: 0,0:14:57.95,0:15:00.78,Default,,0000,0000,0000,,A quick way to test\Nyour data inputs
Dialogue: 0,0:15:00.78,0:15:04.35,Default,,0000,0000,0000,,is by setting--\Nclick on Data Summary.
Dialogue: 0,0:15:04.35,0:15:06.39,Default,,0000,0000,0000,,Once you click on\NData Summary, it
Dialogue: 0,0:15:06.39,0:15:08.58,Default,,0000,0000,0000,,is going to look\Nhow many hosts--
Dialogue: 0,0:15:08.58,0:15:12.90,Default,,0000,0000,0000,,that means forwarder-- is\Ntalking to this Enterprise
Dialogue: 0,0:15:12.90,0:15:13.78,Default,,0000,0000,0000,,server.
Dialogue: 0,0:15:13.78,0:15:16.53,Default,,0000,0000,0000,,And if you click on\Nthat, I have two.
Dialogue: 0,0:15:16.53,0:15:22.69,Default,,0000,0000,0000,,One, which is sending the 121,\Nwhich is sending [INAUDIBLE].
Dialogue: 0,0:15:22.69,0:15:27.55,Default,,0000,0000,0000,,And that is defined by\Nthis naming convention.
Dialogue: 0,0:15:27.55,0:15:29.47,Default,,0000,0000,0000,,And then another is Ubuntu Pi.
Dialogue: 0,0:15:29.47,0:15:34.50,Default,,0000,0000,0000,,So these two data are being\Nsent to Enterprise server.
Dialogue: 0,0:15:34.50,0:15:37.45,Default,,0000,0000,0000,,Sources, what source\Nwe are monitoring?
Dialogue: 0,0:15:37.45,0:15:40.11,Default,,0000,0000,0000,,All those things\Nare listed here.
Dialogue: 0,0:15:40.11,0:15:43.27,Default,,0000,0000,0000,,And source type,\Nit automatically
Dialogue: 0,0:15:43.27,0:15:47.19,Default,,0000,0000,0000,,tries to classify by reading\Nthe files by some existing rules
Dialogue: 0,0:15:47.19,0:15:49.00,Default,,0000,0000,0000,,and say these are\Nthe source types.
Dialogue: 0,0:15:49.00,0:15:53.17,Default,,0000,0000,0000,,There are various pre-built\Nsource types, like ASA.
Dialogue: 0,0:15:53.17,0:15:55.45,Default,,0000,0000,0000,,Not all those pre-built\Nsource types are there.
Dialogue: 0,0:15:55.45,0:15:59.99,Default,,0000,0000,0000,,You can also build a\Ncustom-built source type.
Dialogue: 0,0:15:59.99,0:16:04.32,Default,,0000,0000,0000,,So let's look at the host\Nand try to load this.
Dialogue: 0,0:16:04.32,0:16:10.10,Default,,0000,0000,0000,,So here, you can see\Nall my var/log/firewall,
Dialogue: 0,0:16:10.10,0:16:15.80,Default,,0000,0000,0000,,the place which we are\Nmonitoring on syslog-ng server.
Dialogue: 0,0:16:15.80,0:16:18.50,Default,,0000,0000,0000,,All these logs\Nstarted showing here.
Dialogue: 0,0:16:18.50,0:16:22.28,Default,,0000,0000,0000,,
Dialogue: 0,0:16:22.28,0:16:26.49,Default,,0000,0000,0000,,And based on these logs here, it\Nhas created some selected fields.
Dialogue: 0,0:16:26.49,0:16:30.36,Default,,0000,0000,0000,,You can select those fields\Nand create a new search query.
Dialogue: 0,0:16:30.36,0:16:33.08,Default,,0000,0000,0000,,Right now, it is just\Nsearching on the host name.
Dialogue: 0,0:16:33.08,0:16:37.55,Default,,0000,0000,0000,,And you can see all those events\Nnicely getting populated here.
Dialogue: 0,0:16:37.55,0:16:39.42,Default,,0000,0000,0000,,You can go back in timeline--
Dialogue: 0,0:16:39.42,0:16:42.80,Default,,0000,0000,0000,,24 hour, 30 minute, five minute.
Dialogue: 0,0:16:42.80,0:16:47.27,Default,,0000,0000,0000,,Everything you can see.
Dialogue: 0,0:16:47.27,0:16:49.62,Default,,0000,0000,0000,,You can create your\Nown search pattern,
Dialogue: 0,0:16:49.62,0:16:52.58,Default,,0000,0000,0000,,and you can also do\Nsome visualization.
Dialogue: 0,0:16:52.58,0:17:00.03,Default,,0000,0000,0000,,And at the same time, you\Ncan create a table view.
Dialogue: 0,0:17:00.03,0:17:05.53,Default,,0000,0000,0000,,So different ways of\Nvisualization, table format,
Dialogue: 0,0:17:05.53,0:17:07.36,Default,,0000,0000,0000,,bar chart format,\Nand all those things.
Dialogue: 0,0:17:07.36,0:17:09.84,Default,,0000,0000,0000,,But the nice, cool\Nthing about Splunk,
Dialogue: 0,0:17:09.84,0:17:13.53,Default,,0000,0000,0000,,which needs a little\Nbit of education
Dialogue: 0,0:17:13.53,0:17:16.81,Default,,0000,0000,0000,,about Splunk Processing\NLanguage, SPL,
Dialogue: 0,0:17:16.81,0:17:19.59,Default,,0000,0000,0000,,so that you can\Nactually use these
Dialogue: 0,0:17:19.59,0:17:23.38,Default,,0000,0000,0000,,logs to create your search\Nquery or create a pattern,
Dialogue: 0,0:17:23.38,0:17:26.89,Default,,0000,0000,0000,,so that you can present these\Nlogs in a meaningful way.
Dialogue: 0,0:17:26.89,0:17:28.56,Default,,0000,0000,0000,,And that's the end goal, right?
Dialogue: 0,0:17:28.56,0:17:30.21,Default,,0000,0000,0000,,Right now, in today's\Nvideo, I'm just
Dialogue: 0,0:17:30.21,0:17:35.68,Default,,0000,0000,0000,,going to make you familiar\Nwith Splunk distributed model.
Dialogue: 0,0:17:35.68,0:17:36.85,Default,,0000,0000,0000,,What is universal forwarder?
Dialogue: 0,0:17:36.85,0:17:37.98,Default,,0000,0000,0000,,What is the Enterprise?
Dialogue: 0,0:17:37.98,0:17:41.02,Default,,0000,0000,0000,,And how you can\Nbring your logs here.
Dialogue: 0,0:17:41.02,0:17:46.05,Default,,0000,0000,0000,,But you can do much more\Nby learning a few tricks
Dialogue: 0,0:17:46.05,0:17:47.68,Default,,0000,0000,0000,,in SPL language.
Dialogue: 0,0:17:47.68,0:17:49.26,Default,,0000,0000,0000,,OK.
Dialogue: 0,0:17:49.26,0:17:50.65,Default,,0000,0000,0000,,What else I want to show you?
Dialogue: 0,0:17:50.65,0:17:52.92,Default,,0000,0000,0000,,I want to show you--
Dialogue: 0,0:17:52.92,0:17:57.48,Default,,0000,0000,0000,,if you go to the home\Npage, Splunk, here I
Dialogue: 0,0:17:57.48,0:17:59.66,Default,,0000,0000,0000,,created the forwarder instance.
Dialogue: 0,0:17:59.66,0:18:01.46,Default,,0000,0000,0000,,So it's a snapshot.
Dialogue: 0,0:18:01.46,0:18:04.27,Default,,0000,0000,0000,,When I come to the\Nhome page, it quickly
Dialogue: 0,0:18:04.27,0:18:08.62,Default,,0000,0000,0000,,gives me a snapshot\Nof my forwarders,
Dialogue: 0,0:18:08.62,0:18:10.45,Default,,0000,0000,0000,,which are the\Nforwarders available,
Dialogue: 0,0:18:10.45,0:18:13.28,Default,,0000,0000,0000,,and what their data\Npattern looks like.
Dialogue: 0,0:18:13.28,0:18:15.73,Default,,0000,0000,0000,,So, as I mentioned,\NI have two of them.
Dialogue: 0,0:18:15.73,0:18:18.14,Default,,0000,0000,0000,,And I can load them here.
Dialogue: 0,0:18:18.14,0:18:21.17,Default,,0000,0000,0000,,I can watch their data patterns.
Dialogue: 0,0:18:21.17,0:18:24.82,Default,,0000,0000,0000,,And I can also click\Non any of these
Dialogue: 0,0:18:24.82,0:18:27.89,Default,,0000,0000,0000,,and see who is my receiver.
Dialogue: 0,0:18:27.89,0:18:31.87,Default,,0000,0000,0000,,So this Windows machine\Nitself is a receiver.
Dialogue: 0,0:18:31.87,0:18:34.39,Default,,0000,0000,0000,,So this is a cool thing\Nto monitor your forwarders,
Dialogue: 0,0:18:34.39,0:18:37.96,Default,,0000,0000,0000,,whether they are sending your\Ndata in real time or not.
Dialogue: 0,0:18:37.96,0:18:42.61,Default,,0000,0000,0000,,Finally, if you want to know\Nsomething about the Splunk
Dialogue: 0,0:18:42.61,0:18:46.43,Default,,0000,0000,0000,,utilization or the Enterprise\Nutilization itself,
Dialogue: 0,0:18:46.43,0:18:49.30,Default,,0000,0000,0000,,what you can do is, you can\Nalways go to the Monitoring Console
Dialogue: 0,0:18:49.30,0:18:53.50,Default,,0000,0000,0000,,and see here how your\NEnterprise server is
Dialogue: 0,0:18:53.50,0:18:56.33,Default,,0000,0000,0000,,doing resource-wise right now.
Dialogue: 0,0:18:56.33,0:19:00.10,Default,,0000,0000,0000,,So basically, these are the\Nlicense usage, disk usage,
Dialogue: 0,0:19:00.10,0:19:03.88,Default,,0000,0000,0000,,CPU usage, and all those\Nthings for the Enterprise server.
Dialogue: 0,0:19:03.88,0:19:07.29,Default,,0000,0000,0000,,That means how the server\Ninstance installation
Dialogue: 0,0:19:07.29,0:19:08.77,Default,,0000,0000,0000,,is doing health-wise.
Dialogue: 0,0:19:08.77,0:19:10.51,Default,,0000,0000,0000,,Is there any memory pressure?
Dialogue: 0,0:19:10.51,0:19:12.48,Default,,0000,0000,0000,,Is there any CPU pressure?
Dialogue: 0,0:19:12.48,0:19:17.97,Default,,0000,0000,0000,,Are we hitting any license or\Ndisk or throughput indexing rate
Dialogue: 0,0:19:17.97,0:19:18.88,Default,,0000,0000,0000,,threshold?
Dialogue: 0,0:19:18.88,0:19:21.87,Default,,0000,0000,0000,,All those things, you\Ncan manage from here.
Dialogue: 0,0:19:21.87,0:19:22.45,Default,,0000,0000,0000,,All right.
Dialogue: 0,0:19:22.45,0:19:25.89,Default,,0000,0000,0000,,But mostly, why would you come\Nhere? If you are not a Splunk
Dialogue: 0,0:19:25.89,0:19:27.30,Default,,0000,0000,0000,,administrator,\Nyou will come here
Dialogue: 0,0:19:27.30,0:19:29.98,Default,,0000,0000,0000,,to parse logs for\Nyour application.
Dialogue: 0,0:19:29.98,0:19:33.99,Default,,0000,0000,0000,,And for that, mostly, you\Nwant to create some search
Dialogue: 0,0:19:33.99,0:19:37.83,Default,,0000,0000,0000,,and reporting, create\Nsome cool search indexes,
Dialogue: 0,0:19:37.83,0:19:44.26,Default,,0000,0000,0000,,so that you can find a\Nneedle in a haystack.
Dialogue: 0,0:19:44.26,0:19:48.12,Default,,0000,0000,0000,,So with that, I'm going\Nto stop this video.
Dialogue: 0,0:19:48.12,0:19:51.36,Default,,0000,0000,0000,,And I'll continue\Nlearning Splunk.
Dialogue: 0,0:19:51.36,0:19:53.83,Default,,0000,0000,0000,,And I hope you will find\Nit interesting also.
Dialogue: 0,0:19:53.83,0:19:55.39,Default,,0000,0000,0000,,So let's continue this journey.
Dialogue: 0,0:19:55.39,0:19:57.20,Default,,0000,0000,0000,,Thank you.
Dialogue: 0,0:19:57.20,0:19:59.00,Default,,0000,0000,0000,,
