In our previous blog, we discussed how to choose between a single or clustered environment. You can read our first blog here!
In this blog, I will guide you through the proper installation of Splunk, assuming that you have chosen Linux as your operating system.
One of the first things to consider for a secure installation is to run Splunk under a dedicated Splunk user account instead of the root account. This is a defense-in-depth measure: if an attacker manages to compromise the Splunk instance and gain access to the underlying operating system, it is preferable that Splunk (and therefore the attacker) does not hold administrative privileges. Even if Splunk is compromised, the attacker is then far less able to move laterally through your network from that host.
Please follow the instructions below in sequence:
Step 1: Create a Splunk User and Group
First, we need to create a separate user for Splunk and add a group for that user.
groupadd splunk
useradd -d /opt/splunk -m -g splunk splunk
Step 2: Obtain the Latest Splunk Download Link
- Go to https://www.splunk.com/en_us/download/splunk-enterprise.html
- Log in with your Splunk credentials.
- Select the Linux .tgz download, which gives you the latest version of Splunk.
If you need an older version, click on the “Older Releases” link. However, it is recommended to use the latest version for security reasons unless there is a specific need.
- Once you click download, the Splunk file will start downloading in your browser.
- On the newly opened page, you will see a link for useful tools. Select “Download via Command Line (wget)” to get the URL.
- Select and copy the full wget link.
Step 3: Download and Extract Splunk on the Linux Machine
- Go to /opt (this is the usual location for a Splunk installation, but you can choose a different location if desired). Use the command: cd /opt
- Download Splunk by running the command you copied from Step 2.
- Verify that the file has been downloaded by running:
ls -l
- Extract Splunk using the command:
tar -xvzf <splunk-file-download>
Step 4: Change the File Ownership to Splunk User
chown -R splunk:splunk /opt/splunk
Step 5: Switch to the Splunk User and Run Commands
su splunk
Step 6: Start Splunk
/opt/splunk/bin/splunk start --accept-license
Step 7: Access Splunk through the Web UI
http://<ip-or-host-of-your-linux-machine>:8000/
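The seven steps above, as an added shell script that is not part of the original post, with two checks the post leaves implicit: that no root-owned file remains under the Splunk home after Step 4, and that splunkd is actually running as the dedicated user after Step 6. It assumes the tarball has already been fetched into /opt with the wget link from Step 2 and that the script is run as root with `install <splunk-tgz>` as its arguments; the check functions can be run on their own.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Assumed defaults: /opt/splunk and user "splunk".
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_USER="${SPLUNK_USER:-splunk}"

# Step 1: create the group and user only if they do not already exist (safe to re-run).
create_splunk_account() {
  getent group "$SPLUNK_USER" >/dev/null || groupadd "$SPLUNK_USER"
  id -u "$SPLUNK_USER" >/dev/null 2>&1 || \
    useradd -d "$SPLUNK_HOME" -m -g "$SPLUNK_USER" "$SPLUNK_USER"
}

# Steps 3 and 4: extract the tarball next to SPLUNK_HOME and hand the tree to the splunk user.
extract_and_chown() {
  tar -xzf "$1" -C "$(dirname "$SPLUNK_HOME")"
  chown -R "$SPLUNK_USER:$SPLUNK_USER" "$SPLUNK_HOME"
}

# Check for Step 4: every path under DIR must be owned by USER.
# Returns 0 when clean, 1 and a list of offenders otherwise, 2 if USER does not exist
# (so a typo in the user name cannot pass as "nothing found").
check_ownership() {
  local dir="$1" user="$2" bad
  id -u "$user" >/dev/null 2>&1 || return 2
  bad=$(find "$dir" ! -user "$user" 2>/dev/null || true)
  [ -z "$bad" ] || { printf '%s\n' "$bad"; return 1; }
}

# Check for Step 6: splunkd must run as the dedicated user, never as root.
check_runtime_user() {
  local owner
  owner=$(ps -o user= -C splunkd 2>/dev/null | sort -u | head -n 1)
  [ "$owner" = "$1" ]
}

# Steps 5 and 6: start Splunk as the splunk user rather than as root.
start_as_splunk() {
  su -s /bin/sh "$SPLUNK_USER" -c "$SPLUNK_HOME/bin/splunk start --accept-license"
}

# Full sequence only when invoked as: sudo ./install-splunk.sh install <splunk-tgz>
if [ "${1:-}" = "install" ]; then
  create_splunk_account
  extract_and_chown "$2"
  check_ownership "$SPLUNK_HOME" "$SPLUNK_USER"
  start_as_splunk
  check_runtime_user "$SPLUNK_USER"   # then open Step 7's URL on port 8000
fi
```

After the run, `check_ownership /opt/splunk splunk` and `check_runtime_user splunk` can be repeated at any time, for example from a cron job, to catch a later restart as root or a stray root-owned file.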
I hope this installation process works well for you. If you encounter any issues, please feel free to reach out to us!
In the next blog, we will discuss storage, indexes, and buckets, which can be more challenging. In my opinion, many Splunk installations suffer from common misconfigurations related to storage, buckets, and indexes, which can result in slow performance or even complete system inoperability.