Install Splunk in single-instance mode

This document guides you through installing Splunk in a single-instance architecture, which is recommended for testing and evaluation and is also suitable for small to medium-sized environments.

Note

Many of the commands described below need to be executed with root user privileges.

These are the two main components in this type of distributed architecture:

  • The indexer runs the Splunk engine. It receives the data sent by the forwarder, parses and indexes it, and stores it as events containing the alert data generated by the Wazuh manager.

  • The forwarder runs on the Wazuh manager and Wazuh API instance. It reads local data and sends it to the indexer.

Warning

This documentation will install Splunk using the single-instance deployment schema. If you want a more advanced installation, check out the multi-instance deployment schema.

Install Splunk Indexer

This component receives the data stream sent by a forwarder and stores it in a Splunk index.

  1. Download Splunk v8.0.4 package from its official website.

    Note

    Splunk is not open-source software; it requires a registered user and a license to work. You can also use a free trial license.

  2. Install the Splunk v8.0.4 package:

    1. For RPM based distributions:

    # yum install splunk-enterprise-package.rpm
    
    2. For Debian/Ubuntu distributions:

    # dpkg --install splunk-enterprise-package.deb
    
  3. Configure inputs.conf and indexes.conf:

    1. Create indexes.conf:

    # curl -so /opt/splunk/etc/system/local/indexes.conf https://raw.githubusercontent.com/wazuh/wazuh/v3.13.6/extensions/splunk/peer-indexes.conf
    
    2. Create inputs.conf:

    # curl -so /opt/splunk/etc/system/local/inputs.conf https://raw.githubusercontent.com/wazuh/wazuh/v3.13.6/extensions/splunk/peer-inputs.conf
    
  4. Ensure Splunk v8.0.4 is installed in /opt/splunk and start the service:

    # /opt/splunk/bin/splunk start
    
  5. Optional. If you also want the Splunk service to start at boot time, run the following command:

    # /opt/splunk/bin/splunk enable boot-start
    

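The following script is an added example and is not part of the Wazuh documentation or the Wazuh project's own tooling. It automates steps 3 and 4 above, but unlike a plain `curl -so` it refuses to write a download into /opt/splunk/etc/system/local unless the file actually looks like a Splunk .conf (an HTTP error page or truncated download fails the check). It assumes curl is installed, Splunk lives in /opt/splunk (the page's default), the script is run as root, and the script file name install-wazuh-splunk-conf.sh, which is a hypothetical name.

```shell
#!/bin/sh
# Added example, not part of the Wazuh documentation: fetch the two Wazuh
# peer configuration files for Splunk (steps 3 and 4 above), check that
# what was downloaded actually looks like a Splunk .conf file, and only
# then place it under $SPLUNK_HOME/etc/system/local before starting Splunk.
# Assumptions: curl is installed, Splunk lives in /opt/splunk (the page's
# default) and the script is run as root.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
WAZUH_RAW="https://raw.githubusercontent.com/wazuh/wazuh/v3.13.6/extensions/splunk"

# Return 0 when $1 is non-empty, has at least one [stanza] header and every
# other non-blank line is either a comment or a "key = value" line.
# A saved HTML error page or an empty download fails this check.
validate_splunk_conf() {
    f="$1"
    [ -s "$f" ] || return 1
    grep -qE '^\[[^]]+\]$' "$f" || return 1
    # grep -v lists offending lines; success means at least one was found,
    # so invert the status to get "0 = clean".
    ! grep -vE '^[[:space:]]*$|^[[:space:]]*#|^\[[^]]+\]$|^[A-Za-z0-9_.:-]+[[:space:]]*=' "$f" >/dev/null
}

# Download $1 from the Wazuh repository, validate it, then install it as
# $SPLUNK_HOME/etc/system/local/$2.
install_conf() {
    src="$1"
    dst="$SPLUNK_HOME/etc/system/local/$2"
    tmp=$(mktemp) || return 1
    # -f makes curl exit non-zero on HTTP errors instead of saving the
    # error body, which a plain "curl -so" would silently write to disk.
    if ! curl -fsS -o "$tmp" "$WAZUH_RAW/$src"; then
        echo "download of $src failed" >&2
        rm -f "$tmp"
        return 1
    fi
    if ! validate_splunk_conf "$tmp"; then
        echo "$src does not look like a Splunk .conf file, not installing" >&2
        rm -f "$tmp"
        return 1
    fi
    install -m 0644 "$tmp" "$dst" && rm -f "$tmp"
}

main() {
    install_conf peer-indexes.conf indexes.conf || exit 1
    install_conf peer-inputs.conf inputs.conf || exit 1
    # Same as step 4, accepting the license non-interactively.
    "$SPLUNK_HOME/bin/splunk" start --accept-license --answer-yes --no-prompt
    "$SPLUNK_HOME/bin/splunk" status
}

# Only run the procedure when invoked as "sh install-wazuh-splunk-conf.sh run"
# (hypothetical file name), so the functions can also be sourced and tested
# on their own.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as `sh install-wazuh-splunk-conf.sh run` as root after step 2. The validation is deliberately loose (it only checks the file's shape, not its contents), so it catches the common failure of saving an error page as a config file rather than replacing a review of what the stanzas actually configure.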
Now that you have finished installing Splunk in single-instance mode, you can proceed with the next step and install the Wazuh app for Splunk.