Install Splunk in single-instance mode

This document guides you through installing a single-instance multitier server, which is recommended for testing and evaluation purposes and also suits small to medium-sized environments.

Note

Many of the commands described below need to be executed with root user privileges.

These are the two main components in this type of multitier server:

  • The indexer runs the Splunk engine. It receives the data forwarded by the forwarder instance, then parses, indexes and stores it as events containing the alert data generated by the Wazuh manager.

  • The forwarder runs on the Wazuh manager and Wazuh API instance; it reads local data and sends it to the indexer.

Warning

This documentation will install Splunk using the single-instance deployment schema. If you want a more advanced installation, check out the multi-instance deployment schema.

Install Splunk Indexer

This component receives the data stream sent by a forwarder and stores it in a Splunk index.

  1. Download Splunk v8.1.3 package from its official website.

    Note

    Splunk is not open source software and it requires a registered user and license in order to work. You can also use a free trial license.

  2. Install the Splunk v8.1.3 package:

    1. For RPM based distributions:

    # yum install splunk-enterprise-package.rpm
    
    2. For Debian/Ubuntu distributions:

    # dpkg --install splunk-enterprise-package.deb
    
  3. Configure inputs.conf and indexes.conf:

    1. Create indexes.conf:

    # curl -so /opt/splunk/etc/system/local/indexes.conf https://raw.githubusercontent.com/wazuh/wazuh-splunk/v4.2.1-8.1.3/setup/indexer/indexes.conf
    
    2. Create inputs.conf:

    # curl -so /opt/splunk/etc/system/local/inputs.conf https://raw.githubusercontent.com/wazuh/wazuh-splunk/v4.2.1-8.1.3/setup/indexer/inputs.conf
    
  4. Ensure Splunk v8.1.3 is installed in /opt/splunk and start the service:

    # /opt/splunk/bin/splunk start
    
  5. Optional. If you also want the Splunk service to start at boot time, run the following command:

    # /opt/splunk/bin/splunk enable boot-start
    

Now that you have finished installing Splunk in single-instance mode, you can proceed with the next step and install the Wazuh app for Splunk.