This guide describes the installation process for a Splunk infrastructure comprised of a Splunk Enterprise instance as indexer and a Splunk Forwarder node, as well as the Wazuh app for Splunk.
The Wazuh app for Splunk requires the installation of a Wazuh manager and Wazuh API in order to work properly. Check out the installation guide before proceeding with Splunk.
These are the two main components in a common Splunk simple distributed architecture:
- Splunk Forwarder: This component runs on the Wazuh manager and Wazuh API instance, it reads local data and sends it to the Indexer. It will send alerts generated by Wazuh manager to a Splunk Indexer.
- Splunk Indexer: This component runs the Splunk engine. It reads forwarded data, parses, indexes and stores it as events that contain alert data generated by Wazuh manager sent by the Forwarder instance.
On Linux systems, the Splunk installation procedure requires a 64-bit version of the operating system.
Although Splunk can be installed on different OS, the Splunk app is only compatible with Linux systems.