February 10, 2015

Splunk Setup Guide from Tevora

Splunk is a powerful tool for collecting and processing log files from a variety of systems and devices.  The true power of Splunk comes from the search and reporting capabilities available.  This guide is centered around providing a simple Splunk server that can receive logs from a Windows system.  This instance can be used to become familiar with the interface and capabilities of Splunk, prior to a full-sized implementation.

This guide is written for Splunk version 6.0.2.  It will connect a single Windows instance to a single Splunk server.  For my purposes I used Debian 7.4.0 netinst (“small installation image”) with all install features disabled, but any distribution should work (adjustments to commands provided may be required).

1. Deploy a Linux server.  We will be using the CLI only, so no graphical interface is required.

Note: Windows servers can also be used, but the exact steps for that process are not addressed within this guide.

2. Log in as root.  We will use root for all operations on this system.

Note: It’s common for Splunk to be run by root.  If you’d like to run as a different user, the following document can help: http://docs.splunk.com/Documentation/Splunk/6.0.2/installation/RunSplunkasadifferentornon-rootuser

3. Assign a static IP address to our Splunk server:

ifconfig eth0 <ip> netmask <netmask>
ip route add default via <gateway>

4. Download Splunk.  Splunk downloads can be found here: http://www.splunk.com/download.

If you are using a CLI-only Linux server, the Splunk download page offers a ready-made wget command.  Since I’m using Debian and I’m using Splunk 6.0.2, I used the following command:

wget -O splunk-6.0.2-196940-linux-2.6-amd64.deb 'http://www.splunk.com/page/download_track?file=6.0.2/splunk/linux/splunk-6.0.2-196940-linux-2.6-amd64.deb&ac=&wget=true&name=wget&platform=Linux&architecture=x86_64&version=6.0.2&product=splunkd&typed=release'

5. Install Splunk.  For Debian, I execute:

dpkg -i splunk-6.0.2-196940-linux-2.6-amd64.deb

After the install process, you can confirm proper installation has completed by running:

dpkg --status splunk

6. Start Splunk.  By default, Splunk will install to /opt/splunk.  Run the following command:

/opt/splunk/bin/splunk start --accept-license

7. Access the web interface of Splunk.  The web interface will be accessible via: http://<ip>:8000.  The initial credentials are username admin and password changeme, but you will be prompted to select a new password after logging in for the first time.

8. Configure Splunk to receive data.  Within the web interface, select Settings (from the top right corner), followed by Forwarding and receiving.

Within the “Receive data” section, click “Add new”.  The only option on the “Configure receiving” screen is a port number; we will enter 9997 and click “Save.”

9. Install Apps.  In this case, we’re only going to install one app: Splunk Add-on for Microsoft Windows.  Within the Splunk web interface, select Apps from the top left corner and click Find More Apps.

Search for “Windows add-on” and select “Install”.

Following this process, you’ll be prompted to restart Splunk, and now is the best time to do so.

10. Install the Splunk Universal Forwarder.  The universal forwarder is the Splunk component that collects data on systems that are not dedicated Splunk servers and sends it to the indexer.  This is the simplest method of feeding data into Splunk.  The universal forwarder can be downloaded here: http://www.splunk.com/download/universalforwarder.  The installation process follows a standard Windows installation.

– For Deployment Server, leave all fields blank and select “Next”.

– For the Receiving indexer, enter the IP of our Splunk server and 9997 as the port number.

– On the Certificate Information screen, leave all fields blank and select “Next”.

– The next screen is to configure the source of log data to forward.  Select “Local Data Only” and click “Next”.

– Next, we select the logs we will forward.  Application, Security, and System are the standard logs to forward.

– After selecting the log sources, we will be prompted to download the appropriate technology add-ons.  The automatic settings allow the install to complete without additional interaction.
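For reference, the following .conf fragments are the file-based equivalent of the GUI steps above (receiving on 9997 in step 8, and the forwarder settings in step 10).  This is an added example, not configuration from the original guide; the forwarder path assumes the default Windows install location, and the server IP is a placeholder.  Note that with the Certificate Information screen left blank, this forwarder-to-indexer connection carries event data in cleartext.

```ini
# --- On the Splunk server (indexer): /opt/splunk/etc/system/local/inputs.conf
# Equivalent of "Receive data" -> "Add new" -> port 9997 in the web interface
# (or on the CLI: /opt/splunk/bin/splunk enable listen 9997).
[splunktcp://9997]
disabled = 0

# --- On the Windows host: outputs.conf
# Default path (assumed): C:\Program Files\SplunkUniversalForwarder\etc\system\local\outputs.conf
# Equivalent of the "Receiving indexer" installer screen (IP of our Splunk server, port 9997).
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = <splunk-server-ip>:9997
# No SSL settings here, matching the blank Certificate Information screen:
# traffic to the indexer is unencrypted. Add sslCertPath/sslRootCAPath in this
# stanza (and SSL settings on the splunktcp input) to change that.

# --- On the Windows host: inputs.conf (same directory as outputs.conf)
# Equivalent of choosing Application, Security and System under "Local Data Only".
# Events land in the default index ("main"), so the "index=*" search in step 11 finds them.
[WinEventLog://Application]
disabled = 0

[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0
```

After editing .conf files by hand, restart the relevant Splunk instance; on the forwarder, `splunk list forward-server` shows whether the indexer connection is active.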

11. Search the data.  Once the install is complete, data should be arriving at our Splunk server.  Within the search interface, a search for “index=*” will show all data currently received.