Splunk Yorkshire User Group : Splunk Connect for Syslog : Oct'24 !! - mayurkapadia/sc4s GitHub Wiki

Splunk setup

Create the following default indexes that are used by SC4S:

  email
  epav
  fireeye
  gitops
  infraops
  netauth
  netdlp
  netdns
  netfw
  netids
  netops
  netwaf
  netproxy
  netipam
  oswinsec
  osnix
  _metrics

Create a HEC token for SC4S.

When filling out the form for the token, leave the “Selected Indexes” pane blank and specify that a lastChanceIndex be created so that all data received by SC4S will have a target destination in Splunk.

SC4S setup (using RHEL)

Set the host OS kernel receive buffer to match the default receiver buffer of SC4S, which is 16 MB:

a. Add the following to /etc/sysctl.conf:

net.core.rmem_default = 17039360
net.core.rmem_max = 17039360

b. Apply to the kernel:

sysctl -p

Ensure the kernel is not dropping packets:

netstat -su | grep "receive errors"
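As an added example that is not part of this wiki page, the following shell script checks the two sysctl values above against the 17039360-byte SC4S buffer and extracts the "packet receive errors" counter from netstat -su output so that two snapshots can be compared. The helper names (rmem_ok, read_rmem, udp_receive_errors, check_udp_drops) and SAMPLE_NETSTAT are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the SC4S wiki): check the receive-buffer tuning
# above and parse "netstat -su"-style output for UDP receive errors.

SC4S_RMEM_BYTES=17039360   # value the wiki sets for rmem_default and rmem_max

# rmem_ok BYTES -> succeeds when BYTES is at least the SC4S receiver buffer.
rmem_ok() {
    [ "$1" -ge "$SC4S_RMEM_BYTES" ]
}

# read_rmem KEY -> prints /proc/sys/net/core/KEY, or 0 if it cannot be read.
read_rmem() {
    cat "/proc/sys/net/core/$1" 2>/dev/null || echo 0
}

# udp_receive_errors -> prints the "packet receive errors" counter from
# netstat -su text on stdin (0 if the line is missing).
udp_receive_errors() {
    awk '/packet receive errors/ { print $1; found = 1 }
         END { if (!found) print 0 }'
}

# check_udp_drops BEFORE AFTER -> succeeds when the counter did not grow
# between two snapshots; a rising count means syslog datagrams are dropped.
check_udp_drops() {
    [ "$2" -le "$1" ]
}

# Constructed sample of "netstat -su" output (hypothetical counters).
SAMPLE_NETSTAT='Udp:
    123456 packets received
    12 packets to unknown port received
    37 packet receive errors
    98765 packets sent
    RcvbufErrors: 37'

main() {
    cur_default=$(read_rmem rmem_default)
    cur_max=$(read_rmem rmem_max)
    if rmem_ok "$cur_default" && rmem_ok "$cur_max"; then
        echo "rmem OK: default=$cur_default max=$cur_max"
    else
        echo "rmem too small: default=$cur_default max=$cur_max (re-run sysctl -p)"
    fi
    errs=$(printf '%s\n' "$SAMPLE_NETSTAT" | udp_receive_errors)
    echo "UDP receive errors in sample: $errs"
}
main
```

Run it once before and once after a busy period and feed both counters to check_udp_drops; a growing count means the kernel, not SC4S, is discarding syslog traffic.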

Create the systemd unit file /lib/systemd/system/sc4s.service.

Copy and paste from the Sample Podman unit file.

Install Podman or Docker:

sudo yum -y install podman

Create a Podman/Docker local volume that will contain the disk buffer files and other SC4S state files (the Podman form is shown below; use docker instead of podman if you installed Docker):

sudo podman volume create splunk-sc4s-var

Create directories to be used as a mount point for local overrides and configurations:

mkdir /opt/sc4s/local
mkdir /opt/sc4s/archive
mkdir /opt/sc4s/tls

Create the environment file /opt/sc4s/env_file and replace the HEC_URL and HEC_TOKEN as necessary:

  SC4S_DEST_SPLUNK_HEC_DEFAULT_URL=https://your.splunk.instance:8088
  SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY=no

Configure SC4S for systemd and start SC4S:

sudo systemctl daemon-reload
sudo systemctl enable sc4s
sudo systemctl start sc4s

Check podman/docker logs for errors:

sudo podman logs SC4S

Search in Splunk to confirm that SC4S started successfully:

index=* sourcetype=sc4s:events "starting up"

Ingesting Data via SC4S

Podman Useful Commands

List Podman containers:

podman ps

Open a shell inside the Podman container:

podman exec -it <container id> /bin/bash

Check the SC4S container logs:

podman logs SC4S

SC4S Useful Commands