Go to downloads - Since I'm doing this on Debian, I'll get the .deb file
wget the URL (or download normally) then
sudo apt-get install curl (Curl is important)
install it using sudo dpkg -i splunk_package_name.deb
mkdir Splunk
cd Splunk
dpkg -i splunk-9.0.4.1-419ad9369127-linux-2.6-amd64.deb
(Reading database ... 40194 files and directories currently installed.)
Preparing to unpack splunk-9.0.4.1-419ad9369127-linux-2.6-amd64.deb ...
This looks like an upgrade of an existing Splunk Server. Attempting to stop the installed Splunk Server...
splunkd is not running.
Unpacking splunk (9.0.4.1) over (9.0.4.1) ...
Setting up splunk (9.0.4.1) ...
complete
root@IDS-SIEM:~/Splunk#
Confirm the installation using root@IDS-SIEM:~/Splunk# dpkg --status splunk
Setting Up
Now that we have Splunk installed, let's set up our credentials and take a look at the basic functionalities. To run the web server, go to /opt/splunk/bin and run ./splunk start
# Read the license agreements
# Set up admin credentials
# Open the IP in your browser
Splunk software must create an administrator account during startup. Otherwise, you cannot log in.
Create credentials for the administrator account.
Characters do not appear on the screen when you type in credentials.
Please enter an administrator username: admin
Password must contain at least:
* 8 total printable ASCII character(s).
Please enter a new password:
Please confirm new password:
Waiting for web server at http://127.0.0.1:8000 to be available................ Done
If you get stuck, we\'re here to help.
Look for answers here: http://docs.splunk.com
The Splunk web interface is at http://IDS-SIEM:8000
# Added an alias to my bashrc profile so I can start it with a simple command
root@IDS-SIEM:/opt/splunk/bin$ export "alias start_splunk='/opt/splunk/bin/splunk start'" >> ~/.bashrc
You can now access the web server from your device - I'll make a DNS pointer to it so I don't have to memorise the IP.
You should be met with this dashboard if you've followed the steps correctly.
Make sure to assign enough disk space to the container - you may need more or less depending on your traffic/activity.
Running Splunk on Reboot
If you are doing this on Proxmox, you might have a situation where you have to restart your cluster or server. To factor for this, I'll be using Cron to start up Splunk whenever the container is launched. You can also set up the containers to run when the cluster is up which will be shown below
Container > Summary > Start on Boot > Check the box
cd /opt/splunk/bin
realpath splunk
/opt/splunk/bin/splunkbash
crontab -e
# Add this to the last line
@reboot /splunk/bin/splunk start >/dev/null 2>&1
# Reboot the container to check if it works
# ALTERNATIVELY - if you aliased the command
@reboot start_splunk >/dev/null 2>&1
Spelunking with Splunk
Interface
Applications Directory
Configure or use your installed applications. We will be using this in the next chapter.
Product Tours
This is where you can go through a short tutorial on how to use Splunk, upload data, and sort out tables etc. Very useful when starting out.
Splunk Apps
This is where you can view the Splunk marketplace for applications.
Dashboard
This is where you can add important monitors that you might want to see when you start up Splunk.
