Installing Splunk Standalone and Agents on Ubuntu

December 26, 2017 | Views: 3376

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

Installing Splunk standalone and agents on Ubuntu

It’s my little guide to how to use Splunk, maybe I write more about Apps, configuration Splunk and another theme if you want it)))

Before installing Splunk Enterprise, you need to download it, the easiest way is to do it “directly” on the server itself:

wget -O splunk-7.0.1-2b5b15c4ee89-linux-2.6-amd64.deb ''

Agents are downloaded by the command:

wget -O splunkforwarder-7.0.1-2b5b15c4ee89-linux-2.6-amd64.deb ''

After you download, start the installation:

dpkg -i splunk-7.0.1-2b5b15c4ee89-linux-2.6-amd64.deb

For agents:

dpkg -i splunkforwarder-7.0.1-2b5b15c4ee89-linux-2.6-amd64.deb

Be sure to enable boot-start (for the server and agents the command is identical)

$SPLUNK_HOME/bin/splunk enable boot-start --answer-yes --no-prompt --accept-license

To name the server, Splunk uses the entry in / etc / hostname, if you need to use FQDN, then enter the command (for the server and agents the command is identical):

$SPLUNK_HOME/bin/splunk set servername $(hostname -f)

This command writes to the file $ SPLUNK_HOME / etc / system / local / server.confAgents need to specify the server to send and the management server to install, do this with commands:

For forwarding, the default port is 9997
$SPLUNK_HOME/bin/splunk add forward-server your_server:port

For management, the default port is 8089

$SPLUNK_HOME/bin/splunk set deploy-poll your_server:port

Also on agents, I recommend changing the entry in the file $ SPLUNK_HOME / etc / system / local / inputs.conf, if you have a shortened host record in the / etc / hostname file

host = full_host_name
This is done so that in the future there is no confusion in the logs.

Now we run the Splunk command (if you wrote keys when you turned on boot-start, now you can do it without them):

$SPLUNK_HOME/bin/splunk start --answer-yes --no-prompt --accept-license

Splunk should be available on port 8000

At the entrance you will be offered to change the admin’s password (by default: admin: changeme)

I recommend to go immediately in Settings -> Server settings -> General Settings and set yes to the question Enable SSL (HTTPS) in Splunk Web?

And in Settings -> Monitoring Console -> Settings -> General Setup, click Edit in actions and select Edit Server Roles, where you set the markers (in addition to the default ones) of Deployment Server and KV Store

After this, you must restart the Splunk server.



Share with Friends
Use Cybytes and
Tip the Author!
Share with Friends
Ready to share your knowledge and expertise?
1 Comment
  1. Thank you for sharing. Easy to understand.

Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge



We recommend always using caution when following any link

Are you sure you want to continue?