First thing’s first: What is Splunk and why do I want or need it? The short is answer is Splunk is a data analytics tool that indexes system logs across different machines and appliances so that they’re searchable. Data analysis, event monitoring, compliance, and overall management oversight can be gleaned from this tool.
Splunk takes data that is spread out far and wide in your organization’s IT infrastructure and puts it all in one place. It allows you to search through the data, create alerts to notify personnel when certain conditions are made, and generate reports that are not only easy on the eyes but specific to what you want to display conveniently from a web interface. Easy right?
Before going any further, ensure your system meets the minimum hardware/software requirements prior to installation. To view those requirements, please check the Splunk documentation.
Also, make sure that you have a system that already has its basic configuration and hardening completed. For example, static ip address, updates/patches, time, sudo privileges etc.
Lastly, make sure the package you download is appropriate for the system you are using. Do not attempt to install the 64 Bit version of Splunk on a 32 Bit version of Ubuntu Server.
Installing Splunk on an Ubuntu Server(14.04 +)
For this demonstration, we will install Splunk using an installer package downloaded from the internet. As there is not a desktop environment present in our Ubuntu server instance, we will utilize the CLI to accomplish this goal.
To prepare for downloading the installer, switch to your home directory:
cd /home/[user] or cd ~
Downloading our package to this location does not require the use of elevated privileges and makes it easier to clean up the installation once it is completed.
In case the picture is a bit fuzzy, here is a copy/paste of the command used. Please note the single quotes or apostrophes that are present in the command. They are absolutely necessary in order for this installation to be a success. Also note that the version used for this demonstration is current at the time of this writing.
wget -O splunk-6.2.1-245427-Linux-x86_64.tgz ‘http://www.splunk.com/page/download_track?file=6.2.1/splunk/linux/splunk-6.2.1-245427-Linux-x86_64.tgz&ac=&wget=true&name=wget&platform=Linux&architecture=x86_64&version=6.2.1&product=splunk&typed=release’
As an aside, wget is a pretty handy utility used to fetch files or download entire websites from the internet. The “-O” argument outputs the content of the URL path to a single “file” where that content will be written. For more information about the wget utility, view the Wget manual at gnu.org.
Once the download is complete:
Expand the archive file and move its contents to the /opt directory
sudo tar -xvzf splunk-6.2.1-245427-Linux-x86_64.tgz -C /opt
***wait for the terminal window to stop scrolling.
Why extract the archive to the /opt directory?
The answer is a simple one: /opt is where programs that are not installed by default with the operating system are stored. We downloaded to our home directory first since that is where we have write access.
Change directories to /opt and list its contents:
You should see the directory splunk that was extracted from our archive file.
From the /opt directory, change directories to splunk/bin
Start the Splunk service and accept the terms and conditions.
sudo ./splunk start
You will then be prompted to accept the EULA
press y to accept the End User License Agreement.
This gives you the socket to access your Splunk web interface.
You can access this using the hostname or IP address of your Splunk instance and the default port of 8000. In this case it will be http://SecureIdeas:8000
Once the portal loads, you can login to it by using the default username of admin and password of changeme
And then you will be presented with the dashboard as seen below:
In future posts, I will go over how to add data to your Splunk web interface as well as configure alerts and rule sets that will allow the admin to have the most visibility in his/her environment all while allowing Splunk to do all of the heavy lifting.
Marc Holloway is a Security Consultant with Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at firstname.lastname@example.org, on Twitter @hackwhosnacks, or visit the Secure Ideas – ProfessionallyEvil site for services provided.