Install Splunk in single-instance mode¶
This document will guide you through the installation process for a single-instance distributed architecture, recommended for testing and evaluation purposes, or also for small-medium sized environments.
Many of the commands described below need to be executed with root user privileges.
These are the two main components in this type of distributed architecture:
- The indexer runs the Splunk engine. It reads forwarded data, parses, indexes and stores it as events that contain alert data generated by Wazuh manager sent by the Forwarder instance.
- The forwarder runs on the Wazuh manager and Wazuh API instance, it reads local data and sends it to the indexer.
This documentation will install Splunk using the single-instance deployment schema. If you want a more advanced installation, check out the multi-instance deployment schema.
Install Splunk Indexer¶
This component works receiving the data flow streamed by a forwarder and stores it in a Splunk index.
Download Splunk v8.0.0 package from its official website.
Splunk is not open source software and it requires a registered user and license in order to work. You can also use a free trial license.
Install the Splunk v8.0.0 package:
- For RPM based distributions:
# yum install splunk-enterprise-package.rpm
- For Debian/Ubuntu distributions:
# dpkg --install splunk-enterprise-package.deb
# curl -so /opt/splunk/etc/system/local/indexes.conf https://raw.githubusercontent.com/wazuh/wazuh/v3.10.2/extensions/splunk/peer-indexes.conf
# curl -so /opt/splunk/etc/system/local/inputs.conf https://raw.githubusercontent.com/wazuh/wazuh/v3.10.2/extensions/splunk/peer-inputs.conf
Ensure Splunk v8.0.0 is installed in
/opt/splunkand start the service:
Optional. If you additionally want the Splunk service to start at boot time, please execute the following command:
# /opt/splunk/bin/splunk enable boot-start
Now that you’ve finished installing Splunk on a single-instance mode, you can proceed with the next step and install the Wazuh app for Splunk.