Enhancing your logging capabilities with Splunk

Now we need to start Splunk and ensure it also starts on reboot.

[root@splunk ~]# /opt/splunk/bin/splunk start
(here you will be prompted to accept the Splunk license agreement)
The Splunk web interface is at http://splunk.example.com:8000

[root@splunk ~]# /opt/splunk/bin/splunk enable boot-start
Init script installed at /etc/init.d/splunk.
Init script is configured to run at boot.
[root@splunk ~]#

You can verify that Splunk will start on boot using chkconfig.
Please note: because of the rather unusual way that Splunk produces its package, it does not conform to the standard practice of Red Hat Enterprise Linux. This is why we cannot use the usual “chkconfig splunk on” command in the first place.

[root@splunk ~]# chkconfig --list splunk
splunk             0:off    1:off    2:on    3:on    4:on    5:on    6:off
[root@splunk ~]#

Lastly, open port 8000/TCP in iptables if you have it enabled.

[root@splunk ~]# iptables -I INPUT -p tcp --dport 8000 -j ACCEPT
[root@splunk ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@splunk ~]#


Configuring Splunk

Fire up a web browser and browse to your Splunk installation. I have opened http://splunk.example.com:8000.

The first thing you will be prompted with is the Splunk Login page. As this is our first time here, log in with the username “admin” and the password “changeme”.

See screen shot


Next up, we need to set a new password to something a little more secure than “changeme”.
Please ensure you choose something you will remember.
Please also be aware that Splunk currently does NOT configure an SSL certificate by default, so your password will be transmitted in clear text.

For this reason, please don’t use the same password you have for something else. For example, if you are running Active Directory, don’t use your Domain Admin password just because it’s easy to remember.

I will discuss the SSL issue with Splunk directly.

See screen shot
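
The two exposures created so far (port 8000 accepted from any source, and a login form served without SSL) can be checked from the shell. The script below is an added example, not part of the original post or of Splunk: the function names and sample data are constructed for illustration, and it assumes Splunk Web's HTTPS switch is the enableSplunkWebSSL setting in the [settings] stanza of web.conf.

```shell
#!/bin/bash
# Added example, not from the original post. Both checks read their input on stdin.
# Succeeds only if the [settings] stanza sets enableSplunkWebSSL to true or 1.
web_ssl_enabled() {
    awk '
        /^[ \t]*\[/ { in_settings = ($0 ~ /^[ \t]*\[settings\]/); next }
        in_settings && /^[ \t]*enableSplunkWebSSL[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, "")
            val = tolower($0)
        }
        END { exit !(val == "true" || val == "1") }'
}

# Prints INPUT rules (iptables-save format) that ACCEPT tcp port $1 with no
# -s/--source match. Simplification: ignores -i, multiport and user-defined chains.
open_to_any_source() {
    awk -v port="$1" '
        $1 == "-A" && $2 == "INPUT" {
            dport = src = accept = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "--dport" && $(i + 1) == port) dport = 1
                if ($i == "-s" || $i == "--source") src = 1
                if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
            }
            if (dport && accept && !src) print
        }'
}

# Constructed sample input: the rule as this post saves it, and a web.conf without SSL.
SAMPLE_RULES='*filter
-A INPUT -p tcp -m tcp --dport 8000 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'
SAMPLE_WEBCONF='[settings]
httpport = 8000'

# audit RULES_TEXT WEBCONF_TEXT: prints findings, returns how many there were.
audit() {
    findings=0
    if [ -n "$(printf '%s\n' "$1" | open_to_any_source 8000)" ]; then
        echo "FINDING: 8000/tcp is accepted from any source"; findings=$((findings + 1))
    fi
    if ! printf '%s\n' "$2" | web_ssl_enabled; then
        echo "FINDING: Splunk Web SSL is not enabled, logins are sent in clear text"; findings=$((findings + 1))
    fi
    return "$findings"
}
audit "$SAMPLE_RULES" "$SAMPLE_WEBCONF" || true
```

On the server itself, feed the functions the real files, for example `open_to_any_source 8000 < /etc/sysconfig/iptables` and `web_ssl_enabled < /opt/splunk/etc/system/local/web.conf` (the web.conf path assumes the /opt/splunk install used here).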


The next step is to configure a data source. Splunk with no data is as good as useless.

Click Add Data

See screen shot


Now, as we are installing Splunk on an existing syslog server, we already have a huge amount of information in our /var/log folder.
Here we are going to select “Consume any syslog files or directories on this Splunk Server”.

See screen shot
