How to Install Splunk on Linux Mint or Ubuntu
Here are the instructions for installing Splunk on Linux Mint or Ubuntu. In my case I have Linux Mint 19.1 installed on an ASUS desktop and also on an ASUS netbook. These commands will work for any distro based on Ubuntu 18.04 and will very likely work for future versions too, unless there are major changes to Ubuntu.
To set up your free Splunk account type “splunk downloads page” into a web browser. You should be taken to a page that looks like the one below. Create a free Splunk account by filling in the boxes below and clicking on the green box that says “Free Splunk”.
Choose the option that says download Splunk Enterprise for free. When you download Splunk Enterprise for free, you get a Splunk Enterprise license for 60 days that lets you index up to 500 megabytes of data per day.
When the free trial ends, you can convert to a perpetual Free license or purchase an Enterprise license to continue using the expanded functionality designed for multi-user deployments.
You will be taken to the page below. Choose your operating system. For this post I will be choosing Linux.
For Ubuntu, choose the tarball option, which is the .tgz file.
Start the download, but also copy the wget link so that you can run the command in the terminal to download the file. This is what mine showed (underneath, in bold):
wget -O splunk-7.3.0-657388c7a488-Linux-x86_64.tgz 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.3.0&product=splunk&filename=splunk-7.3.0-657388c7a488-Linux-x86_64.tgz&wget=true'
Paste the command into the terminal.
Put sudo in front of the wget command, then move the cursor to the end of the command and press Enter.
Enter your password and the tarball will download.
Once it has downloaded, run the following command to make sure it is there:
ls
The area in bold is how mine looked:
mike@mike-VM40B:~$ ls
Desktop my_example.csv splunk-7.3.0-657388c7a488-Linux-x86_64.tgz
Documents Pictures Templates
Downloads Public Videos
julia-1.1.0 R 'VirtualBox VMs'
Music saved_df.csv
mike@mike-VM40B:~$
Then copy it to the /opt directory, which is where third-party software goes, using the following command:
sudo cp splunk-7.3.0-657388c7a488-Linux-x86_64.tgz /opt
Then change to the /opt directory to make sure it is there, using the following command:
cd /opt
Type ls to list the directory contents:
ls
This is what mine showed underneath in bold:
mike@mike-VM40B:/opt$ ls
splunk-7.3.0-657388c7a488-Linux-x86_64.tgz sublime_text
mike@mike-VM40B:/opt$
Use the following command to untar (unzip) the file:
sudo tar -xvzf splunk-7.3.0-657388c7a488-Linux-x86_64.tgz
x = extract
v = verbose
z = filter the archive through gzip (decompress it)
f = use the named archive file
Note that Ubuntu uses gzip. If you are using another version of Linux such as CentOS or Fedora, you will need to substitute a j where there is a z.
Once the tarball has been extracted, type ls to list the /opt directory:
mike@mike-VM40B:/opt$ ls
splunk splunk-7.3.0-657388c7a488-Linux-x86_64.tgz sublime_text
mike@mike-VM40B:/opt$
Type the following command to move to the Splunk directory:
cd splunk
Type ls to list the contents of the directory to make sure all the Splunk directories are there. The area in bold is how mine looked:
mike@mike-VM40B:/opt/splunk$ ls
bin copyright.txt etc ftr include lib license-eula.txt openssl README-splunk.txt share splunk-7.3.0-657388c7a488-linux-2.6-x86_64-manifest
mike@mike-VM40B:/opt/splunk$
To start Splunk, switch to the bin directory as follows:
cd bin
mike@mike-VM40B:/opt/splunk$ cd bin
mike@mike-VM40B:/opt/splunk/bin$
Then type the following command to start Splunk:
sudo ./splunk start --accept-license
You will then need to create a user name and a password for the Splunk admin account.
Once you have entered those, Splunk will start up in the terminal. This may take a few minutes, and then it will give you the web address that you need to go to whenever you start Splunk. This should end in :8000.
Copy and paste this into a web browser and a screen will open up asking for the user name and password you just created. Enter those and you are live in Splunk. Save this page as a bookmark in your browser.
When I did this on my desktop it did not start Splunk the first time. I typed the following code in again and this time it started.
sudo ./splunk start
You should now have Splunk up and running.
When you are done you can shut the terminal and shut down your web browser.
The instructions below tell you what to do to start Splunk for each new session.
First go to Splunk.com and sign in
Then enter the following two lines into the terminal to start Splunk. This takes several seconds. The terminal will then print the browser page to go to, which will be the same every time, and Splunk is running. At that point you can go straight to your browser: if you set up a bookmark for the Splunk home page, click on that; if not, copy the link from the terminal into your web browser.
cd /opt/splunk/bin
sudo ./splunk start
You can combine these two lines into a single command by joining them as follows:
cd /opt/splunk/bin; sudo ./splunk start
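The download, copy, extract and start steps above, plus the per-session start, gathered into one script. This is an added example, not code from the original post or from Splunk; it assumes the wget link copied from the downloads page is supplied in the SPLUNK_URL variable, that Splunk lives under /opt, and that sudo is used as in the post.

```shell
#!/bin/sh
# Added example (not from the original post): the download, copy, extract
# and start steps as one script. Assumes the wget link copied from the
# Splunk downloads page is supplied in SPLUNK_URL and that Splunk lives
# under /opt, as in the post.
set -eu

# Recover the tarball name from the "filename=" parameter of the wget URL,
# so the same name is used for the download, the copy and the extract.
splunk_pkg_from_url() {
    printf '%s\n' "$1" | sed -n 's/.*[?&]filename=\([^&]*\).*/\1/p'
}

# A .tgz starts with the gzip magic bytes 1f 8b. A failed download often
# leaves an HTML error page under the .tgz name, and tar then fails with
# a confusing message, so check the bytes before extracting.
is_gzip_tarball() {
    [ -f "$1" ] || return 1
    magic=$(head -c 2 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "1f8b" ]
}

# Splunk prints its web address when it starts; keep just that URL.
web_url_from_start_output() {
    printf '%s\n' "$1" | sed -n 's/.*\(http:\/\/[^ ]*:8000\).*/\1/p' | head -n 1
}

# Per-session start (the "cd /opt/splunk/bin; sudo ./splunk start" step).
start_splunk() {
    sudo /opt/splunk/bin/splunk start --accept-license
}

# First-time install: download (if not already present), verify, extract, start.
install_splunk() {
    url=${SPLUNK_URL:?set SPLUNK_URL to the wget link from the downloads page}
    pkg=$(splunk_pkg_from_url "$url")
    [ -n "$pkg" ] || { echo "no filename= parameter in SPLUNK_URL" >&2; return 1; }
    [ -f "/opt/$pkg" ] || sudo wget -O "/opt/$pkg" "$url"
    is_gzip_tarball "/opt/$pkg" || { echo "/opt/$pkg is not a gzip tarball" >&2; return 1; }
    sudo tar -xzf "/opt/$pkg" -C /opt
    start_splunk
}

case "${1:-}" in
    --install) install_splunk ;;
    --start)   start_splunk ;;
esac
```

Run it once with --install and afterwards with --start. Starting with sudo, as the post does, runs splunkd as root; Splunk's own documentation describes running it under a dedicated unprivileged user instead.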
If anyone has any problems getting Splunk up and running then please contact me and we can troubleshoot it and get you started.