Splunk is a powerful Security Information and Event Management (SIEM) solution that collects, organizes, and visualizes machine-generated data. It’s often used for monitoring, analyzing, and securing logs from servers, applications, websites, and other systems. Below, we’ll guide you through the process of installing and configuring Splunk Enterprise on Linux (both CentOS and Debian/Ubuntu systems).
Step 1: Create a Splunk Account
Before installing Splunk, you’ll need to create an account on Splunk’s official website.
- Go to the Splunk website.
- Click on “Sign Up” or “Log In” to create an account.
- Once logged in, choose the Free Splunk option from the dashboard.
Step 2: Download Splunk
Splunk offers different installation packages based on the system you’re using. Here’s how to get the right one:
- For CentOS:
  - Select Linux and download the .rpm file.
- For Debian/Ubuntu:
  - Select Linux and download the .deb file.
After downloading, upload the file to your server using scp (for Debian/Ubuntu) or your preferred method for CentOS.
Step 3: Install Splunk on Linux
Install on CentOS:
- SSH into your CentOS server.
- Install the Splunk RPM file:
```bash
rpm -i /path-to-file/splunk-versionnumber.rpm
```
- Continue with the Splunk setup process.
Install on Debian/Ubuntu:
- SSH into your Debian/Ubuntu server.
- Upload the Splunk .deb file to your server.
- Install the Splunk DEB package:
```bash
dpkg -i splunk-versionnumber.deb
```
- Verify the Splunk installation:
```bash
dpkg --status splunk
```
Step 4: Change Default Shell (Debian Only)
By default, Debian uses the dash shell, which may cause issues with Splunk. It’s recommended to switch to bash:
- Check your current shell:
```bash
which sh
```
- If it shows /bin/sh, change the default shell to bash:
```bash
rm /bin/sh
ln -s /bin/bash /bin/sh
```
Step 5: Complete Splunk Setup
Once Splunk is installed, you’ll need to start the service and complete the setup:
- Start the Splunk service:
```bash
/opt/splunk/bin/splunk start
```
- Accept the license agreement by typing y and pressing Enter.
- Create an administrator username and password (minimum 8 characters).
- Splunk will provide the URL to access the web interface:
```
http://your-server-ip:8000
```
- Open port 8000 in your firewall to access the Splunk web interface.
Step 6: Log into Splunk Web Interface
Once Splunk is running, access the dashboard via the web interface:
- Use the server hostname or IP address with port 8000:
```
http://serverhostname:8000
http://your-server-ip:8000
```
- Use the administrator username and password you created to log in.
Step 7: Resetting the Splunk Admin Password
If you forget your Splunk admin password, you’ll need to reset it manually:
- SSH into your server and navigate to the /opt/splunk/etc directory:
```bash
cd /opt/splunk/etc
```
- Rename the passwd file:
```bash
mv passwd passwd.backup
```
- Go to the local directory:
```bash
cd ../system/local
```
- Create and edit the user-seed.conf file:
```bash
nano user-seed.conf
```
- Add the following content to create a new admin username and password:
```ini
[user_info]
USERNAME = admin
PASSWORD = NewPassword123!
```
- Save and exit, then restart Splunk:
```bash
/opt/splunk/bin/splunk restart
```
- Log into the web interface using the new credentials.
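The reset in Step 7 and the 8-character minimum from Step 5 can be scripted so the same procedure works unattended on many hosts. The following is an added example, not code from the article or from Splunk: it backs up etc/passwd, writes the user-seed.conf stanza with the password-length check, and removes the seed after the restart. It assumes the default install prefix /opt/splunk unless SPLUNK_HOME is set; the function and variable names (validate_password, write_user_seed, backup_passwd, reset_admin) are this example's own.

```bash
#!/bin/sh
# Added example (not from the original article): file-based admin credential
# seeding for Splunk Enterprise, the scripted equivalent of Step 5's prompt
# and Step 7's manual reset. Assumes SPLUNK_HOME (default /opt/splunk).
set -eu

# Enforce the 8-character minimum the setup wizard applies, so a bad seed
# does not leave Splunk without a usable admin account.
validate_password() {
    pw=$1
    [ "${#pw}" -ge 8 ]
}

# Write etc/system/local/user-seed.conf. Splunk consumes this file on the next
# start and creates (or replaces) the named user. The password sits in clear
# text until then, so the file is created with mode 0600 via a subshell umask.
write_user_seed() {
    home=$1 user=$2 pw=$3
    validate_password "$pw" || { echo "password shorter than 8 characters" >&2; return 1; }
    mkdir -p "$home/etc/system/local"
    seed="$home/etc/system/local/user-seed.conf"
    (umask 077; printf '[user_info]\nUSERNAME = %s\nPASSWORD = %s\n' "$user" "$pw" > "$seed")
    echo "$seed"
}

# Step 7's backup of etc/passwd, with a timestamped name so repeated resets
# do not overwrite the previous backup.
backup_passwd() {
    home=$1
    [ -f "$home/etc/passwd" ] || return 0
    mv "$home/etc/passwd" "$home/etc/passwd.$(date +%Y%m%d%H%M%S).backup"
}

# Driver for a real host: back up, seed, restart, then delete the seed so the
# clear-text password does not linger on disk.
reset_admin() {
    home=${SPLUNK_HOME:-/opt/splunk}
    backup_passwd "$home"
    seed=$(write_user_seed "$home" "$1" "$2")
    "$home/bin/splunk" restart
    rm -f "$seed"
}

# Usage on a host (as root or the splunk user):
#   reset_admin admin 'NewPassword123!'
```

After the restart, confirm the login works and check that user-seed.conf is gone; Splunk reads it only when etc/passwd has no entry for that user, so a leftover seed is both a stale secret and a source of confusion on the next reset.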
Step 8: Monitoring Data in Splunk
Now, you can start monitoring logs and data within Splunk:
- Log into the Splunk web interface.
- Click Add Data.
- Select Monitor, then Files & Directories.
- Browse to the file or directory you want to monitor (e.g., /var/log/auth.log for login attempts).
- Choose Continuously Monitor to display real-time updates.
- Click Next and select the appropriate Source Type (e.g., linux_secure).
- Review your settings and click Submit to start monitoring.
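The Add Data wizard in Step 8 ends up writing a monitor stanza into inputs.conf, and generating that stanza directly is how the same input gets deployed on more than one host. The following is an added example, not code from the article or from Splunk: it emits the stanza for a file such as /var/log/auth.log with sourcetype linux_secure, refusing relative paths and files the current user cannot read, since an unreadable input produces no events and no error in the search UI. It assumes SPLUNK_HOME (default /opt/splunk) and that it runs as the user splunkd runs as; the function names (monitor_stanza, add_monitors) and the "path:sourcetype" argument format are this example's own.

```bash
#!/bin/sh
# Added example (not from the original article): configuration-file
# equivalent of Step 8's "Add Data > Monitor > Files & Directories" wizard.
# Assumes SPLUNK_HOME (default /opt/splunk) and that the caller is the user
# the splunkd process runs as, so the readability check below is meaningful.
set -eu

# Emit one [monitor://...] stanza. Splunk requires an absolute path, and a
# file the Splunk user cannot read is monitored silently with no events.
monitor_stanza() {
    path=$1 sourcetype=$2 index=${3:-main}
    case $path in
        /*) ;;
        *) echo "path must be absolute: $path" >&2; return 1 ;;
    esac
    [ -r "$path" ] || { echo "not readable: $path" >&2; return 1; }
    printf '[monitor://%s]\nsourcetype = %s\nindex = %s\ndisabled = false\n\n' \
        "$path" "$sourcetype" "$index"
}

# Append stanzas to etc/system/local/inputs.conf (never edit default/, which
# upgrades overwrite). Each argument is a "path:sourcetype" pair.
add_monitors() {
    home=$1; shift
    conf="$home/etc/system/local/inputs.conf"
    mkdir -p "$(dirname "$conf")"
    for spec in "$@"; do
        monitor_stanza "${spec%%:*}" "${spec#*:}" >> "$conf"
    done
    echo "$conf"
}

# Usage on a host, followed by a restart so the new input is picked up:
#   add_monitors "${SPLUNK_HOME:-/opt/splunk}" /var/log/auth.log:linux_secure
#   "${SPLUNK_HOME:-/opt/splunk}/bin/splunk" restart
```

On Debian/Ubuntu, /var/log/auth.log is normally readable only by root and the adm group, so a Splunk instance running as an unprivileged user needs that user added to adm before the stanza above yields any events. The index named in the stanza must already exist; main does by default, but events sent to a non-existent index are dropped.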
Step 9: Installing Splunk Apps
Splunk offers many apps to extend functionality. You can install them from Splunkbase or directly from the Splunk dashboard:
Install from Splunk Dashboard:
- From the homepage, click Find More Apps on the left.
- Search for the app you want to install.
- Click Install and provide your Splunk.com credentials.
- After installation, restart Splunk if prompted.
Install Manually:
- Visit Splunkbase, find the app, and download the .tgz file.
- In your Splunk dashboard, go to Apps > Manage Apps, then click Install App from File.
- Upload the app file and restart Splunk.
Conclusion
By following these steps, you’ve successfully installed and configured Splunk Enterprise on your Linux server. You can now begin monitoring logs and data to enhance security and gain valuable insights into your system’s operations. Splunk’s powerful features, such as the ability to install custom apps, allow you to tailor the tool to meet the specific needs of your environment.