This document will guide you through the installation process for a single-instance distributed architecture, recommended for testing and evaluation purposes, or also for small-medium sized environments.
Many of the commands described below need to be executed with root user privileges.
These are the two main components in this type of distributed architecture:
The indexer runs the Splunk engine. It reads forwarded data, parses, indexes and stores it as events that contain alert data generated by Wazuh manager sent by the Forwarder instance.
The forwarder runs on the Wazuh manager and Wazuh API instance, it reads local data and sends it to the indexer.
This documentation will install Splunk using the single-instance deployment schema. If you want a more advanced installation, check out the multi-instance deployment schema.
This component works receiving the data flow streamed by a forwarder and stores it in a Splunk index.
Download Splunk v8.0.4 package from its official website.
Splunk is not open source software and it requires a registered user and license in order to work. You can also use a free trial license.
Install the Splunk v8.0.4 package:
For RPM based distributions:
# yum install splunk-enterprise-package.rpm
For Debian/Ubuntu distributions:
# dpkg --install splunk-enterprise-package.deb
# curl -so /opt/splunk/etc/system/local/indexes.conf https://raw.githubusercontent.com/wazuh/wazuh/v3.13.6/extensions/splunk/peer-indexes.conf
# curl -so /opt/splunk/etc/system/local/inputs.conf https://raw.githubusercontent.com/wazuh/wazuh/v3.13.6/extensions/splunk/peer-inputs.conf
Ensure Splunk v8.0.4 is installed in
/opt/splunkand start the service:
# /opt/splunk/bin/splunk start
Optional. If you additionally want the Splunk service to start at boot time, please execute the following command:
# /opt/splunk/bin/splunk enable boot-start
Now that you've finished installing Splunk on a single-instance mode, you can proceed with the next step and install the Wazuh app for Splunk.