IT Security Blog


Install Splunk Enterprise on Linux

In this blog post, I will explain how to install Splunk on Linux. Splunk is a big data solution whose goal is to analyze high volumes of machine-generated data. Splunk is used in many Security Operations Centers (SOCs) as a central log management tool. With a little tuning, or by using Splunk Enterprise Security, Splunk can be used as a Security Information and Event Management (SIEM) tool.

In order to download Splunk Enterprise, an account on the Splunk website is needed.

https://www.splunk.com

After creating a Splunk account, you can download Splunk Enterprise from the following link:

https://www.splunk.com/en_us/download/splunk-enterprise.html

Choose the rpm version for Linux.

Splunk is designed for high volumes of machine data. Therefore, Splunk is divided into different components, which are deployed on separate machines. For a small deployment, Splunk can be deployed as a single instance. In this tutorial, we will deploy Splunk as a single instance on a CentOS 7 virtual machine (VM). The VM has 8 vCPUs, 16GB RAM and 500GB HDD.

Before installing Splunk Enterprise, we will create some firewall rules. We need a firewall rule for each of port 8000 (Splunk Web port), 8089 (Splunk management port) and 9997 (Splunk indexing port):

firewall-cmd --add-port=8000/tcp --permanent
firewall-cmd --add-port=8089/tcp --permanent
firewall-cmd --add-port=9997/tcp --permanent
firewall-cmd --reload

The rpm file is made executable:

chmod 755 splunk-7.2.3-06d57c595b80-linux-2.6-x86_64.rpm

Then, we are able to install Splunk Enterprise by running the following command as root:

rpm -i splunk-7.2.3-06d57c595b80-linux-2.6-x86_64.rpm

Splunk is installed under /opt/splunk with a dedicated splunk user. We switch to the splunk user, because we want Splunk to run as a non-root user:

su - splunk

We start Splunk with the following command:

/opt/splunk/bin/splunk start --accept-license

You will be asked to specify an admin account name and an admin password. In order to enable autostart for Splunk, we need to run the following command as the root user:

/opt/splunk/bin/splunk enable boot-start -user splunk

After installing Splunk Enterprise, you can access Splunk Web using your favourite browser at the following URL:

http://splunk.patrick-bareiss.local:8000

You can log in to Splunk with the admin account and password you specified.
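As an added post-install check (my own addition, not part of the original installation steps), the following POSIX shell script confirms that the three ports opened in the firewall above are actually bound and that the process owning them runs as the splunk user rather than root. It parses `ss -H -lntp` output; the embedded sample output is constructed, and the column layout of ss is an assumption.

```shell
#!/bin/sh
# Post-install check (added here, not from the original post): verify that Splunk
# listens on 8000, 8089 and 9997 and that the listener runs as "splunk", not root.
# Assumes `ss -H -lntp` prints: State Recv-Q Send-Q Local Peer Process.

SPLUNK_PORTS="8000 8089 9997"

# Constructed sample of `ss -H -lntp` output from a healthy single-instance host.
SAMPLE_SS='LISTEN 0 128 *:8000 *:* users:(("splunkd",pid=1234,fd=10))
LISTEN 0 128 *:8089 *:* users:(("splunkd",pid=1234,fd=7))
LISTEN 0 128 *:9997 *:* users:(("splunkd",pid=1234,fd=12))'

# listening_pid PORT SS_OUTPUT: print the pid of the listener on PORT, or nothing.
listening_pid() {
    printf '%s\n' "$2" | while read -r state _ _ laddr _ proc; do
        case "$state:$laddr" in
            LISTEN:*:"$1") ;;      # local address ends in ":PORT"
            *) continue ;;
        esac
        pid=${proc#*pid=}          # drop everything up to "pid="
        printf '%s\n' "${pid%%,*}" # keep the digits before the next comma
        break
    done
}

# missing_ports SS_OUTPUT: print expected ports that have no listener (empty = ok).
missing_ports() {
    out=""
    for p in $SPLUNK_PORTS; do
        [ -n "$(listening_pid "$p" "$1")" ] || out="$out$p "
    done
    printf '%s' "${out% }"
}

# owner_ok USER: succeed only if the listener's account is the dedicated splunk user.
owner_ok() { [ "$1" = "splunk" ]; }

# check_host: run the check against the live system (needs ss and ps).
check_host() {
    ss_out=$(ss -H -lntp) || return 2
    missing=$(missing_ports "$ss_out")
    [ -z "$missing" ] || { echo "not listening: $missing"; return 1; }
    pid=$(listening_pid 8000 "$ss_out")
    owner=$(ps -o user= -p "$pid" | tr -d ' ')
    owner_ok "$owner" || { echo "pid $pid runs as $owner, not splunk"; return 1; }
    echo "Splunk is listening on $SPLUNK_PORTS as user splunk"
}

if [ "${1:-}" = "--live" ]; then check_host; fi
```

Run it with `--live` on the Splunk host after `splunk start`; without the flag it only defines the functions, so it can be sourced from other scripts.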

Thank you for reading. Have fun with your new Splunk environment.
