You get a good bit of license usage trends when you install the Deployment Monitor and Splunk on Splunk applications. Or if you don’t use those apps, data in the _internal index ages out over time and you lose your trends beyond approximately 30 days.
I prefer to setup my own index and collect the summarized usage data into it so I can keep it indefinitely and do easy graphs on the data in my daily admin dashboard. This is also handy on a Splunk instance where you do not have the CPU cores to spare for Deployment Monitor to be running a lot of scheduled searches. Such as your admin laptop instance.
Lastly, you may need this data over the long term so you can justify more Splunk license in your next budget as you get close to averaging at your license limit.
Continue reading “Splunk Setting up License Usage Trending”
I am often asked how to start looking at Splunk when someone gets interested. This is the same thing I do for myself.
- Get the latest build of Splunk and install it on a machine you can test with. Usually this is your daily use laptop or desktop.
- Consider your license options. Splunk licensing is based on how much data per day you index into Splunk for searching. The free license will let you index up to 500MB per day. One thing many Splunk administrators do is to get a development license for their personal workstation. This will let you index up to 10GB per day and unlock all the enterprise features. This is great for prototyping and testing your parsing, apps etc on your workstation before moving it to your production system.
- Change your default admin password on Splunk once you login for the first time. The last thing you want is to be in a coffee shop and have someone poking into data you have indexed into Splunk that you might not want to share.
- Change the web interface to use https. Sure it is the default Splunk SSL certificate but it is better than no encryption at all. Just enable it under Settings->System Settings->General Settings
If you do not end up using a development license or your demo license runs out be sure to firewall Splunk from being accessed outside your local machine. Reference back to my someone in a coffee shop digging through your data comment.
Continue reading “Getting started with Splunk and my favorite starter applications.”
I was pointed at a great blog post on Hardening SSL Settings by Hyneck Schlawack to mitigate a number of attacks against SSL and then to evaluate it against the Qualys SSL Labs.
So I set out to figure out how much of the advice I could incorporate into Splunk SSL settings. I found that because Splunk uses CherryPy for the web server. That meant disabling server side SSL compression was problematic and I still have not solved that part. We need this to help mitigate the recently covered “Breach” and the old “Crime SSL” attack. Still I was able to adjust things to mitigate Beast and greatly improve the score given by the Qualys tool. Granted there are blog posts out there on setting up apache as the web front end and relaying traffic through to Splunk’s CherryPy. That would give us the controls we need. However, I like to write stuff up for now as Splunk vanilla doing it just with what is available in their install.
We will need to edit the web.conf file for Splunk. We can just take the recommended cipher list from Hyneck’s post. It addresses the Beast attack by eliminating CBC based ciphers from the available list to spunkWeb. We force SSLv3 only. And of course we have SSL enabled on the web interface.
One thing to note is that although we include the better newer ciphers in the list they will do nothing for us until openssl in Splunk is upgraded in a patch to support TLS 1.2. Right now it still only supports TLS 1.0. We put the list in and when the update covers it the newer ciphers should just start working.
Add the following stanza then bounce your Splunk service:
enableSplunkWebSSL = 1
supportSSLV3Only = true
cipherSuite = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:RC4-SHA;
I have been working on learning Python lately. One of the best ways to learn is to pick small goals and achieve them.
The laundry room of my apartment building uses a service called Laundryview.com to let people see the status of the washer and dryer units including time remaining. I have my raspberrypi handy. So I set out to put together a python script to scrape the machine status every fifteen minutes and push the data into splunkstorm.com. This is so I can actually trend the machine usage to determine what days of the week and times are most available. Plus I wanted to see if I could do something new. Below is a sample graph from splunkstorm showing the in use pattern for the washing machines.
If you want to see the python script just click more. Warning it is down and dirty. I could have made things more elegant but it works and I have not had time to polish it up. You will see I use lxml to parse the mobile version of the site for the machine status from a table.
Continue reading “Splunking the Laundry”