Install and configure Splunk

The Splunk components must be installed and configured to use the Wazuh Splunk app. The Splunk installation architecture is dependent on the architecture of the Wazuh manager.

• Install Splunk in an all-in-one architecture: In an all-in-one architecture, the forwarder, Splunk enterprise instance, the Wazuh app for Splunk, and the Wazuh manager are installed on one server.

• Install Splunk in a distributed architecture: In a distributed architecture, the Wazuh manager and Splunk enterprise are installed on different servers. There are two options for using the distributed architecture:

  • Install a minimal Splunk distributed architecture: In a minimal distributed architecture, the forwarder is installed on the same server as the Wazuh manager. The forwarder must point to the Splunk Enterprise instance where the Wazuh app was installed.

    Note

    This installation architecture is used when you have a single Wazuh manager node.

  • Install Splunk in a multi-instance cluster: In a multi-instance cluster, the forwarder is installed on the same server as the Wazuh manager and must point to the search peers (or indexers).

    Note

    This installation architecture is used when the Wazuh manager is installed as a cluster.