Let’s install Splunk on Debian 11 / 10 Linux and use it to analyze data collected from various sources…
Splunk is Security Information and Event Management (SIEM) software. It is a cross-platform solution that receives data from many sources, correlates it and visualizes the result on a dashboard. The data Splunk processes can also be enriched with conventional data from relational databases.
Splunk understands machine data as well as text written by people. Machine data is the (mostly unstructured) information generated while systems operate: computers, mobile devices, network components, security appliances, measuring devices and so on. When people talk about machine data, they mostly mean logs.
In SIEM terms this means loading the log files from all of your devices into one large store and normalizing them. The SIEM warns you when something unusual occurs, and you can analyze the underlying data with Splunk to figure out what is going on.
Splunk’s minimum (reference) hardware for a single Enterprise instance is listed below. You can still install it on less than that to learn it.
- x86 64-bit with 12 physical CPU cores, or 24 vCPU at 2 GHz or greater per core.
- 12 GB RAM.
- 1 Gb Ethernet NIC
- 64-bit Linux or Windows
Step by Step Splunk installation on Debian Linux
1. Download Splunk Free for Linux
The download is Splunk Enterprise with a trial license: all Enterprise features for 60 days. After that you either buy a license or Splunk switches to the free license, which never expires but is limited. You can index at most 500 MB per day; exceeding that limit repeatedly within a 30-day period disables searching until the violations age out, and features such as alerting, distributed search and multiple user accounts are not available. Most importantly for a server on a network, Splunk Free disables authentication altogether, so anyone who can reach the web interface has full access to it. Know more about the free license.
To install Splunk on Debian, the developers offer a .deb package that can be downloaded from the official website. Before installing it, compare the file’s SHA-512 checksum with the value published next to the download link; a package that will run with full access to your logs deserves that check.
Alternatively, use the wget command below to get the same package with the Enterprise trial license.
wget -O splunk-8.2.1-ddff1c41e5cf-linux-2.6-amd64.deb 'https://www.splunk.com/page/download_track?file=8.2.1/linux/splunk-8.2.1-ddff1c41e5cf-linux-2.6-amd64.deb&ac=&wget=true&name=wget&platform=Linux&architecture=x86_64&version=8.2.1&product=splunk&typed=release'
2. Command to Install Splunk on Debian 11 or 10
Because the download is a .deb package, APT can install it directly and resolve its dependencies.
Note: If you downloaded the package through a browser on a desktop Debian system, first switch to the Downloads directory with cd Downloads. Users who fetched it with wget can simply run:
sudo apt install ./splunk-*-amd64.deb
3. Accept License, Enable Boot start and Set Admin user & password
Once the installation completes, run the command below. On a fresh install it triggers Splunk’s first-time setup: it shows the license (page through or quit the license text and press y to accept it), then asks for an administrator user name and password, and finally registers Splunk to start at boot. Note that, as written, it registers Splunk to run as root. For least privilege, create a splunk system user, give it ownership of /opt/splunk and add -user splunk (plus -systemd-managed 1 on Debian’s systemd) to the command so the daemon runs unprivileged.
sudo /opt/splunk/bin/splunk enable boot-start
4. Access Splunk Web interface
Splunk is now installed. Start it with sudo /opt/splunk/bin/splunk start (enabling boot-start only registers the service; it does not launch it), then open the web interface at localhost:8000. Users who want to reach the Splunk dashboard from another system must open port 8000 in the firewall. Splunk Web serves plain HTTP by default, so prefer limiting the rule to your admin network rather than allowing the port from anywhere, and enable HTTPS (enableSplunkWebSSL = true in web.conf) before exposing it; the management port 8089 should stay closed. To allow port 8000 from anywhere, run:
sudo ufw allow 8000
Note: If you get “command not found”, install and enable UFW first; here is the article on it: Install and Configure UFW on Debian
After that:
For a remote system’s browser – http://your-server-ip:8000
For the local system’s browser – http://localhost:8000
5. Login Admin account
The first screen in your browser asks for the admin user name and password you set while configuring Splunk. Enter them to log in.
6. Splunk Dashboard
Finally, you have Splunk on your Debian (or Ubuntu) system. Click Add Data to connect the data sources you want to analyze.
Uninstall Splunk Enterprise (optional)
Stop Splunk first, then remove the boot-start registration and the package:
sudo /opt/splunk/bin/splunk disable boot-start
sudo apt remove splunk
Removing the package leaves /opt/splunk in place, and with it your indexed data, configuration and credentials; delete that directory separately if you want a clean system.
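Here is the whole procedure above (steps 1 to 6 plus the optional uninstall) as one shell script. This is an added example, not code from the original article or from Splunk, and it tightens a few things a security engineer would want: it checks the SHA-512 of the download against the value Splunk publishes (you supply that value in SPLUNK_SHA512; the script does not guess it), runs Splunk as an unprivileged splunk user under a systemd unit instead of as root, seeds the admin password from SPLUNK_ADMIN_PASSWORD through Splunk’s user-seed.conf instead of typing it interactively, switches Splunk Web to HTTPS, and opens port 8000 only to the network in ADMIN_NET. The version, build and download URL are the ones from the article; SPLUNK_SHA512, SPLUNK_ADMIN_PASSWORD, ADMIN_NET and the 192.0.2.0/24 placeholder are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example: unattended Splunk Enterprise install on Debian 11/10.
# Not from the article or from Splunk. Version/build/URL are the article's;
# the environment variables below are assumptions for this example.

SPLUNK_VERSION=8.2.1
SPLUNK_BUILD=ddff1c41e5cf
SPLUNK_HOME=/opt/splunk
SPLUNK_USER=splunk
DEB="splunk-${SPLUNK_VERSION}-${SPLUNK_BUILD}-linux-2.6-amd64.deb"
DEB_URL="https://www.splunk.com/page/download_track?file=${SPLUNK_VERSION}/linux/${DEB}&ac=&wget=true&name=wget&platform=Linux&architecture=x86_64&version=${SPLUNK_VERSION}&product=splunk&typed=release"
ADMIN_NET=${ADMIN_NET:-192.0.2.0/24}   # assumption: network allowed to reach Splunk Web

# Compare a file's SHA-512 with an expected digest; returns 0 on match.
verify_sha512() {
  local file=$1 expected=$2 actual
  if command -v sha512sum >/dev/null 2>&1; then
    actual=$(sha512sum "$file" | cut -d' ' -f1)
  else
    actual=$(shasum -a 512 "$file" | cut -d' ' -f1)   # macOS fallback
  fi
  [ "$actual" = "$expected" ]
}

# Steps 1-2: download, verify against the published checksum, install.
download_and_install() {
  wget -O "$DEB" "$DEB_URL"
  verify_sha512 "$DEB" "$SPLUNK_SHA512" || { echo "checksum mismatch for $DEB" >&2; return 1; }
  apt install -y "./$DEB"
}

# Step 3: first start as an unprivileged user with a seeded admin account,
# HTTPS for Splunk Web, then register the systemd unit (Splunkd.service).
first_run_and_boot_start() {
  id "$SPLUNK_USER" >/dev/null 2>&1 || useradd -r -d "$SPLUNK_HOME" -s /usr/sbin/nologin "$SPLUNK_USER"
  chown -R "$SPLUNK_USER:$SPLUNK_USER" "$SPLUNK_HOME"
  mkdir -p "$SPLUNK_HOME/etc/system/local"
  # user-seed.conf is read on the first start to create the admin account
  # (password must satisfy Splunk's minimum length, 8 characters by default).
  ( umask 077
    printf '[user_info]\nUSERNAME = admin\nPASSWORD = %s\n' "$SPLUNK_ADMIN_PASSWORD" \
      > "$SPLUNK_HOME/etc/system/local/user-seed.conf"
    # Serve Splunk Web over HTTPS. Default cert is self-signed; for production
    # point serverCert / privKeyPath in this stanza at your own certificate.
    printf '[settings]\nenableSplunkWebSSL = true\n' > "$SPLUNK_HOME/etc/system/local/web.conf" )
  chown "$SPLUNK_USER:$SPLUNK_USER" "$SPLUNK_HOME"/etc/system/local/*.conf
  sudo -u "$SPLUNK_USER" "$SPLUNK_HOME/bin/splunk" start --accept-license --answer-yes --no-prompt
  sudo -u "$SPLUNK_USER" "$SPLUNK_HOME/bin/splunk" stop
  "$SPLUNK_HOME/bin/splunk" enable boot-start -user "$SPLUNK_USER" -systemd-managed 1
  systemctl start Splunkd
}

# Step 4: expose Splunk Web (8000) only to the admin network; 8089 stays closed.
open_web_port() {
  ufw allow from "$ADMIN_NET" to any port 8000 proto tcp
}

# Optional: stop, unregister, remove the package and the data directory.
uninstall_splunk() {
  systemctl stop Splunkd 2>/dev/null || "$SPLUNK_HOME/bin/splunk" stop
  "$SPLUNK_HOME/bin/splunk" disable boot-start
  apt remove -y splunk
  rm -rf "$SPLUNK_HOME"   # indexes, configuration and credentials live here
}

main() {
  set -eu
  : "${SPLUNK_SHA512:?set to the SHA-512 published on the Splunk download page}"
  : "${SPLUNK_ADMIN_PASSWORD:?set to the desired admin password}"
  download_and_install
  first_run_and_boot_start
  open_web_port
  echo "Splunk Web: https://$(hostname -I | cut -d' ' -f1):8000 (user admin)"
}

case "${1:-}" in
  --install)   main ;;
  --uninstall) uninstall_splunk ;;
esac
```

Run it as root, passing the secrets through the environment rather than editing them into the file: sudo env SPLUNK_SHA512=<digest from the download page> SPLUNK_ADMIN_PASSWORD=<password> ADMIN_NET=10.0.0.0/24 ./install-splunk.sh --install, and ./install-splunk.sh --uninstall to reverse it. The first start is done as the splunk user on purpose: any files Splunk creates during its first-time setup are then owned by that user, and the systemd unit written by enable boot-start runs the daemon as that user afterwards.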
From here you can refer to official Splunk documentation to know more…