Welcome to SDN TechForum. Let's continue from our earlier video, ASA Essentials. In ASA Essentials we did the essential configuration: SSH, SNMP, NetFlow, SPAN, syslog, and packet tracer. So as things stand, this ASA is sending all of its logs to a syslog server. In this video we are going to start a new topic, and that topic is Fun with Splunk. You may be thinking, am I watching an old video? No, we'll continue from there and keep building on what we did so far. OK.

Fun with Splunk, as you can see. What we are going to do, as a side note, is I'm going to show you how to configure a syslog-ng server on Ubuntu, running on a Raspberry Pi or a laptop. Then we will start with Splunk. I'm going to install the Splunk server; I'll use the free trial version and install it on a Windows machine. Then we will have the Splunk universal forwarder, which is a lightweight agent, not very resource-intensive, that sits in the places where you have the data: the data you want to feed into the Splunk server so that it can index it, crunch it, and visualize it. So these universal forwarders sit on the sources where the data is stored, which is generally a Linux or Windows machine. Then I'll show you how to input data from the forwarder, that is, what rules you need to create. And finally we'll come back to the Splunk dashboard and see whether we can manage the forwarder status, and also crunch that data, index it, and search it. So this is not going to be a very Splunk-intensive video, but a lightweight one that is good for getting started. At the end I'll give you some forwarder troubleshooting tips, because many times, once you set up the channel, after some time you may see that the forwarder is not sending data. I'll show you how to troubleshoot that. OK.
So quickly, let's first review the syslog-ng server configuration requirements. This is for a Linux Ubuntu machine. What you have to do is run sudo apt-get install syslog-ng. That installs the syslog-ng server; then validate that it is listening on port 514. You can also validate the status with sudo service syslog-ng status. So syslog-ng is started and listening on port 514. Now what do we have to do? We already did that part: the ASA is already sending syslog to port 514 on this server. I'll show you that, and then we will talk about how to do the universal forwarder config.

But let's first validate the syslog-ng server. This is our ASA. Mind you, this is going to be a fairly demo-intensive video, so please try to follow along with me. As you can see, the ASA is sending its logs to 192.168.1.22, and that is our Ubuntu server. I'm going to show you that IP address: the IP address is 192.168.1.22. And let's do netstat and grep for 514. You can see it is already listening on port 514 for TCP and UDP and receiving all the syslog details, OK?

Now it is our turn to install the Splunk forwarder. Before we do Splunk forwarding, let's go to the Splunk website. So here I am on the Splunk website, and I want Free Splunk. I created an account here and downloaded the Splunk Enterprise software, not the cloud one: Splunk 8.5, which is the current software. You can click Free Splunk and download it. I already downloaded it, so I'm not going to download it again. As you can see, this is a 60-day free trial of Splunk Enterprise. This is what I downloaded and installed on a Windows machine, OK? So here is your main Splunk dashboard. We are going to do a couple of things. First, we are going to make this server listen for the data stream. There are multiple ways you can add data; if you click on Add Data, there are multiple options.
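The syslog-ng side of the setup above, as an added example (this is not the video's own configuration): a fragment that listens on 514 over UDP and TCP, keeps only messages from the ASA, and writes them under /var/log/firewall, plus the same "is 514 really bound" check the netstat step performs, as a function you can run against ss or netstat output. The ASA address 192.168.1.1, the conf.d path, and the asa.log file name are assumptions.

```shell
#!/bin/sh
# Added example, not from the video: a syslog-ng receiver for Cisco ASA logs
# plus a check that the port is really bound.
# Assumed (not stated in the video): the ASA's address is 192.168.1.1, the
# fragment goes in /etc/syslog-ng/conf.d/, and logs land in /var/log/firewall.
ASA_IP="${ASA_IP:-192.168.1.1}"
LOG_DIR="${LOG_DIR:-/var/log/firewall}"
CONF="${CONF:-/etc/syslog-ng/conf.d/asa.conf}"

# Print the syslog-ng fragment. UDP syslog carries no sender authentication,
# so the netmask() filter only stops accidental noise, not a spoofed source;
# put a host firewall rule in front of 514 as well, and prefer TCP (the ASA
# can also do TLS for TCP syslog with its "secure" option) where you can.
asa_syslog_ng_conf() {
    cat <<EOF
source s_asa_net {
    network(transport("udp") port(514));
    network(transport("tcp") port(514));
};
filter f_asa { netmask("$ASA_IP/32"); };
destination d_asa {
    file("$LOG_DIR/asa.log" create-dirs(yes) perm(0640) dir-perm(0750));
};
log { source(s_asa_net); filter(f_asa); destination(d_asa); };
EOF
}

# Read "ss -lntu" (or "netstat -lntu") output on stdin and succeed if any
# socket is bound to exactly the given port (":514 " but not ":5140 ").
listening_on() {
    grep -Eq "[:.]$1[[:space:]]"
}

# Install the fragment, syntax-check it, restart the daemon, then verify the
# listener. Only runs when invoked as "sh asa-syslog.sh install" (needs root).
install_and_check() {
    asa_syslog_ng_conf > "$CONF"
    syslog-ng --syntax-only
    service syslog-ng restart
    if ss -lntu | listening_on 514; then
        echo "syslog-ng is bound to port 514"
    else
        echo "port 514 is not bound; check 'journalctl -u syslog-ng'" >&2
        return 1
    fi
}

case "${1:-}" in
    install) install_and_check ;;
    show)    asa_syslog_ng_conf ;;
esac
```

Run "sh asa-syslog.sh show" to print the fragment without touching the system, and "sudo sh asa-syslog.sh install" to write it, check syntax, restart, and verify the bind. The perm(0640) on the file matters later: whatever user the Splunk forwarder runs as needs group read on that directory, or the monitor input silently reads nothing.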
I'm going to skip the tour. You can do networking, you can do OS, and you can upload. You can actually upload the data: if you have a compressed file or a CSV file, you can upload it. But that's not a very scalable way. We want our data to be continuously sent as a stream, and Splunk to do all the indexing so that we can run our searches. For that, you have to prepare Splunk to listen on certain ports, and that is called receiving here: Forwarding and receiving, then Configure receiving, OK? We don't want to configure forwarding here, because we will be using forwarding agents. The only thing I want is for this Splunk server to listen on a certain port, and that is port 9997, the default port for Splunk. So I kept the default. That's all you have to do here.

Now that this server is listening on the designated port, it is our turn to configure the universal forwarder. For that you have to download the forwarder, and I'll show you where to download it from. You can do sudo wget with the download URL so that it gets downloaded to your machine. Then copy the forwarder you downloaded into the third-party software directory, /opt: cd there and cp it. Then go to that directory, cd /opt, and run sudo dpkg -i on the package; dpkg is the package manager for Ubuntu. You may need to install curl, because the installer runs some background curl checks, so make sure you have the curl utility installed; if not, install it and run dpkg-reconfigure again, OK? Once you do that, it will install the software. Finally, when you list the directories, you can see there is a directory created called splunkforwarder. Go into splunkforwarder, and under that, go into the bin directory.
That is the directory from which you can start, stop, or restart your universal forwarder instance. So we are going to cd bin and say sudo ./splunk start, and make sure you accept the license from the command line, like this; otherwise you will have to read the entire license by pressing Page Up and Page Down. And finally, you can validate with a Splunk status check.

I'm going to show you all of this on the forwarder itself. So let's go. As you can see, I downloaded the forwarder here and then parked it in /opt. Here you can see splunkforwarder is there. Under splunkforwarder we have a lot of directories. All the local configuration-related things are stored in etc, just like any Ubuntu Linux system, but this etc is only for Splunk-related files. Right now, we are interested in checking the status. So you can just go to the bin directory and run sudo ./splunk status. When you install, it asks you to create a Splunk username and password, but this prompt here is the sudo password.

OK, "splunk: command not found". Let me check pwd: I am not in the correct directory, and that is the reason. So let me start over: cd /opt/splunkforwarder/bin, and then ./splunk status. That's it: Splunk is running, so my universal forwarder is properly installed.

As I was telling you, all the configuration files are stored in etc. So let's quickly revisit etc. Go to system, or maybe just list everything here and look around. All Splunk configuration-related files are here; you can read instance config and licenses. You can also go into system, cd system, and look at local, cd local. Here is your outputs config: where will this universal forwarder send its data? What does the server config look like? All that information is here. But again, as I mentioned, I'm not going to go deep into this, OK? That is up to you.
Now we are going to configure the forwarding rules. Again, we go to /opt/splunkforwarder/bin. Let's go back and look at the configuration again: that part was for installation; now the rule setup. You are going to say sudo ./splunk add forward-server, followed by the Splunk Enterprise IP address, a colon, and the port. If you remember, we created a receiving port, 9997. So put your Splunk Enterprise IP address, colon, port number. Make sure you have network reachability between the forwarder and the Enterprise server, and that no firewall or anything else is blocking it. This is how you point your universal forwarder at the Splunk Enterprise server.

Next, you want to monitor the data, the data you want to send to the server. For that we do splunk add monitor followed by the file or directory location. Here I'm sending my ASA logs, which arrive at the syslog server in this folder, to Splunk Enterprise. When you configure these rules, you may have to restart Splunk, and to do that you just say splunk restart. That's it. You can always come back and check whether your forwarder is active or not, and whether something is wrong, by using this command, OK?

So now let's go back and check our forwarder. Let's look at the command splunk list forward-server; you can always use help. So we are going to say list; too bad it doesn't tab-complete. "Your session is invalid", so you have to log in to your universal forwarder, OK? This login is the username and password you created while installing the universal forwarder, not your Enterprise Splunk username and password. For me, both are the same; I reused the username and password. After entering the credentials, I can see this is my active forwarder, the one I configured, with its port number.
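The whole forwarder procedure from the download through add forward-server and add monitor, as an added example script (this is not the video's own command sequence): it shows the outputs.conf and inputs.conf stanzas that those two splunk commands write, so you can see what you are actually configuring, and it differs from the video in two security-relevant ways: the forwarder runs as a dedicated non-root user instead of being started with sudo, and outputs.conf turns on TLS, because without it the forwarder sends every ASA log to port 9997 in cleartext. Assumed, not stated in the video: Enterprise at 192.168.1.10, the logs under /var/log/firewall, the sourcetype name cisco:asa (the Splunk Add-on for Cisco ASA's sourcetype), the user name splunkfwd, and a client certificate at etc/auth/forwarder.pem; check the useSSL, clientCert, and sslVerifyServerCert attribute names against the outputs.conf reference for your Splunk version before relying on them.

```shell
#!/bin/sh
# Added example, not from the video: the universal forwarder setup as a
# repeatable script. gen_outputs_conf and gen_inputs_conf print what
# "splunk add forward-server" and "splunk add monitor" would write.
# Assumed, not stated in the video: Enterprise at 192.168.1.10, ASA logs in
# /var/log/firewall, sourcetype cisco:asa, a system user splunkfwd, the .deb
# already copied into /opt, and a client cert at etc/auth/forwarder.pem.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"
IDX_HOST="${IDX_HOST:-192.168.1.10}"
IDX_PORT="${IDX_PORT:-9997}"
LOG_DIR="${LOG_DIR:-/var/log/firewall}"
FWD_USER="${FWD_USER:-splunkfwd}"

# outputs.conf equivalent of "splunk add forward-server HOST:PORT".
# Without the three SSL lines the logs cross the network in cleartext.
# (Attribute names are from outputs.conf; verify them for your version.)
gen_outputs_conf() {
    cat <<EOF
[tcpout]
defaultGroup = asa_indexers

[tcpout:asa_indexers]
server = $1:$2
useSSL = true
clientCert = $SPLUNK_HOME/etc/auth/forwarder.pem
sslVerifyServerCert = true

[tcpout-server://$1:$2]
EOF
}

# inputs.conf equivalent of "splunk add monitor PATH -sourcetype T -index I".
gen_inputs_conf() {
    cat <<EOF
[monitor://$1]
disabled = false
sourcetype = $2
index = $3
EOF
}

# Full install and rule setup. Run as root: ADMIN_PASS=... sh uf-setup.sh install
install_forwarder() {
    apt-get install -y curl                       # the installer's checks need it
    dpkg -i /opt/splunkforwarder-*.deb
    id "$FWD_USER" >/dev/null 2>&1 || useradd -r -s /usr/sbin/nologin "$FWD_USER"
    mkdir -p "$SPLUNK_HOME/etc/system/local"
    # Seed the forwarder's local admin account instead of typing it at the prompt.
    printf '[user_info]\nUSERNAME = admin\nPASSWORD = %s\n' "$ADMIN_PASS" \
        > "$SPLUNK_HOME/etc/system/local/user-seed.conf"
    gen_outputs_conf "$IDX_HOST" "$IDX_PORT" > "$SPLUNK_HOME/etc/system/local/outputs.conf"
    gen_inputs_conf "$LOG_DIR" cisco:asa main > "$SPLUNK_HOME/etc/system/local/inputs.conf"
    # The forwarder user must be able to read what syslog-ng writes.
    chgrp -R "$FWD_USER" "$LOG_DIR" && chmod -R g+rX "$LOG_DIR"
    chown -R "$FWD_USER:$FWD_USER" "$SPLUNK_HOME"
    # Start as the unprivileged user, accepting the license non-interactively,
    # then register a boot-time unit that also runs as that user.
    sudo -u "$FWD_USER" "$SPLUNK_HOME/bin/splunk" start --accept-license --answer-yes --no-prompt
    "$SPLUNK_HOME/bin/splunk" enable boot-start -user "$FWD_USER"
    sudo -u "$FWD_USER" "$SPLUNK_HOME/bin/splunk" list forward-server
}

case "${1:-}" in
    install) : "${ADMIN_PASS:?set ADMIN_PASS first}"; install_forwarder ;;
    show)    gen_outputs_conf "$IDX_HOST" "$IDX_PORT"; gen_inputs_conf "$LOG_DIR" cisco:asa main ;;
esac
```

"sh uf-setup.sh show" prints both stanzas without installing anything. The receiving side has to match: with useSSL on the forwarder, the [splunktcp-ssl://9997] input on the Enterprise server needs its server certificate configured too, otherwise list forward-server will show the indexer as inactive.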
Is there any inactive forwarder? No. So we are good. This is how you create the forwarder. Now let's validate whether this data, or this forwarder, is showing up in Splunk Enterprise or not. For that you can go to Dashboards. Your dashboards may be empty, in which case you can create a dashboard. Let's go back to Search first. Here you can click Data Summary; a quick way to test your data inputs is to click on Data Summary. Once you click it, it looks at how many hosts, meaning forwarders, are talking to this Enterprise server. If you click on that, I have two: one ending in 121, which is sending [INAUDIBLE], and that is defined by this naming convention; and another, Ubuntu Pi. So these two are sending data to the Enterprise server. Sources: what sources are we monitoring? All of those are listed here. And source type: it automatically tries to classify the data by reading the files against some existing rules, and says these are the source types. There are various pre-built source types, like ASA, but not every source type is pre-built; you can also build a custom source type.

So let's look at the host and load this. Here you can see all my /var/log/firewall logs, the place we are monitoring on the syslog-ng server; all of these logs started showing up here. Based on these logs, it has created some selected fields. You can select those fields and create a new search query. Right now it is just searching on the host name, and you can see all of the events nicely populated here. You can go back in the timeline: 24 hours, 30 minutes, five minutes. Everything you can see. You can create your own search pattern and also do some visualization, and at the same time you can create a table view. So there are different ways of visualizing: table format, bar chart format, and so on.
But the really cool thing about Splunk needs a little bit of education about the Search Processing Language, SPL, so that you can actually use these logs to build a search query or a pattern and present the logs in a meaningful way. That's the end goal, right? In today's video I'm just making you familiar with the Splunk distributed model: what the universal forwarder is, what Enterprise is, and how you bring your logs here. But you can do much more by learning a few tricks in SPL. OK.

What else do I want to show you? If you go to the Splunk home page, here it created the forwarder instance snapshot. When I come to the home page, it quickly gives me a snapshot of my forwarders: which forwarders are available and what their data pattern looks like. As I mentioned, I have two of them. I can load them here, watch their data patterns, and click on any of them to see who the receiver is. This Windows machine itself is the receiver. So this is a nice way to monitor your forwarders and whether they are sending your data in real time or not.

Finally, if you want to know something about the utilization of the Enterprise server itself, you can always go to the Monitoring Console and see how your Enterprise server is doing resource-wise right now: license usage, disk usage, CPU usage, and so on for the Enterprise server, meaning how the server instance installation is doing health-wise. Is there any memory pressure? Any CPU pressure? Are we hitting any license, disk, or indexing-throughput threshold? All of that you can manage from here. All right. But mostly, if you are not a Splunk administrator, you will come here to parse the logs for your application.
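The forwarder monitoring above tells you that a forwarder has gone quiet; the video promised troubleshooting tips for that case, so here is an added example (not the video's own tooling) of the first checks worth scripting on the forwarder itself when it "stops sending after a while": the forwarder's last reported outbound state from its own splunkd.log, whether a TCP session to 9997 actually exists, whether the forwarder user can still read the monitored files (a rotated file created with the wrong mode is a classic cause), and what splunk list inputstatus and list forward-server say. Assumed, not in the video: SPLUNK_HOME is /opt/splunkforwarder, the forwarder runs as splunkfwd, the indexer is 192.168.1.10:9997, and the splunkd.log lines in the test are constructed to resemble TcpOutputProc messages; the exact wording in your log may differ, so extend the patterns from what you actually see.

```shell
#!/bin/sh
# Added example, not from the video: a first-pass health check for a
# universal forwarder that has stopped sending. Assumed, not in the video:
# SPLUNK_HOME=/opt/splunkforwarder, forwarder user splunkfwd, indexer
# 192.168.1.10:9997, monitored directory /var/log/firewall.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"
FWD_USER="${FWD_USER:-splunkfwd}"
LOG_DIR="${LOG_DIR:-/var/log/firewall}"
IDX="${IDX:-192.168.1.10:9997}"

# Read splunkd.log on stdin and print the most recent outbound state the
# TcpOutputProc component reported: connected, failing (timeouts, refused
# or failed connects, a quarantined indexer), blocked (output queue full,
# usually the indexer is not keeping up), or unknown (no such line yet).
forwarder_state() {
    last=$(grep 'TcpOutputProc' | tail -n 1)
    case "$last" in
        *"Connected to idx="*)                    echo connected ;;
        *"blocked"*)                              echo blocked ;;
        *"timed out"*|*"failed"*|*"quarantine"*)  echo failing ;;
        *)                                        echo unknown ;;
    esac
}

# Print the monitored files the forwarder user cannot read; an empty list
# is the healthy answer. Rotated files written as root with mode 0600 show
# up here while the forwarder silently reads nothing.
unreadable_by_forwarder() {
    sudo -u "$FWD_USER" find "$1" -type f ! -readable -print
}

# Run on the forwarder host as root: sh uf-diag.sh diag
diagnose() {
    echo "== last outbound state from splunkd.log =="
    forwarder_state < "$SPLUNK_HOME/var/log/splunk/splunkd.log"
    echo "== established TCP session to $IDX (none means nothing is flowing) =="
    ss -tn state established "( dport = :${IDX##*:} )"
    echo "== files under $LOG_DIR that $FWD_USER cannot read =="
    unreadable_by_forwarder "$LOG_DIR"
    echo "== monitored inputs and read positions =="
    sudo -u "$FWD_USER" "$SPLUNK_HOME/bin/splunk" list inputstatus
    echo "== forwarder's own view of the indexer =="
    sudo -u "$FWD_USER" "$SPLUNK_HOME/bin/splunk" list forward-server
}

case "${1:-}" in
    diag) diagnose ;;
esac
```

Read the sections top to bottom: "failing" with no established session points at the network or the indexer's receiving input (firewall, TLS mismatch, indexer down); "connected" with files in the unreadable list points at permissions on the syslog-ng output; "connected" with everything readable but a stale read position in list inputstatus usually means the file was rotated or truncated in a way the monitor did not follow.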
For that, mostly, you want to create some searches and reports, some cool search indexes, so that you can find the needle in the haystack. With that, I'm going to stop this video. I'll continue learning Splunk, and I hope you find it interesting too. So let's continue this journey. Thank you.