Over time my homelab has grown to over 40 virtual machines spread over three subnets. All the boxes are active and I want more insight into what is going on, so I’m adding a Splunk server. Over the next three blog posts, I’ll walk you through setting up and searching Splunk. This first post is going to cover registering for, downloading, and installing the Splunk software. The next post will cover installing the forwarders giving Splunk something to index. Lastly, the third post will cover adding apps and querying data.
Before we begin, lets quickly look at the parts of Splunk. The layer closest to us is the search head. This is the front end that we interact with via search and the Splunk web UI. The indexer is the heart of Splunk. The indexer receives data, compresses it, and then indexes it. The last part is the forwarder. This is a Splunk instance on an end point that generates machine data. The forwarder forwards the data to the indexer. Typically you would separate the roles, but because of the small amount of data and for simplicity sake, I’m putting search head and indexer on one box.
First go to splunk.com and register an account. Its free, but be aware they may ask to validate your email, in case you like to use throw away ones. Once logged in, click the big green free Splunk button. I chose the Splunk enterprise server free download.
I’m using Ubuntu 16.04 for my Splunk server, so I will chose Linux. At this point, you can download the .deb file, but as the second screen shot shows, you can also use wget to download the bits right to your box. That is what I will be doing. You’ll also notice that I pointed out the data limitation. This is not an issue for me since I’m just curious about my traffic and don’t actually need more than that. But if you want more and are willing to follow up, Google “Splunk Developer License.”
After running wget from the screen shot above run the following:
#Install splunk enterprise server dpkg -i splunk-6.6.2-4b804538c686-linux-2.6-amd64.deb #If you receive any errors looking for dependencies run this sudo apt-get install -f #Now start the splunk server sudo /opt/splunk/bin/splunk --accept-license #Finally set splunk to start on boot sudo /opt/splunk/bin/splunk enable boot-start
Now navigate to http://splunkserver:8000. Success!!!
In the next post, I will be installing a universal forwarder which will provide some data that I will later query in part three of this series.