Go to the Splunk downloads page. Since I'm doing this on Debian, I'll get the .deb file.
wget the download URL (or download it normally), then:
sudo apt-get install curl (curl is important)
Install it using sudo dpkg -i splunk_package_name.deb
mkdir Splunk
cd Splunk
dpkg -i splunk-9.0.4.1-419ad9369127-linux-2.6-amd64.deb
(Reading database ... 40194 files and directories currently installed.)
Preparing to unpack splunk-9.0.4.1-419ad9369127-linux-2.6-amd64.deb ...
This looks like an upgrade of an existing Splunk Server. Attempting to stop the installed Splunk Server...
splunkd is not running.
Unpacking splunk (9.0.4.1) over (9.0.4.1) ...
Setting up splunk (9.0.4.1) ...
complete
root@IDS-SIEM:~/Splunk#
(The "upgrade of an existing Splunk Server" message appears here because this was a second run of dpkg -i over the same version; on a fresh install you will just see the package unpack.)
Confirm the installation with dpkg --status splunk (look for "Status: install ok installed"):
root@IDS-SIEM:~/Splunk# dpkg --status splunk
Setting Up
Now that we have Splunk installed, let's set up our credentials and take a look at the basic functionalities. To run the web server, go to /opt/splunk/bin and run ./splunk start
# Read the license agreements
# Set up admin credentials
# Open the IP in your browser
Splunk software must create an administrator account during startup. Otherwise, you cannot log in.
Create credentials for the administrator account.
Characters do not appear on the screen when you type in credentials.
Please enter an administrator username: admin
Password must contain at least:
   * 8 total printable ASCII character(s).
Please enter a new password:
Please confirm new password:
Waiting for web server at http://127.0.0.1:8000 to be available................ Done

If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com

The Splunk web interface is at http://IDS-SIEM:8000
# Added an alias to my bashrc profile so I can start it with a simple command
# (use echo, not export: export prints nothing, so nothing would be appended)
root@IDS-SIEM:/opt/splunk/bin# echo "alias start_splunk='/opt/splunk/bin/splunk start'" >> ~/.bashrc
root@IDS-SIEM:/opt/splunk/bin# source ~/.bashrc
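The steps above (install the .deb, confirm it with dpkg, start Splunk and answer the license and admin-account prompts) can be done non-interactively. The script below is an added example written for this page, not code from the original post or from Splunk; it checks the package's SHA512 against the value published on the download page before dpkg runs, seeds the admin account through Splunk's user-seed.conf instead of the prompt, and starts with --accept-license --answer-yes --no-prompt. The package file name, the expected hash and the SPLUNK_ADMIN_PASSWORD variable are placeholders you supply; /opt/splunk is assumed as SPLUNK_HOME, matching the install above.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): verified, non-interactive
# Splunk install and first start on Debian.
# Assumptions: the .deb path, the expected SHA512 and SPLUNK_ADMIN_PASSWORD
# are placeholders supplied by the operator; SPLUNK_HOME is /opt/splunk.
set -eu

SPLUNK_HOME=/opt/splunk

# Compare a file's SHA512 with the value copied from the Splunk download page.
# Returns 0 on match, 1 on mismatch, so the caller stops before dpkg runs.
verify_sha512() {
    file=$1
    expected=$2
    actual=$(sha512sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Write user-seed.conf so the first start creates the admin account without
# the interactive prompt. Splunk consumes and removes this file on first start;
# umask 077 keeps it root-readable only in the meantime.
write_user_seed() {
    home=$1
    user=$2
    password=$3
    mkdir -p "$home/etc/system/local"
    (
        umask 077
        cat > "$home/etc/system/local/user-seed.conf" <<EOF
[user_info]
USERNAME = $user
PASSWORD = $password
EOF
    )
}

# Verify, install, confirm with dpkg, seed the admin user and start once.
install_splunk() {
    deb=$1
    expected=$2
    verify_sha512 "$deb" "$expected" || { echo "checksum mismatch for $deb" >&2; return 1; }
    dpkg -i "$deb"
    dpkg --status splunk | grep -q '^Status: install ok installed'
    write_user_seed "$SPLUNK_HOME" admin "$SPLUNK_ADMIN_PASSWORD"
    # These flags answer the license and "start now" prompts shown above.
    "$SPLUNK_HOME/bin/splunk" start --accept-license --answer-yes --no-prompt
}

# Only run the installer when explicitly asked, so the functions above can be
# sourced or tested without touching the system:
#   RUN_SPLUNK_INSTALL=1 SPLUNK_ADMIN_PASSWORD='...' ./install.sh splunk-9.0.4.1-419ad9369127-linux-2.6-amd64.deb <sha512>
if [ "${RUN_SPLUNK_INSTALL:-0}" = 1 ]; then
    : "${SPLUNK_ADMIN_PASSWORD:?set SPLUNK_ADMIN_PASSWORD (at least 8 printable ASCII characters)}"
    install_splunk "${1:?path to splunk .deb}" "${2:?expected sha512}"
fi
```

The password is read from the environment rather than typed on the command line so it does not end up in shell history; the checksum check is the one step in the post that is easy to skip and worth keeping, since the package runs as root.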
You can now access the web server from your device - I'll make a DNS pointer to it so I don't have to memorise the IP. Note that Splunk Web listens on plain HTTP on port 8000 by default; if it will be reached over anything other than a trusted lab network, enable TLS (enableSplunkWebSSL in web.conf) and restrict who can reach the port.
You should be met with this dashboard if you've followed the steps correctly.
Make sure to assign enough disk space to the container - you may need more or less depending on your traffic/activity.
Running Splunk on Reboot
If you are doing this on Proxmox, you may have to restart your cluster or server at some point. To account for this, I'll use cron to start Splunk whenever the container boots. You can also set the container itself to start when the host comes up, as shown below:
Container > Summary > Start on Boot > Check the box
cd /opt/splunk/bin
realpath splunk
/opt/splunk/bin/splunk
crontab -e
# Add this as the last line, using the absolute path realpath printed
@reboot /opt/splunk/bin/splunk start > /dev/null 2>&1
# Reboot the container to check if it works
Do not use the start_splunk alias here: cron runs jobs with /bin/sh and never reads ~/.bashrc, so the alias does not exist in that environment and the job would fail silently. Always give cron the full path.
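The crontab edit above is easy to get wrong in two ways: a relative or aliased command that cron cannot resolve, and a duplicate @reboot line after the second time you run the steps. The script below is an added example for this page (not code from the original post or from Splunk) that installs the entry with the absolute path, only once, and logs to a file instead of /dev/null so a failed start leaves evidence. It assumes Splunk is installed under /opt/splunk as above and that /var/log/splunk-boot.log is an acceptable log location.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): idempotent @reboot cron entry
# for Splunk. Assumes SPLUNK_HOME=/opt/splunk and logs to /var/log/splunk-boot.log.
set -eu

SPLUNK_HOME=/opt/splunk
SPLUNK_BIN=$SPLUNK_HOME/bin/splunk
LOG=/var/log/splunk-boot.log

# The exact crontab line we want present. Absolute path because cron runs
# /bin/sh without ~/.bashrc, so shell aliases are not available to it.
reboot_line() {
    printf '@reboot %s start >> %s 2>&1\n' "$SPLUNK_BIN" "$LOG"
}

# Append the @reboot line to a crontab file only if it is not already there.
# Operates on a file so it can be exercised without touching the real crontab.
ensure_reboot_entry() {
    crontab_file=$1
    line=$(reboot_line)
    touch "$crontab_file"
    if grep -Fqx "$line" "$crontab_file"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$crontab_file"
}

# Number of @reboot entries for this binary; anything above 1 is a duplicate.
count_reboot_entries() {
    grep -c "^@reboot $SPLUNK_BIN start" "$1" || true
}

# Apply to root's real crontab: dump it, add the line if missing, load it back.
install_cron() {
    [ -x "$SPLUNK_BIN" ] || { echo "$SPLUNK_BIN not found; check realpath as in the post" >&2; return 1; }
    tmp=$(mktemp)
    crontab -l > "$tmp" 2>/dev/null || true
    ensure_reboot_entry "$tmp"
    crontab "$tmp"
    rm -f "$tmp"
}

# Only modify the real crontab when explicitly asked: RUN_SPLUNK_CRON=1 ./cron.sh
if [ "${RUN_SPLUNK_CRON:-0}" = 1 ]; then
    install_cron
fi
```

Running this twice leaves exactly one entry. Splunk also ships its own mechanism, ./splunk enable boot-start, which writes an init script or systemd unit and accepts -user to run splunkd as a dedicated account rather than root; for anything beyond a lab, that is the better choice than cron.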
Spelunking with Splunk
Interface
Applications Directory
Configure or use your installed applications. We will be using this in the next chapter.
Product Tours
This is where you can go through a short tutorial on how to use Splunk, upload data, and sort out tables etc. Very useful when starting out.
Splunk Apps
This is where you can view the Splunk marketplace for applications.
Dashboard
This is where you can add important monitors that you might want to see when you start up Splunk.