Building a Splunk Server

Platforms

The Splunk server software runs on all Windows and Linux platforms. All development of the Splunk application was completed using CentOS 6.4 64-Bit running on Dell R720 and R820 servers.

Recommended Hardware/Environment

You can run Splunk locally on your laptop or in a VMware environment, which is an excellent choice for testing and demos. If you are building a test server for your group or department, you will need the following resources:

Procedure

  1. Download the Installer from Splunk.com.

Note: If you are going to run this application on Linux, use the .tgz tar file. It is the simplest to install anywhere.

Indexes

Consider where your indexes will reside before you install Splunk. Indexes are the data Splunk stores from the firewall and from any other devices that log to the Splunk server. A free license is limited to 500MB of indexed data in any 24-hour period. A busy firewall will exceed this limit; Splunk continues indexing the data anyway, but the Search interface is then no longer accessible. Store the indexes on an independent partition: an index kept on the root partition can fill it completely and crash the system. If no independent partition is available when you create the SonicWALL index, set a maximum size on the index that is smaller than your free space.
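The following script is an added example for this guide, not part of the original; it places the SonicWALL index on a dedicated partition and caps its size below the free space, the two precautions described above. The index name "sonicwall", the install location /opt/splunk and the mount point /data/splunk are assumptions. The stanza keys (homePath, coldPath, thawedPath, maxTotalDataSizeMB) are standard indexes.conf settings.

```shell
#!/bin/sh
# Added example for this guide (not part of the original): give the SonicWALL
# index its own partition and cap its size below the free space, so the index
# can never fill the root filesystem. Assumed values: the index is named
# "sonicwall", Splunk is installed in /opt/splunk and the dedicated partition is
# mounted at /data/splunk.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
INDEX_NAME="${INDEX_NAME:-sonicwall}"                # assumed index name
INDEX_PATH="${INDEX_PATH:-/data/splunk/$INDEX_NAME}" # assumed separate partition

# cap_mb FREE_MB [PERCENT] -> the largest index size to allow, in MB.
# Keeps (100-PERCENT)% of the free space in reserve; the default reserve is 20%.
cap_mb() {
    echo $(( $1 * ${2:-80} / 100 ))
}

# free_mb_at PATH -> free space on the filesystem that holds PATH, in MB.
free_mb_at() {
    df -P -k "$1" | awk 'NR == 2 { print int($4 / 1024) }'
}

# index_stanza LIMIT_MB -> the indexes.conf stanza that places every bucket
# directory on the dedicated partition and enforces the size cap.
index_stanza() {
    cat <<EOF
[$INDEX_NAME]
homePath   = $INDEX_PATH/db
coldPath   = $INDEX_PATH/colddb
thawedPath = $INDEX_PATH/thaweddb
maxTotalDataSizeMB = $1
EOF
}

# "sh thisfile.sh apply" appends the stanza to the local indexes.conf; with no
# argument the script only defines the functions so the result can be inspected.
if [ "${1:-}" = "apply" ]; then
    mkdir -p "$INDEX_PATH"
    limit=$(cap_mb "$(free_mb_at "$INDEX_PATH")")
    index_stanza "$limit" >> "$SPLUNK_HOME/etc/system/local/indexes.conf"
    echo "appended [$INDEX_NAME] with maxTotalDataSizeMB=$limit; restart Splunk to apply"
fi
```

Run `index_stanza 800` first to review the output, then `sh thisfile.sh apply` as root once the partition is mounted. The cap is computed from the free space at the time you run it, so re-run the calculation if you later shrink the partition.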

Linux

You can install the Splunk server software anywhere on the disk, since it is almost entirely self-contained. A typical location is:

/opt/splunk

All future examples reference that location.

[root@splunk2 ~]# cd /opt
[root@splunk2 opt]# ls
rh  splunk  splunk-6.1.2-213098-Linux-x86_64.tgz

Unpack the Package

[root@splunk2 opt]# tar -xzf splunk-6.1.2-213098-Linux-x86_64.tgz

This creates a directory named splunk.

Next, install the init script so that Splunk starts at boot.

/opt/splunk/bin/splunk enable boot-start

You are now ready to start the server.

service splunk start

Security Services in Linux

In Linux, there are two preconfigured security services that could prevent Splunk from operating as expected.

IPTables

The default IPTables configuration does not allow connections to port 8000, so you cannot reach the web interface, and it also blocks inbound port 2055, which the firewall uses to send IPFIX. You can either flush the tables or add rules that allow just that traffic.
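As an added example (not part of the original guide), the script below takes the second option: it opens only the two ports named above, and only from the hosts that need them, instead of flushing the firewall. It assumes CentOS 6 with the iptables service, that the firewall exports IPFIX over UDP from FIREWALL_IP, and that the web interface is used only from ADMIN_NET; both addresses are placeholders.

```shell
#!/bin/sh
# Added example for this guide (not part of the original): open only the two
# ports Splunk needs instead of flushing iptables, and only from the hosts that
# need them. Assumptions: CentOS 6 with the iptables service, IPFIX exported
# over UDP from FIREWALL_IP, and the web interface used only from ADMIN_NET.
# Both addresses are placeholders from the documentation range.
FIREWALL_IP="${FIREWALL_IP:-192.0.2.1}"     # placeholder: SonicWALL address that sends IPFIX
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"      # placeholder: network admins browse port 8000 from

# splunk_rules -> one iptables command per line. "-I INPUT 1" inserts at the top
# of the chain, ahead of the default REJECT rule that otherwise drops the traffic.
splunk_rules() {
    printf '%s\n' \
      "iptables -I INPUT 1 -p udp --dport 2055 -s $FIREWALL_IP -j ACCEPT" \
      "iptables -I INPUT 1 -p tcp --dport 8000 -s $ADMIN_NET -m state --state NEW -j ACCEPT"
}

# "sh thisfile.sh apply" runs the rules as root and persists them across reboots;
# with no argument the script only prints what would be run.
if [ "${1:-}" = "apply" ]; then
    splunk_rules | sh -e
    service iptables save
else
    splunk_rules
fi
```

The CentOS 6 default rule set already accepts ESTABLISHED,RELATED traffic, so replies to the browser and the UDP export need no extra rules. `service iptables save` writes the running rules to /etc/sysconfig/iptables so they survive a reboot.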

SELinux

By default, SELinux comes enabled on all Red Hat-based Linux distributions, including CentOS, Red Hat, and Rawhide. SELinux can be configured to allow Splunk to operate normally, but configuration is left up to the user.

Splunk as a Non-Root User

For testing, Splunk can run as root, but this is not recommended in production. Follow the Splunk-provided documentation: create a dedicated user account to run the server, and make sure all Splunk files are owned by that user.
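The script below is an added example for this guide, not the project's own code; it carries out the dedicated-account setup just described and then verifies file ownership. It assumes Splunk is unpacked in /opt/splunk, that the account is named "splunk", and that the index partition from the Indexes section is mounted at /data/splunk; all three are placeholders. Note that `splunk enable boot-start` as shown earlier in the procedure installs an init script that runs Splunk as root; the `-user` option here makes it run as the dedicated account instead.

```shell
#!/bin/sh
# Added example for this guide (not part of the original): run Splunk under a
# dedicated account rather than root. Assumptions: Splunk is unpacked in
# /opt/splunk, the account is named "splunk", and the index partition from the
# Indexes section is mounted at /data/splunk (all three are placeholders).
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_USER="${SPLUNK_USER:-splunk}"
INDEX_PATH="${INDEX_PATH:-/data/splunk}"

# setup_steps -> the commands, one per line, in the order they must run.
# The boot-start init script switches to the account with su, so the account
# needs a real login shell; "-r" makes it a system account with no password.
setup_steps() {
    printf '%s\n' \
      "useradd -r -d $SPLUNK_HOME -s /bin/bash $SPLUNK_USER" \
      "chown -R $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME $INDEX_PATH" \
      "$SPLUNK_HOME/bin/splunk enable boot-start -user $SPLUNK_USER" \
      "service splunk start"
}

# check_ownership DIR USER -> succeeds only if every file under DIR is owned by
# USER; otherwise prints the first few stray files so they can be fixed.
check_ownership() {
    stray=$(find "$1" ! -user "$2" 2>/dev/null | head -n 5)
    if [ -n "$stray" ]; then
        echo "not owned by $2:" "$stray" >&2
        return 1
    fi
    return 0
}

# "sh thisfile.sh apply" runs the steps as root and checks the result; with no
# argument the script only prints the commands for review.
if [ "${1:-}" = "apply" ]; then
    setup_steps | sh -e
    check_ownership "$SPLUNK_HOME" "$SPLUNK_USER"
    check_ownership "$INDEX_PATH" "$SPLUNK_USER"
else
    setup_steps
fi
```

Run the ownership check again after any upgrade or after adding apps as root, since files created by root under /opt/splunk will stop the non-root server from writing to them.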

Windows

Double-click the installer and follow the steps.