Latest Posts

Install Latest Splunk 7.2.0 into Ubuntu and CentOS

Installing Splunk 7.2.0 into Ubuntu is super easy. I had a video to introduce how to install Splunk in a windows server in my previous post. This time, I am going to present an installation process for Splunk 7.2.0 installed into Ubuntu 18.04.  Ubuntu is running on Google Cloud Platform.

Notes: For CentOS steps and video, you can find it at the end of this post.

1. Create a new Ubuntu 18.04 LTS VM from GCP ->Computer Engine -> VM Instance






2. SSH Log into Ubuntu VM from GCP ->Computer Engine -> VM Instance



3. Download Splunk from Ubuntu VM

Scrip for download link:

product="splunk"       # values can be : splunk , universalforwarder
 version="7.0.2"        # Splunk product Version
 hash="8c86330ac18"    # specific per Version
 arch="amd64"           # values can be : x86_64 (redhat, tgz), amd64 (ubuntu), x64 (Windows)
 os="linux"             # values can be : linux, windows
 pkg="deb"              # Values can be : tgz, rpm, deb, msi
 
 if [ $pkg = "tgz" ]; then
    filename="${product}-${version}-${hash}-Linux-${arch}.${pkg}"
 elif [ $os = "windows" ]; then
    filename="${product}-${version}-${hash}-${arch}-release.${pkg}"
 else 
    filename="${product}-${version}-${hash}-${os}-2.6-${arch}.${pkg}"
 fi
 
 md5File="${filename}.md5"
 echo $filename         # Verify this is correct
 
 wget "https://download.splunk.com/products/splunk/releases/${version}/${os}/${md5File}"
 wget "https://download.splunk.com/products/splunk/releases/${version}/${os}/${filename}"
 
 
 # OR
 curl -o "$md5File" "https://download.splunk.com/products/splunk/releases/${version}/${os}/${md5File}"
 curl -o "$md5File" "https://download.splunk.com/products/splunk/releases/${version}/${os}/${filename}"





Download Splunk Package using wget :

johnyan_ca@ubuntu:~$ echo $filename
splunk-7.2.0-8c86330ac18-linux-2.6-amd64.deb
johnyan_ca@ubuntu:~$ wget "https://download.splunk.com/products/splunk/releases/${version}/${os}/${filename}"
--2018-10-19 23:14:33--  https://download.splunk.com/products/splunk/releases/7.2.0/linux/splunk-7.2.0-8c86330ac18-linux-2.6-amd64.deb
Resolving download.splunk.com (download.splunk.com)... 13.35.115.61, 13.35.115.82, 13.35.115.18, ...
Connecting to download.splunk.com (download.splunk.com)|13.35.115.61|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 261290760 (249M) [application/octet-stream]
Saving to: ‘splunk-7.2.0-8c86330ac18-linux-2.6-amd64.deb’

splunk-7.2.0-8c86330ac18-lin 100%[=============================================>] 249.19M  6.09MB/s    in 41s     

2018-10-19 23:15:15 (6.04 MB/s) - ‘splunk-7.2.0-8c86330ac18-linux-2.6-amd64.deb’ saved [261290760/261290760]


johnyan_ca@ubuntu:~$ wget https://download.splunk.com/products/splunk/releases/7.2.0/linux/splunk-7.2.0-8c86330ac18-linux-2.6-amd64.deb

4. Install Splunk Package 

johnyan_ca@ubuntu:~$ dpkg -i splunk-7.2.0-8c86330ac18-linux-2.6-amd64.deb 
dpkg: error: requested operation requires superuser privilege
johnyan_ca@ubuntu:~$ sudo su
root@ubuntu:/home/johnyan_ca# 
root@ubuntu:/home/johnyan_ca# 
root@ubuntu:/home/johnyan_ca# dpkg -i splunk-7.2.0-8c86330ac18-linux-2.6-amd64.deb 
Selecting previously unselected package splunk.
(Reading database ... 60641 files and directories currently installed.)
Preparing to unpack splunk-7.2.0-8c86330ac18-linux-2.6-amd64.deb ...
Unpacking splunk (7.2.0) ...
Setting up splunk (7.2.0) ...
complete


root@ubuntu:/home/johnyan_ca# cd /opt/splunk/bin/
root@ubuntu:/opt/splunk/bin# ./splunk enable boot-start
SPLUNK SOFTWARE LICENSE AGREEMENT

HIS SPLUNK SOFTWARE LICENSE AGREEMENT ("AGREEMENT") GOVERNS THE LICENSING,
INSTALLATION AND USE OF SPLUNK SOFTWARE. BY DOWNLOADING AND/OR INSTALLING
.
.
.
.[Omitted]
.
.
4.  FORCE MAJEURE. Splunk will not be responsible for any failure or delay in
its performance under these Terms and Conditions due to causes beyond its
reasonable control, including, but not limited to, labor disputes, strikes,
lockouts, shortages of or inability to obtain labor, energy, raw materials or
supplies, war, acts of terror, riot, acts of God or governmental action.

Splunk Software License Agreement 10.01.2018
Do you agree with this license? [y/n]: y

This appears to be your first time running this version of Splunk.

Splunk software must create an administrator account during startup. Otherwise, you cannot log in.
Create credentials for the administrator account.
Characters do not appear on the screen when you type in credentials.

Please enter an administrator username: johnyan
Password must contain at least:
   * 8 total printable ASCII character(s).
Please enter a new password: 
Please confirm new password: 
Copying '/opt/splunk/etc/openldap/ldap.conf.default' to '/opt/splunk/etc/openldap/ldap.conf'.
Generating RSA private key, 2048 bit long modulus
...................................................+++
................................................................................................................+++
e is 65537 (0x10001)
writing RSA key

Generating RSA private key, 2048 bit long modulus
....................+++
.........+++
e is 65537 (0x10001)
writing RSA key

Moving '/opt/splunk/share/splunk/search_mrsparkle/modules.new' to '/opt/splunk/share/splunk/search_mrsparkle/modules'.
Init script installed at /etc/init.d/splunk.
Init script is configured to run at boot.
root@ubuntu:/opt/splunk/bin# 
root@ubuntu:/opt/splunk/bin# 
root@ubuntu:/opt/splunk/bin# service splunk start
root@ubuntu:/opt/splunk/bin# 



5. Firewall Rule Change
Open tcp 8000 port in Google Cloud Platform VPC network -> Firewall rules



6. Add local log folder as data input
Here is an example to add a new local folder /var/log as a data input.




Youtube Video:
Notes: Install Splunk to CentOS 7
Steps:
[root@linuxhelp1 ~]# groupadd splunk
[root@linuxhelp1 ~]# useradd -d /opt/splunk -m -g splunk splunk
[root@linuxhelp1 ~]# tar -xzvf splunk-6.6.3-e21ee54bc796-Linux-x86_64.tgz
[root@linuxhelp1 ~]# cp -rp splunk/* /opt/splunk/
[root@linuxhelp1 ~]# chown -R splunk: /opt/splunk/
[root@linuxhelp1 ~]# su - splunk
[splunk@linuxhelp1 ~]$ cd bin
[splunk@linuxhelp1 bin]$ ./splunk start --accept-license

References:








No comments