
Splunking Your RaspberryPi

  • Writer: Todd Waller
  • Mar 8, 2019
  • 2 min read

Hello everyone, welcome back! This week's post is on how to get data from your Raspberry Pi into Splunk.


I'm going to keep it pretty basic, but it will give you enough to get data flowing, and you can build on it from there.


First things first: install Splunk on a laptop or desktop. Next, log in with the admin credentials you created during setup. (Not my first time logging in.)


Next, change your admin password if you haven't done so already.


Next, add your license to cover the data that will be coming in.


Now add a receiving port listener on your indexer for the data the forwarder will send (mine is a standalone instance; 9997 is the conventional receiving port).


Now go to your Raspberry Pi and download the ARM build of the Universal Forwarder.



I prefer wget, so once you accept the agreement you can copy the wget command.


Now install the Universal Forwarder on your Raspberry Pi.

NOTE: these are not best practices; this is simply a quick start to show you how to get your Pi's data into Splunk.



Next, accept the license and start Splunk.


Now we need something to monitor. What I did was take the vmstat.sh script and its companion common.sh out of Splunk's *nix app (the app for monitoring Unix hosts) and drop them into the forwarder's scripts directory, /opt/splunkforwarder/bin/scripts. You can download the app from Splunk if you'd like and use any of its scripts to monitor your Pi.


Here's what the script outputs:



Now add an inputs.conf to run the script:


and then an outputs.conf to configure sending to the indexer (I edited out my IP):


Restart the Universal Forwarder and go search your new data!


Make sure your firewall allows inbound connections to the indexer on port 9997, or whatever receiving port you configured the forwarder to send to. If the firewall is blocking that port, the forwarder will not be able to deliver any data.


Again, I DIDN'T use best practices. Normally you'd want the configs in an app, the scripts in the app's bin path, props and other configs set up to do field extractions and timestamping, and so on, and you wouldn't send to the "main" index. To save time I didn't do that; this is just for demonstration purposes.
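Here is the same forwarder-side setup laid out the way that paragraph describes, as an added example and not code from the post: a POSIX shell script (assumed file name pi_forwarder.sh) that writes inputs.conf and outputs.conf into their own forwarder app, sends to a dedicated index instead of "main", and checks that the receiving port is reachable before restarting. The app name pi_inputs, the index name raspi and the indexer address 192.0.2.10:9997 are placeholders chosen for the example, not values from the post; all three can be overridden through the environment.

```sh
#!/bin/sh
# Added example, not code from the original post. It lays out the
# forwarder-side configuration as a small Splunk app under
# $SPLUNK_HOME/etc/apps/<app>/ instead of dropping files into
# etc/system/local, and sends to a dedicated index rather than "main".
# Assumed values (not from the post): app name "pi_inputs", index "raspi",
# indexer 192.0.2.10:9997 (documentation address, replace with yours),
# forwarder installed at /opt/splunkforwarder. Override any of them via
# the environment: SPLUNK_HOME, APP, INDEX, INDEXER.
set -eu

# Where the app lives on the forwarder, computed at call time so an
# exported SPLUNK_HOME is honoured.
app_dir() {
    printf '%s/etc/apps/%s\n' "${SPLUNK_HOME:-/opt/splunkforwarder}" "${APP:-pi_inputs}"
}

# inputs.conf: run vmstat.sh (copied from the Splunk *nix app together with
# common.sh into the app's bin/) every 60 s. The script:// path is relative
# to the app directory, so the whole app moves as one unit.
render_inputs_conf() {
    cat <<EOF
[script://./bin/vmstat.sh]
interval = 60
sourcetype = vmstat
source = vmstat
index = ${INDEX:-raspi}
disabled = 0
EOF
}

# outputs.conf: one output group pointing at the indexer's receiving port.
render_outputs_conf() {
    cat <<EOF
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = ${INDEXER:-192.0.2.10:9997}
EOF
}

# Write both files under the app's local/ directory and print the app path.
install_app() {
    dir="$(app_dir)"
    mkdir -p "$dir/local" "$dir/bin"
    render_inputs_conf  > "$dir/local/inputs.conf"
    render_outputs_conf > "$dir/local/outputs.conf"
    printf '%s\n' "$dir"
}

# Can the Pi actually reach the receiving port? (The firewall problem the
# post warns about.) Returns 0 if the port answers, 1 if it does not,
# 2 if nc is not installed.
check_indexer_port() {
    target="${INDEXER:-192.0.2.10:9997}"
    host="${target%:*}"
    port="${target##*:}"
    command -v nc >/dev/null 2>&1 || { echo "nc not installed, skipping port check" >&2; return 2; }
    nc -z -w 3 "$host" "$port"
}

# Driver: run as `sh pi_forwarder.sh install` on the Pi, as the user that
# owns the forwarder, after copying vmstat.sh and common.sh into the app's
# bin/. Without an argument the script only defines the functions above.
case "${1:-}" in
    install)
        dir="$(install_app)"
        echo "wrote $dir/local/inputs.conf and $dir/local/outputs.conf"
        check_indexer_port || echo "warning: indexer port not reachable, check the firewall" >&2
        "${SPLUNK_HOME:-/opt/splunkforwarder}/bin/splunk" restart
        ;;
esac
```

The index has to exist on the indexer before the first event arrives (on the indexer, `splunk add index raspi` or Settings > Indexes), and the receiving port is opened there with `splunk enable listen 9997`. The forwarder itself only needs the app directory, the two scripts in bin/, and a restart; nothing goes into etc/system/local, so the app can be copied to the next Pi unchanged.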


Build on what I've shown you here. Have fun!


Todd

 
 
 

1 Comment


athomewithglen
Jan 15, 2022

Hi Todd, thanks for sharing this.

What RasPi distribution and h/w did you use?

I'm looking to implement a syslog server on a Pi and forward it into enterprise Splunk; any idea whether a RasPi 4 would work with standard RasPi OS?


©2018 by Old Logs New Tricks. Proudly created with Wix.com
