This document will guide you through the installation process for a single-instance distributed architecture, recommended for testing and evaluation purposes, or also for small-medium sized environments.
Many of the commands described below need to be executed with root user privileges.
These are the two main components in this type of distributed architecture:
The indexer runs the Splunk engine. It receives the data sent by the forwarder instance, then parses, indexes and stores it as events containing the alert data generated by the Wazuh manager.
The forwarder runs on the Wazuh manager and Wazuh API instance; it reads local data and sends it to the indexer.
This documentation will install Splunk using the single-instance deployment schema. If you want a more advanced installation, check out the multi-instance deployment schema.
This component receives the data flow streamed by a forwarder and stores it in a Splunk index.
Download Splunk v7.2.1 package from its official website.
Splunk is not open source software and it requires a registered user and license in order to work. You can also use a free trial license.
Install the Splunk v7.2.1 package:
For RPM based distributions:
# yum install splunk-enterprise-package.rpm
For Debian/Ubuntu distributions:
# dpkg --install splunk-enterprise-package.deb
Ensure Splunk v7.2.1 is installed in /opt/splunk and start the service:
# /opt/splunk/bin/splunk start
You will be prompted for a name and password for the administrator user.
After this step the Splunk Web service will be listening on port 8000. You can browse http://<your-instance-ip>:8000 in order to access the Web GUI.
Optional: if you also want the Splunk service to start at boot time, execute the following command:
# /opt/splunk/bin/splunk enable boot-start
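The whole procedure above, as an added example script that is not part of the Wazuh documentation: it picks yum or dpkg from the distribution ID, installs the package, confirms the binary landed in /opt/splunk, starts the service, enables boot-start and checks that Splunk Web is listening on port 8000. It assumes a Linux host, that the downloaded package path is passed as an argument, and that /etc/os-release carries an ID= field.

```shell
#!/bin/sh
# Added example (not part of the Wazuh documentation): automates the
# single-instance indexer procedure and verifies each step. Run as root.
# Assumption: the downloaded Splunk package path is given as an argument
# and the ID= field of /etc/os-release selects the package manager.
set -eu

SPLUNK_HOME=/opt/splunk   # install path named in the procedure
SPLUNK_WEB_PORT=8000      # Splunk Web port named in the procedure

# Map a distribution ID to the install command used in the procedure
# (yum for RPM based systems, dpkg for Debian/Ubuntu); fail otherwise.
pick_install_cmd() {
    case "$1" in
        rhel|centos|fedora|amzn) echo "yum install -y $2" ;;
        debian|ubuntu)           echo "dpkg --install $2" ;;
        *) echo "unsupported distribution: $1" >&2; return 1 ;;
    esac
}

# Extract the ID= value (quoted or not) from an os-release file.
os_release_id() {
    sed -n 's/^ID="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "${1:-/etc/os-release}"
}

# Build the Splunk Web URL for the given instance address.
web_url() {
    echo "http://$1:$SPLUNK_WEB_PORT"
}

# Install, confirm the binary is under SPLUNK_HOME, start the service
# (prompts for the admin user), enable boot-start and check port 8000.
install_splunk_single_instance() {
    $(pick_install_cmd "$(os_release_id)" "$1")
    [ -x "$SPLUNK_HOME/bin/splunk" ] ||
        { echo "splunk not found under $SPLUNK_HOME" >&2; return 1; }
    "$SPLUNK_HOME/bin/splunk" start
    "$SPLUNK_HOME/bin/splunk" enable boot-start
    ss -ltn | grep -qE "[.:]$SPLUNK_WEB_PORT[[:space:]]" ||
        { echo "Splunk Web is not listening on $SPLUNK_WEB_PORT" >&2; return 1; }
    # hostname -I (Linux) gives the primary address of this instance
    echo "Splunk Web is reachable at $(web_url "$(hostname -I | cut -d' ' -f1)")"
}

# Only act when invoked as: ./install-splunk.sh --install <package-file>
if [ "${1:-}" = "--install" ] && [ -n "${2:-}" ]; then
    install_splunk_single_instance "$2"
fi
```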
Now that you have finished installing Splunk in single-instance mode, you can proceed with the next step and install the Wazuh app for Splunk.