How to integrate Splunk with Artifactory

Janardhana JL
2020-08-27 13:16

Installing and configuring Splunk with Artifactory.

1. Install Artifactory and make sure it is up and running.

2. Install Splunk Enterprise from the official website (you need a Splunk account to log in and download the file):
 https://www.splunk.com/en_us/download/splunk-enterprise.html

3. In the example below we used the Linux package type and the .tgz file (splunk-8.0.5-a1a6394cc5ae-Linux-x86_64.tgz).

Choose your installation package type, then download and install Splunk Enterprise.

4. Set up the environment by creating a new group and user for Splunk. In the use case below we used the default name splunk, but you can name the group and user to suit your requirements.
      # groupadd splunk
      # useradd -d /opt/splunk -m -g splunk splunk

5. Once the download has finished and you have the Splunk Enterprise .tgz file, unpack it so the whole package can be installed under the newly created user:
      # tar -zxvf splunk-8.0.5-a1a6394cc5ae-Linux-x86_64.tgz

6. Copy all the extracted content from the root user to the splunk user:
      # cp -rp splunk/* /opt/splunk/

7. Change ownership to the new splunk user:
      # chown -R splunk: /opt/splunk/

8. Switch user (from root to the splunk user) and install Splunk:
      # cd /opt/splunk/bin

9. Run the command to accept Splunk's license:
      # ./splunk start --accept-license

10. Run the command to start Splunk:
      # ./splunk start
Splunk is now reachable at http://ipaddress:8000.

11. Log in to Splunk with the username and password generated during license acceptance.

12. Once logged in, navigate to Apps >> Settings >> Find more apps, search for "JFrog Platform Log Analytics" and install it.

13. Configure HEC in the Splunk enterprise in order to view the Artifactory (JPD) logs in Splunk. Please follow the steps mentioned in this link to configure HEC.

14. Next, install "td-agent" to retrieve the logs from Artifactory (JPD) and forward them to Splunk.
Note that in the example below we installed the Red Hat package; install according to your OS and package type from the official website, https://docs.fluentd.org/installation
      # curl -L https://toolbelt.treasuredata.com/sh/install-redhat-td-agent3.sh | sh

15. Set the environment variable JFROG_HOME or ARTIFACTORY_HOME, depending on your Artifactory version.
Then replace the default td-agent configuration with the file for your Artifactory 6.x or 7.x version from our official log-analytics GitHub repo.

16. Place the configuration file at the path below:
      # /etc/td-agent/td-agent.conf

17. In the template, replace host, port, and token. If you are using HTTP, set use_ssl to false and comment out the ca_file section.

18. Once "td-agent" has been installed on an Artifactory node and the configuration has been set accordingly, install the FluentD plugin for Splunk.

Refer to the README.md file for further installation details.

           # td-agent-gem install fluent-plugin-splunk-enterprise

19. Fix the group and file permission issues in Artifactory as root:
      # usermod -a -G artifactory td-agent
      # chmod 0770 /opt/jfrog/artifactory/var/log
      # chmod 0640 /opt/jfrog/artifactory/var/log/*.log

20. Now run td-agent and check its status:
      # systemctl start td-agent
      # systemctl status td-agent

21. Once td-agent has started successfully, go back to the Splunk web UI, click on the JFrog app, navigate to Dashboards and click on JFrog to view the logs.
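As an added illustration of steps 15 to 17 (this is not the template from the JFrog log-analytics repo), a minimal td-agent.conf that tails one Artifactory 7.x log and forwards it to HEC, with the TLS setting kept on and the plain-HTTP variant shown commented out. The JFROG_HOME layout, the host splunk.example.com, port 8088, the ca_file path and the token are assumed placeholders.

```conf
# Added example td-agent.conf (not the JFrog log-analytics template).
# Assumptions: JFROG_HOME=/opt/jfrog (Artifactory 7.x, so logs live under
# $JFROG_HOME/artifactory/var/log), HEC listening on splunk.example.com:8088,
# and a placeholder token. Replace these with your own values.
# Note: a variable exported in your root shell is not inherited by the
# systemd service; it must be visible in td-agent's own environment.

# Source: tail the Artifactory service log. td-agent must be able to read
# it, which is what the usermod/chmod steps above arrange.
<source>
  @type tail
  path "#{ENV['JFROG_HOME']}/artifactory/var/log/artifactory-service.log"
  pos_file /var/log/td-agent/artifactory-service.log.pos
  tag jfrog.artifactory.service
  <parse>
    @type none
  </parse>
</source>

# Output: ship events to the Splunk HTTP Event Collector.
<match jfrog.**>
  @type splunk_hec
  host splunk.example.com
  port 8088
  token REPLACE-WITH-YOUR-HEC-TOKEN
  # Keep TLS on and point ca_file at the CA that signed the Splunk
  # certificate, so td-agent refuses to send to an impostor collector.
  use_ssl true
  ca_file /etc/td-agent/splunk-ca.pem
  # Plain-HTTP variant from step 17: the token and the log contents then
  # travel in clear text, so use it only for an isolated test setup.
  # use_ssl false
  # # ca_file /etc/td-agent/splunk-ca.pem
</match>
```

Restart td-agent after editing the file and check `systemctl status td-agent` for parse errors before looking for events in the JFrog dashboards.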