howto://Install Splunk

by Ed Fisher on 2010-01-04

in Infrastructure

splunk

I know, I know, there have been three Splunk posts already, and I am only just now getting around to posting how to install it. Explanation required. First, I installed it before it dawned on me to blog about it. Second, I figured that installing Splunk was easy enough that a post was unnecessary. But I just had to reinstall, and I now know a little more about a couple of decision points than I did before, so it seemed like a good time to create this post.

The first thing we should do is figure out what we want to install, and what we wish to install it on. Splunk runs on Windows or on Linux, in 32-bit and 64-bit versions. You can install the free Enterprise trial, so you can see for sixty days everything that Splunk can do, and then ‘downgrade’ to the free version or buy an Enterprise license. Click on the chart below to see the live version on Splunk’s site.

[image: Splunk version chart]

One of the things I really want to be able to do is monitor remote Windows systems using WMI, so Windows is the only option for an operating system (there is no WMI support for Splunk on Linux…yet). In this example we’re going to use an existing 32-bit Windows Server 2003 (virtual) box that is already set up; otherwise I would always go with Windows Server 2008 R2.

  1. Set up your server as you normally would, including all patches and updates, antivirus, and any additional software you normally install.
  2. Make sure IIS is installed. You only need the basic web server; it will do nothing but redirect to Splunk.
  3. Create a domain account called splunkservice and make it a member of the local Administrators group on your server. That makes it a privileged account, so give it a long, unique password and use it for nothing but Splunk.
  4. If Windows Firewall is enabled, configure exceptions for TCP 80 (the IIS redirect), TCP 8000 (Splunk Web) and UDP 514*.
  5. Add a DNS CNAME for splunk and have it resolve to the FQDN of your Splunk server.
  6. Now, download the Splunk installer from www.splunk.com, selecting the right version for you.
  7. Run the installer, taking the defaults until you get to the point where you choose to “Install Splunk as:”
  8. Click “Other user” and then Next.
  9. In the next dialog window, enter the domain, user name and password of the splunkservice account you created in step 3.
  10. A couple more defaults and Splunk is installed. The last step offers to create Start Menu shortcuts and launch the browser. Leave both checked and click Finish. Splunk will launch in your default browser.
  11. The default credentials for logging on to Splunk are “admin/changeme.” Use them to log in; that will bring you to the Splunk Launcher page. Every Splunk install ships with that same password, so change it before you do anything else (in Manager, under Access controls > Users).
  12. Click on Manager in the upper right hand corner.
  13. Click on System settings.
  14. Set Splunk to use SSL. Don’t change any other settings, including the port.
  15. Click Save, then click Back to Launcher.
  16. Up at the top you should now see a prompt to restart Splunk for changes to take effect. Click it.
  17. Restart Splunk by clicking the big green button.
  18. This will take a little time. Go get coffee. Mmmm…coffee.
  19. It is by caffeine alone I set my mind in motion.
    It is by the extract of Coffea canephora that the thoughts acquire speed, the hands acquire shaking, the shaking is a warning.
    It is by caffeine alone I set my mind in motion.

  20. I bet that when you get back, you will still see the restart page on screen. The old page was loaded over plain http, and Splunk now only answers https on that port, so it never refreshes.
  21. It’s cool, just close your browser.
  22. Click the Splunk shortcut from your Start Menu, and notice that your browser is now prompting you with a certificate warning. That is because we are now using SSL with a self-signed certificate created by Splunk. Yay.
  23. Click through whatever your browser requires to get past the warning, so you see the login page. Copy the URL in the address bar, then log in to confirm everything is working. Okay, that was nice; now close your browser.
  24. Remember I had you install IIS? Splunk Web listens on a single port, using either http or https but not both, so we are going to use IIS on port 80 to redirect the short name to the https URL. Launch IIS Manager from the Administrative Tools console.
  25. Browse down to the Default Web Site, right-click to access Properties, and go to the Home Directory tab.
  26. Configure the Home Directory to be “A redirection to a URL” and paste the URL you copied in step 23.
  27. Hit OK, and then get out of IIS Manager.
  28. Open the browser on your workstation and enter http://splunk. Assuming your DNS alias has propagated and your search suffixes are set up correctly, you should be prompted to accept the certificate of your Splunk server. Once again, click through that and log in. Only the short name is plain http; the redirect sends the browser straight to the https URL, so the login itself happens over SSL.
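The preparation and install steps above (3 through 27), as one PowerShell script. This is an added example and not something from the original post or from Splunk: it assumes a domain called EXAMPLE with DNS zone example.local, a DNS server dc01.example.local, a Splunk host splunk01.example.local, an installer already downloaded to C:\Temp\splunk.msi, and the default install path. The MSI properties (AGREETOLICENSE, LAUNCHSPLUNK, LOGON_USERNAME, LOGON_PASSWORD) are Splunk's documented silent-install options; netsh, dnscmd, appcmd.exe and adsutil.vbs are the standard Windows tools for Server 2008 R2 and Server 2003 respectively. Run it elevated on the Splunk server, as a user allowed to edit the DNS zone.

```powershell
# Added example (not from the original post): steps 3-27 scripted.
# Every name below is an assumption; change it for your environment.
$Domain     = 'EXAMPLE'
$Zone       = 'example.local'
$DnsServer  = 'dc01.example.local'
$SplunkFqdn = 'splunk01.example.local'
$Installer  = 'C:\Temp\splunk.msi'
$SplunkHome = 'C:\Program Files\Splunk'
$SvcAccount = 'splunkservice'
$WebUrl     = "https://$SplunkFqdn`:8000/"

# Prompt for both secrets rather than embedding them in the script.
$SvcCred      = Get-Credential "$Domain\$SvcAccount"
$NewAdminPass = (Get-Credential 'admin').GetNetworkCredential().Password

# Step 3: the domain account itself is created on a DC; here it becomes a local
# admin. Splunk's Windows inputs (WMI, event logs) need that on this host, so treat
# the account as privileged: long unique password, used for nothing but Splunk.
net localgroup Administrators "$Domain\$SvcAccount" /add

# Step 4: firewall exceptions (Server 2008 R2 syntax). On Server 2003 the
# equivalent is:  netsh firewall add portopening protocol=TCP port=8000 name="Splunk Web"
netsh advfirewall firewall add rule name="HTTP redirect to Splunk" dir=in action=allow protocol=TCP localport=80
netsh advfirewall firewall add rule name="Splunk Web (HTTPS)"       dir=in action=allow protocol=TCP localport=8000
netsh advfirewall firewall add rule name="Syslog"                   dir=in action=allow protocol=UDP localport=514

# Step 5: CNAME splunk -> server FQDN. The trailing dot stops dnscmd appending the zone.
dnscmd $DnsServer /RecordAdd $Zone splunk CNAME "$SplunkFqdn."

# Steps 7-10: silent install, service running as the domain account.
# The password is passed on the command line, so run this from a console you
# control and clear the history afterwards.
$msiArgs = @(
    '/i', "`"$Installer`"", '/quiet', '/L*v', 'C:\Temp\splunk-install.log',
    'AGREETOLICENSE=Yes', 'LAUNCHSPLUNK=0',
    "LOGON_USERNAME=`"$Domain\$SvcAccount`"",
    "LOGON_PASSWORD=`"$($SvcCred.GetNetworkCredential().Password)`""
)
Start-Process msiexec.exe -ArgumentList $msiArgs -Wait -NoNewWindow

# Step 11: start Splunk and replace the well-known default password before anything else.
$splunk = Join-Path $SplunkHome 'bin\splunk.exe'
& $splunk start --accept-license
& $splunk edit user admin -password $NewAdminPass -auth 'admin:changeme'

# Steps 13-17: same effect as Manager > System settings > enable SSL, port unchanged.
$webConf = Join-Path $SplunkHome 'etc\system\local\web.conf'
Add-Content -Path $webConf -Value @('[settings]', 'enableSplunkWebSSL = true')
& $splunk restart

# Steps 24-27: IIS on :80 redirects http://splunk to the HTTPS Splunk Web URL.
$appcmd = "$env:windir\system32\inetsrv\appcmd.exe"
if (Test-Path $appcmd) {
    # IIS 7 (Server 2008 R2)
    & $appcmd set config 'Default Web Site' /section:system.webServer/httpRedirect /enabled:true /destination:$WebUrl
} else {
    # IIS 6 (Server 2003): metabase HttpRedirect on the Default Web Site root
    cscript //nologo "$env:SystemDrive\Inetpub\AdminScripts\adsutil.vbs" SET W3SVC/1/ROOT/HttpRedirect $WebUrl
}
```

The redirect target is the server's FQDN, not the CNAME, because that is the name the certificate will be issued for once you move to an internal CA; a redirect to https://splunk:8000/ would keep producing name-mismatch warnings even after that.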

Yay. We now have Splunk installed, and ready to configure. Your next steps should be to

  1. See this post http://retrohack.com/getting-started-with-splunkusing-enterprise-certificates/ so that you can start using your own internal CA certificates and eliminate those pesky warnings. You will still see some warnings about insecure content, but that is okay.
  2. Then see this post http://retrohack.com/getting-started-with-splunkusing-active-directory-authentication/ so you can start using your AD accounts for logging on to Splunk.
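Before moving on to enterprise certificates, it is worth confirming from a workstation that the front door behaves as the steps intend: port 80 answers only with a redirect to the https URL on 8000, and 8000 negotiates SSL and presents a certificate (self-signed until you replace it). The function below is an added example, not from the original post; it uses only .NET classes available with PowerShell 2.0, assumes the alias splunk and port 8000, and accepts any certificate deliberately so the certificate can be inspected rather than trusted.

```powershell
# Added example (not from the original post): check the IIS redirect and the
# Splunk Web certificate from a workstation. Alias and port are assumptions.
function Test-SplunkFrontDoor {
    param(
        [string]$Alias   = 'splunk',
        [int]   $WebPort = 8000
    )
    $result = New-Object PSObject -Property @{
        RedirectStatus = $null; RedirectTarget = $null; RedirectOk = $false
        CertSubject = $null; CertIssuer = $null; SelfSigned = $null
        CertName = $null; NameMatches = $false; Expires = $null
    }

    # 1. http://splunk/ should answer with a 3xx pointing at https://<host>:8000/ and nothing else.
    $req = [Net.HttpWebRequest]::Create("http://$Alias/")
    $req.AllowAutoRedirect = $false      # we want to see the redirect, not follow it
    $req.Timeout = 5000
    $resp = $null
    try {
        $resp = $req.GetResponse()
    } catch [Net.WebException] {
        $resp = $_.Exception.Response    # a 4xx/5xx still carries a response object
    }
    if ($resp) {
        $result.RedirectStatus = [int]$resp.StatusCode
        $result.RedirectTarget = $resp.Headers['Location']
        $resp.Close()
    }
    $result.RedirectOk = ($result.RedirectStatus -ge 300 -and $result.RedirectStatus -lt 400 -and
                          $result.RedirectTarget -match "^https://[^/]+:$WebPort/")

    # 2. Port 8000 must negotiate SSL. The callback returns $true only so the handshake
    #    completes and the certificate can be read; never reuse it where the certificate
    #    is actually relied upon.
    $tcp = New-Object Net.Sockets.TcpClient($Alias, $WebPort)
    $acceptAll = [Net.Security.RemoteCertificateValidationCallback]{ $true }
    $tls = New-Object Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $tls.AuthenticateAsClient($Alias)
        $cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
        $result.CertSubject = $cert.Subject
        $result.CertIssuer  = $cert.Issuer
        $result.SelfSigned  = ($cert.Subject -eq $cert.Issuer)   # a self-signed cert names itself as issuer
        $result.Expires     = $cert.NotAfter
        $result.CertName    = $cert.GetNameInfo(
            [Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        # Browsers compare the certificate name with the host in the address bar, which
        # after the redirect is the host part of the Location header.
        $targetHost = $result.RedirectTarget -replace '^https://([^/:]+).*$', '$1'
        $result.NameMatches = ($result.CertName -eq $targetHost)
    } finally {
        $tls.Close()
        $tcp.Close()
    }
    return $result
}

Test-SplunkFrontDoor | Format-List
```

RedirectOk false usually means the IIS Home Directory setting did not take, or port 80 is still blocked; SelfSigned true with NameMatches false is the expected state at this point, and the next post (enterprise certificates) is what turns both into the values a browser accepts without a warning.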

* Ah, why UDP 514? Because that is what syslog uses, and we’ll be covering that in an upcoming post!

Is there something else about Splunk you’d like to see covered here? Was this post helpful? Leave a comment and let us know what you think!

You might also enjoy:

  1. howto://Configure Splunk to use AD groups
  2. howto://Install and Configure Snare Agent for Windows
  3. howto://Configure Splunk to accept syslog feeds
  4. Upgrading Splunk? Save your certs!


Install Software 2010-02-22 at 02:08

Thank you for the help.
Will this work in Windows 7?


Ed Fisher 2010-02-24 at 09:20

Yes it will, but since Windows 7 is a workstation platform, and you want Splunk monitoring 24×7, you really should install on a server platform.

