Installing Splunk on Linux OS Using RPM on AWS

John Padilla

  1. Creating an Instance on AWS 

    1. Go to AWS (https://aws.amazon.com/)

    2. Sign in

    3. In Search Tab look up “EC2”

    4. Click “Launch Instance”


      (Screenshot: AWS Instance Setup)

    5. Name: whatever you’d like, for example “Demo”

      1. Application and OS Images - Amazon Linux

      2. Instance Type - Change to t2.medium

      3. Key Pair

        1. Create a new key pair

          1. Key Pair Name: “Demo” for example

        2. Make sure to choose the .pem file format

    6. Network Settings

      1. Firewall (security groups): Create security group

      2. Ensure “Allow SSH traffic from” is checked

        1. Select “My IP” (this limits port 22 to your current address instead of opening it to the whole internet)

    7. Configure Storage

      1. 1 x 25 GiB (gp3)

    8. Click “Launch instance” on the right (the orange button)

    9. Configuring Security Groups

      1. Go Back to EC2 and click on your demo instance

      2. Go to security at the bottom of the page

      3. Click Security Groups that is attached

        • EXAMPLE: sg-077b35a0671d89ac7 - launch-wizard-25

      4. Click “Edit inbound rules”

      5. Click on Add rule

      6. Fill in the boxes as follows

        • Type: Custom TCP

        • Port Range: 8000

        • Source: My IP

        • Description: Splunk Web Port

      7. Click Save Rules


    (Screenshot: AWS Security Group)


  2. SSH Into the Terminal

    1. In AWS, go to EC2 Instances Page

      1. Click on your demo instance

      2. Click Connect


        (Screenshot: Connecting To Splunk Instance)

      3. Select “SSH client”

      4. Step-by-step instructions for logging into your AWS instance from your SSH client are shown


        (Screenshot: SSH Client Steps)
    2. Open up your SSH Terminal

      1. Locate where your PEM file is that you downloaded from AWS.

      2. For most computers, it's saved in your Downloads Folder/Directory

      3. If using the macOS Terminal

        1. Run the following to restrict the key file’s permissions (ssh refuses to use a private key that other users can read)

          1. chmod 400 "YOUR DOWNLOADED PEM FILE.pem"

            (EXAMPLE - chmod 400 "Environment.pem")

          2. ssh -i "/Users/<YOUR USERNAME ON YOUR MAC>/Downloads/<YOUR PEM FILE NAME>" ec2-user@<YOUR INSTANCE PUBLIC DNS>

            (EXAMPLE: ssh -i "/Users/treysplunks/Downloads/Environment.pem" ec2-user@ec2-54-86-34-135.compute-1.amazonaws.com)

      4. If you are using a Windows SSH client (ideally MobaXterm)

        1. ssh -i "C:\Users\<YOUR WINDOWS USERNAME>\Downloads\<YOUR PEM FILE NAME>" ec2-user@<YOUR INSTANCE PUBLIC DNS>

          (EXAMPLE: ssh -i "C:\Users\treysplunks\Downloads\Environment.pem" ec2-user@ec2-54-86-34-135.compute-1.amazonaws.com)



Logging into Splunk from a Linux/AWS Terminal


After creating the EC2 instance and connecting to it over SSH, install Splunk as follows:

  • Log into Splunk.com and go to Free Downloads and Splunk Enterprise Download


    (Screenshot: Splunk.com Downloading Splunk)

  • Click on Linux and choose the WGET copy link next to the .rpm extension

  • Go back to the Terminal where you have your SSH session into your Splunk Server going.

  • You should currently be the ec2-user. Become root by running the following command

    • sudo su

  • Change to /tmp, the usual location for temporary files, by running

    • cd /tmp

  • Make sure wget is installed (wget downloads the Splunk Enterprise package directly from the Splunk.com repository) by running

    • man wget (if a manual page appears, wget is installed; press q to exit)

    • If you do not have wget already installed, you can install it by running

      • yum install -y wget

  • Paste your WGET command from clipboard that was copied from Splunk Enterprise

  • Confirm that the package downloaded successfully: run ls -l (or simply ll) and check that the .rpm file is listed.

  • Install Splunk by running the following command

    • rpm -ivh <YOURSPLUNKPACKAGE>

      • EXAMPLE: rpm -ivh splunk-9.4.0-6b4ebe426ca6.x86_64.rpm

    • Wait until the installation is complete; it may take a few minutes.

    • You should see something like this

      • Updating / installing...
           1:splunk-9.4.0-6b4ebe426ca6        ################################# [100%]

  • Once the rpm command finishes, Splunk is installed on your EC2 server.

  • Move to the install location, which should be /opt, by running

    • cd /opt/

  • Confirm that Splunk was installed on the server:

    • Run the ls or ll command to list out the folders or files in this /opt directory

  • Now that we have confirmed Splunk is installed locally, check its status.

  • Run it by its absolute path:

    • /opt/splunk/bin/splunk status

    • The first time you run a Splunk command, you will be asked to accept the license. Press the space bar to page through the text until you reach the bottom.

    • You will see something like this:

      • Do you agree with this license? [y/n]:

    • Type y to agree with license

  • You will be prompted to create an administrator username and then a password, which you must also confirm.

    • Password must contain at least: 8 total printable ASCII character(s).

  • We need to enable Splunk Web SSL; otherwise Splunk Web only answers over plain HTTP and the https:// URLs used later in this guide will not work.

  • Run the following command to edit the Splunk Web config file with vi (the vi command opens VIM, a text editor on Linux).

    • vi /opt/splunk/etc/system/local/web.conf

    • Press “i” to enter INSERT mode (You should see INSERT at the bottom)

  • Copy and paste the following inside of the file

    • [settings]
      enableSplunkWebSSL = true

  • Press “ESC” (the INSERT at the bottom of your screen should disappear)

  • Type :wq! (shift and colon, then wq!) and press Enter to save the file and exit vi

    (Screenshot: web.conf example)

  • If you used the absolute path above, run the following to start Splunk

    • /opt/splunk/bin/splunk start

  • IMPORTANT: read and validate the output as Splunk starts. If you have not customized anything, you should see the following.

    • Checking http port [8000]: open

    • Checking mgmt port [8089]: open

    • Checking kvstore port [8191]: open

    • Checking appserver port [127.0.0.1:8065]: open

  • If Web SSL is enabled correctly, the end of the startup output reports the web interface at an https:// URL. To confirm Splunk is running, open it in a browser.

  • Splunk Web listens on port 8000, so enter https://<YOURPUBLICIPV4ADDRESS>:8000 (your browser will warn about the self-signed certificate Splunk generates by default; the security group rule created earlier limits who can reach this port)

    EXAMPLE: https://54.86.34.135:8000


  • or https://<YOURPUBLICIPV4DNS>:8000

    EXAMPLE: https://ec2-54-86-34-135.compute-1.amazonaws.com:8000



  • Log in with username and password into Splunk

  • Happy Splunking
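Here is the whole install from the steps above as one non-interactive shell script. It is an added example, not part of the original post and not Splunk’s own tooling, and it goes a little beyond the click-through: instead of answering the license and admin-password prompts by hand, it passes --accept-license --answer-yes --no-prompt to splunk start and seeds the admin account through a user-seed.conf file, which Splunk reads and then deletes on first start. SPLUNK_RPM_URL (the wget link copied from Splunk.com), SPLUNK_ADMIN_PASSWORD and the /opt/splunk install path are assumptions supplied through environment variables; the helper functions (web.conf writer, SSL check, seed-file writer, start-output validator) can be exercised on any machine without installing anything.

```shell
#!/bin/sh
# Added example, not from the original post: the Splunk RPM install steps
# as a non-interactive script. Assumptions: SPLUNK_RPM_URL is the wget link
# copied from Splunk.com, SPLUNK_ADMIN_PASSWORD holds the admin password,
# and Splunk installs under /opt/splunk as in the guide.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# Write the web.conf stanza from the guide so Splunk Web is served over HTTPS.
write_web_conf() {
  conf="$1"
  mkdir -p "$(dirname "$conf")"
  printf '[settings]\nenableSplunkWebSSL = true\n' > "$conf"
}

# Return 0 if the given web.conf turns on Splunk Web SSL, 1 otherwise.
web_ssl_enabled() {
  grep -Eq '^[[:space:]]*enableSplunkWebSSL[[:space:]]*=[[:space:]]*(true|1)[[:space:]]*$' "$1"
}

# Seed the admin account instead of answering the interactive prompt.
# Enforces the 8-character minimum the guide mentions and creates the file
# mode 0600 so the credential is not readable by other local users.
write_user_seed() {
  seed="$1"; user="$2"; pass="$3"
  if [ "${#pass}" -lt 8 ]; then
    echo "password must be at least 8 characters" >&2
    return 1
  fi
  mkdir -p "$(dirname "$seed")"
  ( umask 077; printf '[user_info]\nUSERNAME = %s\nPASSWORD = %s\n' "$user" "$pass" > "$seed" )
}

# Validate the "Checking ... port [...]" lines printed by `splunk start`:
# return 0 only if at least one such line exists and every one reports "open".
start_ports_open() {
  checks=$(grep -c 'Checking .* port \[' "$1" || true)
  open=$(grep -c 'Checking .* port \[.*]: open' "$1" || true)
  if [ "$checks" -gt 0 ] && [ "$checks" -eq "$open" ]; then
    return 0
  fi
  return 1
}

# The guide's steps, in order: become root, fetch the RPM into /tmp,
# install it, configure web.conf and the admin account, start, verify.
install_splunk() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root (sudo su)" >&2; return 1; }
  cd /tmp
  command -v wget >/dev/null || yum install -y wget
  wget -q "$SPLUNK_RPM_URL"
  rpm -ivh "$(basename "$SPLUNK_RPM_URL")"
  write_web_conf "$SPLUNK_HOME/etc/system/local/web.conf"
  write_user_seed "$SPLUNK_HOME/etc/system/local/user-seed.conf" admin "$SPLUNK_ADMIN_PASSWORD"
  log=/tmp/splunk-start.log
  "$SPLUNK_HOME/bin/splunk" start --accept-license --answer-yes --no-prompt > "$log" 2>&1 \
    || { cat "$log"; return 1; }
  cat "$log"
  # Fail loudly if any of the http/mgmt/kvstore/appserver port checks was not "open".
  start_ports_open "$log"
}

# Only perform the real install when invoked with --install, so the helper
# functions above can be sourced and tested on a machine without Splunk.
if [ "${1:-}" = "--install" ]; then
  install_splunk
fi
```

Usage on the EC2 box, as root: export SPLUNK_RPM_URL and SPLUNK_ADMIN_PASSWORD first, then run `sh install-splunk.sh --install`. Passing the password through the environment rather than hard-coding it, and writing user-seed.conf with mode 0600, keeps the admin credential out of the script and out of /tmp in a world-readable file; the port validator turns the “read and validate the output” step into a hard failure.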
