Todd Waller

Splunking Your RaspberryPi

Hello everyone, welcome back! This week's post is on how to Splunk data from your Raspberry Pi.


I'm going to keep it pretty basic, but I'll give you enough to get things flowing, and then you can build on what you have done.


First things first: install Splunk on a laptop or desktop. Next, log in with the admin credentials you created. (Not my first time logging in.)


Next, change your admin password if you haven't done it already.


Next, add your license for the data that will be coming in.


Now add a port listener (receiving port) on your indexer for the data the forwarder will send to it (mine is a standalone instance).


Now go to your Raspberry Pi and download the ARM version of the Universal Forwarder.



I prefer wget, so once you accept the agreement you can copy the wget command.


Now install the Universal Forwarder on your Raspberry Pi.

NOTE: these are not best practices, simply a quick start to show you how to get your Pi data into Splunk.



Next, accept the license and start Splunk.


Now we need to add something to monitor. What I did was take the vmstat.sh file and the accompanying common.sh file (which vmstat.sh depends on) out of Splunk's *nix app for monitoring Unix data and add them to the scripts path at /opt/splunkforwarder/bin/scripts. You can download the app from Splunk if you'd like and use any portion of it to monitor your Pi system.


Here's what the script outputs:



Now add an inputs.conf stanza to run the script


and next the outputs.conf to configure sending to the indexer (I edited out my IP).


Then restart the Universal Forwarder and go search your new data!
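As an added illustration (not taken from the post's screenshots), here are the two forwarder config files the steps above describe, placed in /opt/splunkforwarder/etc/system/local/ to match the quick-start layout. The indexer address 192.0.2.10 and the output group name are placeholders, and the script path assumes vmstat.sh and common.sh were copied into /opt/splunkforwarder/bin/scripts as described.

```ini
# /opt/splunkforwarder/etc/system/local/inputs.conf
# Scripted input: run vmstat.sh every 60 seconds and forward its output.
# $SPLUNK_HOME expands to /opt/splunkforwarder on the Pi; bin/scripts is one
# of the locations Splunk allows scripted inputs to live in.
[script://$SPLUNK_HOME/bin/scripts/vmstat.sh]
interval = 60
sourcetype = vmstat
source = vmstat
# Quick-start only: in practice send to a dedicated index, not "main".
index = main
disabled = 0

# /opt/splunkforwarder/etc/system/local/outputs.conf
# Send everything to the standalone indexer's receiving port (9997).
# 192.0.2.10 is a placeholder for the indexer's address.
[tcpout]
defaultGroup = pi_indexer

[tcpout:pi_indexer]
server = 192.0.2.10:9997
# Ask the indexer to acknowledge data so the forwarder retries instead of
# silently losing events if the connection drops.
useACK = true

# Optional hardening for the forwarder-to-indexer link: TLS with server
# certificate verification. Certificate paths below are placeholders.
# sslRootCAPath = /opt/splunkforwarder/etc/auth/cacert.pem
# clientCert = /opt/splunkforwarder/etc/auth/forwarder.pem
# sslVerifyServerCert = true
```

Splunk .conf files only treat a line beginning with `#` as a comment, so keep comments on their own lines rather than after a value. After saving both files, restart the forwarder and search `sourcetype=vmstat` on the indexer to confirm events are arriving.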


Make sure your firewall allows inbound connections to the indexer on port 9997, or whatever receiving port you configured the forwarder to send data to. The forwarder will not be able to deliver data if the firewall is blocking that port.


Again, I DIDN'T use best practices: normally you'd want the configs in an app, the scripts in the app's bin path, props and other configs set up to do field extractions and timestamping, etc., and you wouldn't send to the "main" index. For the sake of saving time I didn't do that; this is just for demonstration purposes.


Build on what I've shown you here. Have fun!


Todd
