Overview:

Gemini Enterprise software makes the process of connecting and ingesting data to Splunk Cloud simple and straightforward.

Operating as a secure appliance at your premises or from a virtual or cloud environment, Gemini Enterprise includes a Splunk Heavy Forwarder offering control and management functionality over data you wish to ingest to Splunk Cloud, together with the following advantages:

  • Control of both the editing and versioning of config files using Deployment Server and Gemini’s Versioning feature.
  • Collation of Syslog data through our simple-to-use Log Receiver interface.
  • In combining two Gemini instances, additional features of High Availability and Load Balancing capabilities are also made available.


Step 1: Splunk Cloud Trial / Self-service / Managed

Splunk Cloud is available first as a Trial version, which may be converted to a ‘Self-service’ (limited) offering, or the ‘Managed’ version arranged through Splunk Sales.

Whichever version you choose, Gemini Enterprise offers the advantage of a single Heavy Forwarder instance that includes our extra Gemini features.

A Splunk Cloud Authentication App will be required to enable the collation and uploading of logs and events from local production servers direct to Splunk Cloud using Gemini Enterprise. This will simplify data ingestion and management of Splunk Cloud.

Signing up for a free trial through the Splunk Website will result in an email, allowing access to your personal Self-service version of Splunk Cloud. Alternatively, if you already have a Splunk Cloud account, simply access using your own credentials. Either way, select the ‘Universal Forwarder’ from the App menu;

This will allow you to download the credentials app required for authenticating the Gemini software as a Splunk Heavy Forwarder;

This will arrive in the form of a splunkclouduf.spl file. Save this locally to your workstation as you prepare Gemini Enterprise.


Step 2: Preparation of Gemini Enterprise

The following assumes that you have taken delivery of a Gemini appliance or installed Gemini Enterprise software to a local VMware or Cloud instance.

Power-up the Gemini instance, navigate to the web interface (https://) and accept the EULA presented;

Note: If you do not know the address or have not yet logged in to the instance;

1. Login using a terminal interface with the following credentials:
    username: sbox
    password: facing jet function drive (note: spaces are important!)
2. Follow prompts to change the default password
3. Type ‘ip a’ to discover the IP address which can then be used at the browser.

From the next screen, set the locale information regarding language and timezone, and then choose an appropriate Hostname for your appliance. Gemini Enterprise natively supports four languages;

  • English (American)
  • Traditional Chinese
  • German
  • Japanese

At the License Manager, choose the ‘Enterprise Edition (30 days Trial)’ option. Gemini Licences can be activated at any time.

After selecting the Get Started button from the ‘Success’ screen the login screen will be presented.

Login to Gemini Enterprise with the username ‘admin’ and the password created at the terminal screen.

After logging on, you will be presented with the Gemini Enterprise Home Dashboard;

Splunk will first need to be ‘activated’ on the Gemini instance before you can begin the Heavy Forwarder configuration.

Select the ‘Activate’ button on the Splunk Featured Platform panel, and refresh the browser to reveal a new ‘Splunk’ menu option at the vertical menu bar. This process will prompt you to create a Splunk admin account. Please record the password used.

To configure the Gemini instance with optimal forwarder settings, select the Heavy Forwarder template using Gemini’s Optimizer;

Navigate to the Splunk / Optimizer dashboard using the vertical menu bar. Select the Heavy Forwarder option, review the settings that will be applied, and select the ‘Apply’ button to activate. Restart Splunk as directed on completion.


Step 3: Install the Splunk Cloud authentication app

The splunkclouduf.spl app downloaded from the Splunk Cloud Admin interface during Step 1 can now be installed to the Splunk instance running on the appliance.

Navigate to the Splunk / Config Editor dashboard, and use the ‘Upload’ button to add the splunkclouduf.spl file to the splunk/etc/ directory.

Navigate to the Splunk / Command dashboard, and enter the following command using the Splunk admin account created at Step 2.

install app /opt/splunk/etc/splunkclouduf.spl -auth admin:<splk_admin_passwd>

Select the ‘Execute’ button. A message should follow to confirm the app was ‘installed’.

Navigate to the Splunk / Daemon dashboard and perform a ‘Restart Splunk’ function.

The authentication app creates a unique outputs.conf file that connects securely with your Splunk Cloud environment using a secure key (.pem file).

An example of a typical outputs.conf file can be seen below;

[tcpout]
defaultGroup = splunkcloud

[tcpout:splunkcloud]
server = inputs.prd-p-q822u.splunkcloud.com:9997
compressed = false

sslCertPath = $SPLUNK_HOME/etc/apps/100_prd-p-q822u_splunkcloud/default/prd-p-q822u_server.pem
sslRootCAPath = $SPLUNK_HOME/etc/apps/100_prd-p-q822u_splunkcloud/default/prd-p-q822u_cacert.pem

sslCommonNameToCheck = *.prd-p-q822u.splunkcloud.com
sslVerifyServerCert = true
useClientSSLCompression = true
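The security-relevant lines in that file are the three ssl* settings: a CA to trust (sslRootCAPath), a hostname to match (sslCommonNameToCheck) and sslVerifyServerCert = true, which together stop a forwarder from sending your events to anything other than your own Splunk Cloud stack. The following Python is an added example, not Gemini or Splunk code, that parses a Splunk-style outputs.conf and flags tcpout groups missing any of those settings. It embeds a copy of the outputs.conf shown above and a constructed weaker variant (stack name, IP address and group name are made up) so it runs offline; the only assumption about Splunk behaviour is the documented one that settings in [tcpout] apply to every [tcpout:<group>] unless the group overrides them.

```python
"""Audit a Splunk outputs.conf for TLS settings on each tcpout group.

Added example for the Gemini / Splunk Cloud forwarder guide; not vendor code.
"""
from typing import Dict, List

# Copy of the outputs.conf shown in the guide (the stack name prd-p-q822u is
# the one printed there; treat it as a placeholder for your own).
GOOD_OUTPUTS_CONF = """
[tcpout]
defaultGroup = splunkcloud

[tcpout:splunkcloud]
server = inputs.prd-p-q822u.splunkcloud.com:9997
compressed = false

sslCertPath = $SPLUNK_HOME/etc/apps/100_prd-p-q822u_splunkcloud/default/prd-p-q822u_server.pem
sslRootCAPath = $SPLUNK_HOME/etc/apps/100_prd-p-q822u_splunkcloud/default/prd-p-q822u_cacert.pem

sslCommonNameToCheck = *.prd-p-q822u.splunkcloud.com
sslVerifyServerCert = true
useClientSSLCompression = true
"""

# Constructed weak variant: a hand-written group with no CA and verification off.
WEAK_OUTPUTS_CONF = """
[tcpout]
defaultGroup = legacy

[tcpout:legacy]
server = 10.0.0.5:9997
sslVerifyServerCert = false
"""


def parse_splunk_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk's INI-like .conf syntax: [stanza] headers, key = value
    lines, '#' comments and trailing-backslash line continuations.
    Keys that appear before any header land in the implicit 'default' stanza."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = "default"
    pending = ""
    for raw in text.splitlines():
        line = pending + raw
        if line.rstrip().endswith("\\"):          # continuation: glue next line on
            pending = line.rstrip()[:-1]
            continue
        pending = ""
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:                                    # ignore malformed lines without '='
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas


def audit_tcpout(stanzas: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Return {group_name: [issues]} for every [tcpout:<group>] stanza.
    An empty list means the group pins a CA, verifies the cert and checks the name."""
    base = stanzas.get("tcpout", {})               # inherited by every group
    findings: Dict[str, List[str]] = {}
    for name, own in stanzas.items():
        if not name.startswith("tcpout:"):
            continue
        group = name.split(":", 1)[1]
        kv = {**base, **own}                        # group settings override [tcpout]
        issues: List[str] = []
        if "sslRootCAPath" not in kv:
            issues.append("sslRootCAPath missing: no trusted CA, TLS cannot be validated")
        # Treat an absent value as unverified rather than relying on a version default.
        if kv.get("sslVerifyServerCert", "false").strip().lower() != "true":
            issues.append("sslVerifyServerCert is not true: server identity is not verified")
        if "sslCommonNameToCheck" not in kv and "sslAltNameToCheck" not in kv:
            issues.append("no sslCommonNameToCheck/sslAltNameToCheck: hostname not checked")
        if ":" not in kv.get("server", ""):
            issues.append("server has no host:port value")
        findings[group] = issues
    return findings


def default_group_defined(stanzas: Dict[str, Dict[str, str]]) -> bool:
    """True when [tcpout] defaultGroup names a group that actually exists."""
    group = stanzas.get("tcpout", {}).get("defaultGroup")
    return group is not None and f"tcpout:{group}" in stanzas


if __name__ == "__main__":
    for label, conf in (("guide", GOOD_OUTPUTS_CONF), ("weak", WEAK_OUTPUTS_CONF)):
        parsed = parse_splunk_conf(conf)
        print(label, "defaultGroup ok:", default_group_defined(parsed))
        for group, issues in audit_tcpout(parsed).items():
            print(f"  [{group}]", "OK" if not issues else "; ".join(issues))
```

Run it against the file the authentication app dropped into $SPLUNK_HOME/etc/apps/.../default/ (or paste its contents into the constant) before trusting the Heavy Forwarder with production data; a hand-edited group that reports three issues, as the weak variant does, will still forward, just without any guarantee of where to.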

To confirm that the instance is performing as a Heavy Forwarder, return to the Splunk / Command dashboard, and type the following command:

list forward-server -auth admin:<splunk_admin_password>

The ‘Active forwards:’ response should reflect the correct name of your Splunk Cloud environment.


Step 4: Use the Cloud Monitoring interface to view Splunk Forwarders

We now effectively have a Heavy Forwarder working on our appliance that is set to forward data to Splunk Cloud. To view all-things-Splunk-Cloud, open the Cloud Monitoring Admin interface provided by Splunk.

Initially, we could set up forwarder monitoring, although this must first be enabled from the Settings / Forwarder Monitoring Setup dashboard.

Select the ‘Enable’ button and accept the default collection interval of 24 Hours; this keeps the metric collection from Forwarders to a minimum.

Select the ‘Rebuild forwarder assets…’, to ensure that the Gemini Heavy Forwarder has been captured.

1. If your forwarder is not located, repeat the above procedure a couple of times. Restarting your forwarder can also help with this.
2. Disable this feature should you prefer to eliminate this extra traffic altogether.

To confirm the Gemini Heavy Forwarder has a connection to Splunk Cloud, select the Forwarders / Forwarders:Instance dashboard and observe the detail.

This should resemble the following, with the Gemini appliance ‘Instance’ visible;

Alternatively, use a search similar to that shown below to observe TCP connection metrics from your Heavy Forwarder;

index=_internal  host="gemini-<instance_name>" tcpout

You may need to enable the web interface of Splunk to achieve this, as it is disabled when the Heavy Forwarder template is applied. Navigate to the Splunk / Web Interface dashboard and use the slider switch to enable the web interface.


Splunk Licensing

The choice of Splunk license will depend on the functionality required from Gemini Enterprise.
If you are simply using the Gemini appliance as a central collator of logs and events from your production servers, then enable the built-in ‘Forwarder License’.

If you require a Splunk Deployment Server to run from the Gemini appliance to control the configuration of local production servers, you will need a small (1GB) Enterprise License to unlock the Deployment Server feature.

Contact Splunk Support regarding this license.

To change or view the license status, navigate to the Settings / Licensing dashboard of the appliance’s Splunk web interface and select the appropriate Licensing Group, either ‘Forwarder’ or ‘Enterprise License’.

You may need to enable the web interface of Splunk to achieve this, as it is disabled when the Heavy Forwarder template is applied. Navigate to Gemini's Splunk / Web Interface dashboard and use the slider switch to enable the web interface.


Splunk - Deployment Server

Using Splunk’s Deployment Server on the Gemini instance offers the ability to control your upstream Universal Forwarders working on local Production Servers within your local network.

This is a complex subject that we discuss in a separate document. Assuming that you have the desired serverclasses and deployable apps held respectively in the opt/splunk/etc/system/local and opt/splunk/etc/deployment-apps folders of the instance, we recommend that you make use of Splunk’s Forwarder Management dashboard to simplify control of the process.

We strongly recommend that you use Splunk’s Base Configurations Toolset of deployable apps, and follow the naming convention for any apps that are manually created.

Do not forget that all participating production servers (Universal Forwarders) must contain a suitable deploymentclient.conf file and be reachable on the tcp:8089 port.


Splunk Configuration - Versioning

If you are using the Gemini instance as a Splunk Deployment Server, it is recommended to use Gemini’s built-in Versioning feature to keep control of any configuration changes made.

This feature is disabled by default but can be easily enabled using the slider switch on the Splunk / Versioning dashboard of Gemini Enterprise.


Creating a Syslog Server using Gemini Enterprise

In order to use the Gemini instance as a Syslog Server, the Log Receiver feature will need to be used.

For more details on this subject, refer to the Log Receiver - Manage Syslog Server document located in our Support Portal, or check out our Log Receiver Video.


Introducing High Availability or Load Balancing

With the addition of another Gemini instance, the instances can be formed into a ‘Manage Group’, and our Failover feature can be used to form mutual failover groups between the appliances. This leads to the potential use case of creating Load Balancing between the appliances.

These features are aimed more at an appliance-based instance. Cloud admins can replicate this behavior, if required, within their appropriate Cloud network.

For more details on this subject, refer to the Videos on Manage Groups and High Availability at our Support Portal.


For more information please contact contact@geminidata.com