Installing Splunk standalone and agents on Ubuntu
This is my little guide to installing Splunk; maybe I will write more about apps, Splunk configuration and other topics if you want it)))
Before installing Splunk Enterprise, you need to download it; the easiest way is to do it "directly" on the server itself:
wget -O splunk-7.0.1-2b5b15c4ee89-linux-2.6-amd64.deb 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.0.1&product=splunk&filename=splunk-7.0.1-2b5b15c4ee89-linux-2.6-amd64.deb&wget=true'
Agents (the universal forwarder) are downloaded with the command:
wget -O splunkforwarder-7.0.1-2b5b15c4ee89-linux-2.6-amd64.deb 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.0.1&product=universalforwarder&filename=splunkforwarder-7.0.1-2b5b15c4ee89-linux-2.6-amd64.deb&wget=true'
After the download, start the installation:
dpkg -i splunk-7.0.1-2b5b15c4ee89-linux-2.6-amd64.deb
dpkg -i splunkforwarder-7.0.1-2b5b15c4ee89-linux-2.6-amd64.deb
Be sure to enable boot-start (the command is identical for the server and agents):
$SPLUNK_HOME/bin/splunk enable boot-start --answer-yes --no-prompt --accept-license
To name the server, Splunk uses the entry in /etc/hostname; if you need to use the FQDN instead, enter the following command (identical for the server and agents):
$SPLUNK_HOME/bin/splunk set servername $(hostname -f)
This command writes to the file $SPLUNK_HOME/etc/system/local/server.conf.
Agents need to know the server to send data to and the management (deployment) server from which apps are installed; set these with the following commands.
For forwarding, the default port is 9997:
$SPLUNK_HOME/bin/splunk add forward-server your_server:port
For management, the default port is 8089:
$SPLUNK_HOME/bin/splunk set deploy-poll your_server:port
Also on agents, if /etc/hostname holds a short host name, I recommend adding the following entry to the file $SPLUNK_HOME/etc/system/local/inputs.conf:
[default]
host = full_host_name
This is done so that in the future there is no confusion in the logs.
Now start Splunk (if you passed the keys when enabling boot-start, you can now run it without them):
$SPLUNK_HOME/bin/splunk start --answer-yes --no-prompt --accept-license
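The agent-side steps above, collected into one script as an added example that is not part of the original guide. It assumes the forwarder .deb is already installed under /opt/splunkforwarder (the package's default path, overridable via SPLUNK_HOME), that `hostname -f` returns the FQDN, and that the script runs as root; the target names in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original guide: configure a universal forwarder
# on Ubuntu with the steps described above, after `dpkg -i` of the forwarder .deb.
# Assumption: SPLUNK_HOME is /opt/splunkforwarder, the .deb's default install path.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"

# The inputs.conf stanza the guide recommends, so events carry the FQDN rather
# than the short name from /etc/hostname.
inputs_stanza() {
    printf '[default]\nhost = %s\n' "$1"
}

# Accept "host" or "host:port"; fill in the default port (9997 forwarding,
# 8089 deployment server) and reject an empty host or a bad port number.
with_default_port() {
    target=$1
    case "$target" in
        *:*) host=${target%:*}; port=${target##*:} ;;
        *)   host=$target;      port=$2 ;;
    esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ -n "$host" ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    printf '%s:%s\n' "$host" "$port"
}

# Run the guide's agent steps in order: boot-start, server name, forward target,
# deployment server, inputs.conf host override, then start.
configure_forwarder() {
    fwd=$(with_default_port "$1" 9997) || { echo "bad forward target: $1" >&2; return 1; }
    dep=$(with_default_port "$2" 8089) || { echo "bad deploy target: $2" >&2; return 1; }
    fqdn=$(hostname -f)
    inputs="$SPLUNK_HOME/etc/system/local/inputs.conf"
    "$SPLUNK_HOME/bin/splunk" enable boot-start --answer-yes --no-prompt --accept-license
    "$SPLUNK_HOME/bin/splunk" set servername "$fqdn"
    "$SPLUNK_HOME/bin/splunk" add forward-server "$fwd"
    "$SPLUNK_HOME/bin/splunk" set deploy-poll "$dep"
    mkdir -p "$(dirname "$inputs")"
    # Only add the stanza if no host override is already present in the file.
    grep -qs '^host *=' "$inputs" || inputs_stanza "$fqdn" >> "$inputs"
    "$SPLUNK_HOME/bin/splunk" start --answer-yes --no-prompt --accept-license
}

# Usage as root: sh setup-forwarder.sh indexer.example.com deploy.example.com:8089
if [ "$#" -eq 2 ]; then
    configure_forwarder "$1" "$2"
fi
```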
Splunk should be available on port 8000.
On first login you will be offered to change the admin password (by default: admin:changeme).
I recommend going immediately to Settings -> Server settings -> General Settings and answering Yes to the question "Enable SSL (HTTPS) in Splunk Web?".
Then in Settings -> Monitoring Console -> Settings -> General Setup, click Edit in the Actions column and select Edit Server Roles, where you tick (in addition to the default ones) Deployment Server and KV Store.
After this, you must restart the Splunk server.
Enjoy))))