ICO wiki - User contributions [en]

Operating systems 2016

2017-07-09T10:34:56Z

Itaal:

=Operating systems subject related info=

Lecturer:

Katrin Loodus (katrin.loodus@itcollege.ee)

Room 516 (5th floor), phone (6285) 834

All subject related infotmation will be put up on Wiki page, due to the possibility to have access to the materials even after the subject has concluded. Materials, such as tests, lectures and links to additional materials, will remain available throughout the subject teaching period.

=Aim of this course=

The aim of this course is to introduce the basics of operating systems and IT system life cycle from the viewpoint of the IT system administrator of operating systems. This subject provides hands-on skills needed to complete other field specific subjects in the curriculum.

Lectures give a theoretical background and the labs give hands-on skills on the same topic using Ubuntu Linux Server.

'''This subject is oriented on hands-on practical assignments to compliment the theoretical side of the subject.'''

Learning outcome 1:

A student who has completed the subject is able to perform the most common administrative tasks (user management, software management, disk usage, process management) in at least one of the most popular operating system on a server.

Learning outcome 2:

A student who has completed the subject understands and is able to explain orally the basic concepts of operating systems and its security aspects.

Learning outcome 3:

The student is able to document an operating system's service from an IT systems administrator's viewpoint.

=Deadlines for assignments 2016=

'''03.04.2016''' - Submission of wiki article's topic (Sending an e-mail with the chosen topic is mandatory!)

'''08.05.2016 23:59''' - Submission of wiki article and sending an e-mail to the lecturer in order to get it graded

'''10.05.2016''' - Pre practical test for students, who have done all of their labs

'''23.05.2016''' - Last option to defend lab work (Lab1 and/or Lab2)

'''24.05.2016''' - Practical test

'''09.06.2016 at 09:00''' - Both practical and oral exams are in room 319

All dates are inclusive.

=(Occasional) Homework=

==Week 0 & 1==

Get familiar with the Unix command line by trying out this Codeacadamy [https://www.codecademy.com/learn/learn-the-command-line short course].

==Week 11==


This homework is voluntary! 

Please test these online courses (especially user management) in https://rangeforce.com environment and send the lecturer feedback you feel you would like to share. It can be about the content, the environment, spelling, storyline etc.

The promo code to get access to the courses is '''EIK2016'''.

Please send the feedback to my e-mail address: '''kloodus@itcollege.ee'''

Thank you!

==Reading materials==

[http://www.tecmint.com/10-useful-free-linux-ebooks-for-newbies-and-administrators/ 10 Free Linux Administration e-books]

=Timetable for lectures 2016=

Public chat for any subject related questions that were left unasked during the lecture: https://chatlink.com/#osadmin_ITKolledz


Link to lecture and lab captures: [https://echo360.e-ope.ee/ess/portal/section/d38715c3-2cc6-43ee-bc1c-818df79d0b41 Go to captures]

==Lecture 0==
February 09th 2016 [http://enos.itcollege.ee/~kloodus/opsys/lecture00%20-%20Introduction%20-%202016.odp Lecture 0 - Introduction to subject (OpenDocument)] [http://enos.itcollege.ee/~kloodus/opsys/lecture00%20-%20Introduction%20-%202016.pdf (PDF) ]

[http://enos.itcollege.ee/~kloodus/opsys/test_answers_spring2016.txt Test answers].

==Lecture 1==

February 12th 2016 [http://enos.itcollege.ee/~kloodus/opsys/lecture01%20-%20OS%20introduction.odp Lecture 1 - Operating systems introduction (OpenDocument)] [http://enos.itcollege.ee/~kloodus/opsys/lecture01%20-%20OS%20introduction.pdf (PDF) ]

* Lecture will be on the February 12th at 8:15 in room 219

* Practice will be on the same day at 10:00 in room 410

 Homereading materials:

[https://www.youtube.com/playlist?list=PLmbPuZ0NsyGS8ef6zaHd2qYylzsHxL63x Introduction to operating systems (videos)]

[https://en.wikipedia.org/wiki/Operating_system Operating systems (wikipedia article)]

==Lecture 2==

February 16th 2016 [http://enos.itcollege.ee/~kloodus/opsys/lecture02%20-%20user%20management.odp Lecture 2 - User management (OpenDocument)] [http://enos.itcollege.ee/~kloodus/opsys/lecture02%20-%20user%20management.pdf (PDF) ]

==Lecture 3==

February 23rd 2016 [http://enos.itcollege.ee/~kloodus/opsys/lecture03%20-%20managing%20files%20-%202016.odp Lecture 3 - File permissions (OpenDocument)] [http://enos.itcollege.ee/~kloodus/opsys/lecture03%20-%20managing%20files%20-%202016.pdf (PDF)]

==Lecture 4==
March 1st 2016 [http://enos.itcollege.ee/~kloodus/opsys/lecture04%20-%20user%20environment%20and%20processes%20-%202016.odp Lecture 4 - User environment and processes (OpenDocument)] [http://enos.itcollege.ee/~kloodus/opsys/lecture04%20-%20user%20environment%20and%20processes%20-%202016.pdf (PDF)]

==Lecture 5==

March 8th 2016 Lecture 5 - [http://enos.itcollege.ee/~kloodus/opsys/lecture05%20-%20FHS%20and%20links%20-%202016.odp Filesystem Hierarchy (OpenDocument)] [http://enos.itcollege.ee/~kloodus/opsys/lecture05%20-%20FHS%20and%20links%20-%202016.pdf (PDF)]

==Lecture 6==

March 15th 2016 [http://enos.itcollege.ee/~kloodus/opsys/lecture06%20-%20Software%20management%20-%202016.odp Lecture 6 - Software management (OpenDocument)] [http://enos.itcollege.ee/~kloodus/opsys/lecture06%20-%20Software%20management%20-%202016.pdf (PDF)]

==Lecture 7==

March 22nd 2016 - [http://enos.itcollege.ee/~kloodus/opsys/lecture07%20-%20Documentation%20-%202016.odp Lecture 7 - Documentation (OpenDocument)] [http://enos.itcollege.ee/~kloodus/opsys/lecture07%20-%20Documentation%20-%202016.pdf (PDF)]

==Lecture 8==

April 5th 2016 - [http://enos.itcollege.ee/~kloodus/opsys/lecture08%20-%20Security%20session%20-%202016.odp Lecture 8 - Security session (OpenDocument)] [http://enos.itcollege.ee/~kloodus/opsys/lecture08%20-%20Security%20session%20-%202016.pdf (PDF)]

==Lecture 9==

April 12th 2016 - No lecture nor labs - Lecturer is away

Substitute lecture and lab time will be announced later

==Lecture 10==

April 19th 2016 - [http://enos.itcollege.ee/~kloodus/opsys/lecture10%20-%20Disks%20and%20Swap%20-%202016.odp Lecture 10 - Disks, partitions and swap area (Open Document)] [http://enos.itcollege.ee/~kloodus/opsys/lecture10%20-%20Disks%20and%20Swap%20-%202016.pdf (PDF)]

==Lecture 11==

April 26th 2016 - [http://enos.itcollege.ee/~kloodus/opsys/lecture11%20-%20RAID,LVM,SAN,NAS%20-%202016.odp Lecture 11 - RAID; LVM, SAN and NAS technologies (Open Document)] [http://enos.itcollege.ee/~kloodus/opsys/lecture11%20-%20RAID,LVM,SAN,NAS%20-%202016.pdf (PDF)]

==Lecture 12==
May 3rd 2016 - [http://enos.itcollege.ee/~kloodus/opsys/lecture12%20-%20DAS,SAN,NAS,CAS-%202016.odp Lecture 12 - DAS, SAN, NAS and CAS (group work) technologies (cont.) (OpenDocument)] [http://enos.itcollege.ee/~kloodus/opsys/lecture12%20-%20DAS,SAN,NAS,CAS-%202016.pdf (PDF)]

[[http://www.slideshare.net/pranayakumar1986/network-storage Additional reading materials]]

==Lecture 13==

May 10th 2016 - [http://enos.itcollege.ee/~kloodus/opsys/lecture13%20-%20Backup%20and%20Recovery%20-%202016.odp Lecture 13 - Backup and recovery (OpenDocument)] [http://enos.itcollege.ee/~kloodus/opsys/lecture13%20-%20Backup%20and%20Recovery%20-%202016.pdf (PDF)]

==Lecture 14 and Lecture 9==

May '''17th''' 2016 - Lecture 14 - Miscellaneous topics (will be held in a computer class 319)

May '''19th 2016 at 10:00 in room 320''' - [http://enos.itcollege.ee/~kloodus/opsys/lecture15%20-%20Monitoring%20-%202016.odp Lecture 9 - Monitoring (substitute lecture) (OpenDocument)] [http://enos.itcollege.ee/~kloodus/opsys/lecture15%20-%20Monitoring%20-%202016.pdf (PDF)]

==Lecture 15==
May 24th 2016 - Lecture 15 - working in IT - merits and demerits

We will not have a lecture in the ordinary sense, instead we'll have a seminar or discussion on important aspects of working in IT. The ethical, social and personal aspects of it. Terms like "imposter syndrome", burnout, teamwork and better work environment will be some of the topics covered. Life is not only technical competence, it's a lot about human interaction as well.

=Lab works=

==Lab 0==

Installing Ubuntu Server 14.04.3 LTS

'''Introduction to Unix command line''' (cd, ls, cat, full path, relative path etc)

==Lab 1==

3 points - '''Managing users''' (adduser, addgroup, passwd, /etc/passwd, /etc/shadow)

1) Create a user noodle

2) Add a new group food and add a the user noodle to a group called food.

3) Divert the user noodle's password hash via cowsay to a file called cownoodle.txt.

4) Lock the user noodle and be ready to show me the indication of the user being locked.

5) Change the user's current home directory into /home/unknown so that the files will also be moved to the new location.

5 points - '''Managing files''' (mkdir, cp, mv, rm, touch, nano, less, chmod, chown, rwx, 644 etc)

1) Create a folder march in root user directory and for every march day a subfolder with a name day1, day2, day3 … day31. (Example: /root/march/day1 or /root/march/day2 etc)

2) Modify the march folder owner so that it will be student and the new group audio.

3) Modify the march folder's and its subfolders so that the user can do anything, group can do ls in the folder and cd into it and others can't do anything with it.

4) Create a hard link called network to a file /etc/network/interfaces

5) Copy /var/log directory into march folder so that the timestamp and user info will be preserved.

4 points - '''Processes and environment variables''' (kill, using directing input/output/error: |, <, >, >>; env, PATH, HOME etc)

1) Divert the list with the student user's groups via cowsay into a fail studgroup.txt.

2) Create a environment variable called MYHOME that has the value of the system's HOME environment variable. (Hint: you have tu use variable symbol here!)

3) Send 2 htop's to the background and be ready to present how you send a kill signal to the first htop by job number and term signal to the second htop by a process number.

4) Create an alias called bye that logs you out of the terminal. Make this alias permanent.

5) Execute a programm called espdiff and diver the standardoutput to a file called okay.txt and the standard error to a file called notokay.txt.

3 points - '''Managing software''' (installation, updating, deleting, apt and dpkg utils)

==Lab 2==

7 points -
'''Managing disks by creating partitions''' (fdisk, mkfs, blkid, mount, umount)

5 points -
'''Managing swap''' (mkswap, swapon, swapoff)

=Practical tests=

==2016==

[https://docs.google.com/document/d/1FGZcqmQQDF1l32uPUJ6n8x2Tc4gK8nuxS-C9esgRqaQ/edit?usp=sharing First practical test 10th of May 2016]

[https://docs.google.com/document/d/1ZCqOOMkx0dwP0QXLIK_yk_08a8whfJmQbYR1mAoSh7M/edit Second pracical test 24th of May 2016]

=Exams=

==2016==

[https://docs.google.com/document/d/1ofiylCw9YAS8_S9YHEc8cZOvEfCfMfs2wDoc44eDyCU/edit?usp=sharing Practical exam]

[https://docs.google.com/document/d/1gkEDb1g1em9UGhj9n_LIwnhp17gY85U9aPtMfGk56_8/edit# Topics] of the oral exam in Spring 2016

=Wiki article information=

* Choose a topic from personal experience or from topics found on the wiki page

*Send the topic to the lecturer kloodus@itcollege.ee

*Lecturer will confirm the topic

*Write your article in wiki environment

*Inform the lecturer when the article is finished

*Receive feedback with corrections


Bare in mind that this is an open environment, so everything you write in your wiki article, will be public :) 

Helpful tips and requirements what is expected of your wiki article: https://docs.google.com/document/d/1TGmcv4CL0csigtzA_1Ti4Ndvvc6AjNchZwJe2Jc7OQc/edit#

===List of the topics chosen:===

[[User:akerge|Artur Kerge]] is doing an article on [[Irssi]].

[[OpenVPN_Access_Server|OpenVPN Access Server]] by [[User:aovtsinn|Artur Ovtsinnikov]]

[[Securing_database_with_command_line_linux#Aim_of_this_page| Securing database with command line Linux]] by [[User:malyhass|Mohanad Aly]]

[[SSH_for_beginners|SSH for beginners]] by [[User:ebarrier|Etienne Barrier]]

[https://wiki.itcollege.ee/index.php/Linux_File_Permissions#References| Linux File Permissions] by Sheela Raj

[https://wiki.itcollege.ee/index.php/User_talk:Lphanvan Attack A Website by Using Local Method ([[Local Attack]])] by Ender Phan

[https://wiki.itcollege.ee/index.php/Cowsay_English Cowsay] by Meelis Hass

[https://wiki.itcollege.ee/index.php/Sguil Sguil] by Kustas Kurval

[https://wiki.itcollege.ee/index.php/Radare2 Radare 2 - An Open Source alternative to IDA] by IT

Install Icinga2 on Ubuntu 16.04

2017-01-05T08:58:02Z

Itaal:

Author: Etienne Barrier

Co-Author: Indrek Taal (Add nodes to Icinga 2)

Last modified: 05.01.2017

==Preliminary notes==
This tutorial shows how to install Icinga 2 on Ubuntu 16.04 LTS, using PostgreSQL (as for database) and Apache 2 (as for webserver).

This tutorial does NOT show:
* how to install Icinga version 1
* how to install/configure databses other than PostgreSQL (for example MySQL, MariaDB, etc.)
* how to install/configure webservers other than Apache2 (for example Nginx)
* how to use Icinga2

It is assumed that you are already familiar with the basics of Linux command line terminal commands. But this tutorial is made so that you can copy paste the commands to your terminal.

Versions used in this tutorial:
* Icinga 2 (version: r2.5.4-1)
* Ubuntu 16.04.1 LTS (Xenial)
* PostgreSQL (version: 9.5.2)
* Apache 2 (version: 2.4.18)
* Php (version 7.0)

Depending on the versions you use, the commands and/or the path shown in this tutorial might be different.

All commands in this tutorial are made as root. You must be root or be able to use "sudo" command to install and configure Icinga.

The version of Icinga used (version 2) is referred sometimes as “Icinga” or “Icinga 2” accross the tutorial.

This tutorial is based on the following tutorials:
*[http://docs.icinga.org/icinga2/latest/doc/module/icinga2/chapter/getting-started Official Icinga 2 documentation]
*[https://github.com/Icinga/icingaweb2/blob/master/doc/02-Installation.md Official Icinga Web 2 installation documentation]
*[http://linoxide.com/ubuntu-how-to/install-icinga2-ubuntu-16-04 Linoxide "how to"]
*[https://lowendbox.com/blog/server-monitoring-with-icinga-2-part-1-the-server-ubuntu-host Lowendbox blog post]
*[https://lowendbox.com/blog/server-monitoring-with-icinga-2-part-2-the-node-ubuntu-host Lowendbox blog post 2]

For any comments, please write to ebarrier{at]itcollege[dot)ee.

==What is Icinga?==
Icinga 2 is an open source monitoring system which checks the availability of your network resources, notifies users of outages, and generates performance data for reporting.<ref>[http://docs.icinga.org/icinga2/latest/doc/module/icinga2/toc#!/icinga2/latest/doc/module/icinga2/chapter/about-icinga2#what-is-icinga2] Icinga2 official documentation</ref>

Icinga started as a Nagios fork and did quite well, mostly considering Icinga Web which was better than Nagios’ web interface. Icinga 2 is a complete rewrite and even adds a fancy new (optional) web interface which is responsive and customizable. On top of that, the communication between the monitoring server and the nodes it monitors has become more secure as NRPE has been ditched (it’s still available, just not prefered).<ref>[https://lowendbox.com/blog/server-monitoring-with-icinga-2-part-1-the-server-ubuntu-host] "Lowendbox" blog article about Icinga 2</ref>

Icinga is made of two parts - Icinga 2 and Icinga Web 2. The first one is the core of the software and the second is a web interface.

==Install Icinga 2 core==
Add Icinga's repository to the package management configuration.

<code>$ add-apt-repository ppa:formorer/icinga</code>

<code>$ apt update</code>

Install Icinga 2 package.

<code>$ apt install icinga2</code>

Check that Icinga is up and running

<code>$ service icinga2 status</code>

If it is not running, start it.

<code>$ service icinga2 start</code>

Make sure Icinga will start automatically on startup.

<code>$ systemctl enable icinga2.service</code>

==Install plugins==
===Nagios plugins===
To be able to check external services, Icinga needs monitoring plugins to know about them and to make sure they work properly. Available monitoring plugins are available on the [https://www.monitoring-plugins.org Monitoring Plugins Project website].

We install the main set of plugins that come from [https://www.nagios.org Nagios] monitoring solution.

''Note that Icinga service runs as user and group called "Nagios" (for historical reasons).''

<code>$ apt install nagios-plugins</code>

===Vim and Nano configuration syntax highlighting===
Icinga provides packages to highlight its configuration files using Nano and Vim utilities.

The package for Nano is included by default when installinIcinga2.

For Vim, do:

<pre>
$ apt install vim-icinga2 vim-addon-manager</code>
$ vim-addon-manager -w install icinga2
</pre>

==Install Apache web server==
Install Apache 2. Apache is a web server system that allows to access Icinga web interface.

<code>$ apt install apache2</code>

Apply a firewall rule to accept incoming tcp packets with destination port 80 (http). You may ignore this point if you have your own set of rules that you manage.

<pre>
$ iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
$ iptables-save
</pre>

==Install Icinga Web 2==
To install Icinga Web 2 package,add its repository to the package management system.

For other Ubuntu versions than Xenial, just replace “xenial” below with the desired distribution's code name (see the [http://packages.icinga.org/ubuntu packages list]).
<pre>
$ wget -O - http://packages.icinga.org/icinga.key | apt-key add -
$ add-apt-repository 'deb http://packages.icinga.org/ubuntu icinga-xenial main'
$ apt update
</pre>

Install Icinga Web 2.

<code>$ apt install icingaweb2</code>

==Install and configure PostgreSQL databases==
Icinga needs two databases to work: one main to store monitoring information (DB IDO: Database Icinga Data Output) and one to store Icinga users and groups information for its web interface.
We will install both of them manually.

===Install PostgreSQL===
Install PostgreSQL database system.

<code>$ apt install postgresql</code>

===Install IDO module for PostgreSQL===
Install Icinga IDO module for PostgreSQL.
It installs files and directories to enable the export and storage of monitoring information into a database.
We will install the database manually in our tutorial.

<code>$ apt install icinga2-ido-pgsql</code>

A wizard will start.

Say "'''No'''" to enable the IDO module for PostgreSQL, we do it manually later.

The wizard proposes to create and configure the database with "dbconfig-common". Choose “'''No'''” because we will do it manually (see below).

===Create Icinga users database===
Create the users database for Icinga.

First go to the /tmp directory because that is the default unix socket location for PostgreSQL.

<code>$ cd /tmp</code>

Create a role (similar to a user) for the database. The database will require to login and we choose a password. You can choose a different role name ("icingaweb") and a different password ("icingawebpass") than what is given as an example below. ''Remember them for later!''

<code>$ sudo -u postgres psql -c "CREATE ROLE icingaweb WITH LOGIN PASSWORD 'icingawebpass'"</code>

Create the database (“icingawebdb”) and we assign its owner as being “icingaweb” (created earlier) with UTF8 encoding.

<code>$ sudo -u postgres createdb -O icingaweb -E UTF8 icingawebdb</code>

===Create IDO database===
Create the main database for Icinga.

Make sure you are in the /tmp directory (default unix socket location for PostgreSQL).

<code>$ cd /tmp</code>

Create a role (similar to a user) for the database.

The database will require to login and we choose a password.

You can choose a different role name ("icingaido") and a different password ("icingaidopass") than what is given as an example below.

''Remember them for later!''

<code>$ sudo -u postgres psql -c "CREATE ROLE icingaido WITH LOGIN PASSWORD 'icingaidopass'"</code>

Create the database (“icingaidodb”) and we assign its owner as being “icingaido” (created earlier) with UTF8 encoding.

<code>$ sudo -u postgres createdb -O icingaido -E UTF8 icingaidodb</code>

Edit the file ''/etc/icinga2/features-available/ido-mysql.conf'' and insert the values you have chosen for the IDO database.

<pre>
object IdoMysqlConnection "ido-mysql" {
user = "icingaido",
password = "icingaidopass",
host = "localhost",
database = "icingaidodb"
}
</pre>

===Configure databases authentication===
PostgreSQL handles authentication to databases from a file which states which users can connect to which database using certain methods.
Previously we have created a roles and databases. We must tell PostgreSQL how these databases can be accessed and by whom.

Edit the pg_hba.conf in ''/etc/postgresql/*/main/pg_hba.conf'' and add the roles and databases we defined earlier user with md5 authentication method.
'md5' means that the user needs to authenticate with a password to access the database.

<pre>
# TYPE DATABASE USER ADDRESS METHOD
#icinga
local icingaidodb icingaido md5
host icingaidodb icingaido 127.0.0.1/32 md5
host icingaidodb icingaido ::1/128 md5

local icingawebdb icingaweb md5
host icingawebdb icingaweb 127.0.0.1/32 md5
host icingawebdb icingaweb ::1/128 md5
</pre>

Restart PostgreSQL

<code>$ service postgresql restart</code>

===Import database schemas===
So far Icinga can access both databases, but they are empty (not a single table, index, function).

Import the respective schemas for each of them.

'''''Import the web database schema'''''

This will populate the web database with tables and indexes,...
The password we setup for this role will be asked.

<source lang="bash">
$ psql -U icingaweb -d icingawebdb < /usr/share/icingaweb2/etc/schema/pgsql.schema.sql
</source>

<pre>
Password for user icingaweb:
</pre>

A list of statements such as “CREATE TABLE”, “CREATE INDEX” appears.

'''''Import the IDO database schema'''''

This will populate the IDO database with tables, indexes,...

<pre>
$ psql -U icingaido -d icingaidodb < /usr/share/icinga2-ido-pgsql/schema/pgsql.sql
Password for user icingaido:
</pre>

A long list of statements such as “CREATE FUNCTION”, “CREATE TABLE”, “CREATE INDEX” appears.

==Enable Icinga features==
Enable Icinga IDO for PostgreSQL and 'command' modules and restart Icinga.

<pre>
$ icinga2 feature enable ido-pgsql command
$ service icinga2 restart
</pre>

Check that ido-pgsql and command modules are enabled.

<code>$ icinga2 feature list</code>

By default the command module file is owned by the group "nagios" with read/write permissions. Add Apache user ("www-data") to the group "nagios" to enable sending commands to Icinga 2 through the web interface.

<code>$ usermod -a -G nagios www-data</code>

==Set up the web interface==
Open a browser and go to http://[server_ip]/icingaweb2/setup.

1. First is the welcome page asking to insert a token.

To get a token, do in your terminal <code>$ icingacli setup token create</code> and insert it on the page.

''Note: in case you need to see the token again, do <code>$ icingacli setup token show</code>.''

[[File:Icinga2 01 token.png|border|1000px|center]]

2. Choose the modules to install for Icinga Web 2.

For a normal usage, we suggest “Doc” and “Monitoring” modules.

[[File:Icinga2 02 modules.png|border|1000px|center]]

3. Icinga checks that all the requirements it needs are met. You may have some missing, in that case, you must fix them. We are not going to detail how to fix all of them but two that are likely to be missing.

[[File:Icinga2 03 modules incomplete.png|border|1000px|center]]

; '''“The PHP config ‘date.timezone’ is not defined”'''

:The page already guides you how to fix the Default TimeZone.

:Go to /etc/php/7.0/apache2/php.ini file, uncomment and set the line '''date.timezone =''' with your time zone.

:For example <code>date.timezone = Europe/Tallinn</code> (see the [http://php.net/manual/en/timezones.php list of php time zones]).

; '''“The PHP module PDO-PostgreSQL is missing”'''

:Install the missing module.<code>$ apt install php-pgsql</code>

:In /etc/php/7.0/apache2/php.ini, add these lines to enable the extension/module
<pre>
extension=pdo_pgsql.so
extension=pgsql.so
</pre>

Restart the web server to apply the new configuration

<code>$ service apache2 restart</code>

Click the button “Refresh” at the bottom of the page to check the the requirements are now met.

[[File:Icinga2 04 modules complete.png|border|1000px|center]]

4. Choose “Database” for authentication unless you specifically want to authenticate using LDAP or another way.

[[File:Icinga2 05 authentication.png|border|1000px|center]]

5. Enter the credentials that we set up for users and groups database, and check that the configuration is correct by clicking on “Validate configuration”.

[[File:Icinga2 06 database resource.png|border|1000px|center]]

6. Use the default backend name “icingaweb2”.

[[File:Icinga2 07 authentication backend.png|border|1000px|center]]

7. Choose the credentials that will be asked when you will log into Icinga’s web interface to access the monitoring dashboard.

'''Remember these credentials!''' (for point 16 below).

[[File:Icinga2 08 administration.png|border|1000px|center]]

8. Leave the default application and logging configuration unless you know what you are doing.

[[File:Icinga2 09 application configuration.png|border|1000px|center]]

9. Check that the configuration is correct and continue.

[[File:Icinga2 10 summary.png|border|1000px|center]]

10. You arrive to the configuration of the monitoring module.

[[File:Icinga2 11 monitoring welcome.png|border|1000px|center]]

11. Leave the defaults values for the monitoring backend ("IDO").

[[File:Icinga2 12 monitoring backend.png|border|1000px|center]]

12. Insert values you chose for the IDO database and check that the configuration is correct by clicking on “Validate configuration”.

''The values are also in the file /etc/icinga2/features-enabled/ido-pgsql.conf.''

[[File:Icinga2 13 monitoring IDO resource.png|border|1000px|center]]

13. Leave the defaults values for the command transport.

[[File:Icinga2 14 command transport.png|border|1000px|center]]

14. Leave the defaults values for the monitoring security.

[[File:Icinga2 15 monitoring security.png|border|1000px|center]]

15. Check that the configuration is correct and finish.

[[File:Icinga2 16 monitoring summary.png|border|1000px|center]]

[[File:Icinga2 17 congratulations.png|border|1000px|center]]

16. Login to Icinga 2 using the credentials on point 7.

[[File:Icinga2 18 login.png|border|300px|center]]

==Add nodes to Icinga 2==

===The server node===

In order to be able to add hosts securely, we have to go to the server and run the following command:

<pre>$ sudo icinga2 node wizard</pre>

This will start a wizard which will first ask you whether this is a satellite setup or not. Since this is the server or master you have to say ‘No’ here, to input an ‘n’:

Please specify if this is a satellite setup (‘n’ installs a master setup) [Y/n]: n

It then starts generating keys are certificates required for secured TLS communication. In addition to that, it adds these to the configuration, plus it ensures this server is listed as the master:

<pre>information/base: Writing private key to ‘/var/lib/icinga2/ca/ca.key’.
information/base: Writing X509 certificate to ‘/var/lib/icinga2/ca/ca.crt’.
information/cli: Initializing serial file in ‘/var/lib/icinga2/ca/serial.txt’.
information/cli: Generating new CSR in ‘/etc/icinga2/pki/icinga-server.csr’.
information/base: Writing private key to ‘/etc/icinga2/pki/icinga-server.key’.
information/base: Writing certificate signing request to ‘/etc/icinga2/pki/icinga-server.csr’.
information/base: Writing private key to ‘/etc/icinga2/pki/icinga-server.key’.
information/base: Writing certificate signing request to ‘/etc/icinga2/pki/icinga-server.csr’.
information/cli: Signing CSR with CA and writing certificate to ‘/etc/icinga2/pki/icinga-server.crt’.
information/cli: Copying CA certificate to ‘/etc/icinga2/pki/ca.crt’.
information/cli: Dumping config items to file ‘/etc/icinga2/zones.conf’.
information/cli: Created backup file ‘/etc/icinga2/zones.conf.orig’.</pre>

It then asks you for the host and port for the API. We have no reason to change these, so leave these empty:

<pre>Please specify the API bind host/port (optional):
Bind Host []:
Bind Port []:</pre>

It then finalizes setting up this server as a master my editing some more configuration files:

<pre>information/cli: Enabling the APIlistener feature.
Enabling feature api. Make sure to restart Icinga 2 for these changes to take effect.
information/cli: Created backup file ‘/etc/icinga2/features-available/api.conf.orig’.
information/cli: Updating constants.conf.
information/cli: Created backup file ‘/etc/icinga2/constants.conf.orig’.
information/cli: Updating constants file ‘/etc/icinga2/constants.conf’.
information/cli: Updating constants file ‘/etc/icinga2/constants.conf’.
Done.</pre>

Now restart your Icinga 2 daemon to finish the installation!

With that done, restart Icinga 2 in order to use the new settings:

<pre>$ sudo service icinga2 restart</pre>

And the master is good for now. Let’s move on to the host node!

===The host node===

On the host node, we’re first going to have to ensure the Icinga 2 repository is present:

<pre>$ add-apt-repository ppa:formorer/icinga</pre>

Press ENTER when it asks you to.

Note: If this command gives you an error, run ‘sudo apt-get install software-properties-common’ to get the ‘add-apt-repository’ command!

Once the repository has been added, update apt:

<pre>$ sudo apt-get update</pre>

And install Icinga 2:

<pre>$ sudo apt-get install icinga2</pre>

With that out of the way, we can initiate the same wizard as we did on the master:

<pre>$ sudo icinga2 node wizard</pre>

This time we answer ‘Yes’ when it asks us if this is a satellite setup by just hitting ENTER:

<pre>Please specify if this is a satellite setup (‘n’ installs a master setup) [Y/n]:</pre>

After which is starts a different wizard:

<pre>Starting the Node setup routine…
Please specifiy the common name (CN) [icinga-node]:
Please specifiy the local zone name [icinga-node]:</pre>

It asks you for the common name and the local zone name for this server. These default to the system’s hostname in fully qualified domain name format. These master uses the common name to connect to the server and the local zone name to identify it in configuration files. I just let these be.

It then goes on to ask you about your master node:

<pre>Please specify the master endpoint(s) this node should connect to:
Master Common Name (CN from your master setup): icinga-server
Do you want to establish a connection to the master from this node? [Y/n]:</pre>

Please enter the Common Name of your master node (in my case ‘icinga-server’). This is usually the hostname unless you’ve changed it. Then press ENTER when asked if you want to establish a connection to the master from this node. This triggers the next question:

<pre>Please fill out the master connection information:
Master endpoint host (Your master’s IP address or FQDN): icinga-server
Master endpoint port [5665]:
Add more master endpoints? [y/N]:</pre>

Enter the master’s IP address or Fully Qualified Domain Name (FQDN) here and accept the default port. Also press ENTER in order to not add more endpoints: we’re just working with one master right now.

Then it’s on to the connection for CSR auto-signing, the bit of magic that makes setting up a secure connection a bit easier for you:

<pre>Please specify the master connection for CSR auto-signing (defaults to master endpoint host):
Host [icinga-server]:
Port [5665]:</pre>

Accept the defaults here as well, because the master we have entered before is also our server for CSR auto-signing.

After this, Icinga 2 is going to save some configuration on the host node and start the setup of a secure connection. As part of this process the master is contacted:

<pre>information/base: Writing private key to ‘/etc/icinga2/pki/icinga-node.key’.
information/base: Writing X509 certificate to ‘/etc/icinga2/pki/icinga-node.crt’.
information/cli: Generating self-signed certifiate:
information/cli: Fetching public certificate from master (icinga-server, 5665):

information/cli: Writing trusted certificate to file ‘/etc/icinga2/pki/trusted-master.crt’.
information/cli: Stored trusted master certificate in ‘/etc/icinga2/pki/trusted-master.crt’.</pre>

The certificate that has been set up needs to be signed in order to prove that you’re actually in command of both servers and approve of this secure communication:

<pre>Please specify the request ticket generated on your Icinga 2 master.
(Hint: # icinga2 pki ticket –cn ‘icinga-node’):</pre>

This means you need to run the following command on the master:

<pre>$ sudo icinga2 pki ticket –cn ‘icinga-node’</pre>

And copy the output from that command, which looks like ‘ff84267fca3b0b29c4c88d94706c76f4247cac34’ to the host node.

<pre>information/cli: Processing self-signed certificate request. Ticket ‘ff84267fca3b0b29c4c88d94706c76f4247cac34’.

information/cli: Created backup file ‘/etc/icinga2/pki/icinga-node.crt.orig’.
information/cli: Writing signed certificate to file ‘/etc/icinga2/pki/icinga-node.crt’.
information/cli: Writing CA certificate to file ‘/etc/icinga2/pki/ca.crt’.</pre>

With all certificates signed and in place, we’re asked about the API again:

<pre>Please specify the API bind host/port (optional):
Bind Host []:
Bind Port []:</pre>

Just like at the master, we’re not going to touch these here.

The wizard now asks you whether to accept the configuration and commands from the master:

<pre>Accept config from master? [y/N]: y
Accept commands from master? [y/N]: y</pre>

Select ‘Yes’ for both. Unfortunately, the Icinga 2 documentation is a bit fuzzy on this part. There are several ways to setup up a client, for example with a local configuration or as an execution bridge. I’m aiming for the latter of the two here: the master is in control and sends commands, the host node just executes them and returns the results. This is closest to what NRPE does and should keep all the data on the master.

With this done, everything is being put in place to make this work:

<pre>information/cli: Disabling the Notification feature.
Disabling feature notification. Make sure to restart Icinga 2 for these changes to take effect.
information/cli: Enabling the Apilistener feature.
Enabling feature api. Make sure to restart Icinga 2 for these changes to take effect.
information/cli: Created backup file ‘/etc/icinga2/features-available/api.conf.orig’.
information/cli: Generating local zones.conf.
information/cli: Dumping config items to file ‘/etc/icinga2/zones.conf’.
information/cli: Created backup file ‘/etc/icinga2/zones.conf.orig’.
information/cli: Updating constants.conf.
information/cli: Created backup file ‘/etc/icinga2/constants.conf.orig’.
information/cli: Updating constants file ‘/etc/icinga2/constants.conf’.
information/cli: Updating constants file ‘/etc/icinga2/constants.conf’.
Done.

Now restart your Icinga 2 daemon to finish the installation!
</pre>
After which you need to restart Icinga 2 on the host node:

<pre>$ sudo service icinga2 restart</pre>

And it’s back to the master.
Back to the server node (the master)

With the host node set up properly, only a few things remain on the master to be set up. First of all, we want to list the nodes on the master to see if our new host node is in there:

<pre>$ sudo icinga2 node list</pre>

The output should include the node you’ve just added.

Then, we update the configuration on the master so the host node is being included in checks, or in other words is being added to the master:

<pre>$ sudo icinga2 node update-config</pre>

If it did not work first time try changing permission of icinga2 directory to 755 ( with -R ).

The only thing that remains right now is to reload Icinga 2:

<pre>$ sudo service icinga2 reload</pre>

==Summary from the author==
The installation is really difficult.

Although the official documentation is well written and gives detailed commands for different distributions and databases, it lacks crucial explanations to understand to the user what it is being done.

Here are a few problems we encountered:
# The installation documentation for [http://docs.icinga.org/icinga2/latest/doc/module/icinga2/chapter/getting-started Icinga 2] and [https://github.com/Icinga/icingaweb2/blob/master/doc/02-Installation.md Official Icinga Web 2] are not at the same place and are not consistent in their format and style.
# Icinga2 IDO package has a wizard to create and configure the IDO database (which non-experienced users will probably follow), but it is not absolutely clear in the documentation that if you follow the wizard, you do not need to create the IDO database manually afterwards.
# If you follow the wizard, the IDO database name and user will have default values. The user will only have to choose the password. But when the user arrives to web interface where he must enter the credentials of this database, there is no indication that he can find them in a configuration file.
# According to Icinga documentation, the users database can be created automatically by the web interface at the end of the procedure. But experience showed that it never worked (errors occur). The user is left with the documentation that does not explain how to create this users database manually (which we took a long time to figure out).
# In case of problem during installation, a user who is not familiar with his database system will have trouble debugging. The web interface does not provide useful solutions.

I would not recommend Icinga with the experience I have, unless you follow this guide.

==References==
{{reflist|30em}}

Splunk

2017-01-05T08:25:55Z

Itaal:

==== Splunk ====

[[File:Splunk.jpg]]<ref>[http://www.slideshare.net/Splunk/getting-started-with-splunk-enterprise-56028566 Getting Started with Splunk Enterprise]</ref>

Splunk<ref>[http://docs.splunk.com/Documentation/Splunk/6.5.1/Installation/Whatsinthismanual Splunk Enterprise Installation Manual]</ref> is a powerful log database that can be used for analysis of any sort of log data through its easy to use search engine. Security logs, Syslog, Web server logs and Windows logs are just the beginning. One of the great features of Splunk is that you can feed pretty much any log into it and start searching.
Splunk is not open source, it is commercial however it does have a Free option that allows up to 500mb of data to be added into the system per day. For larger volume than 500mb per day the licensing costs start to add up. Splunk installation under Ubuntu is so easy, you can fire up an instance to do ad-hoc analysis of static log
=== Why splunk ? ===
Their features site says it - to Collect and Index All Log Files while having very flexible data input choises. Good example of use is for Mashine Learning.
https://www.splunk.com/en_us/products/splunk-light/features.html
===Open Source Splunk Alternative ===
If you are interesting in a purely Open Source log search engine, take a look at Greylog2.
=== About Splunk Free===
Splunk Free is the totally free version of Splunk. The Free license lets you index up to 500 MB per day and will never expire.
The 500 MB limit refers to the amount of new data you can add (we call this indexing) per day. But you can keep adding data every day, storing as much as you want. For example, you could add 500 MB of data per day and eventually have 10 TB of data in Splunk Enterprise.

If you need more than 500 MB/day, you'll need to purchase an Enterprise license. See How Splunk licensing works for more information about licensing.
Splunk Free regulates your license usage by tracking license violations. If you go over 500 MB/day more than 3 times in a 30 day period, Splunk Free continues to index your data, but disables search functionality until you are back down to 3 or fewer warnings in the 30 day period.
=== Is Splunk Free for you? ===
Splunk Free is designed for personal, ad hoc search and visualization of IT data. You can use Splunk Free for ongoing indexing of small volumes (<500 MB/day) of data. Additionally, you can use it for short-term bulk-loading and analysis of larger data sets
Splunk Free lets you bulk-load much larger data sets up to 3 times within a 30 day period. This can be useful for forensic review of large data sets.
=== What is included with Splunk Free? ===
Splunk Free is a single-user product. All Splunk Enterprise features are supported, with the following exceptions:
*Distributed search configurations (including search head clustering) are not available.
*Forwarding in TCP/HTTP formats is not available. This means you can forward data to other Splunk platform instances, but not to non-Splunk software.
*Deployment management capabilities are not available.
*Alerting (monitoring) is not available.
*Indexer clustering is not available.
*Report acceleration summaries are not available.
*While a Splunk Free instance can be used as a forwarder (to a Splunk Enterprise indexer) it cannot be the client of a deployment server.
*There is no authentication or user and role management when using Splunk Free. This means:
*There is no login. The command line or browser can access and control all aspects of Splunk Free with no user/password prompt.
*All accesses are treated as equivalent to the admin user. There is only one role (admin), and it is not configurable. You cannot add more roles or create user accounts.
*Searches are run against all public indexes, 'index=*'.
*Restrictions on search, such as user quotas, maximum per-search time ranges, and search filters, are not supported.
*The capability system is disabled. All available capabilities are enabled for all users accessing Splunk Free.

=== Ways you can configure Splunk software ===
Splunk software maintains its configuration information in a set of configuration files. You can configure Splunk by using any (or all!) of these methods:
*Use Splunk Web.
*Use Splunk's Command Line Interface (CLI) commands.
*Edit Splunk's configuration files directly.
*Use App setup screens that use the Splunk REST API to update configurations.
All of these methods change the contents of the underlying configuration files. You may find different methods handy in different situations.
===Use Splunk Web===
You can perform most common configuration tasks in Splunk Web. Splunk Web runs by default on port 8000 of the host on which it is installed:
If you're running Splunk on your local machine, the URL to access Splunk Web is http://localhost:8000.
If you're running Splunk on a remote machine, the URL to access Splunk Web is http://<hostname>:8000, where <hostname> is the name of the machine Splunk is running on.
Administration menus can be found under Settings in the Splunk Web menu bar.
===Edit configuration files===
Most of Splunk's configuration information is stored in .conf files. These files are located under your Splunk installation directory (usually referred to in the documentation as $SPLUNK_HOME) under /etc/system. In most cases you can copy these files to a local directory and make changes to these files with your preferred text editor.
===Use Splunk CLI===
Many configuration options are available via the CLI. These options are documented in the CLI chapter in this manual. You can also get CLI help reference with the help command while Splunk is running:
'''./splunk help'''

=== Feed Splunk Data and Search!===
Start getting data in the system and then you can search on that data. Data can be input from simple files for some one off analysis, it can read known log files or can listen on a port similar to a syslog server. It is very flexible, for example running it on a TCP port you could even use netcat to pipe a file over the network into Splunk server, or have a syslog server forward some of its logs to the Splunk instance. This would leave you with your existing syslog infrastructure intact for archival purposes but you also have the Splunk instance for easy analysis.
Now you are up to the point where it depends on your network and requirements, so think about how you are going to use it, feed it some data and start searching for stuff. The stuff could be configuration issues, errors, utilization trends or security events. If you want to do some easy testing, just grab a web server log file or other log and feed it in directly with the a file or directory option.

===Configure the universal forwarder===
Before a forwarder can forward data, it must have a configuration. A configuration:
*Tells the forwarder what data to send.
*Tells it where to send the data.

Because the universal forwarder does not have Splunk Web, you must give the forwarder a configuration either during the installation (on Windows systems only) or later, as a separate step. To perform post-installation configuration, you can:
*Use the CLI. The CLI lets you do nearly all configuration in a small number of steps, but does not give you full access to the feature set of the forwarder.
*Create or modify configuration files on the forwarder directly.
*Use a deployment server. The deployment server can ease distribution of configurations, but does not make a forwarder forward data by itself. You must use the deployment server to deliver configurations to the forwarders so that they collect the data you want and send it to the place you want.

=== About configuring the universal forwarder with configuration files ===
Configuration files are text files that the universal forwarder reads when it starts up or when you reload a configuration. Forwarders must read configuration files to know where to get and send data. These files give you full access to the forwarder feature set, but editing configuration files can be difficult or mistake-prone at times.
Key configuration files are:
*'''inputs.conf''' controls how the forwarder collects data.
*'''outputs.conf''' controls how the forwarder sends data to an indexer or other forwarder.
*'''server.conf''' for connection and performance tuning.
*'''deploymentclient.conf''' for connecting to a deployment server.
You make changes to configuration files by editing them with a text editor. You can use any editor that you want as long as it can write files in ASCII/UTF-8 format.
The forwarder works with configurations for forwarding data in outputs.conf in $SPLUNK_HOME/etc/system/local/). See Configure forwarding with outputs.conf.
The universal forwarder has a SplunkUniversalForwarder app, which includes preconfigured settings that let the forwarder run in a streamlined mode. Do not edit any configuration files within that app unless you receive specific instructions.
===Best practices for deploying configuration updates across universal forwarders===
You can use the following methods to deploy configuration updates across your set of universal forwarders:
*Edit or copy the configuration files for each universal forwarder manually (This is only useful for small deployments.)
*Use the Splunk deployment server to push configured apps to your set of universal forwarders.
*Use your own deployment tools (puppet or Chef on *nix or System Center Configuration Manager on Windows) to push configuration changes.
=== Configure the universal forwarder from the CLI ===
The CLI lets you configure most forwarding parameters without having to edit configuration files. It does not give you full access to all forwarding parameters, and you must edit configuration files in those cases.
When you make configuration changes with the CLI, the universal forwarder writes the configuration files. This prevents typos and other mistakes that can occur when you edit configuration files directly.
The forwarder writes configurations for forwarding data to outputs.conf in $SPLUNK_HOME/etc/system/local/).
Examples for using the CLI to configure a universal forwarder
Following are example procedures on how to configure a universal forwarder to connect to a receiving indexer.

===Configure the universal forwarder to connect to a receiving indexer===

From a shell or command prompt on the forwarder, run the command:
*'''./splunk add forward-server <host name or ip address>:<listening port>'''

For example, to connect to the receiving indexer with the hostname idx.mycompany.com and that host listens on port 9997 for forwarders, type in:
*'''./splunk add forward-server idx1.mycompany.com:9997'''

===Configure the universal forwarder to connect to a deployment server===

From a shell or command prompt on the forwarder, run the command:
*'''./splunk set deploy-poll <host name or ip address>:<management port>'''

For example, if you want to connect to the deployment server with the hostname ds1.mycompany.com on the default management port of 8089, type in:
*'''./splunk set deploy-poll ds1.mycompany.com:8089'''

===Configure a data input on the forwarder===
Determine what data you want to collect.
*From a shell or command prompt on the forwarder, run the command that enables that data input. For example, to monitor the /var/log directory on the host with the universal forwarder installed, type in:
'''./splunk add monitor /var/log'''
*The forwarder asks you to authenticate and begins monitoring the specified directory immediately after you log in.
'''Restart''' the universal forwarder
Some configuration changes might require that you restart the forwarder.

To restart the universal forwarder, use the same CLI restart command that you use to restart a full Splunk Enterprise instance:

On Windows: Go to %SPLUNK_HOME%\bin and run this command:
*'''splunk restart'''

On *nix systems: From a shell prompt on the host, go to $SPLUNK_HOME/bin, and run this command:
*'''./splunk restart'''
===Configure forwarding with outputs.conf===
The '''outputs.conf''' file defines how forwarders send data to receivers. You can specify some output configurations at installation time (Windows universal forwarders only) or the CLI, but most advanced configuration settings require that you edit '''outputs.conf'''.
The topics that describe various forwarding topologies, such as load balancing and intermediate forwarding, provide detailed examples on configuring outputs.conf to support those topologies.
Although outputs.conf is a required file for configuring forwarders, it addresses only the outputs from the forwarder, where you want the forwarder to send the data it collects. To specify the data that you want to collect from the forwarder, you must separately configure the inputs, as you would for any Splunk instance.
===Edit outputs.conf to configure forwarding===
This procedure details the steps you must take to edit the default '''outputs.conf''' which is in $SPLUNK_HOME/etc/system/local.

#On the host that forwards that data that you want to collect, open a shell or command prompt or PowerShell window.
#Go to the configuration directory for the forwarder.
Unix
*cd $SPLUNK_HOME/etc/system/local
Windows
*cd %SPLUNK_HOME%\etc\system\local
#Open outputs.conf for editing with a text editor.
Unix
*vi outputs.conf
Windows
*notepad outputs.conf
Edit outputs.conf. Add a minimum of at least one forwarding target group or a single receiving host.
#Save the outputs.conf file and close it.
#Restart the universal forwarder to complete your changes.
Unix
*cd $SPLUNK_HOME/bin
*./splunk restart
Windows
*cd %SPLUNK_HOME%\bin
*.\splunk restart

===TL;DR===

==Install Splunk==

#Run the dpkg command to install Splunk Light into the default directory.

pkg -i splunk_package_name.deb

You cannot install the DEB package into another directory.

#Start Splunk.

./splunk start --accept-license

==Configure the universal forwarder to connect to a deployment server==

#For Forwarder, from a shell or command prompt on the forwarder, run the command:

./splunk set deploy-poll <host name or ip address>:<management port>

#Configure a data input on the forwarder

./splunk add monitor /var/log

#Restart the universal forwarder
./splunk restart

==Configure your inputs==

#Edit inputs.conf

Ex.
# The following configuration directs Splunk to listen on TCP port 9995 for raw data from 10.1.1.10.
# All data is assigned the host "webhead-1", the sourcetype "access_common" and the
# the source "//10.1.1.10/var/log/apache/access.log".

[tcp://10.1.1.10:9995]
host = webhead-1
sourcetype = access_common
source = //10.1.1.10/var/log/apache/access.log

More examples and info.
http://docs.splunk.com/Documentation/Splunk/6.5.1/admin/Inputsconf
https://docs.splunk.com/Documentation/Splunk/6.5.1/Data/Monitorfilesanddirectorieswithinputs.conf

==Splunk Web==

#Login to Splunk Web

The Splunk Web interface is at http://localhost:8000

#Enter credentsials
<pre>
username: admin
password: changeme
</pre>

==References==

{{reflist|30em}}

Splunk

2017-01-05T08:25:12Z

Itaal:

==== Splunk ====

[[File:Splunk.jpg]]<ref>[http://www.slideshare.net/Splunk/getting-started-with-splunk-enterprise-56028566 ]</ref>

Splunk<ref>[http://docs.splunk.com/Documentation/Splunk/6.5.1/Installation/Whatsinthismanual Splunk Enterprise Installation Manual]</ref> is a powerful log database that can be used for analysis of any sort of log data through its easy to use search engine. Security logs, Syslog, Web server logs and Windows logs are just the beginning. One of the great features of Splunk is that you can feed pretty much any log into it and start searching.
Splunk is not open source, it is commercial however it does have a Free option that allows up to 500mb of data to be added into the system per day. For larger volume than 500mb per day the licensing costs start to add up. Splunk installation under Ubuntu is so easy, you can fire up an instance to do ad-hoc analysis of static log
=== Why splunk ? ===
Their features site says it - to Collect and Index All Log Files while having very flexible data input choises. Good example of use is for Mashine Learning.
https://www.splunk.com/en_us/products/splunk-light/features.html
===Open Source Splunk Alternative ===
If you are interesting in a purely Open Source log search engine, take a look at Greylog2.
=== About Splunk Free===
Splunk Free is the totally free version of Splunk. The Free license lets you index up to 500 MB per day and will never expire.
The 500 MB limit refers to the amount of new data you can add (we call this indexing) per day. But you can keep adding data every day, storing as much as you want. For example, you could add 500 MB of data per day and eventually have 10 TB of data in Splunk Enterprise.

If you need more than 500 MB/day, you'll need to purchase an Enterprise license. See How Splunk licensing works for more information about licensing.
Splunk Free regulates your license usage by tracking license violations. If you go over 500 MB/day more than 3 times in a 30 day period, Splunk Free continues to index your data, but disables search functionality until you are back down to 3 or fewer warnings in the 30 day period.
=== Is Splunk Free for you? ===
Splunk Free is designed for personal, ad hoc search and visualization of IT data. You can use Splunk Free for ongoing indexing of small volumes (<500 MB/day) of data. Additionally, you can use it for short-term bulk-loading and analysis of larger data sets
Splunk Free lets you bulk-load much larger data sets up to 3 times within a 30 day period. This can be useful for forensic review of large data sets.
=== What is included with Splunk Free? ===
Splunk Free is a single-user product. All Splunk Enterprise features are supported, with the following exceptions:
*Distributed search configurations (including search head clustering) are not available.
*Forwarding in TCP/HTTP formats is not available. This means you can forward data to other Splunk platform instances, but not to non-Splunk software.
*Deployment management capabilities are not available.
*Alerting (monitoring) is not available.
*Indexer clustering is not available.
*Report acceleration summaries are not available.
*While a Splunk Free instance can be used as a forwarder (to a Splunk Enterprise indexer) it cannot be the client of a deployment server.
*There is no authentication or user and role management when using Splunk Free. This means:
*There is no login. The command line or browser can access and control all aspects of Splunk Free with no user/password prompt.
*All accesses are treated as equivalent to the admin user. There is only one role (admin), and it is not configurable. You cannot add more roles or create user accounts.
*Searches are run against all public indexes, 'index=*'.
*Restrictions on search, such as user quotas, maximum per-search time ranges, and search filters, are not supported.
*The capability system is disabled. All available capabilities are enabled for all users accessing Splunk Free.

=== Ways you can configure Splunk software ===
Splunk software maintains its configuration information in a set of configuration files. You can configure Splunk by using any (or all!) of these methods:
*Use Splunk Web.
*Use Splunk's Command Line Interface (CLI) commands.
*Edit Splunk's configuration files directly.
*Use App setup screens that use the Splunk REST API to update configurations.
All of these methods change the contents of the underlying configuration files. You may find different methods handy in different situations.
===Use Splunk Web===
You can perform most common configuration tasks in Splunk Web. Splunk Web runs by default on port 8000 of the host on which it is installed:
If you're running Splunk on your local machine, the URL to access Splunk Web is http://localhost:8000.
If you're running Splunk on a remote machine, the URL to access Splunk Web is http://<hostname>:8000, where <hostname> is the name of the machine Splunk is running on.
Administration menus can be found under Settings in the Splunk Web menu bar.
===Edit configuration files===
Most of Splunk's configuration information is stored in .conf files. These files are located under your Splunk installation directory (usually referred to in the documentation as $SPLUNK_HOME) under /etc/system. In most cases you can copy these files to a local directory and make changes to these files with your preferred text editor.
===Use Splunk CLI===
Many configuration options are available via the CLI. These options are documented in the CLI chapter in this manual. You can also get CLI help reference with the help command while Splunk is running:
'''./splunk help'''

=== Feed Splunk Data and Search!===
Start getting data in the system and then you can search on that data. Data can be input from simple files for some one off analysis, it can read known log files or can listen on a port similar to a syslog server. It is very flexible, for example running it on a TCP port you could even use netcat to pipe a file over the network into Splunk server, or have a syslog server forward some of its logs to the Splunk instance. This would leave you with your existing syslog infrastructure intact for archival purposes but you also have the Splunk instance for easy analysis.
Now you are up to the point where it depends on your network and requirements, so think about how you are going to use it, feed it some data and start searching for stuff. The stuff could be configuration issues, errors, utilization trends or security events. If you want to do some easy testing, just grab a web server log file or other log and feed it in directly with the a file or directory option.

===Configure the universal forwarder===
Before a forwarder can forward data, it must have a configuration. A configuration:
*Tells the forwarder what data to send.
*Tells it where to send the data.

Because the universal forwarder does not have Splunk Web, you must give the forwarder a configuration either during the installation (on Windows systems only) or later, as a separate step. To perform post-installation configuration, you can:
*Use the CLI. The CLI lets you do nearly all configuration in a small number of steps, but does not give you full access to the feature set of the forwarder.
*Create or modify configuration files on the forwarder directly.
*Use a deployment server. The deployment server can ease distribution of configurations, but does not make a forwarder forward data by itself. You must use the deployment server to deliver configurations to the forwarders so that they collect the data you want and send it to the place you want.

=== About configuring the universal forwarder with configuration files ===
Configuration files are text files that the universal forwarder reads when it starts up or when you reload a configuration. Forwarders must read configuration files to know where to get and send data. These files give you full access to the forwarder feature set, but editing configuration files can be difficult or mistake-prone at times.
Key configuration files are:
*'''inputs.conf''' controls how the forwarder collects data.
*'''outputs.conf''' controls how the forwarder sends data to an indexer or other forwarder.
*'''server.conf''' for connection and performance tuning.
*'''deploymentclient.conf''' for connecting to a deployment server.
You make changes to configuration files by editing them with a text editor. You can use any editor that you want as long as it can write files in ASCII/UTF-8 format.
The forwarder works with configurations for forwarding data in outputs.conf in $SPLUNK_HOME/etc/system/local/). See Configure forwarding with outputs.conf.
The universal forwarder has a SplunkUniversalForwarder app, which includes preconfigured settings that let the forwarder run in a streamlined mode. Do not edit any configuration files within that app unless you receive specific instructions.
===Best practices for deploying configuration updates across universal forwarders===
You can use the following methods to deploy configuration updates across your set of universal forwarders:
*Edit or copy the configuration files for each universal forwarder manually (This is only useful for small deployments.)
*Use the Splunk deployment server to push configured apps to your set of universal forwarders.
*Use your own deployment tools (puppet or Chef on *nix or System Center Configuration Manager on Windows) to push configuration changes.
=== Configure the universal forwarder from the CLI ===
The CLI lets you configure most forwarding parameters without having to edit configuration files. It does not give you full access to all forwarding parameters, and you must edit configuration files in those cases.
When you make configuration changes with the CLI, the universal forwarder writes the configuration files. This prevents typos and other mistakes that can occur when you edit configuration files directly.
The forwarder writes configurations for forwarding data to outputs.conf in $SPLUNK_HOME/etc/system/local/).
Examples for using the CLI to configure a universal forwarder
Following are example procedures on how to configure a universal forwarder to connect to a receiving indexer.

===Configure the universal forwarder to connect to a receiving indexer===

From a shell or command prompt on the forwarder, run the command:
*'''./splunk add forward-server <host name or ip address>:<listening port>'''

For example, to connect to the receiving indexer with the hostname idx.mycompany.com and that host listens on port 9997 for forwarders, type in:
*'''./splunk add forward-server idx1.mycompany.com:9997'''

===Configure the universal forwarder to connect to a deployment server===

From a shell or command prompt on the forwarder, run the command:
*'''./splunk set deploy-poll <host name or ip address>:<management port>'''

For example, if you want to connect to the deployment server with the hostname ds1.mycompany.com on the default management port of 8089, type in:
*'''./splunk set deploy-poll ds1.mycompany.com:8089'''

===Configure a data input on the forwarder===
Determine what data you want to collect.
*From a shell or command prompt on the forwarder, run the command that enables that data input. For example, to monitor the /var/log directory on the host with the universal forwarder installed, type in:
'''./splunk add monitor /var/log'''
*The forwarder asks you to authenticate and begins monitoring the specified directory immediately after you log in.
'''Restart''' the universal forwarder
Some configuration changes might require that you restart the forwarder.

To restart the universal forwarder, use the same CLI restart command that you use to restart a full Splunk Enterprise instance:

On Windows: Go to %SPLUNK_HOME%\bin and run this command:
*'''splunk restart'''

On *nix systems: From a shell prompt on the host, go to $SPLUNK_HOME/bin, and run this command:
*'''./splunk restart'''
===Configure forwarding with outputs.conf===
The '''outputs.conf''' file defines how forwarders send data to receivers. You can specify some output configurations at installation time (Windows universal forwarders only) or the CLI, but most advanced configuration settings require that you edit '''outputs.conf'''.
The topics that describe various forwarding topologies, such as load balancing and intermediate forwarding, provide detailed examples on configuring outputs.conf to support those topologies.
Although outputs.conf is a required file for configuring forwarders, it addresses only the outputs from the forwarder, where you want the forwarder to send the data it collects. To specify the data that you want to collect from the forwarder, you must separately configure the inputs, as you would for any Splunk instance.
===Edit outputs.conf to configure forwarding===
This procedure details the steps you must take to edit the default '''outputs.conf''' which is in $SPLUNK_HOME/etc/system/local.

#On the host that forwards that data that you want to collect, open a shell or command prompt or PowerShell window.
#Go to the configuration directory for the forwarder.
Unix
*cd $SPLUNK_HOME/etc/system/local
Windows
*cd %SPLUNK_HOME%\etc\system\local
#Open outputs.conf for editing with a text editor.
Unix
*vi outputs.conf
Windows
*notepad outputs.conf
Edit outputs.conf. Add a minimum of at least one forwarding target group or a single receiving host.
#Save the outputs.conf file and close it.
#Restart the universal forwarder to complete your changes.
Unix
*cd $SPLUNK_HOME/bin
*./splunk restart
Windows
*cd %SPLUNK_HOME%\bin
*.\splunk restart

===TL;DR===

==Install Splunk==

#Run the dpkg command to install Splunk Light into the default directory.

pkg -i splunk_package_name.deb

You cannot install the DEB package into another directory.

#Start Splunk.

./splunk start --accept-license

==Configure the universal forwarder to connect to a deployment server==

#For Forwarder, from a shell or command prompt on the forwarder, run the command:

./splunk set deploy-poll <host name or ip address>:<management port>

#Configure a data input on the forwarder

./splunk add monitor /var/log

#Restart the universal forwarder
./splunk restart

==Configure your inputs==

#Edit inputs.conf

Ex.
# The following configuration directs Splunk to listen on TCP port 9995 for raw data from 10.1.1.10.
# All data is assigned the host "webhead-1", the sourcetype "access_common" and the
# the source "//10.1.1.10/var/log/apache/access.log".

[tcp://10.1.1.10:9995]
host = webhead-1
sourcetype = access_common
source = //10.1.1.10/var/log/apache/access.log

More examples and info.
http://docs.splunk.com/Documentation/Splunk/6.5.1/admin/Inputsconf
https://docs.splunk.com/Documentation/Splunk/6.5.1/Data/Monitorfilesanddirectorieswithinputs.conf

==Splunk Web==

#Login to Splunk Web

The Splunk Web interface is at http://localhost:8000

#Enter credentsials
<pre>
username: admin
password: changeme
</pre>

==References==

{{reflist|30em}}

Install Icinga2 on Ubuntu 16.04

2017-01-04T10:42:00Z

Itaal:

Author: Etienne Barrier

Last modified: 17.11.2016

==Preliminary notes==
This tutorial shows how to install Icinga 2 on Ubuntu 16.04 LTS, using PostgreSQL (as for database) and Apache 2 (as for webserver).

This tutorial does NOT show:
* how to install Icinga version 1
* how to install/configure databses other than PostgreSQL (for example MySQL, MariaDB, etc.)
* how to install/configure webservers other than Apache2 (for example Nginx)
* how to use Icinga2

It is assumed that you are already familiar with the basics of Linux command line terminal commands. But this tutorial is made so that you can copy paste the commands to your terminal.

Versions used in this tutorial:
* Icinga 2 (version: r2.5.4-1)
* Ubuntu 16.04.1 LTS (Xenial)
* PostgreSQL (version: 9.5.2)
* Apache 2 (version: 2.4.18)
* Php (version 7.0)

Depending on the versions you use, the commands and/or the path shown in this tutorial might be different.

All commands in this tutorial are made as root. You must be root or be able to use "sudo" command to install and configure Icinga.

The version of Icinga used (version 2) is referred sometimes as “Icinga” or “Icinga 2” accross the tutorial.

This tutorial is based on the following tutorials:
*[http://docs.icinga.org/icinga2/latest/doc/module/icinga2/chapter/getting-started Official Icinga 2 documentation]
*[https://github.com/Icinga/icingaweb2/blob/master/doc/02-Installation.md Official Icinga Web 2 installation documentation]
*[http://linoxide.com/ubuntu-how-to/install-icinga2-ubuntu-16-04 Linoxide "how to"]
*[https://lowendbox.com/blog/server-monitoring-with-icinga-2-part-1-the-server-ubuntu-host Lowendbox blog post]

For any comments, please write to ebarrier{at]itcollege[dot)ee.

==What is Icinga?==
Icinga 2 is an open source monitoring system which checks the availability of your network resources, notifies users of outages, and generates performance data for reporting.<ref>[http://docs.icinga.org/icinga2/latest/doc/module/icinga2/toc#!/icinga2/latest/doc/module/icinga2/chapter/about-icinga2#what-is-icinga2] Icinga2 official documentation</ref>

Icinga started as a Nagios fork and did quite well, mostly considering Icinga Web which was better than Nagios’ web interface. Icinga 2 is a complete rewrite and even adds a fancy new (optional) web interface which is responsive and customizable. On top of that, the communication between the monitoring server and the nodes it monitors has become more secure as NRPE has been ditched (it’s still available, just not prefered).<ref>[https://lowendbox.com/blog/server-monitoring-with-icinga-2-part-1-the-server-ubuntu-host] "Lowendbox" blog article about Icinga 2</ref>

Icinga is made of two parts - Icinga 2 and Icinga Web 2. The first one is the core of the software and the second is a web interface.

==Install Icinga 2 core==
Add Icinga's repository to the package management configuration.

<code>$ add-apt-repository ppa:formorer/icinga</code>

<code>$ apt update</code>

Install Icinga 2 package.

<code>$ apt install icinga2</code>

Check that Icinga is up and running

<code>$ service icinga2 status</code>

If it is not running, start it.

<code>$ service icinga2 start</code>

Make sure Icinga will start automatically on startup.

<code>$ systemctl enable icinga2.service</code>

==Install plugins==
===Nagios plugins===
To be able to check external services, Icinga needs monitoring plugins to know about them and to make sure they work properly. Available monitoring plugins are available on the [https://www.monitoring-plugins.org Monitoring Plugins Project website].

We install the main set of plugins that come from [https://www.nagios.org Nagios] monitoring solution.

''Note that Icinga service runs as user and group called "Nagios" (for historical reasons).''

<code>$ apt install nagios-plugins</code>

===Vim and Nano configuration syntax highlighting===
Icinga provides packages to highlight its configuration files using Nano and Vim utilities.

The package for Nano is included by default when installinIcinga2.

For Vim, do:

<pre>
$ apt install vim-icinga2 vim-addon-manager</code>
$ vim-addon-manager -w install icinga2
</pre>

==Install Apache web server==
Install Apache 2. Apache is a web server system that allows to access Icinga web interface.

<code>$ apt install apache2</code>

Apply a firewall rule to accept incoming tcp packets with destination port 80 (http). You may ignore this point if you have your own set of rules that you manage.

<pre>
$ iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
$ iptables-save
</pre>

==Install Icinga Web 2==
To install Icinga Web 2 package,add its repository to the package management system.

For other Ubuntu versions than Xenial, just replace “xenial” below with the desired distribution's code name (see the [http://packages.icinga.org/ubuntu packages list]).
<pre>
$ wget -O - http://packages.icinga.org/icinga.key | apt-key add -
$ add-apt-repository 'deb http://packages.icinga.org/ubuntu icinga-xenial main'
$ apt update
</pre>

Install Icinga Web 2.

<code>$ apt install icingaweb2</code>

==Install and configure PostgreSQL databases==
Icinga needs two databases to work: one main to store monitoring information (DB IDO: Database Icinga Data Output) and one to store Icinga users and groups information for its web interface.
We will install both of them manually.

===Install PostgreSQL===
Install PostgreSQL database system.

<code>$ apt install postgresql</code>

===Install IDO module for PostgreSQL===
Install Icinga IDO module for PostgreSQL.
It installs files and directories to enable the export and storage of monitoring information into a database.
We will install the database manually in our tutorial.

<code>$ apt install icinga2-ido-pgsql</code>

A wizard will start.

Say "'''No'''" to enable the IDO module for PostgreSQL, we do it manually later.

The wizard proposes to create and configure the database with "dbconfig-common". Choose “'''No'''” because we will do it manually (see below).

===Create Icinga users database===
Create the users database for Icinga.

First go to the /tmp directory because that is the default unix socket location for PostgreSQL.

<code>$ cd /tmp</code>

Create a role (similar to a user) for the database. The database will require to login and we choose a password. You can choose a different role name ("icingaweb") and a different password ("icingawebpass") than what is given as an example below. ''Remember them for later!''

<code>$ sudo -u postgres psql -c "CREATE ROLE icingaweb WITH LOGIN PASSWORD 'icingawebpass'"</code>

Create the database (“icingawebdb”) and we assign its owner as being “icingaweb” (created earlier) with UTF8 encoding.

<code>$ sudo -u postgres createdb -O icingaweb -E UTF8 icingawebdb</code>

===Create IDO database===
Create the main database for Icinga.

Make sure you are in the /tmp directory (default unix socket location for PostgreSQL).

<code>$ cd /tmp</code>

Create a role (similar to a user) for the database.

The database will require to login and we choose a password.

You can choose a different role name ("icingaido") and a different password ("icingaidopass") than what is given as an example below.

''Remember them for later!''

<code>$ sudo -u postgres psql -c "CREATE ROLE icingaido WITH LOGIN PASSWORD 'icingaidopass'"</code>

Create the database (“icingaidodb”) and we assign its owner as being “icingaido” (created earlier) with UTF8 encoding.

<code>$ sudo -u postgres createdb -O icingaido -E UTF8 icingaidodb</code>

Edit the file ''/etc/icinga2/features-available/ido-mysql.conf'' and insert the values you have chosen for the IDO database.

<pre>
object IdoMysqlConnection "ido-mysql" {
user = "icingaido",
password = "icingaidopass",
host = "localhost",
database = "icingaidodb"
}
</pre>

===Configure databases authentication===
PostgreSQL handles authentication to databases from a file which states which users can connect to which database using certain methods.
Previously we have created a roles and databases. We must tell PostgreSQL how these databases can be accessed and by whom.

Edit the pg_hba.conf in ''/etc/postgresql/*/main/pg_hba.conf'' and add the roles and databases we defined earlier user with md5 authentication method.
'md5' means that the user needs to authenticate with a password to access the database.

<pre>
# TYPE DATABASE USER ADDRESS METHOD
#icinga
local icingaidodb icingaido md5
host icingaidodb icingaido 127.0.0.1/32 md5
host icingaidodb icingaido ::1/128 md5

local icingawebdb icingaweb md5
host icingawebdb icingaweb 127.0.0.1/32 md5
host icingawebdb icingaweb ::1/128 md5
</pre>

Restart PostgreSQL

<code>$ service postgresql restart</code>

===Import database schemas===
So far Icinga can access both databases, but they are empty (not a single table, index, function).

Import the respective schemas for each of them.

'''''Import the web database schema'''''

This will populate the web database with tables and indexes,...
The password we setup for this role will be asked.

<source lang="bash">
$ psql -U icingaweb -d icingawebdb < /usr/share/icingaweb2/etc/schema/pgsql.schema.sql
</source>

<pre>
Password for user icingaweb:
</pre>

A list of statements such as “CREATE TABLE”, “CREATE INDEX” appears.

'''''Import the IDO database schema'''''

This will populate the IDO database with tables, indexes,...

<pre>
$ psql -U icingaido -d icingaidodb < /usr/share/icinga2-ido-pgsql/schema/pgsql.sql
Password for user icingaido:
</pre>

A long list of statements such as “CREATE FUNCTION”, “CREATE TABLE”, “CREATE INDEX” appears.

==Enable Icinga features==
Enable Icinga IDO for PostgreSQL and 'command' modules and restart Icinga.

<pre>
$ icinga2 feature enable ido-pgsql command
$ service icinga2 restart
</pre>

Check that ido-pgsql and command modules are enabled.

<code>$ icinga2 feature list</code>

By default the command module file is owned by the group "nagios" with read/write permissions. Add Apache user ("www-data") to the group "nagios" to enable sending commands to Icinga 2 through the web interface.

<code>$ usermod -a -G nagios www-data</code>

==Set up the web interface==
Open a browser and go to http://[server_ip]/icingaweb2/setup.

1. First is the welcome page asking to insert a token.

To get a token, do in your terminal <code>$ icingacli setup token create</code> and insert it on the page.

''Note: in case you need to see the token again, do <code>$ icingacli setup token show</code>.''

[[File:Icinga2 01 token.png|border|1000px|center]]

2. Choose the modules to install for Icinga Web 2.

For a normal usage, we suggest “Doc” and “Monitoring” modules.

[[File:Icinga2 02 modules.png|border|1000px|center]]

3. Icinga checks that all the requirements it needs are met. You may have some missing, in that case, you must fix them. We are not going to detail how to fix all of them but two that are likely to be missing.

[[File:Icinga2 03 modules incomplete.png|border|1000px|center]]

; '''“The PHP config ‘date.timezone’ is not defined”'''

:The page already guides you how to fix the Default TimeZone.

:Go to /etc/php/7.0/apache2/php.ini file, uncomment and set the line '''date.timezone =''' with your time zone.

:For example <code>date.timezone = Europe/Tallinn</code> (see the [http://php.net/manual/en/timezones.php list of php time zones]).

; '''“The PHP module PDO-PostgreSQL is missing”'''

:Install the missing module.<code>$ apt install php-pgsql</code>

:In /etc/php/7.0/apache2/php.ini, add these lines to enable the extension/module
<pre>
extension=pdo_pgsql.so
extension=pgsql.so
</pre>

Restart the web server to apply the new configuration

<code>$ service apache2 restart</code>

Click the button “Refresh” at the bottom of the page to check the the requirements are now met.

[[File:Icinga2 04 modules complete.png|border|1000px|center]]

4. Choose “Database” for authentication unless you specifically want to authenticate using LDAP or another way.

[[File:Icinga2 05 authentication.png|border|1000px|center]]

5. Enter the credentials that we set up for users and groups database, and check that the configuration is correct by clicking on “Validate configuration”.

[[File:Icinga2 06 database resource.png|border|1000px|center]]

6. Use the default backend name “icingaweb2”.

[[File:Icinga2 07 authentication backend.png|border|1000px|center]]

7. Choose the credentials that will be asked when you will log into Icinga’s web interface to access the monitoring dashboard.

'''Remember these credentials!''' (for point 16 below).

[[File:Icinga2 08 administration.png|border|1000px|center]]

8. Leave the default application and logging configuration unless you know what you are doing.

[[File:Icinga2 09 application configuration.png|border|1000px|center]]

9. Check that the configuration is correct and continue.

[[File:Icinga2 10 summary.png|border|1000px|center]]

10. You arrive to the configuration of the monitoring module.

[[File:Icinga2 11 monitoring welcome.png|border|1000px|center]]

11. Leave the defaults values for the monitoring backend ("IDO").

[[File:Icinga2 12 monitoring backend.png|border|1000px|center]]

12. Insert values you chose for the IDO database and check that the configuration is correct by clicking on “Validate configuration”.

''The values are also in the file /etc/icinga2/features-enabled/ido-pgsql.conf.''

[[File:Icinga2 13 monitoring IDO resource.png|border|1000px|center]]

13. Leave the defaults values for the command transport.

[[File:Icinga2 14 command transport.png|border|1000px|center]]

14. Leave the defaults values for the monitoring security.

[[File:Icinga2 15 monitoring security.png|border|1000px|center]]

15. Check that the configuration is correct and finish.

[[File:Icinga2 16 monitoring summary.png|border|1000px|center]]

[[File:Icinga2 17 congratulations.png|border|1000px|center]]

16. Login to Icinga 2 using the credentials on point 7.

[[File:Icinga2 18 login.png|border|300px|center]]

==Add nodes to Icinga 2==

===The server node===

In order to be able to add hosts securely, we have to go to the server and run the following command:

<pre>$ sudo icinga2 node wizard</pre>

This will start a wizard which will first ask you whether this is a satellite setup or not. Since this is the server or master you have to say ‘No’ here, to input an ‘n’:

Please specify if this is a satellite setup (‘n’ installs a master setup) [Y/n]: n

It then starts generating keys are certificates required for secured TLS communication. In addition to that, it adds these to the configuration, plus it ensures this server is listed as the master:

<pre>information/base: Writing private key to ‘/var/lib/icinga2/ca/ca.key’.
information/base: Writing X509 certificate to ‘/var/lib/icinga2/ca/ca.crt’.
information/cli: Initializing serial file in ‘/var/lib/icinga2/ca/serial.txt’.
information/cli: Generating new CSR in ‘/etc/icinga2/pki/icinga-server.csr’.
information/base: Writing private key to ‘/etc/icinga2/pki/icinga-server.key’.
information/base: Writing certificate signing request to ‘/etc/icinga2/pki/icinga-server.csr’.
information/base: Writing private key to ‘/etc/icinga2/pki/icinga-server.key’.
information/base: Writing certificate signing request to ‘/etc/icinga2/pki/icinga-server.csr’.
information/cli: Signing CSR with CA and writing certificate to ‘/etc/icinga2/pki/icinga-server.crt’.
information/cli: Copying CA certificate to ‘/etc/icinga2/pki/ca.crt’.
information/cli: Dumping config items to file ‘/etc/icinga2/zones.conf’.
information/cli: Created backup file ‘/etc/icinga2/zones.conf.orig’.</pre>

It then asks you for the host and port for the API. We have no reason to change these, so leave these empty:

<pre>Please specify the API bind host/port (optional):
Bind Host []:
Bind Port []:</pre>

It then finalizes setting up this server as a master my editing some more configuration files:

<pre>information/cli: Enabling the APIlistener feature.
Enabling feature api. Make sure to restart Icinga 2 for these changes to take effect.
information/cli: Created backup file ‘/etc/icinga2/features-available/api.conf.orig’.
information/cli: Updating constants.conf.
information/cli: Created backup file ‘/etc/icinga2/constants.conf.orig’.
information/cli: Updating constants file ‘/etc/icinga2/constants.conf’.
information/cli: Updating constants file ‘/etc/icinga2/constants.conf’.
Done.</pre>

Now restart your Icinga 2 daemon to finish the installation!

With that done, restart Icinga 2 in order to use the new settings:

<pre>$ sudo service icinga2 restart</pre>

And the master is good for now. Let’s move on to the host node!

===The host node===

On the host node, we’re first going to have to ensure the Icinga 2 repository is present:

<pre>$ add-apt-repository ppa:formorer/icinga</pre>

Press ENTER when it asks you to.

Note: If this command gives you an error, run ‘sudo apt-get install software-properties-common’ to get the ‘add-apt-repository’ command!

Once the repository has been added, update apt:

<pre>$ sudo apt-get update</pre>

And install Icinga 2:

<pre>$ sudo apt-get install icinga2</pre>

With that out of the way, we can initiate the same wizard as we did on the master:

<pre>$ sudo icinga2 node wizard</pre>

This time we answer ‘Yes’ when it asks us if this is a satellite setup by just hitting ENTER:

<pre>Please specify if this is a satellite setup (‘n’ installs a master setup) [Y/n]:</pre>

After which is starts a different wizard:

<pre>Starting the Node setup routine…
Please specifiy the common name (CN) [icinga-node]:
Please specifiy the local zone name [icinga-node]:</pre>

It asks you for the common name and the local zone name for this server. These default to the system’s hostname in fully qualified domain name format. These master uses the common name to connect to the server and the local zone name to identify it in configuration files. I just let these be.

It then goes on to ask you about your master node:

<pre>Please specify the master endpoint(s) this node should connect to:
Master Common Name (CN from your master setup): icinga-server
Do you want to establish a connection to the master from this node? [Y/n]:</pre>

Please enter the Common Name of your master node (in my case ‘icinga-server’). This is usually the hostname unless you’ve changed it. Then press ENTER when asked if you want to establish a connection to the master from this node. This triggers the next question:

<pre>Please fill out the master connection information:
Master endpoint host (Your master’s IP address or FQDN): icinga-server
Master endpoint port [5665]:
Add more master endpoints? [y/N]:</pre>

Enter the master’s IP address or Fully Qualified Domain Name (FQDN) here and accept the default port. Also press ENTER in order to not add more endpoints: we’re just working with one master right now.

Then it’s on to the connection for CSR auto-signing, the bit of magic that makes setting up a secure connection a bit easier for you:

<pre>Please specify the master connection for CSR auto-signing (defaults to master endpoint host):
Host [icinga-server]:
Port [5665]:</pre>

Accept the defaults here as well, because the master we have entered before is also our server for CSR auto-signing.

After this, Icinga 2 is going to save some configuration on the host node and start the setup of a secure connection. As part of this process the master is contacted:

<pre>information/base: Writing private key to ‘/etc/icinga2/pki/icinga-node.key’.
information/base: Writing X509 certificate to ‘/etc/icinga2/pki/icinga-node.crt’.
information/cli: Generating self-signed certifiate:
information/cli: Fetching public certificate from master (icinga-server, 5665):

information/cli: Writing trusted certificate to file ‘/etc/icinga2/pki/trusted-master.crt’.
information/cli: Stored trusted master certificate in ‘/etc/icinga2/pki/trusted-master.crt’.</pre>

The certificate that has been set up needs to be signed in order to prove that you’re actually in command of both servers and approve of this secure communication:

<pre>Please specify the request ticket generated on your Icinga 2 master.
(Hint: # icinga2 pki ticket –cn ‘icinga-node’):</pre>

This means you need to run the following command on the master:

<pre>$ sudo icinga2 pki ticket –cn ‘icinga-node’</pre>

And copy the output from that command, which looks like ‘ff84267fca3b0b29c4c88d94706c76f4247cac34’ to the host node.

<pre>information/cli: Processing self-signed certificate request. Ticket ‘ff84267fca3b0b29c4c88d94706c76f4247cac34’.

information/cli: Created backup file ‘/etc/icinga2/pki/icinga-node.crt.orig’.
information/cli: Writing signed certificate to file ‘/etc/icinga2/pki/icinga-node.crt’.
information/cli: Writing CA certificate to file ‘/etc/icinga2/pki/ca.crt’.</pre>

With all certificates signed and in place, we’re asked about the API again:

<pre>Please specify the API bind host/port (optional):
Bind Host []:
Bind Port []:</pre>

Just like at the master, we’re not going to touch these here.

The wizard now asks you whether to accept the configuration and commands from the master:

<pre>Accept config from master? [y/N]: y
Accept commands from master? [y/N]: y</pre>

Select ‘Yes’ for both. Unfortunately, the Icinga 2 documentation is a bit fuzzy on this part. There are several ways to setup up a client, for example with a local configuration or as an execution bridge. I’m aiming for the latter of the two here: the master is in control and sends commands, the host node just executes them and returns the results. This is closest to what NRPE does and should keep all the data on the master.

With this done, everything is being put in place to make this work:

<pre>information/cli: Disabling the Notification feature.
Disabling feature notification. Make sure to restart Icinga 2 for these changes to take effect.
information/cli: Enabling the Apilistener feature.
Enabling feature api. Make sure to restart Icinga 2 for these changes to take effect.
information/cli: Created backup file ‘/etc/icinga2/features-available/api.conf.orig’.
information/cli: Generating local zones.conf.
information/cli: Dumping config items to file ‘/etc/icinga2/zones.conf’.
information/cli: Created backup file ‘/etc/icinga2/zones.conf.orig’.
information/cli: Updating constants.conf.
information/cli: Created backup file ‘/etc/icinga2/constants.conf.orig’.
information/cli: Updating constants file ‘/etc/icinga2/constants.conf’.
information/cli: Updating constants file ‘/etc/icinga2/constants.conf’.
Done.

Now restart your Icinga 2 daemon to finish the installation!
</pre>
After which you need to restart Icinga 2 on the host node:

<pre>$ sudo service icinga2 restart</pre>

And it’s back to the master.
Back to the server node (the master)

With the host node set up properly, only a few things remain on the master to be set up. First of all, we want to list the nodes on the master to see if our new host node is in there:

<pre>$ sudo icinga2 node list</pre>

The output should include the node you’ve just added.

Then, we update the configuration on the master so the host node is being included in checks, or in other words is being added to the master:

<pre>$ sudo icinga2 node update-config</pre>

If it did not work first time try changing permission of icinga2 directory to 755 ( with -R ).

The only thing that remains right now is to reload Icinga 2:

<pre>$ sudo service icinga2 reload</pre>

==Summary from the author==
The installation is really difficult.

Although the official documentation is well written and gives detailed commands for different distributions and databases, it lacks crucial explanations to understand to the user what it is being done.

Here are a few problems we encountered:
# The installation documentation for [http://docs.icinga.org/icinga2/latest/doc/module/icinga2/chapter/getting-started Icinga 2] and [https://github.com/Icinga/icingaweb2/blob/master/doc/02-Installation.md Official Icinga Web 2] are not at the same place and are not consistent in their format and style.
# Icinga2 IDO package has a wizard to create and configure the IDO database (which non-experienced users will probably follow), but it is not absolutely clear in the documentation that if you follow the wizard, you do not need to create the IDO database manually afterwards.
# If you follow the wizard, the IDO database name and user will have default values. The user will only have to choose the password. But when the user arrives to web interface where he must enter the credentials of this database, there is no indication that he can find them in a configuration file.
# According to Icinga documentation, the users database can be created automatically by the web interface at the end of the procedure. But experience showed that it never worked (errors occur). The user is left with the documentation that does not explain how to create this users database manually (which we took a long time to figure out).
# In case of problem during installation, a user who is not familiar with his database system will have trouble debugging. The web interface does not provide useful solutions.

I would not recommend Icinga with the experience I have, unless you follow this guide.

==References==
{{reflist|30em}}

Splunk

2017-01-03T07:22:23Z

Itaal:

==== Splunk ====

[[File:Splunk.jpg]]

Splunk is a powerful log database that can be used for analysis of any sort of log data through its easy to use search engine. Security logs, Syslog, Web server logs and Windows logs are just the beginning. One of the great features of Splunk is that you can feed pretty much any log into it and start searching.
Splunk is not open source, it is commercial however it does have a Free option that allows up to 500mb of data to be added into the system per day. For larger volume than 500mb per day the licensing costs start to add up. Splunk installation under Ubuntu is so easy, you can fire up an instance to do ad-hoc analysis of static log
=== Why splunk ? ===
Their features site says it - to Collect and Index All Log Files while having very flexible data input choises. Good example of use is for Mashine Learning.
https://www.splunk.com/en_us/products/splunk-light/features.html
===Open Source Splunk Alternative ===
If you are interesting in a purely Open Source log search engine, take a look at Greylog2.
=== About Splunk Free===
Splunk Free is the totally free version of Splunk. The Free license lets you index up to 500 MB per day and will never expire.
The 500 MB limit refers to the amount of new data you can add (we call this indexing) per day. But you can keep adding data every day, storing as much as you want. For example, you could add 500 MB of data per day and eventually have 10 TB of data in Splunk Enterprise.

If you need more than 500 MB/day, you'll need to purchase an Enterprise license. See How Splunk licensing works for more information about licensing.
Splunk Free regulates your license usage by tracking license violations. If you go over 500 MB/day more than 3 times in a 30 day period, Splunk Free continues to index your data, but disables search functionality until you are back down to 3 or fewer warnings in the 30 day period.
=== Is Splunk Free for you? ===
Splunk Free is designed for personal, ad hoc search and visualization of IT data. You can use Splunk Free for ongoing indexing of small volumes (<500 MB/day) of data. Additionally, you can use it for short-term bulk-loading and analysis of larger data sets
Splunk Free lets you bulk-load much larger data sets up to 3 times within a 30 day period. This can be useful for forensic review of large data sets.
=== What is included with Splunk Free? ===
Splunk Free is a single-user product. All Splunk Enterprise features are supported, with the following exceptions:
*Distributed search configurations (including search head clustering) are not available.
*Forwarding in TCP/HTTP formats is not available. This means you can forward data to other Splunk platform instances, but not to non-Splunk software.
*Deployment management capabilities are not available.
*Alerting (monitoring) is not available.
*Indexer clustering is not available.
*Report acceleration summaries are not available.
*While a Splunk Free instance can be used as a forwarder (to a Splunk Enterprise indexer) it cannot be the client of a deployment server.
*There is no authentication or user and role management when using Splunk Free. This means:
*There is no login. The command line or browser can access and control all aspects of Splunk Free with no user/password prompt.
*All accesses are treated as equivalent to the admin user. There is only one role (admin), and it is not configurable. You cannot add more roles or create user accounts.
*Searches are run against all public indexes, 'index=*'.
*Restrictions on search, such as user quotas, maximum per-search time ranges, and search filters, are not supported.
*The capability system is disabled. All available capabilities are enabled for all users accessing Splunk Free.

=== Ways you can configure Splunk software ===
Splunk software maintains its configuration information in a set of configuration files. You can configure Splunk by using any (or all!) of these methods:
*Use Splunk Web.
*Use Splunk's Command Line Interface (CLI) commands.
*Edit Splunk's configuration files directly.
*Use App setup screens that use the Splunk REST API to update configurations.
All of these methods change the contents of the underlying configuration files. You may find different methods handy in different situations.
===Use Splunk Web===
You can perform most common configuration tasks in Splunk Web. Splunk Web runs by default on port 8000 of the host on which it is installed:
If you're running Splunk on your local machine, the URL to access Splunk Web is http://localhost:8000.
If you're running Splunk on a remote machine, the URL to access Splunk Web is http://<hostname>:8000, where <hostname> is the name of the machine Splunk is running on.
Administration menus can be found under Settings in the Splunk Web menu bar.
===Edit configuration files===
Most of Splunk's configuration information is stored in .conf files. These files are located under your Splunk installation directory (usually referred to in the documentation as $SPLUNK_HOME) under /etc/system. In most cases you can copy these files to a local directory and make changes to these files with your preferred text editor.
===Use Splunk CLI===
Many configuration options are available via the CLI. These options are documented in the CLI chapter in this manual. You can also get CLI help reference with the help command while Splunk is running:
'''./splunk help'''

=== Feed Splunk Data and Search!===
Start getting data in the system and then you can search on that data. Data can be input from simple files for some one off analysis, it can read known log files or can listen on a port similar to a syslog server. It is very flexible, for example running it on a TCP port you could even use netcat to pipe a file over the network into Splunk server, or have a syslog server forward some of its logs to the Splunk instance. This would leave you with your existing syslog infrastructure intact for archival purposes but you also have the Splunk instance for easy analysis.
Now you are up to the point where it depends on your network and requirements, so think about how you are going to use it, feed it some data and start searching for stuff. The stuff could be configuration issues, errors, utilization trends or security events. If you want to do some easy testing, just grab a web server log file or other log and feed it in directly with the a file or directory option.

===Configure the universal forwarder===
Before a forwarder can forward data, it must have a configuration. A configuration:
*Tells the forwarder what data to send.
*Tells it where to send the data.

Because the universal forwarder does not have Splunk Web, you must give the forwarder a configuration either during the installation (on Windows systems only) or later, as a separate step. To perform post-installation configuration, you can:
*Use the CLI. The CLI lets you do nearly all configuration in a small number of steps, but does not give you full access to the feature set of the forwarder.
*Create or modify configuration files on the forwarder directly.
*Use a deployment server. The deployment server can ease distribution of configurations, but does not make a forwarder forward data by itself. You must use the deployment server to deliver configurations to the forwarders so that they collect the data you want and send it to the place you want.

=== About configuring the universal forwarder with configuration files ===
Configuration files are text files that the universal forwarder reads when it starts up or when you reload a configuration. Forwarders must read configuration files to know where to get and send data. These files give you full access to the forwarder feature set, but editing configuration files can be difficult or mistake-prone at times.
Key configuration files are:
*'''inputs.conf''' controls how the forwarder collects data.
*'''outputs.conf''' controls how the forwarder sends data to an indexer or other forwarder.
*'''server.conf''' for connection and performance tuning.
*'''deploymentclient.conf''' for connecting to a deployment server.
You make changes to configuration files by editing them with a text editor. You can use any editor that you want as long as it can write files in ASCII/UTF-8 format.
The forwarder works with configurations for forwarding data in outputs.conf in $SPLUNK_HOME/etc/system/local/). See Configure forwarding with outputs.conf.
The universal forwarder has a SplunkUniversalForwarder app, which includes preconfigured settings that let the forwarder run in a streamlined mode. Do not edit any configuration files within that app unless you receive specific instructions.
===Best practices for deploying configuration updates across universal forwarders===
You can use the following methods to deploy configuration updates across your set of universal forwarders:
*Edit or copy the configuration files for each universal forwarder manually (This is only useful for small deployments.)
*Use the Splunk deployment server to push configured apps to your set of universal forwarders.
*Use your own deployment tools (puppet or Chef on *nix or System Center Configuration Manager on Windows) to push configuration changes.
=== Configure the universal forwarder from the CLI ===
The CLI lets you configure most forwarding parameters without having to edit configuration files. It does not give you full access to all forwarding parameters, and you must edit configuration files in those cases.
When you make configuration changes with the CLI, the universal forwarder writes the configuration files. This prevents typos and other mistakes that can occur when you edit configuration files directly.
The forwarder writes configurations for forwarding data to outputs.conf in $SPLUNK_HOME/etc/system/local/).
Examples for using the CLI to configure a universal forwarder
Following are example procedures on how to configure a universal forwarder to connect to a receiving indexer.

===Configure the universal forwarder to connect to a receiving indexer===

From a shell or command prompt on the forwarder, run the command:
*'''./splunk add forward-server <host name or ip address>:<listening port>'''

For example, to connect to the receiving indexer with the hostname idx.mycompany.com and that host listens on port 9997 for forwarders, type in:
*'''./splunk add forward-server idx1.mycompany.com:9997'''

===Configure the universal forwarder to connect to a deployment server===

From a shell or command prompt on the forwarder, run the command:
*'''./splunk set deploy-poll <host name or ip address>:<management port>'''

For example, if you want to connect to the deployment server with the hostname ds1.mycompany.com on the default management port of 8089, type in:
*'''./splunk set deploy-poll ds1.mycompany.com:8089'''

===Configure a data input on the forwarder===
Determine what data you want to collect.
*From a shell or command prompt on the forwarder, run the command that enables that data input. For example, to monitor the /var/log directory on the host with the universal forwarder installed, type in:
'''./splunk add monitor /var/log'''
*The forwarder asks you to authenticate and begins monitoring the specified directory immediately after you log in.
'''Restart''' the universal forwarder
Some configuration changes might require that you restart the forwarder.

To restart the universal forwarder, use the same CLI restart command that you use to restart a full Splunk Enterprise instance:

On Windows: Go to %SPLUNK_HOME%\bin and run this command:
*'''splunk restart'''

On *nix systems: From a shell prompt on the host, go to $SPLUNK_HOME/bin, and run this command:
*'''./splunk restart'''
===Configure forwarding with outputs.conf===
The '''outputs.conf''' file defines how forwarders send data to receivers. You can specify some output configurations at installation time (Windows universal forwarders only) or the CLI, but most advanced configuration settings require that you edit '''outputs.conf'''.
The topics that describe various forwarding topologies, such as load balancing and intermediate forwarding, provide detailed examples on configuring outputs.conf to support those topologies.
Although outputs.conf is a required file for configuring forwarders, it addresses only the outputs from the forwarder, where you want the forwarder to send the data it collects. To specify the data that you want to collect from the forwarder, you must separately configure the inputs, as you would for any Splunk instance.
===Edit outputs.conf to configure forwarding===
This procedure details the steps you must take to edit the default '''outputs.conf''' which is in $SPLUNK_HOME/etc/system/local.

#On the host that forwards that data that you want to collect, open a shell or command prompt or PowerShell window.
#Go to the configuration directory for the forwarder.
Unix
*cd $SPLUNK_HOME/etc/system/local
Windows
*cd %SPLUNK_HOME%\etc\system\local
#Open outputs.conf for editing with a text editor.
Unix
*vi outputs.conf
Windows
*notepad outputs.conf
Edit outputs.conf. Add a minimum of at least one forwarding target group or a single receiving host.
#Save the outputs.conf file and close it.
#Restart the universal forwarder to complete your changes.
Unix
*cd $SPLUNK_HOME/bin
*./splunk restart
Windows
*cd %SPLUNK_HOME%\bin
*.\splunk restart

===TL;DR===

==Install Splunk==

#Run the dpkg command to install Splunk Light into the default directory.

pkg -i splunk_package_name.deb

You cannot install the DEB package into another directory.

#Start Splunk.

./splunk start --accept-license

==Configure the universal forwarder to connect to a deployment server==

#For Forwarder, from a shell or command prompt on the forwarder, run the command:

./splunk set deploy-poll <host name or ip address>:<management port>

#Configure a data input on the forwarder

./splunk add monitor /var/log

#Restart the universal forwarder
./splunk restart

==Configure your inputs==

#Edit inputs.conf

Ex.
# The following configuration directs Splunk to listen on TCP port 9995 for raw data from 10.1.1.10.
# All data is assigned the host "webhead-1", the sourcetype "access_common" and the
# the source "//10.1.1.10/var/log/apache/access.log".

[tcp://10.1.1.10:9995]
host = webhead-1
sourcetype = access_common
source = //10.1.1.10/var/log/apache/access.log

More examples and info.
http://docs.splunk.com/Documentation/Splunk/6.5.1/admin/Inputsconf
https://docs.splunk.com/Documentation/Splunk/6.5.1/Data/Monitorfilesanddirectorieswithinputs.conf

==Splunk Web==

#Login to Splunk Web

The Splunk Web interface is at http://localhost:8000

#Enter credentsials

username: admin
password: changeme

Splunk

2017-01-02T15:14:25Z

Itaal:

==== Splunk ====

[[File:Splunk.jpg]]

Splunk is a powerful log database that can be used for analysis of any sort of log data through its easy to use search engine. Security logs, Syslog, Web server logs and Windows logs are just the beginning. One of the great features of Splunk is that you can feed pretty much any log into it and start searching.
Splunk is not open source, it is commercial however it does have a Free option that allows up to 500mb of data to be added into the system per day. For larger volume than 500mb per day the licensing costs start to add up. Splunk installation under Ubuntu is so easy, you can fire up an instance to do ad-hoc analysis of static log
=== Why splunk ? ===
Their features site says it - to Collect and Index All Log Files while having very flexible data input choises. Good example of use is for Mashine Learning.
https://www.splunk.com/en_us/products/splunk-light/features.html
===Open Source Splunk Alternative ===
If you are interesting in a purely Open Source log search engine, take a look at Greylog2.
=== About Splunk Free===
Splunk Free is the totally free version of Splunk. The Free license lets you index up to 500 MB per day and will never expire.
The 500 MB limit refers to the amount of new data you can add (we call this indexing) per day. But you can keep adding data every day, storing as much as you want. For example, you could add 500 MB of data per day and eventually have 10 TB of data in Splunk Enterprise.

If you need more than 500 MB/day, you'll need to purchase an Enterprise license. See How Splunk licensing works for more information about licensing.
Splunk Free regulates your license usage by tracking license violations. If you go over 500 MB/day more than 3 times in a 30 day period, Splunk Free continues to index your data, but disables search functionality until you are back down to 3 or fewer warnings in the 30 day period.
=== Is Splunk Free for you? ===
Splunk Free is designed for personal, ad hoc search and visualization of IT data. You can use Splunk Free for ongoing indexing of small volumes (<500 MB/day) of data. Additionally, you can use it for short-term bulk-loading and analysis of larger data sets
Splunk Free lets you bulk-load much larger data sets up to 3 times within a 30 day period. This can be useful for forensic review of large data sets.
=== What is included with Splunk Free? ===
Splunk Free is a single-user product. All Splunk Enterprise features are supported, with the following exceptions:
*Distributed search configurations (including search head clustering) are not available.
*Forwarding in TCP/HTTP formats is not available. This means you can forward data to other Splunk platform instances, but not to non-Splunk software.
*Deployment management capabilities are not available.
*Alerting (monitoring) is not available.
*Indexer clustering is not available.
*Report acceleration summaries are not available.
*While a Splunk Free instance can be used as a forwarder (to a Splunk Enterprise indexer) it cannot be the client of a deployment server.
*There is no authentication or user and role management when using Splunk Free. This means:
*There is no login. The command line or browser can access and control all aspects of Splunk Free with no user/password prompt.
*All accesses are treated as equivalent to the admin user. There is only one role (admin), and it is not configurable. You cannot add more roles or create user accounts.
*Searches are run against all public indexes, 'index=*'.
*Restrictions on search, such as user quotas, maximum per-search time ranges, and search filters, are not supported.
*The capability system is disabled. All available capabilities are enabled for all users accessing Splunk Free.

=== Ways you can configure Splunk software ===
Splunk software maintains its configuration information in a set of configuration files. You can configure Splunk by using any (or all!) of these methods:
*Use Splunk Web.
*Use Splunk's Command Line Interface (CLI) commands.
*Edit Splunk's configuration files directly.
*Use App setup screens that use the Splunk REST API to update configurations.
*All of these methods change the contents of the underlying configuration files. You may find different methods handy in different situations.
===Use Splunk Web===
You can perform most common configuration tasks in Splunk Web. Splunk Web runs by default on port 8000 of the host on which it is installed:
If you're running Splunk on your local machine, the URL to access Splunk Web is http://localhost:8000.
If you're running Splunk on a remote machine, the URL to access Splunk Web is http://<hostname>:8000, where <hostname> is the name of the machine Splunk is running on.
Administration menus can be found under Settings in the Splunk Web menu bar. Most tasks in the Splunk documentation set are described for Splunk Web.
===Edit configuration files===
Most of Splunk's configuration information is stored in .conf files. These files are located under your Splunk installation directory (usually referred to in the documentation as $SPLUNK_HOME) under /etc/system. In most cases you can copy these files to a local directory and make changes to these files with your preferred text editor.
===Use Splunk CLI===
Many configuration options are available via the CLI. These options are documented in the CLI chapter in this manual. You can also get CLI help reference with the help command while Splunk is running:
./splunk help

=== Feed Splunk Data and Search!===
Start getting data in the system and then you can search on that data. Data can be input from simple files for some one off analysis, it can read known log files or can listen on a port similar to a syslog server. It is very flexible, for example running it on a TCP port you could even use netcat to pipe a file over the network into Splunk server, or have a syslog server forward some of its logs to the Splunk instance. This would leave you with your existing syslog infrastructure intact for archival purposes but you also have the Splunk instance for easy analysis.
Now you are up to the point where it depends on your network and requirements, so think about how you are going to use it, feed it some data and start searching for stuff. The stuff could be configuration issues, errors, utilization trends or security events. If you want to do some easy testing, just grab a web server log file or other log and feed it in directly with the a file or directory option.

===Configure the universal forwarder===
Before a forwarder can forward data, it must have a configuration. A configuration:
*Tells the forwarder what data to send.
*Tells it where to send the data.

Because the universal forwarder does not have Splunk Web, you must give the forwarder a configuration either during the installation (on Windows systems only) or later, as a separate step. To perform post-installation configuration, you can:
*Use the CLI. The CLI lets you do nearly all configuration in a small number of steps, but does not give you full access to the feature set of the forwarder.
*Create or modify configuration files on the forwarder directly.
*Use a deployment server. The deployment server can ease distribution of configurations, but does not make a forwarder forward data by itself. You must use the deployment server to deliver configurations to the forwarders so that they collect the data you want and send it to the place you want.

=== About configuring the universal forwarder with configuration files ===
Configuration files are text files that the universal forwarder reads when it starts up or when you reload a configuration. Forwarders must read configuration files to know where to get and send data. These files give you full access to the forwarder feature set, but editing configuration files can be difficult or mistake-prone at times. See "About configuration files" and "Configuration file precedence" in the Splunk Enterprise Admin manual, for details on how configuration files work.
Key configuration files are:
'''inputs.conf''' controls how the forwarder collects data.
'''outputs.conf''' controls how the forwarder sends data to an indexer or other forwarder.
'''server.conf''' for connection and performance tuning.
'''deploymentclient.conf''' for connecting to a deployment server.
You make changes to configuration files by editing them with a text editor. You can use any editor that you want as long as it can write files in ASCII/UTF-8 format.
The forwarder works with configurations for forwarding data in outputs.conf in $SPLUNK_HOME/etc/system/local/). See Configure forwarding with outputs.conf.
The universal forwarder has a SplunkUniversalForwarder app, which includes preconfigured settings that let the forwarder run in a streamlined mode. Do not edit any configuration files within that app unless you receive specific instructions.
===Best practices for deploying configuration updates across universal forwarders===
You can use the following methods to deploy configuration updates across your set of universal forwarders:
*Edit or copy the configuration files for each universal forwarder manually (This is only useful for small deployments.)
*Use the Splunk deployment server to push configured apps to your set of universal forwarders.
*Use your own deployment tools (puppet or Chef on *nix or System Center Configuration Manager on Windows) to push configuration changes.
=== Configure the universal forwarder from the CLI ===
The CLI lets you configure most forwarding parameters without having to edit configuration files. It does not give you full access to all forwarding parameters, and you must edit configuration files in those cases.
When you make configuration changes with the CLI, the universal forwarder writes the configuration files. This prevents typos and other mistakes that can occur when you edit configuration files directly.
The forwarder writes configurations for forwarding data to outputs.conf in $SPLUNK_HOME/etc/system/local/).
Examples for using the CLI to configure a universal forwarder
Following are example procedures on how to configure a universal forwarder to connect to a receiving indexer.
Configure the universal forwarder to connect to a receiving indexer
From a shell or command prompt on the forwarder, run the command:
'''./splunk add forward-server <host name or ip address>:<listening port>'''
For example, to connect to the receiving indexer with the hostname idx.mycompany.com and that host listens on port 9997 for forwarders, type in:
'''./splunk add forward-server idx1.mycompany.com:9997'''
Configure the universal forwarder to connect to a deployment server
From a shell or command prompt on the forwarder, run the command:
'''./splunk set deploy-poll <host name or ip address>:<management port>'''
For example, if you want to connect to the deployment server with the hostname ds1.mycompany.com on the default management port of 8089, type in:
'''./splunk set deploy-poll ds1.mycompany.com:8089'''
===Configure a data input on the forwarder===
The Splunk Enterprise Getting Data In manual has information on what data a universal forwarder can collect.
1. Determine what data you want to collect.
2. From a shell or command prompt on the forwarder, run the command that enables that data input. For example, to monitor the /var/log directory on the host with the universal forwarder installed, type in:
'''./splunk add monitor /var/log'''
The forwarder asks you to authenticate and begins monitoring the specified directory immediately after you log in.
'''Restart''' the universal forwarder
Some configuration changes might require that you restart the forwarder.
To restart the universal forwarder, use the same CLI restart command that you use to restart a full Splunk Enterprise instance:
On Windows: Go to %SPLUNK_HOME%\bin and run this command:
'''splunk restart'''
On *nix systems: From a shell prompt on the host, go to $SPLUNK_HOME/bin, and run this command:
'''./splunk restart'''
===Configure forwarding with outputs.conf===
The '''outputs.conf''' file defines how forwarders send data to receivers. You can specify some output configurations at installation time (Windows universal forwarders only) or the CLI, but most advanced configuration settings require that you edit '''outputs.conf'''.
The topics that describe various forwarding topologies, such as load balancing and intermediate forwarding, provide detailed examples on configuring outputs.conf to support those topologies.
Although outputs.conf is a required file for configuring forwarders, it addresses only the outputs from the forwarder, where you want the forwarder to send the data it collects. To specify the data that you want to collect from the forwarder, you must separately configure the inputs, as you would for any Splunk instance. See Add data and configure inputs in Getting Data In.
===Edit outputs.conf to configure forwarding===
This procedure details the steps you must take to edit the default '''outputs.conf''' which is in $SPLUNK_HOME/etc/system/local.

1. On the host that forwards that data that you want to collect, open a shell or command prompt or PowerShell window.
2. Go to the configuration directory for the forwarder.
Unix
cd $SPLUNK_HOME/etc/system/local
Windows
cd %SPLUNK_HOME%\etc\system\local
3. Open outputs.conf for editing with a text editor.
Unix
vi outputs.conf
Windows
notepad outputs.conf
4. Edit outputs.conf. Add a minimum of at least one forwarding target group or a single receiving host.
5. Save the outputs.conf file and close it.
6. Restart the universal forwarder to complete your changes.
Unix
cd $SPLUNK_HOME/bin
./splunk restart
Windows
cd %SPLUNK_HOME%\bin
.\splunk restart

File:Splunk.jpg

2017-01-02T15:13:25Z

Itaal:

Splunk

2017-01-02T15:12:28Z

Itaal:

==== Splunk ====

Splunk is a powerful log database that can be used for analysis of any sort of log data through its easy to use search engine. Security logs, Syslog, Web server logs and Windows logs are just the beginning. One of the great features of Splunk is that you can feed pretty much any log into it and start searching.
Splunk is not open source, it is commercial however it does have a Free option that allows up to 500mb of data to be added into the system per day. For larger volume than 500mb per day the licensing costs start to add up. Splunk installation under Ubuntu is so easy, you can fire up an instance to do ad-hoc analysis of static log
=== Why splunk ? ===
Their features site says it - to Collect and Index All Log Files while having very flexible data input choises. Good example of use is for Mashine Learning.
https://www.splunk.com/en_us/products/splunk-light/features.html
===Open Source Splunk Alternative ===
If you are interesting in a purely Open Source log search engine, take a look at Greylog2.
=== About Splunk Free===
Splunk Free is the totally free version of Splunk. The Free license lets you index up to 500 MB per day and will never expire.
The 500 MB limit refers to the amount of new data you can add (we call this indexing) per day. But you can keep adding data every day, storing as much as you want. For example, you could add 500 MB of data per day and eventually have 10 TB of data in Splunk Enterprise.

If you need more than 500 MB/day, you'll need to purchase an Enterprise license. See How Splunk licensing works for more information about licensing.
Splunk Free regulates your license usage by tracking license violations. If you go over 500 MB/day more than 3 times in a 30 day period, Splunk Free continues to index your data, but disables search functionality until you are back down to 3 or fewer warnings in the 30 day period.
=== Is Splunk Free for you? ===
Splunk Free is designed for personal, ad hoc search and visualization of IT data. You can use Splunk Free for ongoing indexing of small volumes (<500 MB/day) of data. Additionally, you can use it for short-term bulk-loading and analysis of larger data sets
Splunk Free lets you bulk-load much larger data sets up to 3 times within a 30 day period. This can be useful for forensic review of large data sets.
=== What is included with Splunk Free? ===
Splunk Free is a single-user product. All Splunk Enterprise features are supported, with the following exceptions:
*Distributed search configurations (including search head clustering) are not available.
*Forwarding in TCP/HTTP formats is not available. This means you can forward data to other Splunk platform instances, but not to non-Splunk software.
*Deployment management capabilities are not available.
*Alerting (monitoring) is not available.
*Indexer clustering is not available.
*Report acceleration summaries are not available.
*While a Splunk Free instance can be used as a forwarder (to a Splunk Enterprise indexer) it cannot be the client of a deployment server.
*There is no authentication or user and role management when using Splunk Free. This means:
*There is no login. The command line or browser can access and control all aspects of Splunk Free with no user/password prompt.
*All accesses are treated as equivalent to the admin user. There is only one role (admin), and it is not configurable. You cannot add more roles or create user accounts.
*Searches are run against all public indexes, 'index=*'.
*Restrictions on search, such as user quotas, maximum per-search time ranges, and search filters, are not supported.
*The capability system is disabled. All available capabilities are enabled for all users accessing Splunk Free.

=== Ways you can configure Splunk software ===
Splunk software maintains its configuration information in a set of configuration files. You can configure Splunk by using any (or all!) of these methods:
*Use Splunk Web.
*Use Splunk's Command Line Interface (CLI) commands.
*Edit Splunk's configuration files directly.
*Use App setup screens that use the Splunk REST API to update configurations.
*All of these methods change the contents of the underlying configuration files. You may find different methods handy in different situations.
===Use Splunk Web===
You can perform most common configuration tasks in Splunk Web. Splunk Web runs by default on port 8000 of the host on which it is installed:
If you're running Splunk on your local machine, the URL to access Splunk Web is http://localhost:8000.
If you're running Splunk on a remote machine, the URL to access Splunk Web is http://<hostname>:8000, where <hostname> is the name of the machine Splunk is running on.
Administration menus can be found under Settings in the Splunk Web menu bar. Most tasks in the Splunk documentation set are described for Splunk Web.
===Edit configuration files===
Most of Splunk's configuration information is stored in .conf files. These files are located under your Splunk installation directory (usually referred to in the documentation as $SPLUNK_HOME) under /etc/system. In most cases you can copy these files to a local directory and make changes to these files with your preferred text editor.
===Use Splunk CLI===
Many configuration options are available via the CLI. These options are documented in the CLI chapter in this manual. You can also get CLI help reference with the help command while Splunk is running:
./splunk help

=== Feed Splunk Data and Search!===
Start getting data in the system and then you can search on that data. Data can be input from simple files for some one off analysis, it can read known log files or can listen on a port similar to a syslog server. It is very flexible, for example running it on a TCP port you could even use netcat to pipe a file over the network into Splunk server, or have a syslog server forward some of its logs to the Splunk instance. This would leave you with your existing syslog infrastructure intact for archival purposes but you also have the Splunk instance for easy analysis.
Now you are up to the point where it depends on your network and requirements, so think about how you are going to use it, feed it some data and start searching for stuff. The stuff could be configuration issues, errors, utilization trends or security events. If you want to do some easy testing, just grab a web server log file or other log and feed it in directly with the a file or directory option.

===Configure the universal forwarder===
Before a forwarder can forward data, it must have a configuration. A configuration:
*Tells the forwarder what data to send.
*Tells it where to send the data.

Because the universal forwarder does not have Splunk Web, you must give the forwarder a configuration either during the installation (on Windows systems only) or later, as a separate step. To perform post-installation configuration, you can:
*Use the CLI. The CLI lets you do nearly all configuration in a small number of steps, but does not give you full access to the feature set of the forwarder.
*Create or modify configuration files on the forwarder directly.
*Use a deployment server. The deployment server can ease distribution of configurations, but does not make a forwarder forward data by itself. You must use the deployment server to deliver configurations to the forwarders so that they collect the data you want and send it to the place you want.

=== About configuring the universal forwarder with configuration files ===
Configuration files are text files that the universal forwarder reads when it starts up or when you reload a configuration. Forwarders must read configuration files to know where to get and send data. These files give you full access to the forwarder feature set, but editing configuration files can be difficult or mistake-prone at times. See "About configuration files" and "Configuration file precedence" in the Splunk Enterprise Admin manual, for details on how configuration files work.
Key configuration files are:
'''inputs.conf''' controls how the forwarder collects data.
'''outputs.conf''' controls how the forwarder sends data to an indexer or other forwarder.
'''server.conf''' for connection and performance tuning.
'''deploymentclient.conf''' for connecting to a deployment server.
You make changes to configuration files by editing them with a text editor. You can use any editor that you want as long as it can write files in ASCII/UTF-8 format.
The forwarder works with configurations for forwarding data in outputs.conf in $SPLUNK_HOME/etc/system/local/). See Configure forwarding with outputs.conf.
The universal forwarder has a SplunkUniversalForwarder app, which includes preconfigured settings that let the forwarder run in a streamlined mode. Do not edit any configuration files within that app unless you receive specific instructions.
===Best practices for deploying configuration updates across universal forwarders===
You can use the following methods to deploy configuration updates across your set of universal forwarders:
*Edit or copy the configuration files for each universal forwarder manually (This is only useful for small deployments.)
*Use the Splunk deployment server to push configured apps to your set of universal forwarders.
*Use your own deployment tools (puppet or Chef on *nix or System Center Configuration Manager on Windows) to push configuration changes.
=== Configure the universal forwarder from the CLI ===
The CLI lets you configure most forwarding parameters without having to edit configuration files. It does not give you full access to all forwarding parameters, and you must edit configuration files in those cases.
When you make configuration changes with the CLI, the universal forwarder writes the configuration files. This prevents typos and other mistakes that can occur when you edit configuration files directly.
The forwarder writes configurations for forwarding data to outputs.conf in $SPLUNK_HOME/etc/system/local/).
Examples for using the CLI to configure a universal forwarder
Following are example procedures on how to configure a universal forwarder to connect to a receiving indexer.
Configure the universal forwarder to connect to a receiving indexer
From a shell or command prompt on the forwarder, run the command:
'''./splunk add forward-server <host name or ip address>:<listening port>'''
For example, to connect to the receiving indexer with the hostname idx.mycompany.com and that host listens on port 9997 for forwarders, type in:
'''./splunk add forward-server idx1.mycompany.com:9997'''
Configure the universal forwarder to connect to a deployment server
From a shell or command prompt on the forwarder, run the command:
'''./splunk set deploy-poll <host name or ip address>:<management port>'''
For example, if you want to connect to the deployment server with the hostname ds1.mycompany.com on the default management port of 8089, type in:
'''./splunk set deploy-poll ds1.mycompany.com:8089'''
===Configure a data input on the forwarder===
The Splunk Enterprise Getting Data In manual has information on what data a universal forwarder can collect.
1. Determine what data you want to collect.
2. From a shell or command prompt on the forwarder, run the command that enables that data input. For example, to monitor the /var/log directory on the host with the universal forwarder installed, type in:
'''./splunk add monitor /var/log'''
The forwarder asks you to authenticate and begins monitoring the specified directory immediately after you log in.
'''Restart''' the universal forwarder
Some configuration changes might require that you restart the forwarder.
To restart the universal forwarder, use the same CLI restart command that you use to restart a full Splunk Enterprise instance:
On Windows: Go to %SPLUNK_HOME%\bin and run this command:
'''splunk restart'''
On *nix systems: From a shell prompt on the host, go to $SPLUNK_HOME/bin, and run this command:
'''./splunk restart'''
===Configure forwarding with outputs.conf===
The '''outputs.conf''' file defines how forwarders send data to receivers. You can specify some output configurations at installation time (Windows universal forwarders only) or the CLI, but most advanced configuration settings require that you edit '''outputs.conf'''.
The topics that describe various forwarding topologies, such as load balancing and intermediate forwarding, provide detailed examples on configuring outputs.conf to support those topologies.
Although outputs.conf is a required file for configuring forwarders, it addresses only the outputs from the forwarder, where you want the forwarder to send the data it collects. To specify the data that you want to collect from the forwarder, you must separately configure the inputs, as you would for any Splunk instance. See Add data and configure inputs in Getting Data In.
===Edit outputs.conf to configure forwarding===
This procedure details the steps you must take to edit the default '''outputs.conf''' which is in $SPLUNK_HOME/etc/system/local.

1. On the host that forwards that data that you want to collect, open a shell or command prompt or PowerShell window.
2. Go to the configuration directory for the forwarder.
Unix
cd $SPLUNK_HOME/etc/system/local
Windows
cd %SPLUNK_HOME%\etc\system\local
3. Open outputs.conf for editing with a text editor.
Unix
vi outputs.conf
Windows
notepad outputs.conf
4. Edit outputs.conf. Add a minimum of at least one forwarding target group or a single receiving host.
5. Save the outputs.conf file and close it.
6. Restart the universal forwarder to complete your changes.
Unix
cd $SPLUNK_HOME/bin
./splunk restart
Windows
cd %SPLUNK_HOME%\bin
.\splunk restart

Splunk

2017-01-02T14:45:50Z

Itaal: Created page with " ==== Splunk ==== Splunk is a powerful log database that can be used for analysis of any sort of log data through its easy to use search engine. Security logs, Syslog, Web..."

==== Splunk ====

Splunk is a powerful log database that can be used for analysis of any sort of log data through its easy to use search engine. Security logs, Syslog, Web server logs and Windows logs are just the beginning. One of the great features of Splunk is that you can feed pretty much any log into it and start searching.
Splunk is not open source, it is commercial however it does have a Free option that allows up to 500mb of data to be added into the system per day. For larger volume than 500mb per day the licensing costs start to add up. Splunk installation under Ubuntu is so easy, you can fire up an instance to do ad-hoc analysis of static log files.

=== Why splunk ? ====
Their features site says it - to Collect and Index All Log Files while having very flexible data input choises. Good example of use is for Mashine Learning.
https://www.splunk.com/en_us/products/splunk-light/features.html
Open Source Splunk Alternative
If you are interesting in a purely Open Source log search engine, take a look at Greylog2.
=== About Splunk Free===
Splunk Free is the totally free version of Splunk. The Free license lets you index up to 500 MB per day and will never expire.
The 500 MB limit refers to the amount of new data you can add (we call this indexing) per day. But you can keep adding data every day, storing as much as you want. For example, you could add 500 MB of data per day and eventually have 10 TB of data in Splunk Enterprise.
If you need more than 500 MB/day, you'll need to purchase an Enterprise license. See How Splunk licensing works for more information about licensing.
Splunk Free regulates your license usage by tracking license violations. If you go over 500 MB/day more than 3 times in a 30 day period, Splunk Free continues to index your data, but disables search functionality until you are back down to 3 or fewer warnings in the 30 day period.
=== Is Splunk Free for you? ===
Splunk Free is designed for personal, ad hoc search and visualization of IT data. You can use Splunk Free for ongoing indexing of small volumes (<500 MB/day) of data. Additionally, you can use it for short-term bulk-loading and analysis of larger data sets--Splunk Free lets you bulk-load much larger data sets up to 3 times within a 30 day period. This can be useful for forensic review of large data sets.
=== What is included with Splunk Free? ===
Splunk Free is a single-user product. All Splunk Enterprise features are supported, with the following exceptions:
*Distributed search configurations (including search head clustering) are not available.
*Forwarding in TCP/HTTP formats is not available. This means you can forward data to other Splunk platform instances, but not to non-Splunk software.
*Deployment management capabilities are not available.
*Alerting (monitoring) is not available.
*Indexer clustering is not available.
*Report acceleration summaries are not available.
*While a Splunk Free instance can be used as a forwarder (to a Splunk Enterprise indexer) it cannot be the client of a deployment server.
*There is no authentication or user and role management when using Splunk Free. This means:
*There is no login. The command line or browser can access and control all aspects of Splunk Free with no user/password prompt.
*All accesses are treated as equivalent to the admin user. There is only one role (admin), and it is not configurable. You cannot add more roles or create user accounts.
*Searches are run against all public indexes, 'index=*'.
*Restrictions on search, such as user quotas, maximum per-search time ranges, and search filters, are not supported.
*The capability system is disabled. All available capabilities are enabled for all users accessing Splunk Free.

=== Ways you can configure Splunk software ===
Splunk software maintains its configuration information in a set of configuration files. You can configure Splunk by using any (or all!) of these methods:
*Use Splunk Web.
*Use Splunk's Command Line Interface (CLI) commands.
*Edit Splunk's configuration files directly.
*Use App setup screens that use the Splunk REST API to update configurations.
*All of these methods change the contents of the underlying configuration files. You may find different methods handy in different situations.
==Use Splunk Web==
You can perform most common configuration tasks in Splunk Web. Splunk Web runs by default on port 8000 of the host on which it is installed:
If you're running Splunk on your local machine, the URL to access Splunk Web is http://localhost:8000.
If you're running Splunk on a remote machine, the URL to access Splunk Web is http://<hostname>:8000, where <hostname> is the name of the machine Splunk is running on.
Administration menus can be found under Settings in the Splunk Web menu bar. Most tasks in the Splunk documentation set are described for Splunk Web.
Edit configuration files
Most of Splunk's configuration information is stored in .conf files. These files are located under your Splunk installation directory (usually referred to in the documentation as $SPLUNK_HOME) under /etc/system. In most cases you can copy these files to a local directory and make changes to these files with your preferred text editor.
== Use Splunk CLI==
Many configuration options are available via the CLI. These options are documented in the CLI chapter in this manual. You can also get CLI help reference with the help command while Splunk is running:
./splunk help

=== Feed Splunk Data and Search!===
Start getting data in the system and then you can search on that data. Data can be input from simple files for some one off analysis, it can read known log files or can listen on a port similar to a syslog server. It is very flexible, for example running it on a TCP port you could even use netcat to pipe a file over the network into Splunk server, or have a syslog server forward some of its logs to the Splunk instance. This would leave you with your existing syslog infrastructure intact for archival purposes but you also have the Splunk instance for easy analysis.
Now you are up to the point where it depends on your network and requirements, so think about how you are going to use it, feed it some data and start searching for stuff. The stuff could be configuration issues, errors, utilization trends or security events. If you want to do some easy testing, just grab a web server log file or other log and feed it in directly with the a file or directory option.
Configure the universal forwarder
Before a forwarder can forward data, it must have a configuration. A configuration:
*Tells the forwarder what data to send.
*Tells it where to send the data.

Because the universal forwarder does not have Splunk Web, you must give the forwarder a configuration either during the installation (on Windows systems only) or later, as a separate step. To perform post-installation configuration, you can:
*Use the CLI. The CLI lets you do nearly all configuration in a small number of steps, but does not give you full access to the feature set of the forwarder.
*Create or modify configuration files on the forwarder directly.
*Use a deployment server. The deployment server can ease distribution of configurations, but does not make a forwarder forward data by itself. You must use the deployment server to deliver configurations to the forwarders so that they collect the data you want and send it to the place you want.

=== About configuring the universal forwarder with configuration files ===
Configuration files are text files that the universal forwarder reads when it starts up or when you reload a configuration. Forwarders must read configuration files to know where to get and send data. These files give you full access to the forwarder feature set, but editing configuration files can be difficult or mistake-prone at times. See "About configuration files" and "Configuration file precedence" in the Splunk Enterprise Admin manual, for details on how configuration files work.
Key configuration files are:
'''inputs.conf''' controls how the forwarder collects data.
'''outputs.conf''' controls how the forwarder sends data to an indexer or other forwarder.
'''server.conf''' for connection and performance tuning.
'''deploymentclient.conf''' for connecting to a deployment server.
You make changes to configuration files by editing them with a text editor. You can use any editor that you want as long as it can write files in ASCII/UTF-8 format.
The forwarder works with configurations for forwarding data in outputs.conf in $SPLUNK_HOME/etc/system/local/). See Configure forwarding with outputs.conf.
The universal forwarder has a SplunkUniversalForwarder app, which includes preconfigured settings that let the forwarder run in a streamlined mode. Do not edit any configuration files within that app unless you receive specific instructions.
Best practices for deploying configuration updates across universal forwarders
You can use the following methods to deploy configuration updates across your set of universal forwarders:
Edit or copy the configuration files for each universal forwarder manually (This is only useful for small deployments.)
Use the Splunk deployment server to push configured apps to your set of universal forwarders.
Use your own deployment tools (puppet or Chef on *nix or System Center Configuration Manager on Windows) to push configuration changes.
=== Configure the universal forwarder from the CLI ===
The CLI lets you configure most forwarding parameters without having to edit configuration files. It does not give you full access to all forwarding parameters, and you must edit configuration files in those cases.
When you make configuration changes with the CLI, the universal forwarder writes the configuration files. This prevents typos and other mistakes that can occur when you edit configuration files directly.
The forwarder writes configurations for forwarding data to outputs.conf in $SPLUNK_HOME/etc/system/local/). See Configure forwarding with outputs.conf, for information on outputs.conf.
Examples for using the CLI to configure a universal forwarder
Following are example procedures on how to configure a universal forwarder to connect to a receiving indexer.
Configure the universal forwarder to connect to a receiving indexer
From a shell or command prompt on the forwarder, run the command:
'''./splunk add forward-server <host name or ip address>:<listening port>'''
For example, to connect to the receiving indexer with the hostname idx.mycompany.com and that host listens on port 9997 for forwarders, type in:
'''./splunk add forward-server idx1.mycompany.com:9997'''
Configure the universal forwarder to connect to a deployment server
From a shell or command prompt on the forwarder, run the command:
'''./splunk set deploy-poll <host name or ip address>:<management port>'''
For example, if you want to connect to the deployment server with the hostname ds1.mycompany.com on the default management port of 8089, type in:
'''./splunk set deploy-poll ds1.mycompany.com:8089'''
Configure a data input on the forwarder

The Splunk Enterprise Getting Data In manual has information on what data a universal forwarder can collect.
1. Determine what data you want to collect.
2. From a shell or command prompt on the forwarder, run the command that enables that data input. For example, to monitor the /var/log directory on the host with the universal forwarder installed, type in:
'''./splunk add monitor /var/log'''
The forwarder asks you to authenticate and begins monitoring the specified directory immediately after you log in.
'''Restart''' the universal forwarder
Some configuration changes might require that you restart the forwarder.
To restart the universal forwarder, use the same CLI restart command that you use to restart a full Splunk Enterprise instance:
On Windows: Go to %SPLUNK_HOME%\bin and run this command:
'''splunk restart'''
On *nix systems: From a shell prompt on the host, go to $SPLUNK_HOME/bin, and run this command:
'''./splunk restart'''
Configure forwarding with outputs.conf
The '''outputs.conf''' file defines how forwarders send data to receivers. You can specify some output configurations at installation time (Windows universal forwarders only) or the CLI, but most advanced configuration settings require that you edit '''outputs.conf'''.
The topics that describe various forwarding topologies, such as load balancing and intermediate forwarding, provide detailed examples on configuring outputs.conf to support those topologies.
Although outputs.conf is a required file for configuring forwarders, it addresses only the outputs from the forwarder, where you want the forwarder to send the data it collects. To specify the data that you want to collect from the forwarder, you must separately configure the inputs, as you would for any Splunk instance. See Add data and configure inputs in Getting Data In.
Edit '''outputs.conf''' to configure forwarding
This procedure details the steps you must take to edit the default '''outputs.conf''' which is in $SPLUNK_HOME/etc/system/local. You might have to edit the file in other places, as sections in this topic explain. For an example of what an outputs.conf file looks like, see "Examples of outputs.conf" later in this topic.
1. On the host that forwards that data that you want to collect, open a shell or command prompt or PowerShell window.
2. Go to the configuration directory for the forwarder.
Unix
cd $SPLUNK_HOME/etc/system/local
Windows
cd %SPLUNK_HOME%\etc\system\local
3. Open outputs.conf for editing with a text editor.
Unix
vi outputs.conf
Windows
notepad outputs.conf
4. Edit outputs.conf. Add a minimum of at least one forwarding target group or a single receiving host.
5. Save the outputs.conf file and close it.
6. Restart the universal forwarder to complete your changes.
Unix
cd $SPLUNK_HOME/bin
./splunk restart
Windows
cd %SPLUNK_HOME%\bin
.\splunk restart

Radare2

2016-08-25T00:18:53Z

Itaal:

[[File:Radare2.jpg]]

'''Radare''' <nowiki>[1] is an open source and multi-platform framework for Reverse Engineering activities which supports assembly and disassembly many architectures and binary formats [2].
As any other reversing framework, Radare framework aims to recognize high level features on machine code, such as: data structures, functions and execution flows.
Radare has buildings for the most populars Operating Systems, such as: Microsoft Windows, Mac OS X, Linux, BSD, iPhone OS, Solaris and MeeGo.

Radare offers few options of interactive graphical interfaces, such as: Web, GTK (Python) and ASCII-Art graph. Another very useful characteristic due to its designing is the capacity to easily implement new architectures, binary formats and analyses [3][4]. Radare provides an open API and with many bindings for many programming languages, such as: Python, Java, Ruby, Go and Perl. Radare is also integrated with the most popular debuggers supporting local and remote debugging [5], such as: gdb, rap, webui, r2pipe, winedbg and windbg.
</nowiki>

The framework is essentially composed by 7 executables:

'''Radare2'''
It is the core of of the hexadecimal editor and debugger. It allows you to open a number of input/output sources as if they were simple, plain files, including disks, network connections, kernel drivers, processes under debugging, and so on.

Radare2 implements an advanced command line interface for moving around a file, analyzing data, disassembling, binary patching, data comparison, searching, replacing, visualizing. It can be scripted with a variety of languages, including Ruby, Python, Lua, and Perl.

'''Rabin2'''
It allows you to extract information from executable binaries, such as ELF, PE, Java CLASS, and Mach-O. rabin2 is used by the core to get exported symbols, imports, file information, cross references (xrefs), library dependencies, sections, etc.

'''Rasm2'''
It is a command line assembler and disassembler for multiple architectures (including Intel x86 and x86-64, MIPS, ARM, PowerPC, Java, and MSIL).

'''Rahash2'''
An implementation of a block-based hash tool. From small text strings to large disks, rahash2 supports multiple algorithms, including MD4, MD5, CRC16, CRC32, SHA1, SHA256, SHA384, SHA512, par, xor, xorpair, mod255, hamdist, or entropy. rahash2 can be used to check the integrity of, or track changes to, big files, memory dumps, and disks.

Radiff2
It is a binary diffing utility that implements multiple algorithms. It supports byte-level or delta diffing for binary files, and code-analysis diffing to find changes in basic code blocks obtained from the radare code analysis, or from the IDA analysis using the rsc idc2rdb script.

'''Rafind2'''
It is a program that allows you to find byte patterns in files.

'''Ragg2'''
A frontend for r_egg. ragg2 compiles programs written in a simple high-level language into tiny binaries for x86, x86-64, and ARM.

'''Rarun2'''
A launcher for running programs within different environments, with different arguments, permissions, directories, and overridden default file descriptors.

Rarun2 is useful for:

Crackmes
Fuzzing
Test suites

'''Rax2'''
A minimalistic mathematical expression evaluator for the shell that is useful for making base conversions between floating point values, hexadecimal representations, hexpair strings to ASCII, octal to integer, etc. It also supports endianness settings and can be used as an interactive shell if no arguments are given.

==Getting radare2==

You can get radare from the website, http://radare.org/, or the GitHub repository, https://github.com/radare/radare2.

Binary packages are available for a number of operating systems (Ubuntu, Maemo, Gentoo, Windows, iPhone, and so on). Yet, you are highly encouraged to get the source and compile it yourself to better understand the dependencies, to make examples more accessible and of course to have the most recent version.

A new stable release is typically published every month. Nightly tarballs are sometimes available at http://bin.rada.re/.

The radare development repository is often more stable than the 'stable' releases. To obtain the latest version:

$ git clone https://github.com/radare/radare2.git

==Install==

The easiest way to install radare2 from git is by running the following command:

<nowiki>$ sys/install.sh</nowiki>

If you want to install radare2 in the home directory without using root privileges and sudo, simply run:

--[[User:Itaal|itaal]] ([[User talk:Itaal|talk]]) 03:17, 25 August 2016 (EEST)$ sys/user.sh

==Basic Radare Usage==

To be allowed to write files, specify the -w option to radare when opening a file. The w command can be used to write strings, hexpairs (x subcommand), or even assembly opcodes (a subcommand). Examples:

<nowiki>> w hello world ; string
> wx 90 90 90 90 ; hexpairs
> wa jmp 0x8048140 ; assemble
> wf inline.bin ; write contents of file</nowiki>

Appending a '''?''' to a command will show its help message, for example, '''p?'''.

To enter visual mode, press V<enter>. Use q to quit visual mode and return to the prompt. In visual mode you can use HJKL keys to navigate (left, down, up, and right, respectively). You can use these keys in cursor mode toggled by c key. To select a byte range in cursor mode, hold down SHIFT key, and press navigation keys HJKL to mark your selection. While in visual mode, you can also overwrite bytes by pressing i. You can press TAB to switch between the hex (middle) and string (right) columns. Pressing q inside the hex panel returns you to visual mode.

==Basic Visual Debugger Session==

Radare is mostly command line usage debugger with additional possibility to use the most awesome visual memory representation to date. Makes you feel '''1337''' real fast.
A simpler method to use debugger in radare is to switch it to visual mode. That way you will not have to remember many commands nor to keep program state in your mind. To enter visual mode use V:

<nowiki>[0xB7F0C8C0]></nowiki> '''V'''

The initial view after entering visual mode is a hexdump view of current target program counter (e.g., EIP for x86). Pressing p will allow you to cycle through the rest of visual mode views. You can press '''p''' and '''P''' to rotate through the most commonly used print modes. Use '''F7''' or s to step into and '''F8''' or '''S''' to step over current instruction. With the c key you can toggle the cursor mode to mark a byte range selection (for example, to later overwrite them with nop). You can set breakpoints with '''F2''' key.

In visual mode you can enter regular radare commands by prepending them with ''':'''. For example, to dump a one block of memory contents at '''ESI: x @ esi'''

To get help on visual mode, press '''?'''. To scroll help screen, use arrows. To exit help view, press '''q'''.

A frequently used command is '''dr''', to read or write values of target's general purpose registers. You can also manipulate the hardware and extended/floating point registers.

==Challenge==

Use Radare2 to find out this programs function and crack it.

https://1drv.ms/u/s!APP7wJujw7BWrR0

Information to find out:
-Endian info
-Interpeter
-Arhitecture
-What system calls are made ?
Finally, crack the executable.

Hints:
PEheader
r2 automated analysis
r2 visual modes

==References==
<nowiki>[1] http://rada.re/r/
[2] https://en.wikipedia.org/wiki/Radare2#Supported_architectures.2Fformats
[3] https://github.com/radare/radare2/wiki/Implementing-a-new-architecture
[4] https://github.com/radare/radare2/wiki/Implementing-a-new-analysis-plugin
[5] http://solidsec.blogspot.de/2015/09/reversing-elf-binaries-remote-debugging.html</nowiki>

Radare2

2016-08-25T00:17:45Z

Itaal:

'''Radare''' <nowiki>[1] is an open source and multi-platform framework for Reverse Engineering activities which supports assembly and disassembly many architectures and binary formats [2].
As any other reversing framework, Radare framework aims to recognize high level features on machine code, such as: data structures, functions and execution flows.
Radare has buildings for the most populars Operating Systems, such as: Microsoft Windows, Mac OS X, Linux, BSD, iPhone OS, Solaris and MeeGo.

Radare offers few options of interactive graphical interfaces, such as: Web, GTK (Python) and ASCII-Art graph. Another very useful characteristic due to its designing is the capacity to easily implement new architectures, binary formats and analyses [3][4]. Radare provides an open API and with many bindings for many programming languages, such as: Python, Java, Ruby, Go and Perl. Radare is also integrated with the most popular debuggers supporting local and remote debugging [5], such as: gdb, rap, webui, r2pipe, winedbg and windbg.
</nowiki>

[[File:Radare2.jpg]]
The framework is essentially composed by 7 executables:

'''Radare2'''
It is the core of of the hexadecimal editor and debugger. It allows you to open a number of input/output sources as if they were simple, plain files, including disks, network connections, kernel drivers, processes under debugging, and so on.

Radare2 implements an advanced command line interface for moving around a file, analyzing data, disassembling, binary patching, data comparison, searching, replacing, visualizing. It can be scripted with a variety of languages, including Ruby, Python, Lua, and Perl.

'''Rabin2'''
It allows you to extract information from executable binaries, such as ELF, PE, Java CLASS, and Mach-O. rabin2 is used by the core to get exported symbols, imports, file information, cross references (xrefs), library dependencies, sections, etc.

'''Rasm2'''
It is a command line assembler and disassembler for multiple architectures (including Intel x86 and x86-64, MIPS, ARM, PowerPC, Java, and MSIL).

'''Rahash2'''
An implementation of a block-based hash tool. From small text strings to large disks, rahash2 supports multiple algorithms, including MD4, MD5, CRC16, CRC32, SHA1, SHA256, SHA384, SHA512, par, xor, xorpair, mod255, hamdist, or entropy. rahash2 can be used to check the integrity of, or track changes to, big files, memory dumps, and disks.

Radiff2
It is a binary diffing utility that implements multiple algorithms. It supports byte-level or delta diffing for binary files, and code-analysis diffing to find changes in basic code blocks obtained from the radare code analysis, or from the IDA analysis using the rsc idc2rdb script.

'''Rafind2'''
It is a program that allows you to find byte patterns in files.

'''Ragg2'''
A frontend for r_egg. ragg2 compiles programs written in a simple high-level language into tiny binaries for x86, x86-64, and ARM.

'''Rarun2'''
A launcher for running programs within different environments, with different arguments, permissions, directories, and overridden default file descriptors.

Rarun2 is useful for:

Crackmes
Fuzzing
Test suites

'''Rax2'''
A minimalistic mathematical expression evaluator for the shell that is useful for making base conversions between floating point values, hexadecimal representations, hexpair strings to ASCII, octal to integer, etc. It also supports endianness settings and can be used as an interactive shell if no arguments are given.

==Getting radare2==

You can get radare from the website, http://radare.org/, or the GitHub repository, https://github.com/radare/radare2.

Binary packages are available for a number of operating systems (Ubuntu, Maemo, Gentoo, Windows, iPhone, and so on). Yet, you are highly encouraged to get the source and compile it yourself to better understand the dependencies, to make examples more accessible and of course to have the most recent version.

A new stable release is typically published every month. Nightly tarballs are sometimes available at http://bin.rada.re/.

The radare development repository is often more stable than the 'stable' releases. To obtain the latest version:

$ git clone https://github.com/radare/radare2.git

==Install==

The easiest way to install radare2 from git is by running the following command:

<nowiki>$ sys/install.sh</nowiki>

If you want to install radare2 in the home directory without using root privileges and sudo, simply run:

--[[User:Itaal|itaal]] ([[User talk:Itaal|talk]]) 03:17, 25 August 2016 (EEST)$ sys/user.sh

==Basic Radare Usage==

To be allowed to write files, specify the -w option to radare when opening a file. The w command can be used to write strings, hexpairs (x subcommand), or even assembly opcodes (a subcommand). Examples:

<nowiki>> w hello world ; string
> wx 90 90 90 90 ; hexpairs
> wa jmp 0x8048140 ; assemble
> wf inline.bin ; write contents of file</nowiki>

Appending a '''?''' to a command will show its help message, for example, '''p?'''.

To enter visual mode, press V<enter>. Use q to quit visual mode and return to the prompt. In visual mode you can use HJKL keys to navigate (left, down, up, and right, respectively). You can use these keys in cursor mode toggled by c key. To select a byte range in cursor mode, hold down SHIFT key, and press navigation keys HJKL to mark your selection. While in visual mode, you can also overwrite bytes by pressing i. You can press TAB to switch between the hex (middle) and string (right) columns. Pressing q inside the hex panel returns you to visual mode.

==Basic Visual Debugger Session==

Radare is mostly command line usage debugger with additional possibility to use the most awesome visual memory representation to date. Makes you feel '''1337''' real fast.
A simpler method to use debugger in radare is to switch it to visual mode. That way you will not have to remember many commands nor to keep program state in your mind. To enter visual mode use V:

<nowiki>[0xB7F0C8C0]></nowiki> '''V'''

The initial view after entering visual mode is a hexdump view of current target program counter (e.g., EIP for x86). Pressing p will allow you to cycle through the rest of visual mode views. You can press '''p''' and '''P''' to rotate through the most commonly used print modes. Use '''F7''' or s to step into and '''F8''' or '''S''' to step over current instruction. With the c key you can toggle the cursor mode to mark a byte range selection (for example, to later overwrite them with nop). You can set breakpoints with '''F2''' key.

In visual mode you can enter regular radare commands by prepending them with ''':'''. For example, to dump a one block of memory contents at '''ESI: x @ esi'''

To get help on visual mode, press '''?'''. To scroll help screen, use arrows. To exit help view, press '''q'''.

A frequently used command is '''dr''', to read or write values of target's general purpose registers. You can also manipulate the hardware and extended/floating point registers.

==Challenge==

Use Radare2 to find out this programs function and crack it.

https://1drv.ms/u/s!APP7wJujw7BWrR0

Information to find out:
-Endian info
-Interpeter
-Arhitecture
-What system calls are made ?
Finally, crack the executable.

Hints:
PEheader
r2 automated analysis
r2 visual modes

==References==
<nowiki>[1] http://rada.re/r/
[2] https://en.wikipedia.org/wiki/Radare2#Supported_architectures.2Fformats
[3] https://github.com/radare/radare2/wiki/Implementing-a-new-architecture
[4] https://github.com/radare/radare2/wiki/Implementing-a-new-analysis-plugin
[5] http://solidsec.blogspot.de/2015/09/reversing-elf-binaries-remote-debugging.html</nowiki>

File:Radare2.jpg

2016-08-25T00:09:03Z

Itaal:

Radare2

2016-08-24T21:36:51Z

Itaal:

Radare2

2016-08-24T21:35:25Z

Itaal:

Radare [1] is an open source and multi-platform framework for Reverse Engineering activities which supports assembly and disassembly many architectures and binary formats [2].
As any other reversing framework, Radare framework aims to recognize high level features on machine code, such as: data structures, functions and execution flows.
Radare has buildings for the most populars Operating Systems, such as: Microsoft Windows, Mac OS X, Linux, BSD, iPhone OS, Solaris and MeeGo.

Radare offers few options of interactive graphical interfaces, such as: Web, GTK (Python) and ASCII-Art graph. Another very useful characteristic due to its designing is the capacity to easily implement new architectures, binary formats and analyses [3][4]. Radare provides an open API and with many bindings for many programming languages, such as: Python, Java, Ruby, Go and Perl. Radare is also integrated with the most popular debuggers supporting local and remote debugging [5], such as: gdb, rap, webui, r2pipe, winedbg and windbg.

The framework is essentially composed by 7 executables:
Radare2
It is the core of of the hexadecimal editor and debugger. It allows you to open a number of input/output sources as if they were simple, plain files, including disks, network connections, kernel drivers, processes under debugging, and so on.

Radare2 implements an advanced command line interface for moving around a file, analyzing data, disassembling, binary patching, data comparison, searching, replacing, visualizing. It can be scripted with a variety of languages, including Ruby, Python, Lua, and Perl.

Rabin2
It allows you to extract information from executable binaries, such as ELF, PE, Java CLASS, and Mach-O. rabin2 is used by the core to get exported symbols, imports, file information, cross references (xrefs), library dependencies, sections, etc.

Rasm2
It is a command line assembler and disassembler for multiple architectures (including Intel x86 and x86-64, MIPS, ARM, PowerPC, Java, and MSIL).

Rahash2
An implementation of a block-based hash tool. From small text strings to large disks, rahash2 supports multiple algorithms, including MD4, MD5, CRC16, CRC32, SHA1, SHA256, SHA384, SHA512, par, xor, xorpair, mod255, hamdist, or entropy. rahash2 can be used to check the integrity of, or track changes to, big files, memory dumps, and disks.

Radiff2
It is a binary diffing utility that implements multiple algorithms. It supports byte-level or delta diffing for binary files, and code-analysis diffing to find changes in basic code blocks obtained from the radare code analysis, or from the IDA analysis using the rsc idc2rdb script.

Rafind2
It is a program that allows you to find byte patterns in files.

Ragg2
A frontend for r_egg. ragg2 compiles programs written in a simple high-level language into tiny binaries for x86, x86-64, and ARM.

Radare2 - The Reverse Engineering Framework (Tool For Hackers)
9:33 AM HackingTools , SecurityTools
Radare2

Radare2 is a portable framework for reverse engineering and analyzing binaries. It is actually a rewrite from the scratch of radare -- a forensics tool.

(Download link is at the end of this article)

It consists of the following command-line utilities:

radare2

rabin2

rasm2

rahash2

radiff2

rafind2

ragg2

rarun2

rax2

Radare2
It is the core of of the hexadecimal editor and debugger. It allows you to open a number of input/output sources as if they were simple, plain files, including disks, network connections, kernel drivers, processes under debugging, and so on.

Radare2 implements an advanced command line interface for moving around a file, analyzing data, disassembling, binary patching, data comparison, searching, replacing, visualizing. It can be scripted with a variety of languages, including Ruby, Python, Lua, and Perl.

Rabin2
It allows you to extract information from executable binaries, such as ELF, PE, Java CLASS, and Mach-O. rabin2 is used by the core to get exported symbols, imports, file information, cross references (xrefs), library dependencies, sections, etc.

Rasm2
It is a command line assembler and disassembler for multiple architectures (including Intel x86 and x86-64, MIPS, ARM, PowerPC, Java, and MSIL).

Rahash2
An implementation of a block-based hash tool. From small text strings to large disks, rahash2 supports multiple algorithms, including MD4, MD5, CRC16, CRC32, SHA1, SHA256, SHA384, SHA512, par, xor, xorpair, mod255, hamdist, or entropy. rahash2 can be used to check the integrity of, or track changes to, big files, memory dumps, and disks.

Radiff2
It is a binary diffing utility that implements multiple algorithms. It supports byte-level or delta diffing for binary files, and code-analysis diffing to find changes in basic code blocks obtained from the radare code analysis, or from the IDA analysis using the rsc idc2rdb script.

Rafind2
It is a program that allows you to find byte patterns in files.

Ragg2
A frontend for r_egg. ragg2 compiles programs written in a simple high-level language into tiny binaries for x86, x86-64, and ARM.

Rarun2
A launcher for running programs within different environments, with different arguments, permissions, directories, and overridden default file descriptors.

Rarun2 is useful for:

Crackmes
Fuzzing
Test suites

Rax2
A minimalistic mathematical expression evaluator for the shell that is useful for making base conversions between floating point values, hexadecimal representations, hexpair strings to ASCII, octal to integer, etc. It also supports endianness settings and can be used as an interactive shell if no arguments are given.
==References==
[1] http://radare.org/
[2] https://en.wikipedia.org/wiki/Radare2#Supported_architectures.2Fformats
[3] https://github.com/radare/radare2/wiki/Implementing-a-new-architecture
[4] https://github.com/radare/radare2/wiki/Implementing-a-new-analysis-plugin
[5] http://solidsec.blogspot.de/2015/09/reversing-elf-binaries-remote-debugging.html

Radare2

2016-08-24T21:29:51Z

Itaal:

Radare2

2016-08-24T21:25:29Z

Itaal:

Radare2

2016-08-24T21:24:16Z

Itaal: /* = */

Radare2

2016-08-24T21:23:40Z

Itaal:

Radare2

2016-08-24T21:22:30Z

Itaal: Created page with " Radare [1] is an open source and multi-platform framework for Reverse Engineering activities which supports assembly and disassembly many architectures and binary formats [2]..."

Operating systems

2016-08-24T21:11:44Z

Itaal: /* Wiki article information */

Operating systems

2016-08-24T20:59:43Z

Itaal: /* Wiki article information */

Operating systems

2016-08-24T20:59:23Z

Itaal: /* Wiki article information */