How to Install Splunk Log Analyzer on Ubuntu 18.04 LTS
Splunk is a powerful log database that can be used for searching, monitoring, and analyzing machine-generated big data through a web interface. It is a very useful tool for analyzing, exploring and searching data. Using Splunk you can index, search, collect and visualize massive data streams in real time from applications, web servers, databases, server platforms, cloud networks and many more sources.
Splunk is made up of three main components:
- Splunk Forwarder: collects the logs.
- Splunk Indexer: parses and indexes the data.
- Splunk Search Head: provides the web interface for searching, analyzing and reporting.
In this tutorial, we will learn how to install Splunk on an Ubuntu 18.04 LTS (Bionic Beaver) server.
Requirements
- A server running Ubuntu 18.04.
- A non-root user with sudo privileges.
Install Splunk
Splunk supports a wide range of operating systems, including Windows, Linux, FreeBSD, OSX, Solaris, AIX and many more. You can download the latest version of Splunk from the official website, or download the 7.1.1 Debian package used in this tutorial with the following command:
wget https://download.splunk.com/products/splunk/releases/7.1.1/linux/splunk-7.1.1-8f0ead9ec3db-linux-2.6-amd64.deb
Once the download is completed, install the downloaded file using the following command:
sudo dpkg -i splunk-7.1.1-8f0ead9ec3db-linux-2.6-amd64.deb
Once the installation has completed successfully, you should see output like the following:
(Reading database ... 218552 files and directories currently installed.)
Preparing to unpack splunk-7.1.1-8f0ead9ec3db-linux-2.6-amd64.deb ...
Unpacking splunk (7.1.1) over (7.1.1) ...
Setting up splunk (7.1.1) ...
complete
Next, you will need to enable the Splunk service to start at boot time. You can do this by running the following command:
sudo /opt/splunk/bin/splunk enable boot-start
Here, you will need to agree to the License Agreement and provide an admin password, as shown below:
Splunk Software License Agreement 04.24.2018

Do you agree with this license? [y/n]: y

This appears to be your first time running this version of Splunk.
An Admin password must be set before installation proceeds.
Password must contain at least:
   * 8 total printable ASCII character(s).
Please enter a new password:
Please confirm new password:
Copying '/opt/splunk/etc/openldap/ldap.conf.default' to '/opt/splunk/etc/openldap/ldap.conf'.
Generating RSA private key, 2048 bit long modulus
..................+++
..............................................................................+++
e is 65537 (0x10001)
writing RSA key
Generating RSA private key, 2048 bit long modulus
.............+++
...................................+++
e is 65537 (0x10001)
writing RSA key
Moving '/opt/splunk/share/splunk/search_mrsparkle/modules.new' to '/opt/splunk/share/splunk/search_mrsparkle/modules'.
Adding system startup for /etc/init.d/splunk ...
   /etc/rc0.d/K20splunk -> ../init.d/splunk
   /etc/rc1.d/K20splunk -> ../init.d/splunk
   /etc/rc6.d/K20splunk -> ../init.d/splunk
   /etc/rc2.d/S20splunk -> ../init.d/splunk
   /etc/rc3.d/S20splunk -> ../init.d/splunk
   /etc/rc4.d/S20splunk -> ../init.d/splunk
   /etc/rc5.d/S20splunk -> ../init.d/splunk
Init script installed at /etc/init.d/splunk.
Init script is configured to run at boot.
Next, start the Splunk service using the following command:
sudo service splunk start
You should see the following output:
Starting splunk server daemon (splunkd)...
Generating a 2048 bit RSA private key
............+++
............................................................................................................................................+++
writing new private key to 'privKeySecure.pem'
-----
Signature ok
subject=/CN=Node3/O=SplunkUser
Getting CA Private Key
unable to write 'random state'
writing RSA key
Done
Waiting for web server at http://127.0.0.1:8000 to be available........ Done

If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com

The Splunk web interface is at http://Node3:8000
Access Splunk Web Interface
The Splunk server is now running and listening on port 8000. Open your web browser and go to http://your-server-ip:8000; you will be redirected to the following page:
Here, provide your admin login credentials and click the Sign In button. You should see the Splunk dashboard on the following screen:
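The steps above can be collected into one script that runs them in order and adds the checks an administrator would want before trusting the result: the downloaded package is compared against a published digest before dpkg installs it, an already-installed package is not reinstalled, the admin password is checked against the policy Splunk prints (at least 8 printable ASCII characters) before it is set, and the script waits for the web interface on port 8000 to answer. This is an added example, not part of the original tutorial or of Splunk's own tooling. The SHA-512 value is a placeholder to be taken from Splunk's download page, and the use of user-seed.conf to set the admin password non-interactively, together with the --accept-license, --answer-yes and --no-prompt flags, is assumed from Splunk's CLI rather than shown on this page.

```shell
#!/usr/bin/env bash
# Added example: scripted install of the Splunk 7.1.1 package on Ubuntu 18.04
# with a download-integrity check, a password policy check and a readiness wait.
set -eu

SPLUNK_VERSION="7.1.1"
SPLUNK_DEB="splunk-7.1.1-8f0ead9ec3db-linux-2.6-amd64.deb"
SPLUNK_URL="https://download.splunk.com/products/splunk/releases/${SPLUNK_VERSION}/linux/${SPLUNK_DEB}"
# Placeholder: the tutorial gives no digest; copy the SHA-512 from Splunk's download page.
SPLUNK_SHA512="REPLACE_WITH_SHA512_FROM_SPLUNK_DOWNLOAD_PAGE"
SPLUNK_HOME="/opt/splunk"

# Return 0 when the file's SHA-512 equals the expected digest (hex case is ignored).
verify_checksum() {
  file="$1"
  expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
  actual="$(sha512sum "$file" | awk '{print $1}')"
  [ "$actual" = "$expected" ]
}

# Return 0 when dpkg already lists the splunk package as installed
# (the tutorial's own output shows "Unpacking splunk (7.1.1) over (7.1.1)").
splunk_installed() {
  dpkg-query -W -f='${Status}' splunk 2>/dev/null | grep -q 'install ok installed'
}

# Check a candidate admin password against the policy Splunk prints at first run:
# at least 8 characters, all printable ASCII. Byte counting in the C locale makes
# any non-ASCII or control character fail the check.
password_ok() {
  pw="$1"
  bytes="$(printf '%s' "$pw" | wc -c)"
  nonprint="$(printf '%s' "$pw" | LC_ALL=C tr -d '[:print:]' | wc -c)"
  [ "$bytes" -ge 8 ] && [ "$nonprint" -eq 0 ]
}

# Download and install the package only after the digest matches.
install_splunk() {
  if splunk_installed; then
    echo "splunk is already installed; skipping package install"
    return 0
  fi
  wget -q "$SPLUNK_URL" -O "$SPLUNK_DEB"
  if ! verify_checksum "$SPLUNK_DEB" "$SPLUNK_SHA512"; then
    echo "checksum mismatch for $SPLUNK_DEB; refusing to install" >&2
    return 1
  fi
  sudo dpkg -i "$SPLUNK_DEB"
}

# Seed the admin password, accept the license without a prompt, enable boot-start
# and start the daemon. user-seed.conf and the CLI flags are assumed from Splunk's
# documentation; the tutorial itself answers the prompts interactively.
configure_and_start() {
  admin_pw="$1"
  if ! password_ok "$admin_pw"; then
    echo "admin password does not meet the 8-printable-ASCII-character policy" >&2
    return 1
  fi
  sudo mkdir -p "$SPLUNK_HOME/etc/system/local"
  sudo tee "$SPLUNK_HOME/etc/system/local/user-seed.conf" >/dev/null <<EOF
[user_info]
USERNAME = admin
PASSWORD = $admin_pw
EOF
  sudo chmod 600 "$SPLUNK_HOME/etc/system/local/user-seed.conf"
  sudo "$SPLUNK_HOME/bin/splunk" enable boot-start --accept-license --answer-yes --no-prompt
  sudo service splunk start
}

# Poll the web interface the startup output announces until it answers, or give up.
wait_for_web() {
  url="${1:-http://127.0.0.1:8000}"
  tries="${2:-30}"
  i=0
  while [ "$i" -lt "$tries" ]; do
    if curl -fsS -o /dev/null "$url"; then
      echo "Splunk web interface is up at $url"
      return 0
    fi
    i=$((i + 1))
    sleep 2
  done
  echo "Splunk web interface did not answer at $url" >&2
  return 1
}

main() {
  if [ "$#" -ne 1 ]; then
    echo "usage: $0 <admin-password>" >&2
    exit 2
  fi
  install_splunk
  configure_and_start "$1"
  wait_for_web
}

# Run the full procedure only when an admin password is given on the command line,
# so the helper functions can also be sourced and used on their own.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Run it as bash install-splunk.sh 'your-admin-password' after replacing the digest placeholder. If a dedicated unprivileged account is created for Splunk, the -user option of enable boot-start (an assumption not covered by this tutorial, which runs the service as root) lets the daemon start under that account instead.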