Install Splunk Enterprise on Linux
In this blog post, I will explain how to install Splunk on Linux. Splunk is a big data platform for indexing and analyzing high volumes of machine-generated data. It is used in many Security Operations Centers (SOCs) as the central log management tool, and with some tuning, or with the Splunk Enterprise Security app on top, it can serve as a Security Information and Event Management (SIEM) system.
To download Splunk Enterprise, you need an account on the Splunk website.
After creating the account, you can download Splunk Enterprise from the following link:
https://www.splunk.com/en_us/download/splunk-enterprise.html
Choose the rpm version for Linux.
Splunk is designed for high volumes of machine data. It is therefore split into different components (search head, indexer, forwarders, and so on) that are normally deployed on separate machines. For a small deployment, everything can run on a single instance. In this tutorial, we will deploy Splunk as a single instance on a CentOS 7 virtual machine (VM) with 8 vCPUs, 16 GB RAM and 500 GB HDD.
Before installing Splunk Enterprise, we create the firewall rules. We need port 8000 (Splunk Web), 8089 (the splunkd management/REST port) and 9997 (the receiving port on which forwarders deliver data; it only listens once receiving is enabled in Splunk). Port 8089 exposes the full REST API and 9997 accepts data from anyone who can reach it, so outside a lab, restrict both to the networks of your administrators and forwarders rather than opening them to everyone:
firewall-cmd --add-port=8000/tcp --permanent
firewall-cmd --add-port=8089/tcp --permanent
firewall-cmd --add-port=9997/tcp --permanent
firewall-cmd --reload
Making the rpm file executable is not actually required (rpm reads it as a data file), but it does no harm. What is worth doing before installing is comparing the file's checksum with the one published next to the download:
chmod 755 splunk-7.2.3-06d57c595b80-linux-2.6-x86_64.rpm
Then we install Splunk Enterprise by running the following command as root:
rpm -i splunk-7.2.3-06d57c595b80-linux-2.6-x86_64.rpm
The package installs Splunk under /opt/splunk and creates a dedicated splunk user. We switch to that user, because Splunk should run as a non-root user:
su - splunk
We start Splunk with the following command:
/opt/splunk/bin/splunk start --accept-license
On the first start, Splunk prompts you for an administrator user name and password (since Splunk 7.1 there is no default admin password any more). To enable autostart for Splunk, we run the following command as root:
/opt/splunk/bin/splunk enable boot-start -user splunk
After installing Splunk Enterprise, we can access Splunk Web in a browser under the following URL:
http://splunk.patrick-bareiss.local:8000
Note that Splunk Web is served over plain HTTP by default, so on anything beyond a lab VM, switch it to HTTPS. Log in to Splunk with the admin account and password you specified above.
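The whole procedure above as one re-runnable script, added here as an example and not part of the original post. It follows the same steps (firewall, rpm, non-root start, boot-start) and adds two things the post leaves implicit: the admin password is seeded from a user-seed.conf file instead of being typed at the prompt, and the management and receiving ports are opened only to the networks that need them. The rpm name is the one from the post; the MD5 placeholder, the admin user name, and the 192.0.2.0/24 networks are assumptions to be replaced with your own values.

```bash
#!/usr/bin/env bash
# Added example: single-instance Splunk Enterprise install on CentOS 7.
# Not from the original post. Replace the assumed values below.
set -eu

SPLUNK_HOME=/opt/splunk
SPLUNK_RPM="${SPLUNK_RPM:-splunk-7.2.3-06d57c595b80-linux-2.6-x86_64.rpm}"
SPLUNK_RPM_MD5="${SPLUNK_RPM_MD5:-00000000000000000000000000000000}"  # assumed placeholder: copy the MD5 listed beside the download
ADMIN_USER="${ADMIN_USER:-admin}"              # assumed
ADMIN_PASS="${ADMIN_PASS:-}"                   # pass via the environment, never on the command line
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"         # assumed: where admins / deployment tooling live
FORWARDER_NET="${FORWARDER_NET:-192.0.2.0/24}" # assumed: where your forwarders live

# Compare a file's MD5 with the value published beside the download.
# Returns 0 on match, 1 on mismatch.
verify_checksum() {
  local file="$1" expected="$2" actual
  actual=$(md5sum "$file" | awk '{print $1}')
  [ "$actual" = "$expected" ]
}

# firewalld rich rule admitting one TCP port from one source network only.
firewall_rich_rule() {
  local port="$1" source="$2"
  printf 'rule family="ipv4" source address="%s" port port="%s" protocol="tcp" accept' "$source" "$port"
}

# user-seed.conf: read by splunkd on first start (Splunk 7.1 and later) to
# create the admin account without the interactive prompt.
render_user_seed() {
  local user="$1" pass="$2"
  # Splunk's default password policy requires at least 8 characters.
  [ "${#pass}" -ge 8 ] || { echo "password too short" >&2; return 1; }
  printf '[user_info]\nUSERNAME = %s\nPASSWORD = %s\n' "$user" "$pass"
}

# web.conf: serve Splunk Web over HTTPS instead of plain http://...:8000.
render_web_conf() {
  printf '[settings]\nenableSplunkWebSSL = true\n'
}

install_splunk() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  [ -n "$ADMIN_PASS" ] || { echo "set ADMIN_PASS in the environment" >&2; return 1; }
  verify_checksum "$SPLUNK_RPM" "$SPLUNK_RPM_MD5" || { echo "checksum mismatch, refusing to install" >&2; return 1; }

  # Web UI open to the network; REST and receiving ports only to known networks.
  firewall-cmd --permanent --add-port=8000/tcp
  firewall-cmd --permanent --add-rich-rule="$(firewall_rich_rule 8089 "$ADMIN_NET")"
  firewall-cmd --permanent --add-rich-rule="$(firewall_rich_rule 9997 "$FORWARDER_NET")"
  firewall-cmd --reload

  rpm -i "$SPLUNK_RPM"   # creates the splunk user and /opt/splunk

  # Seed the admin account and enable HTTPS before the first start; the
  # files belong to the splunk user, and the seed is readable only by it.
  install -d -o splunk -g splunk "$SPLUNK_HOME/etc/system/local"
  render_user_seed "$ADMIN_USER" "$ADMIN_PASS" > "$SPLUNK_HOME/etc/system/local/user-seed.conf"
  render_web_conf > "$SPLUNK_HOME/etc/system/local/web.conf"
  chown splunk:splunk "$SPLUNK_HOME"/etc/system/local/*.conf
  chmod 600 "$SPLUNK_HOME/etc/system/local/user-seed.conf"

  # Start as the non-root splunk user, then register autostart as root.
  su - splunk -c "$SPLUNK_HOME/bin/splunk start --accept-license --answer-yes --no-prompt"
  "$SPLUNK_HOME/bin/splunk" enable boot-start -user splunk
}

# Only install when explicitly asked; running without arguments just
# defines the functions so they can be checked or sourced.
if [ "${1:-}" = "install" ]; then
  install_splunk
fi
```

Run it as root with `ADMIN_PASS=... SPLUNK_RPM_MD5=... ./install-splunk.sh install`. Port 9997 still does nothing until you enable receiving in Splunk Web (Settings > Forwarding and receiving), and with web-SSL enabled, Splunk Web answers on https://…:8000 with a self-signed certificate until you install your own.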
Thank you for reading. Have fun with your new Splunk environment.
Hi Patrick, really well written.
Hi Patrick,
Please include an update instruction of Splunk as well.
Thanks,
Mirko