Now we need to start Splunk and ensure it also starts on reboot.
[root@splunk ~]# /opt/splunk/bin/splunk start
(here you will be prompted to accept the Splunk license agreement)
.....
The Splunk web interface is at http://splunk.example.com:8000
[root@splunk ~]# /opt/splunk/bin/splunk enable boot-start
Init script installed at /etc/init.d/splunk.
Init script is configured to run at boot.
[root@splunk ~]#
You can verify that Splunk will start on boot using chkconfig.
Please note: due to the rather unusual way that Splunk produces its package, it does not conform with the standard practice of Red Hat Enterprise Linux. This is why we cannot use the usual “chkconfig splunk on” command in the first place.
[root@splunk ~]# chkconfig --list splunk
splunk          0:off   1:off   2:on    3:on    4:on    5:on    6:off
[root@splunk ~]#
Lastly, open port 8000/TCP in iptables if you have it enabled.
[root@splunk ~]# iptables -I INPUT -p tcp --dport 8000 -j ACCEPT
[root@splunk ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@splunk ~]#
Configuring Splunk
Fire up a web browser and browse to your Splunk installation. I have opened http://splunk.example.com:8000.
The first thing you will be prompted with is the Splunk Login page. As this is our first time here, log in with the username “admin” and the password “changeme”.
See screen shot
Next up, we need to set a new password to something a little more secure than “changeme”.
Please ensure you choose something you will remember.
Please also be aware that Splunk currently does NOT configure an SSL certificate for the Splunk web interface by default, so your password will be transmitted in clear text.
For this reason, please don’t use the same password you have for something else. E.g., if you are running Active Directory, don’t use your Domain Admin password just because it’s easy to remember.
I will discuss the SSL issue with Splunk directly.
See screen shot
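As an added example (not part of the original post, and not Splunk's own tooling), here is a POSIX shell script that checks the state the install steps above leave behind and the SSL point just made: Splunk enabled at runlevels 3 and 5, the 8000/tcp accept rule, and whether Splunk Web has HTTPS turned on. It assumes the RHEL paths shown above and that the HTTPS switch for Splunk Web is enableSplunkWebSSL in the [settings] stanza of /opt/splunk/etc/system/local/web.conf.

```shell
#!/bin/sh
# Post-install checks for the steps above. Each parser takes command output or
# file contents as a string so it can be exercised on the constructed samples
# below as well as on the live host.

# Succeed only if the chkconfig --list line shows the service "on" at every
# runlevel given as the remaining arguments (e.g. 3 and 5). Tabs are folded
# to spaces because chkconfig separates its columns with tabs.
chkconfig_enabled_at() {
  line=$(printf '%s' "$1" | tr '\t' ' '); shift
  for lvl in "$@"; do
    case " $line " in
      *" $lvl:on "*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Succeed if the iptables -S INPUT output contains an ACCEPT rule for TCP port $2.
iptables_allows_port() {
  printf '%s\n' "$1" | grep -Eq "^-A INPUT .*-p tcp .*--dport $2 .*-j ACCEPT\$"
}

# Succeed if the web.conf text enables HTTPS for Splunk Web: the setting
# enableSplunkWebSSL = true inside the [settings] stanza (assumed setting name).
web_ssl_enabled() {
  printf '%s\n' "$1" | sed -n '/^\[settings\]/,/^\[/p' \
    | grep -Eiq '^[[:space:]]*enableSplunkWebSSL[[:space:]]*=[[:space:]]*(true|1)[[:space:]]*$'
}

# Constructed samples mirroring the output shown above plus a hardened web.conf.
SAMPLE_CHKCONFIG='splunk 0:off 1:off 2:on 3:on 4:on 5:on 6:off'
SAMPLE_IPTABLES='-A INPUT -p tcp -m tcp --dport 8000 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'
SAMPLE_WEBCONF='[settings]
enableSplunkWebSSL = true'

# Run all three against the live host (assumes the RHEL tools and paths above).
check_splunk_host() {
  chkconfig_enabled_at "$(chkconfig --list splunk)" 3 5 || { echo "boot-start missing"; return 1; }
  iptables_allows_port "$(iptables -S INPUT)" 8000 || { echo "8000/tcp not open"; return 1; }
  web_ssl_enabled "$(cat /opt/splunk/etc/system/local/web.conf 2>/dev/null)" \
    || { echo "Splunk Web SSL not enabled"; return 1; }
  echo "all checks passed"
}
```

Source the file and call check_splunk_host as root on the Splunk box; a non-zero exit names the first step that is still missing.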
The next step is to configure a data source. Splunk with no data is as good as useless.
Click Add Data
See screen shot
Now, as we are installing Splunk on an existing syslog server, we already have a huge amount of information in our /var/log folder.
Here we are going to select “Consume any syslog files or directories on this Splunk Server”.
See screen shot