install splunk | zuhdi.org

Install Splunk

Environment

  • Debian 9.7 x64
  • Splunk 7.2.6

Excerpt

Log 2019 / 05

1. Pre

root@athos:~# apt-get update && apt-get -y upgrade && apt-get -y dist-upgrade

wget -qO splunk-7.2.6-c0bf0f679ce9-linux-2.6-amd64.deb \
'https://www.splunk.com/bin/splunk/DownloadActivityServlet?'\
'architecture=x86_64&platform=linux&version=7.2.6&product=splunk&'\
'filename=splunk-7.2.6-c0bf0f679ce9-linux-2.6-amd64.deb&wget=true'

root@athos:~# wget -qO splunk-7.2.6-c0bf0f679ce9-linux-2.6-amd64.deb \
> 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?'\
> 'architecture=x86_64&platform=linux&version=7.2.6&product=splunk&'\
> 'filename=splunk-7.2.6-c0bf0f679ce9-linux-2.6-amd64.deb&wget=true'

wget -q 'https://download.splunk.com/products/splunk/releases/7.2.6/linux/'\
'splunk-7.2.6-c0bf0f679ce9-linux-2.6-amd64.deb.md5'

root@athos:~# wget -q 'https://download.splunk.com/products/splunk/releases/7.2.6/linux/'\
> 'splunk-7.2.6-c0bf0f679ce9-linux-2.6-amd64.deb.md5'

root@athos:~# echo $(cat splunk-7.2.6-c0bf0f679ce9-linux-2.6-amd64.deb.md5) | md5sum -c -
splunk-7.2.6-c0bf0f679ce9-linux-2.6-amd64.deb: OK

2. Install Splunk

root@athos:~# dpkg -i splunk-7.2.6-c0bf0f679ce9-linux-2.6-amd64.deb
Selecting previously unselected package splunk.
(Reading database ... 29465 files and directories currently installed.)
Preparing to unpack splunk-7.2.6-c0bf0f679ce9-linux-2.6-amd64.deb ...
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
sent invalidate(group) request, exiting
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
Unpacking splunk (7.2.6) ...
Setting up splunk (7.2.6) ...
complete

root@athos:~# dpkg --status splunk
Package: splunk
Status: install ok installed
Maintainer: Splunk Inc. <info@splunk.com>
Architecture: amd64
Version: 7.2.6
Description: Splunk The platform for machine data.

root@athos:~# dpkg -L splunk | head
/.
/opt
/opt/splunk
/opt/splunk/README-splunk.txt
/opt/splunk/bin
/opt/splunk/bin/ColdStorageArchiver.py
/opt/splunk/bin/bloom
/opt/splunk/bin/bottle.py
/opt/splunk/bin/btool
/opt/splunk/bin/btprobe

3. Configure Path

root@athos:~# echo "export SPLUNK_HOME=/opt/splunk" >> ~/.bashrc

root@athos:~# source ~/.bashrc

4. Configure user-seed.conf

cat <<EOF > $SPLUNK_HOME/etc/system/local/user-seed.conf
[user_info]
USERNAME = admin
PASSWORD = password
EOF

root@athos:~# cat <<EOF > $SPLUNK_HOME/etc/system/local/user-seed.conf
> [user_info]
> USERNAME = admin
> PASSWORD = password
> EOF
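
The two manual steps above (the md5 check in step 1 and the user-seed.conf heredoc in step 4) as shell functions, an added example that is not part of the original post. It assumes GNU coreutils (md5sum, readlink) and a writable $SPLUNK_HOME; SPLUNK_ADMIN_PASSWORD, verify_package and write_user_seed are names chosen here.

```shell
#!/bin/bash
# Added example, not from the original post: helpers for steps 1 and 4.
# Assumes GNU coreutils (md5sum, readlink) and a writable $SPLUNK_HOME.
set -u

# Step 1: verify the downloaded .deb against its .md5 sidecar file.
# md5sum -c accepts both GNU ("hash  file") and BSD ("MD5 (file) = hash")
# lines, so the sidecar is passed through unchanged. The check runs inside
# the package's directory so the filename recorded in the sidecar resolves.
# Returns 0 only when every line reports OK, 1 on a mismatch, 2 if a file is missing.
verify_package() {
    local pkg="$1" sums
    sums=$(readlink -f "$2")
    [ -f "$pkg" ] && [ -f "$sums" ] || return 2
    (cd "$(dirname "$pkg")" && md5sum -c --status -- "$sums")
}

# Step 4: write user-seed.conf for the first start. The password is taken
# from the environment rather than the command line, so it does not land in
# shell history, and the file is created mode 0600 (umask 077) instead of
# the 0644 that root's default umask gives the heredoc above. Splunk reads
# this file on its first start; even a short-lived copy of the admin
# password should not be readable by other local users.
# Usage: SPLUNK_ADMIN_PASSWORD='...' write_user_seed "$SPLUNK_HOME" [username]
write_user_seed() {
    local home="$1" user="${2:-admin}" pass="${SPLUNK_ADMIN_PASSWORD:-}"
    local conf="$home/etc/system/local/user-seed.conf"
    # Assumed policy: Splunk's default minimum password length is 8 (see
    # authentication.conf); refuse anything shorter, or empty, up front.
    if [ "${#pass}" -lt 8 ]; then
        echo "write_user_seed: SPLUNK_ADMIN_PASSWORD must be at least 8 characters" >&2
        return 1
    fi
    mkdir -p "$(dirname "$conf")" || return 1
    (umask 077 && printf '[user_info]\nUSERNAME = %s\nPASSWORD = %s\n' \
        "$user" "$pass" > "$conf")
}
```

Source the file, run verify_package on the .deb and its .md5 before dpkg -i, and call write_user_seed just before the first splunk start.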

5. Run

root@athos:~# $SPLUNK_HOME/bin/splunk start --no-prompt --accept-license

This appears to be your first time running this version of Splunk.
Copying '/opt/splunk/etc/openldap/ldap.conf.default' to '/opt/splunk/etc/openldap/ldap.conf'.
Generating RSA private key, 2048 bit long modulus
...........................................................................+++++
...........................................................................+++++
e is 65537 (0x10001)
writing RSA key

Generating RSA private key, 2048 bit long modulus
...........................................................................+++++
...........................................................................+++++
e is 65537 (0x10001)
writing RSA key

Moving '/opt/splunk/share/splunk/search_mrsparkle/modules.new' to '/opt/splunk/share/splunk/search_mrsparkle/modules'.

Splunk> The IT Search Engine.

Checking prerequisites...
        Checking http port [8000]: open
        Checking mgmt port [8089]: open
        Checking appserver port [127.0.0.1:8065]: open
        Checking kvstore port [8191]: open
        Checking configuration...  Done.
                Creating: /opt/splunk/var/lib/splunk
                Creating: /opt/splunk/var/run/splunk
                Creating: /opt/splunk/var/run/splunk/appserver/i18n
                Creating: /opt/splunk/var/run/splunk/appserver/modules/static/css
                Creating: /opt/splunk/var/run/splunk/upload
                Creating: /opt/splunk/var/spool/splunk
                Creating: /opt/splunk/var/spool/dirmoncache
                Creating: /opt/splunk/var/lib/splunk/authDb
                Creating: /opt/splunk/var/lib/splunk/hashDb
New certs have been generated in '/opt/splunk/etc/auth'.
        Checking critical directories...        Done
        Checking indexes...
                Validated: _audit _internal _introspection _telemetry _thefishbucket history main summary
        Done
        Checking filesystem compatibility...  Done
        Checking conf files for problems...
        Done
        Checking default conf files for edits...
        Validating installed files against hashes from '/opt/splunk/splunk-7.2.6-c0bf0f679ce9-linux-2.6-x86_64-manifest'
        All installed files intact.
        Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
Generating a 2048 bit RSA private key
...........................................................................+++++
...........................................................................+++++
writing new private key to 'privKeySecure.pem'
-----
Signature ok
subject=/CN=athos/O=SplunkUser
Getting CA Private Key
writing RSA key
Done


Waiting for web server at http://127.0.0.1:8000 to be available........ Done


If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com

The Splunk web interface is at http://athos:8000

6. Configure Data Inputs

Settings > Data inputs > Local inputs (TCP/UDP, syslog port 514)

7. systemd

root@athos:~# $SPLUNK_HOME/bin/splunk enable boot-start -systemd-managed 1
Init script installed at /etc/systemd/system/.
Init script is configured to run at boot.

root@athos:~# systemctl status Splunkd.service
● Splunkd.service - Systemd service file for Splunk, generated by 'splunk enable boot-start'
   Loaded: loaded (/etc/systemd/system/Splunkd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2019-05-25 16:41:32 UTC; 3min 0s ago
 Main PID: 668 (splunkd)
    Tasks: 165 (limit: 4915)
   Memory: 822.2M (limit: 100.0G)
      CPU: 17.838s
   CGroup: /system.slice/Splunkd.service
           ├─ 668 splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd
           (truncated)

Hugo. Malte Kiefer & Zuhdi Najib.