Older, but still relevant instructions
The example below uses an Amazon Linux 2 AMI instance. Adjustments may need to be made depending on the Linux version and security posture (such as SELinux).
- It is recommended that you run Splunk as a non-root user. This user will require access to the files that will be monitored possibly requiring permission adjustments.
- It is imperative that once you set up Splunk you do not manipulate any Splunk configuration files (located in /opt/splunkforwarder) under any user other than the user that runs the Splunk agent.
- In the following examples we assume that you are running the commands as the account that will be running the agent and you have been given the appropriate permissions to run the binaries.
- Please consult your OS specific documentation and your System Administration team for how to create users and adjust permissions so that you can run the agent not as a root user.
- Download the agent from the current supported version located here - http://go.illinois.edu/splunk-uf-linux-current - into a temporary location.
  wget -O /tmp/universalforwarder-linux.tgz https://go.illinois.edu/splunk-uf-linux-current
  If you are testing different major release versions of Splunk or require different Linux flavors, visit the Splunk Versions and Locations page for the links.
- Extract the installation and discard the downloaded file.
  tar -xvf /tmp/universalforwarder-linux.tgz -C /opt
  rm /tmp/universalforwarder-linux.tgz
  NOTE - Splunk by default expects to be installed into /opt/splunkforwarder. You can adjust this location based on your system's configuration.
- If you had to use sudo in the previous steps it might make sense to chown the folder to the user that will be running the Splunk agent.
  sudo chown -R ec2-user: /opt/splunkforwarder
- Run the forwarder for the first time, replacing the password with a unique password for the Splunk agent.
- This password is unique to your endpoint installation. You should retain this password for future troubleshooting purposes and for some upgrade processes.
  /opt/splunkforwarder/bin/splunk start --accept-license --no-prompt --answer-yes --seed-passwd a_new_password_that_is_different_from_the_defaults
- An error at this point such as "ERROR: Couldn't read "/opt/splunkforwarder/etc/splunk-launch.conf" -- maybe $SPLUNK_HOME or $SPLUNK_ETC is set wrong?" may indicate that you do not have permission to run the agent binaries as the current user; consult your System Administration team or OS documentation on how to proceed.
- Download the default app, configure it for the deployment server, then restart the Splunk agent. MAKE SURE YOU RESTART IMMEDIATELY as the permissions are initially very permissive.
  wget -O /tmp/default-deployment-server.spl https://go.illinois.edu/default-deployment-server
  /opt/splunkforwarder/bin/splunk install app /tmp/default-deployment-server.spl -auth admin:a_new_password_that_is_different_from_the_defaults
  /opt/splunkforwarder/bin/splunk restart
  rm /tmp/default-deployment-server.spl
- If you are unsure what your password is, or you are planning to script this for automated deployment, you can also extract the SPL application using tar and put the folder directly into the apps directory located in $SPLUNK_HOME/etc/apps.
  /opt/splunkforwarder/bin/splunk stop
  wget -O /tmp/default-deployment-server.spl https://go.illinois.edu/default-deployment-server
  tar xvf /tmp/default-deployment-server.spl -C /opt/splunkforwarder/etc/apps
  /opt/splunkforwarder/bin/splunk start
  rm /tmp/default-deployment-server.spl
- Splunk Auto-Start
- There are numerous ways to enable Splunk to start at boot depending on the Linux OS and System Administration practices.
- These methods would largely need to run the following command in whatever context suits the build:
  /opt/splunkforwarder/bin/splunk start
- A Splunk method to enable start at boot is to run the following command as a user with sudo privileges:
  sudo /opt/splunkforwarder/bin/splunk enable boot-start -user your_user
- Restart Splunk
  /opt/splunkforwarder/bin/splunk restart
- At this point the agent is installed and has been pointed at the Deployment server, from which additional configuration files will be downloaded. The handshake with the Deployment server may take up to 5 minutes to complete.
- The only data being sent to the Splunk environment is the local agent logs.
- When the handshake has completed you should see the following file at this path:
  /opt/splunkforwarder/etc/apps/illinois-urbana-all-deployment-CONF/local/SUCCESSFUL_DEPLOYMENT_CLIENT
- Contact the Splunk Admin to continue setup of the Inputs files as found here.
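The procedure above collected into a script, as an added example that is not part of the original page: an unattended install function using the page's download links and the stop/extract/start variant (so no admin password is needed), plus checks that the etc/ tree is owned by the service account and that the deployment-server handshake marker has appeared. SPLUNK_HOME and the account name are parameters; the tarball is assumed to unpack into a directory matching the last path component of SPLUNK_HOME.

```shell
#!/bin/sh
# Added example, not from the original page. Run install_uf as the non-root
# account that will own and run the agent, never via sudo as someone else.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"
UF_URL="https://go.illinois.edu/splunk-uf-linux-current"
APP_URL="https://go.illinois.edu/default-deployment-server"
MARKER="etc/apps/illinois-urbana-all-deployment-CONF/local/SUCCESSFUL_DEPLOYMENT_CLIENT"

# Unattended install. $1 = seed admin password (unique per endpoint; keep it).
# Assumes the tarball unpacks to "$(basename "$SPLUNK_HOME")" under its parent.
install_uf() {
  seed_pw="$1"
  wget -qO /tmp/universalforwarder-linux.tgz "$UF_URL"
  tar -xf /tmp/universalforwarder-linux.tgz -C "$(dirname "$SPLUNK_HOME")"
  rm -f /tmp/universalforwarder-linux.tgz
  "$SPLUNK_HOME/bin/splunk" start --accept-license --no-prompt --answer-yes \
    --seed-passwd "$seed_pw"
  # Stage the deployment-server app while stopped (no -auth needed), then
  # start again right away: the fresh install is very permissive until then.
  "$SPLUNK_HOME/bin/splunk" stop
  wget -qO /tmp/default-deployment-server.spl "$APP_URL"
  tar -xf /tmp/default-deployment-server.spl -C "$SPLUNK_HOME/etc/apps"
  rm -f /tmp/default-deployment-server.spl
  "$SPLUNK_HOME/bin/splunk" start
}

# 0 if every file under $home/etc is owned by user $1 (a config file edited
# via sudo as another user is the usual cause of later restart/upgrade trouble).
etc_owned_by() {
  user="$1"; home="${2:-$SPLUNK_HOME}"
  [ -d "$home/etc" ] || return 1
  [ -z "$(find "$home/etc" ! -user "$user" -print 2>/dev/null | head -n 1)" ]
}

# 0 once the deployment-server handshake marker file exists.
handshake_done() {
  [ -f "${1:-$SPLUNK_HOME}/$MARKER" ]
}

# Poll for the marker for up to $1 seconds (the page allows up to 5 minutes).
wait_for_handshake() {
  limit="$1"; home="${2:-$SPLUNK_HOME}"; waited=0
  until handshake_done "$home"; do
    [ "$waited" -ge "$limit" ] && return 1
    sleep 5; waited=$((waited + 5))
  done
}
```

Typical use after install_uf: `wait_for_handshake 300 && etc_owned_by "$(id -un)"` before handing the host over for inputs configuration.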