WireShark is an invaluable tool in recording and reviewing network traffic, it was previously known as Ethereal and is available for a variety of platforms.
Installation can sometimes be hard to remember as use by non-superusers requires additional configuration in Linux.
- Add the repository and install:
sudo add-apt-repository ppa:wireshark-dev/stable
sudo apt-get update
sudo apt-get install wireshark
- During installation, the following will appear, chose "Yes" for most instances.
Should non-super users be able to capture packets - Yes / No?
- If you need to change the value you selected, you can always re-run the following:
- Add the user to the
wireshark group so that they can capture traffic:
add user to group:
sudo usermod -a -G wireshark username
- If you need additional information, you can always RTFM:
sudo vi /usr/share/doc/wireshark-common/README.Debian.
I’ve found New Relic to be a great free addition to my suite of tools for server monitoring and alerting as I shifted to a DevOps support environment.
Installation is very fast an simple once you’ve created a free accound. Paid options are available and allow for more features.
You will need to record/save YOUR_LICENSE_KEY from your account for step 5 below.
sudo sh -c 'echo deb http://apt.newrelic.com/debian/ newrelic non-free > /etc/apt/sources.list.d/newrelic.list'
wget -O- https://download.newrelic.com/548C16BF.gpg | sudo apt-key add -
sudo apt-get update
sudo apt-get install newrelic-sysmond
sudo nrsysmond-config --set license_key=YOUR_LICENSE_KEY
sudo /etc/init.d/newrelic-sysmond start
You are done! Within a few minutes you should start seeing data on your consoles at the New Relic website.
After a while it can get tedious to access and review server logs via the command line. There are several tools available that can provide the same information in a graphical manner. Recently I’ve migrated to Splunk as there are both Enterprise and Free versions available.
- Of course, you’ll need a Splunk server installed first, as the forwarder is really just another (lighter) instance that will forward the log information to a central location.
- Download the system appropriate installer from:
- Check to see if you are running 32 or 64 bit OS.
uname -aIf you see i686 you are 32 bit, if x86_64 you are 64 bit!
- Download, you’ll likely need a different version:
sudo dpkg -i splunkforwarder-6.1.3-220630-linux-2.6-intel.deb
sudo dpkg -i splunkforwarder-6.1.3-220630-linux-2.6-amd64.deb
- Enable auto-start on reboot:
sudo ./splunk enable boot-start
- Start the server:
sudo service splunk start
- Set the password:
The default ‘
admin‘ password is ‘
changeme‘ so we need to change it immediately to do anything else, or we will see errors in future steps.
sudo /opt/splunkforwarder/bin/splunk edit user admin -password YOUR_NEW_PASSWORD -auth admin:changeme
- Set the server:
sudo /opt/splunkforwarder/bin/splunk add forward-server YOUR_SERVER_ADDRESS:9997
NOTE: if you get prompted for a splunk username/password you likely skipped the above step. Remember – the forwarder is a new ‘light’ installation of the server and as such has it’s own users!
- Enable some monitors on the box:Some common services and log locations to get you started…
- Apache2 HTTPd
sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/apache2 -index main -sourcetype Apache2
sudo /opt/splunkforwarder/bin/splunk add monitor /opt/tomcat7/logs -index main -sourcetype Tomcat7
sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/mysql -index main -sourcetype MySQL
- Postfix (SMTP)
sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/mail.log -index main -sourcetype Postfix
- Squid3 (Proxy)
sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/squid/access.log -index main -sourcetype Squid3
sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/squid/cache.log -index main -sourcetype Squid3
sudo /opt/splunkforwarder/bin/splunk add monitor /opt/sonar/logs -index main -sourcetype Sonar
- (OPTIONAL) Verify configuration by opening file at the following:
- You now should be able to log into your server and see new data flowing from the forwarder.
NOTE: this requires you to enable ‘receiving’ of data on the port specified above, usually 9997.