How to Install Splunk on Linux – Complete Setup Guide

Splunk is a powerful Security Information and Event Management (SIEM) solution that collects, organizes, and visualizes machine-generated data. It’s often used for monitoring, analyzing, and securing logs from servers, applications, websites, and other systems. Below, we’ll guide you through the process of installing and configuring Splunk Enterprise on Linux (both CentOS and Debian/Ubuntu systems).


Step 1: Create a Splunk Account

Before installing Splunk, you’ll need to create an account on Splunk’s official website.

  1. Go to the Splunk website.
  2. Click on “Sign Up” or “Log In” to create an account.
  3. Once logged in, choose the Free Splunk option from the dashboard.

Step 2: Download Splunk

Splunk offers different installation packages based on the system you’re using. Here’s how to get the right one:

  • For CentOS:
    • Select Linux and download the .rpm file.
  • For Debian/Ubuntu:
    • Select Linux and download the .deb file.

After downloading, upload the file to your server using scp (for Debian/Ubuntu) or your preferred method for CentOS.


Step 3: Install Splunk on Linux

Install on CentOS:

  1. SSH into your CentOS server.
  2. Install the Splunk RPM file:
    rpm -i /path-to-file/splunk-versionnumber.rpm
  3. Continue with the Splunk setup process.

Install on Debian/Ubuntu:

  1. SSH into your Debian/Ubuntu server.
  2. Upload the Splunk .deb file to your server.
  3. Install the Splunk DEB package:
    dpkg -i splunk-versionnumber.deb
  4. Verify Splunk installation:
    dpkg --status splunk

Step 4: Change Default Shell (Debian Only)

By default, Debian uses the dash shell, which may cause issues with Splunk. It’s recommended to switch to bash:

  1. Check your current shell:
    which sh
  2. If it shows /bin/sh, change the default shell to bash:
    rm /bin/sh
    ln -s /bin/bash /bin/sh

Step 5: Complete Splunk Setup

Once Splunk is installed, you’ll need to start the service and complete the setup:

  1. Start the Splunk service:
    /opt/splunk/bin/splunk start
  2. Accept the license agreement by typing y and pressing Enter.
  3. Create an administrator username and password (minimum 8 characters).
  4. Splunk will provide the URL to access the web interface:
    http://your-server-ip:8000
  5. Open port 8000 in your firewall to access the Splunk web interface.

Step 6: Log into Splunk Web Interface

Once Splunk is running, access the dashboard via the web interface:

  • Use the server hostname or IP address with port 8000:
    http://serverhostname:8000
    http://your-server-ip:8000
  • Use the administrator username and password you created to log in.

Step 7: Resetting the Splunk Admin Password

If you forget your Splunk admin password, you’ll need to reset it manually:

  1. SSH into your server and navigate to the /opt/splunk/etc directory:
    cd /opt/splunk/etc
  2. Rename the passwd file:
    mv passwd passwd.backup
  3. Go to the local directory:
    cd ../system/local
  4. Create and edit the user-seed.conf file:
    nano user-seed.conf
  5. Add the following content to create a new admin username and password:
    [user_info]
    USERNAME = admin
    PASSWORD = NewPassword123!
  6. Save and exit, then restart Splunk:
    /opt/splunk/bin/splunk restart
  7. Log into the web interface using the new credentials.
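The reset above as one scriptable function, added here as an example and not part of the original post. It assumes SPLUNK_HOME (default /opt/splunk) and that it runs as the user that owns that tree; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): Step 7 as one function.
# Assumes SPLUNK_HOME (default /opt/splunk) and that it runs as the user
# that owns that tree (root in this guide).
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# splunk_reset_admin USERNAME PASSWORD
# Moves etc/passwd aside and writes etc/system/local/user-seed.conf;
# Splunk consumes the seed on its next start and then removes it.
# Returns 1 on a password shorter than the 8-character minimum.
splunk_reset_admin() {
  user="$1"; pass="$2"
  if [ "${#pass}" -lt 8 ]; then
    echo "password must be at least 8 characters" >&2
    return 1
  fi
  # etc/passwd holds every local Splunk account, not only admin; moving it
  # means all of them must be recreated after the reset.
  if [ -f "$SPLUNK_HOME/etc/passwd" ]; then
    mv "$SPLUNK_HOME/etc/passwd" "$SPLUNK_HOME/etc/passwd.backup"
  fi
  seed_dir="$SPLUNK_HOME/etc/system/local"
  mkdir -p "$seed_dir"
  # The seed stores the password in clear text, so recreate it owner-only
  # (umask 077 in a subshell leaves the caller's umask untouched).
  rm -f "$seed_dir/user-seed.conf"
  ( umask 077
    printf '[user_info]\nUSERNAME = %s\nPASSWORD = %s\n' "$user" "$pass" \
      > "$seed_dir/user-seed.conf" )
}

# Restart so the seed is read; skipped when Splunk is not installed here.
splunk_restart_if_present() {
  [ -x "$SPLUNK_HOME/bin/splunk" ] && "$SPLUNK_HOME/bin/splunk" restart
}
```

Run `splunk_reset_admin admin 'NewPassword123!'` followed by `splunk_restart_if_present`; the backup file keeps the old hashes in case the reset has to be rolled back.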

Step 8: Monitoring Data in Splunk

Now, you can start monitoring logs and data within Splunk:

  1. Log into the Splunk web interface.
  2. Click Add Data.
  3. Select Monitor, then Files & Directories.
  4. Browse to the file or directory you want to monitor (e.g., /var/log/auth.log for login attempts).
  5. Choose Continuously Monitor to display real-time updates.
  6. Click Next and select the appropriate Source Type (e.g., linux_secure).
  7. Review your settings and click Submit to start monitoring.
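The same monitor input can be created without the web interface by writing an inputs.conf stanza, which is what the Add Data wizard does behind the scenes. This is an added example, not code from the original post; it assumes SPLUNK_HOME (default /opt/splunk), places the stanza in the search app's local inputs.conf, and uses hypothetical function names.

```shell
#!/bin/sh
# Added example (not from the original post): file-based equivalent of
# Step 8 (Add Data > Monitor > Files & Directories, Continuously Monitor).
# Assumes SPLUNK_HOME (default /opt/splunk); Splunk picks the stanza up
# after a restart.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
INPUTS_CONF="${INPUTS_CONF:-$SPLUNK_HOME/etc/apps/search/local/inputs.conf}"

# splunk_monitor_stanza PATH SOURCETYPE [INDEX]
# Prints the inputs.conf stanza that continuously monitors PATH.
splunk_monitor_stanza() {
  printf '[monitor://%s]\nsourcetype = %s\ndisabled = false\n' "$1" "$2"
  [ -n "$3" ] && printf 'index = %s\n' "$3"
  return 0
}

# splunk_add_monitor PATH SOURCETYPE [INDEX]
# Appends the stanza once; re-running is a no-op, so the function is safe
# to call from configuration management. Returns 2 when PATH is not
# readable by the current user, since the account Splunk runs as must be
# able to read the file too (auth.log is typically root/adm only).
splunk_add_monitor() {
  path="$1"; stype="$2"; idx="$3"
  if [ ! -r "$path" ]; then
    echo "cannot read $path; Splunk will not be able to either" >&2
    return 2
  fi
  mkdir -p "$(dirname "$INPUTS_CONF")"
  touch "$INPUTS_CONF"
  if grep -Fqx "[monitor://$path]" "$INPUTS_CONF"; then
    return 0   # stanza already present
  fi
  { printf '\n'; splunk_monitor_stanza "$path" "$stype" "$idx"; } >> "$INPUTS_CONF"
}
```

For the page's example: `splunk_add_monitor /var/log/auth.log linux_secure`, then `/opt/splunk/bin/splunk restart`.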

Step 9: Installing Splunk Apps

Splunk offers many apps to extend functionality. You can install them from Splunkbase or directly from the Splunk dashboard:

Install from Splunk Dashboard:

  1. From the homepage, click Find More Apps on the left.
  2. Search for the app you want to install.
  3. Click Install and provide your Splunk.com credentials.
  4. After installation, restart Splunk if prompted.

Install Manually:

  1. Visit Splunkbase, find the app, and download the .tgz file.
  2. In your Splunk dashboard, go to Apps > Manage Apps, then click Install App from File.
  3. Upload the app file and restart Splunk.

Conclusion

By following these steps, you’ve successfully installed and configured Splunk Enterprise on your Linux server. You can now begin monitoring logs and data to enhance security and gain valuable insights into your system’s operations. Splunk’s powerful features, such as the ability to install custom apps, allow you to tailor the tool to meet the specific needs of your environment.

Ramandeep Singh Sethi

Hello, I’m Ramandeep Singh Sethi, a Public Speaker, Entrepreneur, Philanthropist, and the CEO & Founder of three pioneering technology companies: Hydizo Global Solutions, 1Only Host, and Leadtuts.