From 4cb0e763628ec4f65df397ebcbdc3fe1fc390a6c Mon Sep 17 00:00:00 2001 From: nandinivij <61885842+nandinivij@users.noreply.github.com> Date: Fri, 10 Jul 2020 12:38:11 -0700 Subject: [PATCH] [doc] Quickstart_guide.md added (#559) * quickstart guide * Added to navigation * Added O.S version Co-authored-by: mbonsack --- docs/gettingstarted/quickstart_guide.md | 87 +++++++++++++++++++++++++ mkdocs.yml | 1 + 2 files changed, 88 insertions(+) create mode 100644 docs/gettingstarted/quickstart_guide.md diff --git a/docs/gettingstarted/quickstart_guide.md b/docs/gettingstarted/quickstart_guide.md new file mode 100644 index 0000000..58ae42d --- /dev/null +++ b/docs/gettingstarted/quickstart_guide.md @@ -0,0 +1,87 @@ +# Quickstart Guide + +### Splunk setup +- Create the following default indexes that are used by SC4S + * email + * epav + * netauth + * netdlp + * netdns + * netfw + * netids + * netops + * netwaf + * netproxy + * netipam + * oswinsec + * osnix + * em_metrics (Optional opt-in for SC4S operational metrics; ensure this is created as a metrics index) + + * Create a HEC token for SC4S. When filling out the form for the token, it is recommended that the “Selected Indexes” pane be left blank and that a + `lastChanceIndex` be created so that all data received by SC4S will land somewhere in Splunk. + +### SC4S setup(using RHEL 7.6) +* Set the host OS kernel to match the default receive buffer of sc4s which is set to 16MB + * Add following to /etc/sysctl.conf + ``` + net.core.rmem_default = 1703936 + net.core.rmem_max = 1703936 + ``` + * apply to the kernel\ + ``` sysctl -p``` +* Ensure the kernel is not dropping packets\ + ```netstat -su | grep "receive errors"``` + + * Install conntrack (RHEL 7/8 with podman only)\ + ``` install conntrack``` + + * Create the systemd unit file `/lib/systemd/system/sc4s.service`. Copy and paste from the +[SC4S sample unit file](https://splunk-connect-for-syslog.readthedocs.io/en/master/gettingstarted/podman-systemd-general/#initial-setup +). + +* Install podman or docker + ``` + sudo yum -y install podman + or + sudo yum install docker-engine -y + ``` + +* Create a local volume that will contain the disk buffer files and other SC4S state files + ``` + sudo podman volume create splunk-sc4s-var + or + sudo docker volume create splunk-sc4s-var + ``` +* Create directories used as a mount point for local overrides and configurations + ``` + mkdir /opt/sc4s/local + mkdir /opt/sc4s/archive + mkdir /opt/sc4s/tls + ``` +* Create the environment file `/opt/sc4s/env_file` and replace the HEC_URL and HEC_TOKEN as appropriate + ``` + SPLUNK_HEC_URL= + SPLUNK_HEC_TOKEN= + #Uncomment the following line if using untrusted SSL certificates + #SC4S_DEST_SPLUNK_HEC_TLS_VERIFY=no + ``` +* Configure SC4S for systemd and start SC4S + ``` + sudo systemctl daemon-reload + sudo systemctl enable sc4s + sudo systemctl start sc4s + ``` +* Check podman/docker logs for errors + ``` + sudo podman logs SC4S + or + sudo docker logs SC4S + ``` +* Search on Splunk for successful installation of SC4S + ``` + index=* sourcetype=sc4s:events "starting up" + ``` +* Send sample data to default udp port 514 of SC4S host + ``` + echo “Hello SC4S” > /dev/udp//514 + ``` diff --git a/mkdocs.yml b/mkdocs.yml index d36a804..b9909a1 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -9,6 +9,7 @@ nav: - "Docker CE + Swarm": "gettingstarted/docker-swarm-general.md" - "Docker CE + Swarm RHEL 7.7": "gettingstarted/docker-swarm-rhel7.md" - "Bring your own Envionment": "gettingstarted/byoe-rhel7.md" + - "Quickstart Guide": "gettingstarted/quickstart_guide.md" - Configuration: "configuration.md" - Development: "developing/index.md" - Sources: