How can I install Splunk universal forwarder on Linux?
Linux install: run these steps as root unless a step says otherwise.
Download installation files from: https://uofi.box.com/v/splunk
Adapted from:
https://docs.splunk.com/Documentation/Forwarder/8.0.2/Forwarder/Installanixuniversalforwarder
Create and configure the splunk user account
- adduser splunk
- usermod -aG wheel splunk <== adds splunk to the wheel group, which on most distributions grants sudo rights; the forwarder itself does not need them, so skip this step unless you intend to administer the host as splunk
- passwd splunk <== not necessary unless you wish to log in directly as splunk rather than escalate privileges from another account
Download and install the Splunk forwarder
- cd /opt/
- wget -O splunkforwarder-8.0.2.1-f002026bad55-Linux-x86_64.tgz 'https://www.splunk.com/page/download_track?file=8.0.2.1/linux/splunkforwarder-8.0.2.1-f002026bad55-Linux-x86_64.tgz&ac=&wget=true&name=wget&platform=Linux&architecture=x86_64&version=8.0.2.1&product=universalforwarder&typed=release'
- compare the downloaded archive against the checksum published on the Splunk download page before extracting it
- tar xvzf splunkforwarder-8.0.2.1-f002026bad55-Linux-x86_64.tgz -C /opt/
- chown -R splunk:splunk /opt/splunkforwarder
- setfacl -m "u:splunk:r-x" /var/log
- setfacl -m "u:splunk:r--" /var/log/*
- setfacl -m d:user:splunk:r /var/log
The first setfacl lets splunk enter /var/log; the second grants read on the files that exist at that moment (subdirectories under /var/log only get r-- from this glob, which does not allow traversal, so add r-x entries for any subdirectory the forwarder should read); the third is a default ACL so files created in /var/log later, for example by logrotate, are readable without re-running setfacl.
- su - splunk
- /opt/splunkforwarder/bin/splunk start --accept-license
Output:
This appears to be your first time running this version of Splunk.
Create credentials for the administrator account.
Characters do not appear on the screen when you type the password.
Password must contain at least:
* 8 total printable ASCII characters(s).
Please enter a new password: <== this is the forwarder's own admin credential, independent of the Linux splunk account password; record it, as local splunk CLI commands that require authentication will ask for it
After verifying the installation was successful, return to root (exit the su session) and enable boot start:
1. /opt/splunkforwarder/bin/splunk stop
2. /opt/splunkforwarder/bin/splunk enable boot-start -user splunk
Output:
Init script installed at /etc/init.d/splunk.
Init script is configured to run at boot.
Install the UIC Splunk deployment client app:
- Visit https://uofi.box.com/v/splunk
- Transfer the UIC_ALL_deploymentclient folder to /opt/splunkforwarder/etc/apps/
- chown -R splunk:splunk /opt/splunkforwarder <== the copied app, and any files created while root ran splunk, must be owned by splunk before the service starts as that user
- /opt/splunkforwarder/bin/splunk start <== run this as splunk (su - splunk first) or through the init script installed above (service splunk start), so the forwarder runs, and creates its files, as splunk rather than root
Verify the service is running as the splunk user:
- ps -ef | grep splunk <== the UID column of the splunkd lines must read splunk, not root
Configure firewall rules
Allow outbound 8089/tcp from the forwarder host to splunk-deployment.server.uic.edu (131.193.68.94) and indexer-sas.splunk.uic.edu (indexer.cc.uic.edu) (128.248.155.23). The forwarder initiates these connections, so the rules are for outbound traffic from this host.
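The following script checks the result of the whole procedure above (process owner, /var/log ACLs, deployment client app, wheel membership, and outbound reachability of the two hosts on 8089/tcp). It is an added example, not code from the original page or from Splunk; the hosts, IPs and port are the ones the page gives, while the function names, the --live flag and the SAMPLE_* inputs are this example's own (the samples are constructed, not captured from a real host).

```shell
#!/bin/bash
# Post-install checks for the Splunk universal forwarder procedure above.
# Added example, not code from the original page or from Splunk. Hosts, IPs
# and port come from the page; function names, the --live flag and the
# SAMPLE_* inputs are this example's own (samples are constructed).

SPLUNK_HOME=/opt/splunkforwarder
SPLUNK_USER=splunk
DEPLOY_SERVER=131.193.68.94   # splunk-deployment.server.uic.edu
INDEXER=128.248.155.23        # indexer-sas.splunk.uic.edu
SPLUNK_PORT=8089

# splunkd_owner_ok PS_TEXT USER: takes `ps -ef` output. Succeeds only if at
# least one splunkd process is listed and all of them run as USER. CMD starts
# at field 8, so the "grep splunk" line from the page's own check never matches.
splunkd_owner_ok() {
    printf '%s\n' "$1" | awk -v u="$2" '
        $1 != "UID" && $8 ~ /splunkd/ { total++; if ($1 != u) bad++ }
        END { if (total > 0 && bad == 0) exit 0; exit 1 }'
}

# acl_has_entry GETFACL_TEXT ENTRY: takes `getfacl` output and succeeds if
# ENTRY (e.g. user:splunk:r-x) is present; a trailing "#effective:" note is OK.
acl_has_entry() {
    printf '%s\n' "$1" | grep -qE "^$2([[:space:]]|$)"
}

# user_in_group GROUP_TEXT USER GROUP: takes /etc/group content. The page adds
# splunk to wheel; this reports that membership so you can drop it if unneeded.
user_in_group() {
    printf '%s\n' "$1" | awk -F: -v u="$2" -v g="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }'
}

# tcp_reachable HOST PORT: outbound connect test via bash /dev/tcp, 3 s timeout.
# This is exactly the path the firewall-rule step has to allow.
tcp_reachable() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Constructed sample inputs so the parsers can be exercised off-box.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 10:00 ?        00:00:01 /sbin/init
splunk    1234     1  0 10:05 ?        00:00:03 splunkd -p 8089 start
splunk    1240  1234  0 10:05 ?        00:00:00 [splunkd pid=1234] splunkd -p 8089 start [process-runner]
root      2000  1900  0 10:06 pts/0    00:00:00 grep splunk'
SAMPLE_PS_ROOT='UID        PID  PPID  C STIME TTY          TIME CMD
root      1234     1  0 10:05 ?        00:00:03 splunkd -p 8089 start'
SAMPLE_ACL='# file: /var/log
# owner: root
# group: root
user::rwx
user:splunk:r-x
group::r-x
mask::r-x
other::r-x
default:user::rwx
default:user:splunk:r--
default:group::r-x
default:mask::r-x
default:other::r-x'
SAMPLE_GROUP='root:x:0:
wheel:x:10:admin,splunk
splunk:x:1001:'

# run_live_checks: the same checks against this host; needs the forwarder installed.
run_live_checks() {
    rc=0
    acl=$(getfacl -p /var/log 2>/dev/null)
    splunkd_owner_ok "$(ps -ef)" "$SPLUNK_USER" \
        && echo "OK   splunkd runs as $SPLUNK_USER" \
        || { echo "FAIL splunkd not running, or not running as $SPLUNK_USER"; rc=1; }
    acl_has_entry "$acl" "user:$SPLUNK_USER:r-x" \
        && echo "OK   /var/log ACL grants $SPLUNK_USER r-x" \
        || { echo "FAIL /var/log ACL entry for $SPLUNK_USER missing"; rc=1; }
    acl_has_entry "$acl" "default:user:$SPLUNK_USER:r--" \
        && echo "OK   /var/log default ACL set (new log files readable)" \
        || { echo "FAIL /var/log default ACL missing"; rc=1; }
    [ -d "$SPLUNK_HOME/etc/apps/UIC_ALL_deploymentclient" ] \
        && echo "OK   deployment client app present" \
        || { echo "FAIL $SPLUNK_HOME/etc/apps/UIC_ALL_deploymentclient missing"; rc=1; }
    user_in_group "$(cat /etc/group)" "$SPLUNK_USER" wheel \
        && echo "NOTE $SPLUNK_USER is in wheel (sudo-capable); remove it if not needed"
    for h in "$DEPLOY_SERVER" "$INDEXER"; do
        tcp_reachable "$h" "$SPLUNK_PORT" \
            && echo "OK   $h:$SPLUNK_PORT reachable" \
            || { echo "FAIL $h:$SPLUNK_PORT not reachable (check firewall rules)"; rc=1; }
    done
    return "$rc"
}

# Only touch the live host when asked: ./check-forwarder.sh --live
if [ "${1:-}" = "--live" ]; then
    run_live_checks
fi
```

Run it with --live on the forwarder host after the firewall step; a FAIL on the process-owner line is the usual sign that splunk start was run as root after boot-start was enabled, which the chown step in the app install section corrects.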