# Quickstart Guide
This guide will enable you to quickly implement basic changes to your Splunk instance and set up a simple SC4S installation. It’s a great starting point for working with SC4S and establishing a minimal operational solution. The same steps are thoroughly described in the Splunk Setup and Runtime configuration sections.
# Splunk setup

- Create the following default indexes that are used by SC4S:

  - email
  - epav
  - fireeye
  - gitops
  - infraops
  - netauth
  - netdlp
  - netdns
  - netfw
  - netids
  - netops
  - netwaf
  - netproxy
  - netipam
  - oswinsec
  - osnix
  - _metrics (optional opt-in for SC4S operational metrics; ensure this is created as a metrics index)

- Create a HEC token for SC4S. When filling out the form for the token, leave the “Selected Indexes” pane blank and specify that a `lastChanceIndex` be created so that all data received by SC4S will have a target destination in Splunk.
# SC4S setup (using RHEL)

- Set the host OS kernel to match the default receiver buffer of SC4S, which is set to 16MB.

  a. Add the following to `/etc/sysctl.conf`:

  ```
  net.core.rmem_default = 17039360
  net.core.rmem_max = 17039360
  ```

  b. Apply to the kernel:

  ```
  sysctl -p
  ```
- Ensure the kernel is not dropping packets:

  ```
  netstat -su | grep "receive errors"
  ```

- Create the systemd unit file `/lib/systemd/system/sc4s.service`.

- Copy and paste from the SC4S sample unit file (Docker) or SC4S sample unit file (Podman).
- Install Podman or Docker:

  ```
  sudo yum -y install podman
  ```

  or

  ```
  sudo yum install docker-engine -y
  ```
- Create a Podman/Docker local volume that will contain the disk buffer files and other SC4S state files (choose one in the command below):

  ```
  sudo podman|docker volume create splunk-sc4s-var
  ```

- Create directories to be used as mount points for local overrides and configurations:

  ```
  mkdir /opt/sc4s/local
  mkdir /opt/sc4s/archive
  mkdir /opt/sc4s/tls
  ```

- Create the environment file `/opt/sc4s/env_file` and replace the HEC_URL and HEC_TOKEN as necessary:

  ```
  SC4S_DEST_SPLUNK_HEC_DEFAULT_URL=https://your.splunk.instance:8088
  SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  #Uncomment the following line if using untrusted SSL certificates
  #SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY=no
  ```
- Configure SC4S for systemd and start SC4S:

  ```
  sudo systemctl daemon-reload
  sudo systemctl enable sc4s
  sudo systemctl start sc4s
  ```

- Check podman/docker logs for errors:

  ```
  sudo podman|docker logs SC4S
  ```

- Search on Splunk for successful installation of SC4S:

  ```
  index=* sourcetype=sc4s:events "starting up"
  ```
- Send sample data to the default UDP port 514 of the SC4S host (use straight quotes; curly quotes would be sent as literal bytes):

  ```
  echo "Hello SC4S" > /dev/udp/<SC4S_ip>/514
  ```
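A pre-flight check for the host-side steps above, added here as an example and not code from the SC4S project: it compares a kernel receive-buffer value against the 17039360-byte setting from the first step, extracts the UDP "receive errors" counter from `netstat -su` output, and validates `/opt/sc4s/env_file` (real HEC URL and token, with a warning when TLS verification has been switched off). The function names, the `--run` flag and the sample values are assumptions of this example.

```shell
#!/bin/sh
# Added pre-flight checks for the SC4S host steps above (example code, not SC4S's own).
# Receiver buffer size required by the quickstart (bytes).
SC4S_RMEM_REQUIRED=17039360

# rmem_ok BYTES: succeed when a kernel rmem value meets the SC4S requirement.
# Intended input: "$(sysctl -n net.core.rmem_max)" (and likewise rmem_default).
rmem_ok() {
  [ "${1:-0}" -ge "$SC4S_RMEM_REQUIRED" ]
}

# udp_receive_errors: read `netstat -su` output on stdin and print the
# "receive errors" counter of the Udp: section only (UdpLite: has its own line).
# Prints 0 when the line is absent so callers can compare numerically.
udp_receive_errors() {
  awk '/^[A-Za-z]+:/ { sec = $1 }
       sec == "Udp:" && /receive errors/ { print $1; found = 1 }
       END { if (!found) print 0 }'
}

# env_file_ok FILE: validate an SC4S env_file. Fails when the HEC URL is not
# https or is still the placeholder, or when the token is missing/placeholder;
# only warns when TLS verification has been switched off.
env_file_ok() {
  url=$(sed -n 's/^SC4S_DEST_SPLUNK_HEC_DEFAULT_URL=//p' "$1")
  tok=$(sed -n 's/^SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN=//p' "$1")
  rc=0
  case "$url" in
    https://your.splunk.instance*) echo "HEC URL is still the placeholder" >&2; rc=1 ;;
    https://*) ;;
    *) echo "HEC URL missing or not https: '$url'" >&2; rc=1 ;;
  esac
  case "$tok" in
    ""|xxxxxxxx-*) echo "HEC token missing or still the placeholder" >&2; rc=1 ;;
  esac
  if grep -q '^SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY=no' "$1"; then
    echo "WARNING: HEC TLS certificate verification is disabled" >&2
  fi
  return $rc
}

# Stand-alone use on the SC4S host: sh sc4s_preflight.sh --run  (flag is an assumption)
if [ "${1:-}" = "--run" ]; then
  rmem_ok "$(sysctl -n net.core.rmem_max)" || echo "net.core.rmem_max is below $SC4S_RMEM_REQUIRED" >&2
  echo "UDP receive errors so far: $(netstat -su | udp_receive_errors)"
  env_file_ok /opt/sc4s/env_file && echo "/opt/sc4s/env_file looks OK"
fi
```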