Splunk installation

This document will guide you through the simple distributed architecture installation process according to the previous page schema.

Note

Many of the commands described below need to be executed with root user privileges.

Splunk Indexer installation

This component works receiving the data flow streamed by a Forwarder and stores it in a Splunk index.

  1. Download Splunk v7.2.1 package from its official website.

Note

Splunk is not open source software and it requires a registered user and license to work. You can also use a free trial license.

  1. Install the Splunk v7.2.1 package:
  1. For RPM based distributions:
# yum install splunk-enterprise-package.rpm
  1. For Debian/Ubuntu distributions:
# dpkg --install splunk-enterprise-package.deb
  1. Ensure Splunk v7.2.1 is installed in /opt/splunk and start the service:
# /opt/splunk/bin/splunk start

Note

You will be prompted for a password for the ‘admin’ user.

After this step the Splunk Web service will be listening to port 8000. You can browse http://<your-instance-ip>:8000 in order to access the Web GUI.

  1. Optional. If you additionally want the Splunk service to start at boot time, please execute the following command:
# /opt/splunk/bin/splunk enable boot-start

Splunk Forwarder installation

A Forwarder is required in order to send alerts to the Indexer. This component will be installed in the manager instance.

  1. Download Splunk Forwarder v7.2.1 package from the official website.
  2. Install it with the following command depending on your operating system:
  1. For RPM based distributions:
# yum install splunkforwarder-package.rpm
  1. For Debian/Ubuntu distributions:
# dpkg --install splunkforwarder-package.deb
  1. Ensure Splunk Forwarder v7.2.1 is installed in /opt/splunkforwarder.

Useful Splunk CLI commands can be found in the Splunk official documentation .

Now that you’ve finished installing Splunk, you can proceed with the Splunk app for Wazuh installation.