Overview
Splunk Enterprise is a software platform to search, analyze,
and visualize the machine-generated data gathered from the websites,
applications, sensors, devices, and so on, that comprise your IT infrastructure
or business.
After you define the data source, Splunk Enterprise indexes
the data stream and parses it into a series of individual events that you can
view and search.
You can use the search processing language or the
interactive pivot feature to create reports and visualizations.
Splunk is available in several editions. This guide demonstrates how to download, install and configure the free edition.
Applies To
Tested on RHEL 7.
Pre-Requisites
· 64-bit OS; Splunk 6.3.1 runs only on kernel versions 2.6 and 3.0. 32-bit versions have been deprecated.
Installation and Configuration procedure
First we check whether the package is already installed; if it is not, we install it.
Check Package
Check whether the package is already installed by running:
rpm -qa | grep splunk
Download Package
After registering on the Splunk website, click the download link for the package. To download it from the CLI, run:
wget http://download.splunk.com/products/splunk/releases/6.3.1/splunk/linux/splunk-6.3.1-f3e41e4b37b2-linux-2.6-x86_64.rpm
Note: We are downloading the “Free Splunk” edition.
Install Package
After downloading the package, change its permissions and install it by running the commands below.
Note: the splunk user and group are created automatically by the package.
chmod 744 splunk-6.3.1-f3e41e4b37b2-linux-2.6-x86_64.rpm
rpm -i --prefix=/opt splunk-6.3.1-f3e41e4b37b2-linux-2.6-x86_64.rpm
Verify Installation
After installing the Splunk package, verify that it is installed by running:
rpm -qa | grep splunk
Firewall Configuration
Splunk Web listens on TCP port 8000, and this port must be opened in the host firewall before the management portal can be reached. On AWS these steps are not required; for demonstration purposes we will configure it here.
Firewall Configuration – Open TCP Port
After installing and checking the default configuration, the next step is to open the firewall port; Splunk Web runs on TCP port 8000.
firewall-cmd --permanent --add-port=8000/tcp
Firewall Configuration – Reload
Reload the firewall configuration.
firewall-cmd --reload
Firewall Configuration – List
After reloading the firewall daemon, list the current rule set.
firewall-cmd --list-all
Splunk – Configuration File
To print the default configuration file without blank and comment lines, run:
grep -v "^$" /opt/splunk/etc/splunk-launch.conf | grep -v '^ *#'
Default Configuration File – Snippet
SPLUNK_HOME=/opt/splunk
SPLUNK_SERVER_NAME=Splunkd
SPLUNK_WEB_NAME=splunkweb
Start First Time
Switch to Splunk User
Splunk is installed under the splunk user and group, so we need to switch to user “splunk” to start the application. When starting the application for the first time you must accept the license agreement.
sudo su - splunk
Start Splunk
cd /opt/splunk/bin
./splunk start
Alternatively, you can accept the license from the start command itself by running:
splunk start --answer-yes --no-prompt --accept-license
Accept License
Accept the license agreement to continue with the RSA key generation.
Web Interface URL
After the application starts, the web interface is configured and bound to the hostname on port 8000.
Launch Portal
Launch the portal from the browser.
After installation you can launch the admin portal from the browser. The admin password has to be changed when you sign in for the first time. Enter the default user “admin” and the default password “changeme”, then click the “Sign in” button.
New Password
After signing in, set a new password for the admin user, confirm it, and click the “Save Password” button to launch the default page.
Dashboard
After setting the new password, you will be redirected to main webpage.
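The checks below are an added example and not part of the original post: a shell script that verifies the downloaded RPM's SHA-256 before it is handed to rpm (the package above is fetched over plain http, so compare it with the checksum published on the Splunk download page; the EXPECTED_SHA256 value is a placeholder), confirms that 8000/tcp is in the active firewalld zone, and reads settings from splunk-launch.conf using the same blank/comment filtering as the grep pipeline above. The run_checks function is the live version for the RHEL 7 host; the other functions take their input as text so they can be exercised offline.

```shell
#!/bin/sh
# Added example for the Splunk 6.3.1 on RHEL 7 procedure above (not from the original post).
# Assumption: EXPECTED_SHA256 is a placeholder to be replaced with the checksum
# published on the Splunk download page; RPM_FILE is the package named above.

RPM_FILE="splunk-6.3.1-f3e41e4b37b2-linux-2.6-x86_64.rpm"
EXPECTED_SHA256="REPLACE_WITH_VENDOR_PUBLISHED_SHA256"   # placeholder, not a real value

# verify_rpm_checksum FILE EXPECTED: returns 0 only if FILE's SHA-256 equals EXPECTED.
# The package is fetched over plain http above, so check it before running rpm -i.
verify_rpm_checksum() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# port_is_open LIST_ALL_OUTPUT PORT: returns 0 if "PORT/tcp" is on the "ports:" line
# of `firewall-cmd --list-all` output (passed in as text so it can be tested offline).
port_is_open() {
    printf '%s\n' "$1" | grep -E '^[[:space:]]*ports:' | grep -qw "$2/tcp"
}

# launch_conf_value CONF_TEXT KEY: prints KEY's value from splunk-launch.conf text,
# skipping blank and comment lines exactly as the grep pipeline above does.
launch_conf_value() {
    printf '%s\n' "$1" | grep -v '^$' | grep -v '^ *#' | grep "^$2=" | cut -d= -f2-
}

# run_checks: the live version, for use on the RHEL 7 host after the firewall step.
run_checks() {
    verify_rpm_checksum "$RPM_FILE" "$EXPECTED_SHA256" \
        || { echo "checksum mismatch for $RPM_FILE: do not install"; return 1; }
    port_is_open "$(firewall-cmd --list-all)" 8000 \
        || { echo "8000/tcp is not open in the active firewalld zone"; return 1; }
    echo "SPLUNK_HOME=$(launch_conf_value "$(cat /opt/splunk/etc/splunk-launch.conf)" SPLUNK_HOME)"
}
```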
Slideshare Information
A step-by-step guide to the installation and configuration has been uploaded.