Install Splunk in single-instance mode
This document guides you through installing Splunk in a single-instance distributed architecture, which is recommended for testing and evaluation, and is also adequate for small to medium-sized environments.
Most of the commands below must be executed with root privileges (they install packages and write under /opt).
These are the two main components in this type of distributed architecture:
- The indexer runs the Splunk engine. It receives the data sent by the forwarder, parses and indexes it, and stores it as events; in this setup those events are the alerts generated by the Wazuh manager.
- The forwarder runs on the instance that hosts the Wazuh manager and the Wazuh API. It reads the local alert data and sends it to the indexer.
This documentation will install Splunk using the single-instance deployment schema. If you want a more advanced installation, check out the multi-instance deployment schema.
Install Splunk Indexer
This component receives the data stream sent by a forwarder and stores it in a Splunk index.
- Download the Splunk v7.3.0 package from its official website.
Splunk is not open source software: downloading it requires a registered Splunk account, and running it requires a license. A free trial license is available.
- Install the Splunk v7.3.0 package:
- For RPM based distributions:
# yum install splunk-enterprise-package.rpm
- For Debian/Ubuntu distributions:
# dpkg --install splunk-enterprise-package.deb
- Ensure Splunk v7.3.0 is installed in /opt/splunk and start the service:
# /opt/splunk/bin/splunk start
On first start you will be asked to accept the license and to choose a name and password for the administrator user.
After this step Splunk Web listens on port 8000. You can browse
http://<your-instance-ip>:8000 to access the Web GUI.
Splunk Web serves plain HTTP on this port by default. Restrict access to it with your firewall, and consider switching it to HTTPS with /opt/splunk/bin/splunk enable web-ssl before exposing it beyond a test host.
- Optional. If you additionally want the Splunk service to start at boot time, execute the following command:
# /opt/splunk/bin/splunk enable boot-start
Adding -user <username> to that command makes the boot-time service run as a dedicated unprivileged account instead of root, which is preferable for anything beyond a throwaway test box.
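The steps above, collected into a small POSIX shell script with a dry-run mode and a post-install check. This is an added example and is not part of the Wazuh or Splunk documentation. It assumes the package path is passed as the first argument, that Splunk lands in /opt/splunk (overridable via SPLUNK_HOME), and that DRY_RUN=1 should print the privileged commands instead of running them; the --accept-license and --answer-yes flags to splunk start only skip the license prompts, the admin name and password are still requested interactively as on the page.

```shell
#!/bin/sh
# Added example (not from the Wazuh/Splunk docs): install Splunk from a local
# .rpm/.deb, start it, enable boot-start, then verify the result.
# Assumptions: $1 is the package path; SPLUNK_HOME defaults to /opt/splunk;
# DRY_RUN=1 prints privileged commands rather than executing them.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
DRY_RUN="${DRY_RUN:-0}"
WEB_PORT=8000

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '[dry-run] %s\n' "$*"
    else
        "$@"
    fi
}

# Choose the package manager from the file extension, as the page does.
# Prints the install command; returns 1 for anything that is not .rpm/.deb.
pkg_install_cmd() {
    case "$1" in
        *.rpm) printf 'yum install -y %s\n' "$1" ;;
        *.deb) printf 'dpkg --install %s\n' "$1" ;;
        *)     return 1 ;;
    esac
}

# True when the splunk binary exists under SPLUNK_HOME.
splunk_installed() {
    [ -x "$SPLUNK_HOME/bin/splunk" ]
}

# Install the package, start Splunk (admin credentials are still prompted for)
# and register the boot-time service for a dedicated unprivileged user.
install_splunk() {
    pkg="$1"
    cmd=$(pkg_install_cmd "$pkg") || { echo "unsupported package: $pkg" >&2; return 1; }
    # shellcheck disable=SC2086  # intentional word splitting of the command
    run $cmd || return 1
    run "$SPLUNK_HOME/bin/splunk" start --accept-license --answer-yes || return 1
    run "$SPLUNK_HOME/bin/splunk" enable boot-start -user splunk || return 1
}

# Post-install check: binary present, splunkd reports running, and Splunk Web
# is bound on WEB_PORT. Live checks are skipped in dry-run mode.
verify_splunk() {
    splunk_installed || { echo "no splunk binary under $SPLUNK_HOME" >&2; return 1; }
    if [ "$DRY_RUN" = "1" ]; then
        return 0
    fi
    "$SPLUNK_HOME/bin/splunk" status >/dev/null || return 1
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | grep -Eq ":$WEB_PORT[[:space:]]" || return 1
    fi
    return 0
}

main() {
    if [ "$DRY_RUN" != "1" ] && [ "$(id -u)" -ne 0 ]; then
        echo "run as root (or set DRY_RUN=1)" >&2
        return 1
    fi
    install_splunk "$1" && verify_splunk
}

# Only act when a package path is given, e.g.:
#   DRY_RUN=1 sh install-splunk.sh splunk-7.3.0-linux-2.6-x86_64.rpm
if [ "$#" -ge 1 ]; then
    main "$@"
fi
```

Run it first with DRY_RUN=1 to see exactly which commands will be executed as root; the verify step then only confirms the binary location, since nothing was installed. The -user splunk account must exist before enable boot-start is run for real.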
Now that you have finished installing Splunk in single-instance mode, you can proceed with the next step and install the Wazuh app for Splunk.