
Getting Started with Splunk: A Complete Installation Guide for Windows and Linux — Part 1

XoX
8 min read · Jan 17, 2025

Splunk is a widely used platform for collecting and searching machine-generated data in real time, which is crucial for operational intelligence and cybersecurity. Whether you’re a security operations center (SOC) analyst looking to improve threat detection or an IT professional managing system logs, Splunk’s versatility makes it a go-to solution.

In this blog, we will walk you through installing Splunk on both Windows and Linux, starting from downloading the setup files, so you can quickly start monitoring and analyzing your data. Let’s dive in and set up Splunk for your organization’s needs.

WINDOWS:

Visit the Splunk website and download the Windows setup.
Link: https://url-shortener.xyz/1T5

After downloading the file, start the installation process as shown below.

Set the username and password for the administrator account; you will need them later to log in.

The installation progress is shown in the image below.

Click the Launch button to open Splunk, which runs on localhost and opens in your browser.

Now that Splunk is installed we need data to work with, so we will add forwarders that send logs to the Splunk instance.

To add one, open the Settings tab and click Forwarding and receiving, as shown.

Since we want to receive data, we must configure a receiving port so that the data can be collected; click Configure receiving to add the port.

The default receiving port in Splunk is 9997, so we will use that port.

After adding the port, check its status to confirm that receiving is enabled.

Now that the receiving port is configured, we need forwarders to send data to it.

We will use the Splunk Universal Forwarder to forward the logs: download the universal forwarder setup and install it as shown. Select the on-premises option, as we will not be using the cloud; it is out of scope for this process.

Set the username and password for the universal forwarder.

As we are forwarding our data to localhost (127.0.0.1) and not to a remote server, we set the hostname accordingly, and select port 8089 for sending the logs outbound.

NOTE:
Add an outbound rule to the firewall so that the forwarder's traffic is not blocked while sending data.

In our case the receiving end is also localhost, so select the localhost option and the receiving port we configured earlier.

We can also set the IP of the server where the data will be processed.

After successfully installing the Splunk Universal Forwarder, go to the Settings tab of the Splunk dashboard and open Forwarder management.

Under the Clients tab we can now see that our system has been added.

Ingesting Web server logs into Splunk:

To add the web server logs, go to the Add data option under the Settings tab.

Select the Forward option shown below.

Name the server class, select it, and move it from the New section to the Existing section.

Select the log types, then select the available event logs and move them from the left section to the right section.

Create a new index named win_logs so that we can target it directly in our Splunk searches.

Review all the settings, adjust them to your needs if required, and submit.

If you want to upload logs from a local directory or file, select the following options.

You can also select different server source types, such as IIS.

Similarly, review all the configurations and submit.

We have successfully installed Splunk and the Splunk Universal Forwarder, and we have configured the inbound and outbound ports and their firewall rules to send and receive the logs.

Finally, we have sent the System, Application, and Security event logs to the Splunk dashboard along with the server logs.

LINUX:

Download the Splunk setup for Linux from the official website.
Link: https://url-shortener.xyz/1T5

Use the following commands to install Splunk:

sudo su -                           # become root (or prefix each command with sudo)
tar xvzf splunk_installer.tgz       # extract the downloaded tarball; use the actual file name
mv splunk /opt/                     # Splunk expects to live in /opt/splunk
cd /opt/splunk/bin
./splunk start --accept-license     # first start; you are asked to create the admin account
# Splunk Web is now available at http://127.0.0.1:8000

Change to the Splunk directory:

cd /opt/splunk

Run the following commands as needed:

./bin/splunk start
./bin/splunk stop
./bin/splunk restart
./bin/splunk status
./bin/splunk add oneshot <file> -index <index_name>   # index a single file once
./bin/splunk search '<search_string>'                  # run a search from the CLI
./bin/splunk help

Download the universal forwarder; the package is available for both Linux and Windows.

Run the following commands:

sudo su -
tar xvzf splunkforwarder.tgz        # use the actual file name of the downloaded forwarder tarball
mv splunkforwarder /opt/
cd /opt/splunkforwarder
./bin/splunk start --accept-license
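Both install sequences (Splunk Enterprise and the universal forwarder) come down to the same steps: fetch a tarball, unpack it into /opt, start it. Since the download links in this post go through a URL shortener, the step worth adding is checking the tarball against the SHA-512 checksum that Splunk publishes beside each download before anything is unpacked. The script below is an added example and not the post's own or Splunk's; it assumes the checksum was saved next to the tarball in sha512sum format, and the archive and checksum file names in the usage line are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post or from Splunk: unpack a Splunk
# Enterprise or Universal Forwarder tarball only after its SHA-512 matches the
# checksum published next to the download. Needs Linux coreutils and tar.

# verify_tarball TARBALL CHECKSUM_FILE
# CHECKSUM_FILE holds "<sha512-hex>  <filename>", the sha512sum format Splunk publishes.
# Only the hash column is compared, so a renamed download (splunk_installer.tgz) still verifies.
verify_tarball() {
    local expected actual
    expected=$(awk 'NR == 1 { print tolower($1) }' "$2")
    actual=$(sha512sum "$1" | awk '{ print $1 }')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# install_splunk_tarball TARBALL CHECKSUM_FILE DEST_DIR
# Extracts into DEST_DIR (normally /opt) and prints the unpacked product directory,
# DEST_DIR/splunk or DEST_DIR/splunkforwarder. A tarball whose checksum does not
# match, or whose layout is not a Splunk product, is never extracted.
install_splunk_tarball() {
    local tarball="$1" sums="$2" dest="$3" top
    if ! verify_tarball "$tarball" "$sums"; then
        echo "checksum mismatch for $tarball, refusing to install" >&2
        return 1
    fi
    top=$(tar tzf "$tarball" | head -n 1 | cut -d/ -f1)   # top-level dir names the product
    case "$top" in
        splunk|splunkforwarder) ;;
        *) echo "unexpected archive layout: '$top'" >&2; return 1 ;;
    esac
    mkdir -p "$dest" && tar xzf "$tarball" -C "$dest" || return 1
    echo "$dest/$top"
}

# Usage: ./install_splunk.sh <tarball> <tarball>.sha512 [/opt]
# e.g.   ./install_splunk.sh splunkforwarder.tgz splunkforwarder.tgz.sha512 /opt
if [ "$#" -ge 2 ]; then
    dir=$(install_splunk_tarball "$1" "$2" "${3:-/opt}") || exit 1
    echo "unpacked to $dir; start it with: $dir/bin/splunk start --accept-license"
fi
```

Run it as root (or under sudo) so the extraction into /opt succeeds; the first `splunk start --accept-license` afterwards is the same as in the commands above.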

After successfully installing the Splunk Universal Forwarder, go to the Settings tab of the Splunk dashboard and open Forwarder management.

As on Windows, we need a receiving port so that the data can be collected: click Configure receiving and add the default receiving port, 9997.

After adding the port, check its status to confirm that receiving is enabled.

Go to Indexes under the Settings tab: we need a new index, otherwise all logs land in the main index mixed with other data, which is a problem when we only want the logs related to our own system or source.

Add a new index; don't reuse a name that is already taken by an existing index. Name your index and save it.

Run the following commands (from /opt/splunkforwarder/bin) to configure the forwarder:

./splunk add forward-server MACHINE_IP:9997      # MACHINE_IP is the indexer; you are asked for the forwarder's admin credentials

Linux keeps its important logs under the /var/log directory.

./splunk add monitor /var/log/syslog -index Linux_host   # send syslog to the Linux_host index created above

Exploring inputs.conf
We can also open the inputs.conf file located in /opt/splunkforwarder/etc/apps/search/local:

cd /opt/splunkforwarder/etc/apps/search/local
ls
inputs.conf

Run the following command and adjust the stanza as needed:

cat inputs.conf
[monitor:///var/log/syslog]
disabled = false
index = Linux_host
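Everything configured through the Windows wizard and through the `splunk add` commands ends up in two files on the forwarder: inputs.conf (what to collect and which index it goes to, `[monitor://...]` stanzas on Linux, `[WinEventLog://System]`, `[WinEventLog://Application]` and `[WinEventLog://Security]` for the Windows event logs) and outputs.conf (the `[tcpout:...]` stanza holding the indexer's host:port). The script below is an added example, not code from this post or from Splunk. It reads a key out of a stanza and checks the mistakes that most often leave an index empty: a monitored path or index name that does not exist, and a tcpout server that points at 8089, which is splunkd's management port (the port the deployment server field in the Windows wizard refers to), not the receiving port 9997 that was enabled earlier. Paths, index names and the index list in demo() are constructed; on a real indexer the list comes from `splunk list index`.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post or from Splunk: read and
# sanity-check the inputs.conf / outputs.conf that "splunk add monitor" and
# "splunk add forward-server" write, before restarting the forwarder.
# Paths, index names and the index list used in demo() are constructed.

# conf_get FILE STANZA KEY -> prints KEY's value inside [STANZA]; exit 1 if absent.
# Splunk .conf files are INI-like: [stanza] headers, "key = value" lines, # comments.
conf_get() {
    awk -v want="[$2]" -v key="$3" '
        { sub(/[[:space:]]+$/, "") }                 # trailing blanks / CR
        /^[[:space:]]*#/ { next }                    # comment line
        /^\[.*\]$/ { in_stanza = ($0 == want); next }
        in_stanza && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", k)
            if (k == key) { sub(/^[^=]*=[[:space:]]*/, ""); print; found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# list_stanzas FILE -> stanza names, one per line
list_stanzas() { sed -n 's/^\[\(.*\)\][[:space:]]*$/\1/p' "$1"; }

# check_forwarder_conf INPUTS OUTPUTS INDEX_LIST
# INDEX_LIST holds one existing index per line (output of "splunk list index" on
# the indexer). Prints one line per problem; returns 1 if any were found.
check_forwarder_conf() {
    local inputs="$1" outputs="$2" indexes="$3" problems=0 stanza idx path target hp
    while IFS= read -r stanza; do
        case "$stanza" in monitor://*|WinEventLog://*) ;; *) continue ;; esac
        if [ "$(conf_get "$inputs" "$stanza" disabled)" = "true" ]; then continue; fi
        path="${stanza#monitor://}"                   # only monitor:// has a local path
        if [ "$path" != "$stanza" ] && [ ! -e "$path" ]; then
            echo "$stanza: $path does not exist on this host"; problems=$((problems + 1))
        fi
        idx=$(conf_get "$inputs" "$stanza" index) || idx=""
        if [ -z "$idx" ]; then
            echo "$stanza: no index set, events would land in main"; problems=$((problems + 1))
        elif ! grep -qx -- "$idx" "$indexes"; then
            echo "$stanza: index $idx does not exist on the indexer, events would be dropped"
            problems=$((problems + 1))
        fi
    done <<EOF
$(list_stanzas "$inputs")
EOF
    while IFS= read -r stanza; do
        case "$stanza" in tcpout:*) ;; *) continue ;; esac
        target=$(conf_get "$outputs" "$stanza" server) || target=""
        if [ -z "$target" ]; then echo "$stanza: no server set"; problems=$((problems + 1)); continue; fi
        for hp in $(printf '%s' "$target" | tr ',' ' '); do
            # 8089 is splunkd's management port (deployment server, REST API); events
            # go to the receiving port, 9997 by default. A tcpout on 8089 delivers nothing.
            if [ "${hp##*:}" = "8089" ]; then
                echo "$stanza: $hp is the management port, not the receiving port"; problems=$((problems + 1))
            fi
        done
    done <<EOF
$(list_stanzas "$outputs")
EOF
    [ "$problems" -eq 0 ]
}

# demo: one clean Linux input next to the three classic mistakes (all constructed)
demo() {
    local d; d=$(mktemp -d)
    : > "$d/syslog"
    printf '[monitor://%s]\ndisabled = false\nindex = Linux_host\n\n' "$d/syslog" > "$d/inputs.conf"
    printf '[monitor:///var/log/app/missing.log]\nindex = app_logs\n\n' >> "$d/inputs.conf"
    printf '[WinEventLog://Security]\nindex = win_logs\n' >> "$d/inputs.conf"
    printf '[tcpout]\ndefaultGroup = idx\n\n[tcpout:idx]\nserver = 127.0.0.1:8089\n' > "$d/outputs.conf"
    printf 'main\nLinux_host\nwin_logs\n' > "$d/indexes.txt"
    check_forwarder_conf "$d/inputs.conf" "$d/outputs.conf" "$d/indexes.txt" \
        || echo "fix these, then: /opt/splunkforwarder/bin/splunk restart"
    rm -rf "$d"
}
demo
```

On a real forwarder, point it at the files under /opt/splunkforwarder/etc/apps/search/local (where the `splunk add` commands above write) or at any other app's local directory; the path check is only meaningful on the host that runs the forwarder, which is why the WinEventLog stanzas are index-checked but not path-checked.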

To check that Splunk has been installed successfully and that the index and other configuration are correct, run the following tool, which generates dummy log lines that we can then look for in Splunk to confirm they were sent and received.

Tool: the logger utility
logger "This is a logger for generating demo logs !"
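A practical refinement of the logger check above, as an added example that is not part of the original post: give each test message a unique marker and wait for it to appear in the monitored file before searching for it in Splunk. That separates a fresh event from the demo lines of earlier runs, and tells you whether a failure is upstream of the forwarder (the file never got the line, so look at the syslog daemon) or downstream (the file has it but the index does not, so look at the forwarder and the receiving port). The syslog tag and priority are assumptions; the log path defaults to /var/log/syslog, the file monitored above.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post: send one uniquely tagged test
# event with logger and confirm it reached the file the forwarder monitors, so
# the same marker can then be searched in Splunk (index=Linux_host "<marker>").
# The syslog tag and priority are assumptions; the log path defaults to /var/log/syslog.

# make_marker -> a token unique to this host and run
make_marker() {
    printf 'splunk-e2e-%s-%s-%s' "${HOSTNAME:-$(uname -n)}" "$(date +%s)" "$$"
}

# wait_for_line FILE PATTERN TIMEOUT_SECONDS -> 0 once a line contains PATTERN, 1 on timeout
# Polls once a second; PATTERN is matched as a fixed string, not a regex.
wait_for_line() {
    local file="$1" pattern="$2" timeout="${3:-10}" waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if [ -r "$file" ] && grep -qF -- "$pattern" "$file"; then
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 1
}

# send_test_event MARKER [LOGFILE]
# Writes MARKER via logger (tag splunk-test, priority user.notice) and waits for it
# to land in LOGFILE. Exit 2: logger itself failed; exit 1: the file never got the
# line (syslog daemon or its rules), so the problem is upstream of the forwarder.
send_test_event() {
    local marker="$1" logfile="${2:-/var/log/syslog}"
    logger -t splunk-test -p user.notice "$marker" || return 2
    wait_for_line "$logfile" "$marker" 10
}

# Usage: ./splunk_e2e.sh --run   (then search Splunk for the printed marker)
if [ "${1:-}" = "--run" ]; then
    marker=$(make_marker)
    if send_test_event "$marker"; then
        echo "event written locally; in Splunk run: index=Linux_host \"$marker\""
    else
        echo "marker $marker never reached the log file; check the syslog daemon first" >&2
        exit 1
    fi
fi
```

If the marker shows up in the file but `index=Linux_host "<marker>"` returns nothing after a minute, the forwarder side is at fault: check `splunk list forward-server` on the forwarder and the receiving status on port 9997 that was enabled earlier.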

Summary:

Installing Splunk on either Windows or Linux is a straightforward process, and once it’s up and running, you’ll have a powerful tool at your disposal for data analysis and monitoring. By following the steps outlined in this guide, you can easily set up Splunk and start exploring its features. Whether you’re an IT administrator or a data analyst, Splunk provides the tools you need to turn data into actionable insights.

Hey! If you enjoyed this blog, hop over to my other blogs too! There’s a whole world of fascinating content waiting for you to explore. Let’s dive in and soak up knowledge together!

Also Read: Navigating Splunk’s User Interface and Key Features — Part 2 of the Series

Enjoy your journey with Splunk!
