Configure default properties for the FA VM
The FA VM has default values set for certain properties. You can change the default values to suit your environment. The instructions to do this are provided in this topic. The following table lists some of the properties you can change:
Property | Description |
---|---|
default passwords | The FA VM automatically comes with 2 built-in user accounts and passwords: the admin account (splunkadmin / changeme) and root (root / changemenow). We encourage you to change the passwords. To do so, see Change the default passwords in this topic. |
OS Hostname | The FA VM automatically gets a default OS hostname (splunkvmwarefa). To change the hostname to suit your environment, see Set the FA VM's OS hostname in this topic. In this example we set the OS Hostname to splunkfa1. |
Splunk "OS Hostname"-related settings | The FA VM comes pre-installed with a Splunk forwarder, but certain configuration settings must be given the same value as the OS Hostname. To change these Splunk settings to the new OS Hostname you set, see Set the 'OS hostname'-related settings in the FA VM's Splunk instance in this topic. |
IP Address | The FA VM gets an IP Address using DHCP. After deploying the FA VM, you can change this to a static IP address. For more information, see Set static IP addresses in this topic. |
Timezone | The FA VM has its timezone set to "US/Pacific" by default. We highly recommend that you set the correct timezone so that your FA VM will report time in a zone that you can easily understand. To change the timezone to suit your needs, see Set the timezone in the FA VM in this topic. |
NTP | NTP is set automatically using the default CentOS time server pool. To change the NTP servers that your FA VM uses, see Change the NTP server pool list in this topic. |
Change the default passwords
We recommend that you change the FA VM's default passwords for both built-in users (splunkadmin and root):
- Log in as user=splunkadmin and password=changeme.
- Run the "passwd" command to change the password for the splunkadmin user.
    passwd
- Logout (hit CTRL-D, or run the command "logout")
- Log back into the FA VM as user=root and password=changemenow.
- Run the "passwd" command to change the password for the root user.
    passwd
- Logout (hit CTRL-D, or run the command "logout")
- Note: Make sure to store your new passwords in a safe place where you will not forget them.
Set the FA VM's OS hostname
We recommend that you set the FA VM's hostname to one that is appropriate for your environment:
- Log in as user=splunkadmin and password=changeme.
- Using a text editor such as vi, edit the /etc/sysconfig/network file. You may need to enter the splunkadmin password if you haven't run sudo recently.
    cd /etc/sysconfig
    sudo vi network
- Substitute the hostname parameter with your own value.
    HOSTNAME=splunkfa1.company.com
- After editing this file, run the hostname command and restart the networking service for the changes to take effect. If you plan to set a static IP address in the FA VM, you can wait until you have completed that step (see below) before restarting the networking service - just omit the second command.
    sudo hostname splunkfa1.company.com
    sudo /etc/init.d/network restart
Set the 'OS hostname'-related settings in the FA VM's Splunk instance
Important: Do not forget to do this step! You must make the following changes as the splunkadmin user using the admin account (splunkadmin / changeme).
- At the command line, stop Splunk:
    splunk stop
    cd $SPLUNK_HOME/etc/system/local
- Using a text editor (such as "vi"), modify the "host" setting in the inputs.conf file. Substitute the current value with the initial portion of the "OS hostname" value you set above (e.g. "splunkfa1"):
    host = splunkfa1
- Save the inputs.conf file and exit.
- In the same directory, use a text editor to modify the "serverName" setting in the server.conf file. Substitute the current value with the same value that you set in the inputs.conf file (e.g. "splunkfa1"):
    serverName = splunkfa1
- Save the server.conf file and exit.
Note: You do not need to start Splunk after completing this step. Splunk will be started later in the installation process, after configuration files have been created.
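A consistency check for the settings above, added here as an example (it is not part of the Splunk documentation): it reads HOSTNAME from /etc/sysconfig/network and compares its short form with "host" in inputs.conf and "serverName" in server.conf. The function names, the stanza lines, and the file contents used in demo are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm that Splunk's "host" and "serverName" settings equal
# the short form of the OS hostname set in /etc/sysconfig/network.

# conf_value FILE KEY: print the value of the last "KEY = value" line in FILE.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# check_fa_hostname NETWORK_FILE INPUTS_CONF SERVER_CONF
# Returns 0 if consistent, 1 on a mismatch or default hostname, 2 if HOSTNAME is unset.
check_fa_hostname() {
    fqdn=$(conf_value "$1" HOSTNAME)
    short=${fqdn%%.*}            # splunkfa1.company.com -> splunkfa1
    host=$(conf_value "$2" host)
    server=$(conf_value "$3" serverName)
    rc=0
    if [ -z "$short" ]; then
        echo "ERROR: HOSTNAME is not set in $1"
        return 2
    fi
    if [ "$short" = "splunkvmwarefa" ]; then
        echo "WARN: OS hostname is still the shipped default"
        rc=1
    fi
    if [ "$host" != "$short" ]; then
        echo "MISMATCH: inputs.conf host='$host', expected '$short'"
        rc=1
    fi
    if [ "$server" != "$short" ]; then
        echo "MISMATCH: server.conf serverName='$server', expected '$short'"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: host and serverName are both '$short'"; fi
    return "$rc"
}

# demo: run the check on constructed copies of the three files.
demo() {
    d=$(mktemp -d)
    printf 'NETWORKING=yes\nHOSTNAME=splunkfa1.company.com\n' > "$d/network"
    printf '[default]\nhost = splunkfa1\n' > "$d/inputs.conf"
    printf '[general]\nserverName = oldname\n' > "$d/server.conf"  # stale value (constructed)
    check_fa_hostname "$d/network" "$d/inputs.conf" "$d/server.conf"; status=$?
    rm -rf "$d"
    return "$status"
}

# With three file arguments, check those files; with none, run the demo.
if [ "$#" -eq 3 ]; then check_fa_hostname "$1" "$2" "$3"; else demo || true; fi
```

On the FA VM, pass /etc/sysconfig/network and the inputs.conf and server.conf files under $SPLUNK_HOME/etc/system/local as the three arguments.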
Set static IP addresses
While not required, we recommend that you set a static IP address for the FA VM. Using DHCP (dynamic addressing) can cause the FA's IP address to vary over time, and this can cause unexpected results. Connecting to a specific FA can become difficult (especially if DNS is down). You may want to connect to the FA to perform maintenance or to determine which FA VM is sending data.
It is best to log in as the splunkadmin user to make changes to the FA VM.
To set a static IP address on the FA:
- Using a text editor (such as vi) edit the /etc/sysconfig/network-scripts/ifcfg-eth0 file.
    cd /etc/sysconfig/network-scripts/
    sudo vi ifcfg-eth0
- Substitute the IPADDR and NETMASK values as appropriate for your environment. If BOOTPROTO is set to dhcp, change it to static or none.
    DEVICE=eth0
    TYPE=Ethernet
    BOOTPROTO=static
    ONBOOT=yes
    IPADDR=10.33.17.142
    NETMASK=255.255.255.0
- Save your changes to the file and exit.
- Set your default gateway by editing the /etc/sysconfig/network file:
    cd /etc/sysconfig
    sudo vi network
- Add the gateway parameter on its own line at the end of the file using the IP address of the FA's default gateway (router interface).
    GATEWAY=192.168.0.1
- Save your changes to the file and exit.
- Modify the /etc/resolv.conf file to update the DNS settings:
    sudo vi /etc/resolv.conf
- Substitute the existing parameters with your own.
    search company.com
    nameserver 192.168.0.7
    nameserver 192.168.0.8
- Save your changes to the file and exit.
- Restart the networking service:
    sudo /etc/init.d/network restart
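A pre-restart sanity check for the static addressing steps above, added here as an example (it is not part of the Splunk documentation): it confirms that BOOTPROTO is static or none, that IPADDR, NETMASK and GATEWAY are well-formed, and that the gateway is on the interface's subnet. The function names kv, ip_to_int and check_static_net are hypothetical.

```shell
#!/bin/sh
# Added example: validate ifcfg-eth0 and /etc/sysconfig/network before
# restarting the networking service.

# kv FILE KEY: value of the last KEY=value line in FILE (quotes and spaces stripped).
kv() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" 2>/dev/null | tail -n 1 | tr -d "\"' "
}

# ip_to_int A.B.C.D: print the address as a 32-bit integer; fail if malformed.
ip_to_int() {
    case $1 in ''|*[!0-9.]*|.*|*.) return 1 ;; esac   # digits and inner dots only
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|0?*|????*) return 1 ;; esac     # empty, leading zero, too long
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_static_net IFCFG_FILE NETWORK_FILE: returns 0 if the settings are coherent.
check_static_net() {
    proto=$(kv "$1" BOOTPROTO)
    case $proto in
        static|none) ;;
        *) echo "FAIL: BOOTPROTO='$proto' (expected static or none)"; return 1 ;;
    esac
    ip=$(ip_to_int "$(kv "$1" IPADDR)") || { echo "FAIL: bad IPADDR"; return 1; }
    mask=$(ip_to_int "$(kv "$1" NETMASK)") || { echo "FAIL: bad NETMASK"; return 1; }
    gw=$(ip_to_int "$(kv "$2" GATEWAY)") || { echo "FAIL: bad or missing GATEWAY"; return 1; }
    # A valid netmask is contiguous: its inverse plus one is a power of two.
    inv=$(( ~mask & 4294967295 ))
    if [ $(( inv & (inv + 1) )) -ne 0 ]; then
        echo "FAIL: NETMASK is not contiguous"; return 1
    fi
    # The default gateway must be on the same subnet as the interface.
    if [ $(( ip & mask )) -ne $(( gw & mask )) ]; then
        echo "FAIL: GATEWAY is not on the interface's subnet"; return 1
    fi
    echo "OK: static addressing is coherent"
}

# Usage on the FA VM (paths from the steps above):
#   sh check_static_net.sh /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network
if [ "$#" -eq 2 ]; then check_static_net "$1" "$2"; fi
```

The sample IPADDR and GATEWAY values shown in the steps are on different networks, so replace both with addresses from your own subnet before running the check.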
Other related Links:
- For more information on static IP addresses, see http://compnetworking.about.com/od/workingwithipaddresses/qt/staticipaddress.htm.
Set the timezone in the FA VM
You must change the timezone in the FA VM if you are not in the (default) PST timezone; otherwise the time stamps in your log files will not match the timezone within the VMware installation you are monitoring. To make this change, log in as user=splunkadmin and password=changeme. Replace the default by creating a link to the file /etc/localtime.
1. Run the following command on the command line to see what timezone your system is set to:
date
2. In the Timezone folder, select the file that corresponds to your location and note the name of the folder and the file name for your timezone:
cd /usr/share/zoneinfo
3. Back up the existing localtime file:
sudo mv /etc/localtime /etc/localtime.bak
4. Create a link to the file /etc/localtime. For example, to select the timezone for New York, use the command:
sudo ln -s /usr/share/zoneinfo/America/New_York /etc/localtime
5. To test that the correct time, date, and timezone are reported, run:
date
The output is:
Thu Jan 26 13:07:44 EST 2012
Change the NTP server pool list
The Network Time Protocol (NTP) is used to synchronize a computer's time with another reference time source. Most *Nix systems provide you with the ability to set up or change time synchronization.
Other related references: For more information about NTP and configuring NTP, see the following articles:
- http://en.wikipedia.org/wiki/Network_Time_Protocol
- http://linux.die.net/man/8/ntpd
- http://linux.die.net/man/5/ntp.conf
- http://linuxreviews.org/man/ntpd/
You can change the NTP servers that your FA VM uses by editing the /etc/ntp.conf file.
The default values for the servers in /etc/ntp.conf are:
    # Use public servers from the pool.ntp.org project.
    # Please consider joining the pool (http://www.pool.ntp.org/join.html).
    server 0.centos.pool.ntp.org
    server 1.centos.pool.ntp.org
    server 2.centos.pool.ntp.org
To use different NTP servers, replace the default values in the file with your specific values. Restart ntpd for the changes to take effect.
sudo service ntpd restart
Disable NTP on the FA VM
If you do not have access to the Internet, you can disable NTP on the FA VM. This can happen when you are operating behind a firewall that precludes access to the Internet. If you disable NTP, re-enable VMware Tools Clock Synchronization, which gets the FA's time from the underlying ESX/i host. Log in and execute the following commands as the splunkadmin user.
- Stop ntpd service and configure it so that it does not run at system startup:
    sudo service ntpd stop
    sudo chkconfig ntpd off
- Enable timesync:
    vmware-toolbox-cmd timesync enable
- Check that timesync is enabled correctly:
    vmware-toolbox-cmd timesync status
This documentation applies to the following versions of Splunk® App for VMware (Legacy): 1.0, 1.0.1, 1.0.2, 1.0.3, 2.0