As you may have noticed, I’m not a huge fan of proprietary, closed source software. And of course I ended up having to install Splunk for a client. So here are a few notes on what I did to get it working.
I started following this guide with a few integrations here and there.
Install the Splunk Server
First thing, you need to download the server. You have to register for it (proprietary software).
I got the 64-bit RPM for my CentOS 7 server and installed it with:
yum install splunk-*-linux-2.6-x86_64.rpm
/opt/splunk/bin/splunk --answer-yes --no-prompt --accept-license enable boot-start
/opt/splunk/bin/splunk --answer-yes --no-prompt --accept-license start
This will automatically accept the license and set up the Splunk Server to start at boot time.
If everything worked correctly, you should be able to connect to your Splunk Server on:
If it doesn’t work, check if you have a firewall on your server machine and open port tcp/8000 if needed.
For more information on this step, I’ll refer you to the Fine Manual:
Configure the Splunk Server
The logical next step is to configure the Splunk Server to listen for incoming logs.
Assuming you didn’t change (yet) your Splunk Server user and password, you’ll need to run:
/opt/splunk/bin/splunk enable listen 9997 -auth admin:changeme
/opt/splunk/bin/splunk enable deploy-server -auth admin:changeme
For more information on this step, check:
Install the Splunk Universal Forwarder on clients
Now that the server side is configured, we need to set up a client to send some logs to it. Again, head off to the download page and grab the package you need.
For large scale deployment you might want to read about how to use user-seed.conf, so you can pre-seed your installation user and password. For this quick tutorial, we’ll skip that and run directly these commands:
yum -y install splunkforwarder-*-linux-2.6-x86_64.rpm
/opt/splunkforwarder/bin/splunk --answer-yes --no-prompt --accept-license enable boot-start
/opt/splunkforwarder/bin/splunk --answer-yes --no-prompt --accept-license start
Again, this will automatically accept the license and enable the forwarder at boot time.
For more information about this step:
Configure the Universal Forwarder
Once the forwarder is installed, you’ll need to configure it to talk to your server.
Please note that the user and password I’m using are those of the local Splunk forwarder instance, not the Splunk Server.
/opt/splunkforwarder/bin/splunk add forward-server splunk-server:9997 -auth admin:changeme
/opt/splunkforwarder/bin/splunk set deploy-poll splunk-server:8089 -auth admin:changeme
/opt/splunkforwarder/bin/splunk enable deploy-client -auth admin:changeme
/opt/splunkforwarder/bin/splunk add monitor /var/log/nginx/error.log
/opt/splunkforwarder/bin/splunk restart
In my case I added /var/log/nginx/error.log to the files that will be monitored and sent to the server.
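As an added example (not code from the original post), here are both procedures above, the server configuration from “Configure the Splunk Server” and the forwarder configuration just shown, wrapped into one shell script. The splunk commands, paths and ports are the post’s own; the SPLUNK_ADMIN_PASSWORD environment variable, the firewalld calls, the hostname argument and the validation helpers are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: wraps the Splunk CLI steps for
# CentOS 7 in checked functions. Assumptions (mine): the admin password comes
# from SPLUNK_ADMIN_PASSWORD, firewalld is the host firewall, and the server
# hostname is passed as an argument.
set -eu

SPLUNK_HOME=/opt/splunk
FORWARDER_HOME=/opt/splunkforwarder
RECEIVER_PORT=9997   # forwarders send data here
MGMT_PORT=8089       # deployment server / management port
WEB_PORT=8000        # Splunk web interface

# Fail if the named variable is unset or empty, instead of silently falling
# back to the factory default admin:changeme the post uses.
require_env() {
    eval "_val=\${$1:-}"
    if [ -z "$_val" ]; then
        echo "error: $1 must be set" >&2
        return 1
    fi
}

# Build the -auth argument; the user defaults to admin.
splunk_auth() {
    printf '%s:%s' "${SPLUNK_ADMIN_USER:-admin}" "$SPLUNK_ADMIN_PASSWORD"
}

# Accept only an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Refuse relative paths and anything that is not an existing regular file,
# so a typo does not leave a silent, empty monitor stanza behind.
valid_monitor_path() {
    case "$1" in
        /*) ;;
        *) echo "error: monitor path must be absolute: $1" >&2; return 1 ;;
    esac
    if [ ! -f "$1" ]; then
        echo "error: monitor path is not a regular file: $1" >&2
        return 1
    fi
}

# Open the three server-side ports on firewalld (assumption: firewalld in use).
open_server_ports() {
    for port in "$WEB_PORT" "$MGMT_PORT" "$RECEIVER_PORT"; do
        firewall-cmd --permanent --add-port="${port}/tcp"
    done
    firewall-cmd --reload
}

configure_server() {
    require_env SPLUNK_ADMIN_PASSWORD
    valid_port "$RECEIVER_PORT"
    yum -y install splunk-*-linux-2.6-x86_64.rpm
    "$SPLUNK_HOME/bin/splunk" --answer-yes --no-prompt --accept-license enable boot-start
    "$SPLUNK_HOME/bin/splunk" --answer-yes --no-prompt --accept-license start
    "$SPLUNK_HOME/bin/splunk" enable listen "$RECEIVER_PORT" -auth "$(splunk_auth)"
    "$SPLUNK_HOME/bin/splunk" enable deploy-server -auth "$(splunk_auth)"
    open_server_ports
}

configure_forwarder() {
    server="$1"; logfile="$2"
    require_env SPLUNK_ADMIN_PASSWORD
    valid_monitor_path "$logfile"
    yum -y install splunkforwarder-*-linux-2.6-x86_64.rpm
    fw="$FORWARDER_HOME/bin/splunk"
    "$fw" --answer-yes --no-prompt --accept-license enable boot-start
    "$fw" --answer-yes --no-prompt --accept-license start
    "$fw" add forward-server "$server:$RECEIVER_PORT" -auth "$(splunk_auth)"
    "$fw" set deploy-poll "$server:$MGMT_PORT" -auth "$(splunk_auth)"
    "$fw" enable deploy-client -auth "$(splunk_auth)"
    "$fw" add monitor "$logfile" -auth "$(splunk_auth)"
    "$fw" restart
}

usage() {
    echo "usage: $0 server | forwarder <splunk-server-host> <absolute-log-path>" >&2
}

main() {
    case "${1:-}" in
        server) configure_server ;;
        forwarder)
            [ "$#" -eq 3 ] || { usage; return 1; }
            configure_forwarder "$2" "$3" ;;
        *) usage; return 1 ;;
    esac
}

# Dispatch only when invoked with arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as `SPLUNK_ADMIN_PASSWORD=... ./splunk-setup.sh server` on the server and `SPLUNK_ADMIN_PASSWORD=... ./splunk-setup.sh forwarder splunk-server /var/log/nginx/error.log` on each client. The script only removes the hardcoded changeme; the password still travels through -auth on the command line, exactly as in the post’s commands, so it is visible to other local users in the process list while each command runs.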
For more information about this step, check out:
Accessing your logs on the Splunk Server
At this point you should be able to log in to your Splunk Server web interface, head to the “Search & Reporting” app, and search for your data. For example, I used a simple query:
to make sure the data from my log files was ending up in Splunk.