Logging Splunk

Installing Splunk on Ubuntu 21.10 impish


So you have decided to install Splunk? You are going to need a few things. This walkthrough is going to discuss installing Splunk on Ubuntu, although it hardly matters: the details will vary only slightly if you are a die-hard CentOS or Red Hat user.

I would recommend preparing your Linux flavor upfront. All your standard preparation guidelines should apply. Make sure the OS is up to date. Make sure its NTP is set and up to date.

Just a Note: For Splunk you might go with 4 vCPU, 4 G of memory and 50G of drive space. The default 16G of VMware won’t cut it as you will run out of space quickly. If you run below the limits the system will stop indexing.

You will need to go to splunk.com, create an account, and login.

You are going to want to go to the site. In order to download the package you are going to need to sign up for an account. Older versions of the product danced a little around the idea of the “Enterprise” version of the product and the “Free” version. As may have been outlined before – the Free version is the Enterprise version basically without a license. This does limit you in a number of ways.

https://www.splunk.com/en_us/download.html

The first move is probably just to move to the tmp directory. We can pull the package and install it from there.

cd /tmp

For the “Linux” versions they are going to provide you with a convenient way of using wget to pull the package from the CLI:

wget -O splunk-8.2.5-77015bc7a462-linux-2.6-amd64.deb "https://download.splunk.com/products/splunk/releases/8.2.5/linux/splunk-8.2.5-77015bc7a462-linux-2.6-amd64.deb"
dpkg -i splunk-8.2.5-77015bc7a462-linux-2.6-amd64.deb

This will take a while to unpack and install. The Splunk package will be installed in /opt/splunk. So the next thing we need to do is to kick-start Splunk, which will also trigger the license acknowledgement.

sudo /opt/splunk/bin/splunk enable boot-start

You are now ready to start splunk!

sudo service splunk start

Now you are ready to log in for the first time. Please visit the URL using your server's address or name, over http, on port 8000.
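The steps above, collected into one script as an added example (this is not code from the original post or from Splunk). It follows the same download, dpkg, boot-start and start sequence, but adds a SHA-512 check before dpkg runs; the post does not list a digest, so SPLUNK_SHA512 is a placeholder you must fill from the download page. The --accept-license, --answer-yes and --no-prompt flags are Splunk's documented switches for skipping the interactive license prompt the post mentions.

```shell
#!/bin/sh
# Added example: scripted version of the install steps in the post above.
set -eu

SPLUNK_VERSION="8.2.5"
SPLUNK_BUILD="77015bc7a462"
# Assumption: the SHA-512 published beside the package on the download page.
# The post gives no digest, so this placeholder must be replaced before use.
SPLUNK_SHA512="${SPLUNK_SHA512:-REPLACE_WITH_SHA512_FROM_DOWNLOAD_PAGE}"

# Package filename in the layout Splunk uses for its Linux .deb builds
# (matches the wget line in the post).
splunk_pkg_name() {
    printf 'splunk-%s-%s-linux-2.6-amd64.deb' "$1" "$2"
}

# Download URL for a given version and build id, same path as in the post.
splunk_pkg_url() {
    printf 'https://download.splunk.com/products/splunk/releases/%s/linux/%s' \
        "$1" "$(splunk_pkg_name "$1" "$2")"
}

# Compare a file's SHA-512 with the expected digest; non-zero on mismatch.
verify_sha512() {
    file="$1"
    expected="$2"
    actual=$(sha512sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# The install itself: fetch into /tmp, verify, install, enable boot-start, start.
install_splunk() {
    pkg=$(splunk_pkg_name "$SPLUNK_VERSION" "$SPLUNK_BUILD")
    cd /tmp
    wget -O "$pkg" "$(splunk_pkg_url "$SPLUNK_VERSION" "$SPLUNK_BUILD")"
    if ! verify_sha512 "$pkg" "$SPLUNK_SHA512"; then
        echo "checksum mismatch for $pkg, refusing to install" >&2
        exit 1
    fi
    sudo dpkg -i "$pkg"
    # Non-interactive equivalent of answering the license prompt by hand.
    sudo /opt/splunk/bin/splunk enable boot-start \
        --accept-license --answer-yes --no-prompt
    sudo service splunk start
    echo "Splunk Web should now answer at http://$(hostname -f):8000"
}

# Only run the install when asked explicitly, so the file can be sourced safely.
if [ "${1:-}" = "install" ]; then
    install_splunk
fi
```

Run it as `sh install-splunk.sh install` with SPLUNK_SHA512 exported; without the `install` argument it only defines the functions.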

You no doubt will be enticed to discuss a storage engine which will be optimized to compress and store data.

Congratulations you now have Splunk installed.

While you are downloading items, you may want to go ahead and download the Splunk Universal Forwarder.

https://www.splunk.com/en_us/download/universal-forwarder.html

With Splunk running you are now ready to consider how to “log” some data. And once you have data you can decide what you are going to do with it. Please see some of the other short posts for this.

Reference:
https://www.bitsioinc.com/tutorials/install-splunk-ubuntu/
https://en.wikipedia.org/wiki/Splunk
