In the first two parts of this series we discussed installing the SuSe Linux operating system. The first part took you through the first half of the installation, and the second finished the install. The result is a base installation of SuSe Linux. If you have a default build for SuSe that you prefer, by all means use it; just make sure to open the firewall ports needed for Splunk and for administering the system (22 and 443 to start, with more to be added as we go into parts 4 and 5 of this series). With that said, let's set up a basic Splunk instance on the server.
Now that the Linux operating system is installed, it is time to install the latest version of Splunk. Since we have chosen SuSe for our operating system, we are going to use the Splunk RPM distribution from the site. Splunk can be obtained for free by signing up at www.splunk.com. Using a non-licensed version of Splunk will limit some of the key features: most importantly, authentication will not work, and the amount of data that can be fed into Splunk will also be limited. For the purpose of this post we are going to assume that you have a license for Splunk. Some of the configuration that follows is specific to a licensed copy of Splunk. If you are just using a free copy, ignore the aspects of the configuration that do not apply to you.
One of the nice things about Splunk is their support for wget. Once you click to download, they provide the wget command and URL for you to copy and paste. Here is a screenshot of me performing the wget from my test server:

Once the package is downloaded, move it to the /opt directory of your new Splunk server. Start the installation by running:
rpm -i <splunk-package-name.rpm>

At this point Splunk suggests exporting Splunk's path in your profile. Personally, I do it immediately. There are too many times when configuring and debugging that you will start, stop, or restart Splunk during the deployment and use. If you aren't familiar with doing this, here it is:
vi ~/.bash_profile
Then insert the following entries:
export SPLUNK_HOME=/opt/splunk
export PATH=$SPLUNK_HOME/bin:$PATH
After placing these entries in, save .bash_profile and then run the following command so that your shell picks up the new profile:
. ~/.bash_profile
You can test the profile changes by then running the command:
splunk status
The results should be:
splunkd is not running.
splunkweb is not running.
Again, we are assuming that you are using a licensed version of Splunk. With that said, the next step is to place the license file into your Splunk instance. You should have received your Splunk license via email. I typically sftp the license to the Splunk server and then move it once I am on the server. To move the license where it needs to go, use the following commands:
cd /home/<username>
where the username is the account that you used to sftp the file to the server.
mv splunk.license /opt/splunk/etc/splunk.license
Now that we have a license file in place, we want to make sure that Splunk is set up for an SSL login connection. We are going to copy a config file over and then edit it to meet our needs. Use the following commands and examples to accomplish an SSL deployment of Splunk:
cd /opt/splunk/etc/system
cp default/web.conf local/web.conf
chown splunk:splunk local/web.conf
chmod +w local/web.conf
vi local/web.conf
Now that we are editing the web.conf file, we are going to make two changes:
1. Change the default port that the server is listening on
2. Enable SSL
The settings that we will change are:
httpport = 8000
to
httpport = 443
and
enableSplunkWebSSL = false
to
enableSplunkWebSSL = true
Below you can see what this looks like.

At this point we are going to start Splunk and log in with the default account so that we can test our server. The first step is to start the Splunk processes, which include:
1. splunkd
2. splunkweb
3. splunkhelpers
Run the command:
splunk start
When Splunk starts for the first time you are presented with the license agreement, which must be accepted in order to continue using the solution. Once it is complete you can run the command "splunk status" to see the three processes running, each with its own PID.
When you browse to the server, the first thing that will happen is that you will get a certificate error from the browser. This is caused by Splunk using its own self-signed certificate. This can be changed, but it is a more advanced topic that is outside the scope of a simple installation. Finally you will be presented with the Splunk login page. The default account information is:
User: admin
Password: changeme
The very first thing to do should be to change the password to one that meets the requirements of your organization. To do this, in the top right-hand corner of the page select Admin -> Users. The only user present is admin. On the right side next to admin select edit.

Just change the password and select save afterwards. Then log out and log back in with the new password. Finally, go back to the command line and enter:
splunk stop
splunk enable boot-start
splunk start
Running these commands will set Splunk up to always start when the server is rebooted and will ensure that you maintain maximum uptime.
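As an added example that is not part of the original post, this shell script audits a finished install against the steps above (license file in place, Splunk Web on 443 with SSL, boot-start script present), which is handy after a reboot or when handing the server to someone else. The license and web.conf paths are the post's own, relative to SPLUNK_HOME; the location of the boot-start script is an assumption (an init script such as /etc/init.d/splunk on a SysV system) and is passed in as a parameter. The demo runs against a constructed SPLUNK_HOME tree in a temp directory rather than a live server.

```shell
#!/bin/sh
# Added example, not from the original post: audit an installed server against
# the post's end state. $1 is SPLUNK_HOME (/opt/splunk in the post); $2 is the
# boot-start script path, which is an assumption here (e.g. /etc/init.d/splunk).

# Print the value of key $2 in .conf file $1 (empty if file or key is absent).
conf_value() {
    [ -r "$1" ] || return 1
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Run every check, print one line per check, and return the number of failed
# checks (0 means the server matches the post's configuration).
audit_splunk_install() {
    home=$1 init=$2 failed=0
    web="$home/etc/system/local/web.conf"

    if [ -s "$home/etc/splunk.license" ]; then echo "ok   license file present"
    else echo "FAIL license file missing: $home/etc/splunk.license"; failed=$((failed+1)); fi

    if [ "$(conf_value "$web" httpport)" = "443" ]; then echo "ok   Splunk Web listens on 443"
    else echo "FAIL httpport is not 443 in $web"; failed=$((failed+1)); fi

    if [ "$(conf_value "$web" enableSplunkWebSSL)" = "true" ]; then echo "ok   Splunk Web SSL enabled"
    else echo "FAIL enableSplunkWebSSL is not true in $web"; failed=$((failed+1)); fi

    if [ -f "$init" ]; then echo "ok   boot-start script present"
    else echo "FAIL boot-start script missing: $init"; failed=$((failed+1)); fi

    return $failed
}

# Build a constructed SPLUNK_HOME tree under directory $1 (sample data, not a
# real install) that mirrors the end state of the post, with a stand-in
# boot-start script at $1/init.d/splunk.
make_sample_home() {
    mkdir -p "$1/etc/system/local" "$1/init.d"
    echo "CONSTRUCTED-LICENSE-PLACEHOLDER" > "$1/etc/splunk.license"
    printf '[settings]\nhttpport = 443\nenableSplunkWebSSL = true\n' \
        > "$1/etc/system/local/web.conf"
    printf '#!/bin/sh\n# constructed stand-in for the boot-start script\n' \
        > "$1/init.d/splunk"
}

# Demo against the constructed tree; on a real server call
# audit_splunk_install "$SPLUNK_HOME" /etc/init.d/splunk instead.
demo_home=$(mktemp -d)
make_sample_home "$demo_home"
audit_splunk_install "$demo_home" "$demo_home/init.d/splunk" && echo "audit passed"
rm -rf "$demo_home"
```

The return value is the count of failed checks, so the function drops straight into a cron job or a configuration-management handler that only needs a zero/non-zero answer.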
With that said, you have a Splunk server installed. It is still not ready for any data, as we will need to perform more configuration before it is ready to consume data. In the next part of this blog I will discuss some of the considerations that must go into the deployment strategy and how to accomplish things like distributed search amongst multiple Splunk servers and how to deal with remote offices and time zones.