Installing Wazuh with Splunk
This guide describes how to install Splunk Enterprise as an all-in-one installation with the Splunk forwarder and the Wazuh app for Splunk on one server, or as a distributed installation where the Wazuh manager and Splunk components are installed on different servers.
All-in-one installation: This will install the Splunk indexer, the Splunk forwarder, the Wazuh app for Splunk, and the Wazuh manager on one server. This is suitable for test environments.
Distributed installation: This will install the Splunk forwarder and the Wazuh manager on one server while the rest of the Splunk components are installed on different servers. There are two options for using the distributed architecture:
Minimal Splunk distributed installation: This guide will install the Splunk indexer and the Wazuh app for Splunk on one server, while the Splunk forwarder, and the Wazuh manager are installed on another server.
Multi-instance cluster installation: This will install a Wazuh manager cluster to be used with a Splunk cluster. It is recommended to replicate data along different indexes and make distributed searches.
To learn more about how Splunk works, see the Splunk documentation. Additionally, you can check the Splunk Distributed Deployment Manual to learn how to scale your environments using Splunk Enterprise.
Note
On Linux systems, the Splunk software requires a 64-bit version of the operating system. Although Splunk can be installed on different OS, the Splunk app is only compatible with Linux systems.
Compatibility matrix
The following table shows the Splunk versions compatible with the Wazuh manager 4.4.5 using the Wazuh Splunk app 4.4.5:
Splunk |
|---|
8.1.1 – 8.1.10 |
8.2.0 – 8.2.8 |
Packages list
The following table contains the Wazuh Splunk app files for each Splunk minor compatible with Wazuh 4.4.5:
Splunk version |
Package |
|---|---|
8.1* |
|
8.2 |
* The Wazuh Splunk app is not compatible with Splunk 8.1.0.