Splunk is one of the most powerful tool for exploring and searching data. It is one of the easiest, faster and secured way to search, analysis, collect and visualize massive data streams in realtime from applications, webservers, databases, server platforms, Cloud networks and many more. The Splunk developers are offering Splunk software packages compatible on different platforms, we can choose the best one which suits our purpose. This software makes it simple to collect, analyze and work upon the un broached value of massive data generated by any IT enterprise, security systems or any business applications, giving you total insights to obtain the best operational performance and business results.
There are no official pre-requisites for the installations, but I recommend a proper hostname, firewall and network configuration for the server prior to the installations. This software supports only 64 bit server architecture. In this article, I'm guiding you on how to install Splunk Enterprise version on a CentOS 7 server. Let's walk through the installation steps one by one.
1. Create a Splunk User
It is always recommended to run this application as its dedicated user rather than as root. I created a user to run this application and created an application folder for the installation.
[root@server1 tmp]# groupadd splunk [root@server1 tmp]# useradd -d /opt/splunk -m -g splunk splunk [root@server1 tmp]# su - splunk [splunk@server1 ~]$ id uid=1001(splunk) gid=1001(splunk) groups=1001(splunk) Confirm the server architecture [splunk@server1 ~]$ getconf LONG_BIT 64
2. Download and extract the Splunk Enterprise version
Create a Splunk account and download the Splunk software from their official website here.
Now extract the tar file and copy the files to the Splunk application folder namely /opt/splunk created.
root@server1 tmp]# tar -xvf splunk-6.4.0-f2c836328108-Linux-x86_64.tgz [root@server1 tmp]# cp -rp splunk/* /opt/splunk/ [root@server1 tmp]# chown -R splunk: /opt/splunk/
3. Splunk Installation
Once the Splunk software is downloaded, you can login to your Splunk user and run the installation script. I choose the trial license, so it will take it by default.
root@server1 tmp]# su - splunk Last login: Fri Apr 29 08:14:12 UTC 2016 on pts/0 [splunk@server1 ~]$ cd bin/ [splunk@server1 bin]$ ./splunk start --accept-license This appears to be your first time running this version of Splunk. Copying '/opt/splunk/etc/openldap/ldap.conf.default' to '/opt/splunk/etc/openldap/ldap.conf'. Generating RSA private key, 1024 bit long modulus .++++++ ..................++++++ e is 65537 (0x10001) writing RSA key Generating RSA private key, 1024 bit long modulus ................++++++ ..++++++ e is 65537 (0x10001) writing RSA key Moving '/opt/splunk/share/splunk/search_mrsparkle/modules.new' to '/opt/splunk/share/splunk/search_mrsparkle/modules'. Splunk> Australian for grep. Checking prerequisites... Checking http port : open Checking mgmt port : open Checking appserver port [127.0.0.1:8065]: open Checking kvstore port : open Checking configuration... Done. Creating: /opt/splunk/var/lib/splunk Creating: /opt/splunk/var/run/splunk Creating: /opt/splunk/var/run/splunk/appserver/i18n Creating: /opt/splunk/var/run/splunk/appserver/modules/static/css Creating: /opt/splunk/var/run/splunk/upload Creating: /opt/splunk/var/spool/splunk Creating: /opt/splunk/var/spool/dirmoncache Creating: /opt/splunk/var/lib/splunk/authDb Creating: /opt/splunk/var/lib/splunk/hashDb Checking critical directories... Done Checking indexes... Validated: _audit _internal _introspection _thefishbucket history main summary Done New certs have been generated in '/opt/splunk/etc/auth'. Checking filesystem compatibility... Done Checking conf files for problems... Done Checking default conf files for edits... Validating installed files against hashes from '/opt/splunk/splunk-6.4.0-f2c836328108-linux-2.6-x86_64-manifest' All installed files intact. Done All preliminary checks passed. Starting splunk server daemon (splunkd)... Generating a 1024 bit RSA private key .....................++++++ ...........................++++++ writing new private key to 'privKeySecure.pem' ----- Signature ok subject=/CN=server1.centos7-test.com/O=SplunkUser Getting CA Private Key writing RSA key Done [ OK ] Waiting for web server at http://127.0.0.1:8000 to be available.... Done If you get stuck, we're here to help. Look for answers here: http://docs.splunk.com The Splunk web interface is at http://server1.centos7-test.com:8000
Now you can access your Splunk Web interface at http://IP:8000/ or http://hostname:8000. You need to make sure this port 8000 is open in your server firewall.
4. Configuring Splunk Web Interface
I've completed with my installation and I've my Splunk Service up & running in my server. Now I need to set-up my Splunk Web interface. I accessed my Splunk web interface and set my administrator password.
First time when you're accessing the Splunk interface, you can use the user/password provided in the page which is admin/changeme in this case. Once logged in, on the very next page it will ask to change and confirm your new password.
Now, you've set your admin password. Once you log in with the new password, you will have your Splunk Dashboard ready to use.
There are different categories listed over in the home page. You can choose the required one and start splunking.
6. Adding a task
I'm adding an example for a simple task which is been added to the Splunk system. Just see my snapshots to understand how I added it. My task is to add /var/log folder to the Splunk system for monitoring.
- Open up the Splunk Web interface. Click on the Settings Tab >> Choose the Add Data option
2. The Add Data Tab opens up with three options: Upload, Monitor and Forward. Here our task is to monitor a folder, so we go ahead with Monitor.
In the Monitor option, there are four categories as below:
File & Directories : To monitor files/folders
HTTP Event Collector : Monitor data streams over HTTP
TCP/UDP : Monitor Service ports
Scripts : Monitor Scripts
3. According to our purpose, I choose the Files & Directories option.
4. Now, I'm choosing the exact folder path from the server to monitor. Once you confirm with the settings, you can click Next and Review.
5. Now you can start searching and monitoring the log file as required.
You can just see the logs been narrowed to one of my REDIS application on the server.
This is just a simple example for Splunking, you can add as many tasks to this and explore your server data. I hope this article is informative and useful for you. Thank you for reading this :) I recommend your valuable suggestions and comments on this. Now just try Splunk!!
Enjoy Splunking :)