This guide describes how to install Splunk Enterprise as an all-in-one installation with the Splunk forwarder and the Wazuh app for Splunk on one server, or as a distributed installation where the Wazuh manager and Splunk components are installed on different servers.
All-in-one installation: This will install the Splunk indexer, the Splunk forwarder, the Wazuh app for Splunk, and the Wazuh manager on one server. This is suitable for test environments.
Distributed installation: This will install the Splunk forwarder and the Wazuh manager on one server while the rest of the Splunk components are installed on different servers. There are two options for using the distributed architecture:
Minimal Splunk distributed installation: This will install the Splunk indexer and the Wazuh app for Splunk on one server, while the Splunk forwarder and the Wazuh manager are installed on another server.
Multi-instance cluster installation: This will install a Wazuh manager cluster to be used with a Splunk cluster. It is recommended when you need to replicate data across different indexes and run distributed searches.
To learn more about how Splunk works, see the Splunk documentation. Additionally, you can check the Splunk Distributed Deployment Manual to learn how to scale your environments using Splunk Enterprise.
On Linux systems, the Splunk software requires a 64-bit version of the operating system. Although Splunk can be installed on other operating systems, the Wazuh app for Splunk is only compatible with Linux systems.
- Wazuh manager installation
- Install and configure Splunk
- Install the Wazuh app for Splunk
- Set up reverse proxy configuration for Splunk
- Customize agents status indexation
- Create and map internal users (RBAC)