✔️ Tested on Splunk 5.0.3, CentOS 5.
- Splunk installation
- Splunk install, Splunk server install
Recommended specifications
The recommended specifications for a Splunk server are as follows.
- Linux: 1.4 GHz x 1 CPU, 1 GB RAM or more
- Windows: 2.0 GHz x 1 CPU, 2 GB RAM or more[1]
Here we will install on Linux (CentOS).
Download
- Open https://www.splunk.com in a browser
- Click [Login] at the top right
- Enter Username and Password --- [Login][2]
- Click [FREE DOWNLOAD] at the top right
- Click [Free Download] under splunk
- Click splunk-5.0.3-163460-linux-2.6-x86_64.rpm to start the download (38.4 MB)[3]
Installation
- Upload splunk-5.0.3-163460-linux-2.6-x86_64.rpm to the server
[root@zetawiki ~]# rpm -ivh splunk-5.0.3-163460-linux-2.6-x86_64.rpm
warning: splunk-5.0.3-163460-linux-2.6-x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 653fb112
Preparing... ########################################### [100%]
1:splunk ########################################### [100%]
-------------------------------------------------------------------------
Splunk has been installed in:
/opt/splunk
To start Splunk, run the command:
/opt/splunk/bin/splunk start
To use the Splunk Web interface, point your browser to:
http://splunk:8000
Complete documentation is at http://docs.splunk.com/Documentation/Splunk
-------------------------------------------------------------------------
First run
[root@zetawiki ~]# /opt/splunk/bin/splunk start --accept-license
This appears to be your first time running this version of Splunk.
Copying '/opt/splunk/etc/openldap/ldap.conf.default' to '/opt/splunk/etc/openldap/ldap.conf'.
Generating RSA private key, 1024 bit long modulus
..++++++
......++++++
e is 65537 (0x10001)
writing RSA key
Generating RSA private key, 1024 bit long modulus
.................++++++
........++++++
e is 65537 (0x10001)
writing RSA key
Moving '/opt/splunk/share/splunk/search_mrsparkle/modules.new' to '/opt/splunk/share/splunk/search_mrsparkle/modules'.
Splunk> See your world. Maybe wish you hadn't.
Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking configuration... Done.
Checking indexes...
Creating: /opt/splunk/var/lib/splunk
Creating: /opt/splunk/var/run/splunk
Creating: /opt/splunk/var/run/splunk/appserver/i18n
Creating: /opt/splunk/var/run/splunk/appserver/modules/static/css
Creating: /opt/splunk/var/run/splunk/upload
Creating: /opt/splunk/var/spool/splunk
Creating: /opt/splunk/var/spool/dirmoncache
Creating: /opt/splunk/var/lib/splunk/authDb
Creating: /opt/splunk/var/lib/splunk/hashDb
Validated databases: _audit _blocksignature _internal _thefishbucket history main summary
Done
New certs have been generated in '/opt/splunk/etc/auth'.
Checking filesystem compatibility... Done
Checking conf files for typos... Done
All preliminary checks passed.
Starting splunk server daemon (splunkd)... Done
[ OK ]
Starting splunkweb... Generating certs for splunkweb server
Generating a 1024 bit RSA private key
............++++++
.................................................++++++
writing new private key to 'privKeySecure.pem'
-----
Signature ok
subject=/CN=splunk/O=SplunkUser
Getting CA Private Key
writing RSA key
[ OK ]
Done
If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com
The Splunk web interface is at http://jmnote:8000
[root@zetawiki ~]# netstat -anp | grep 80
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN 2080/python
tcp 0 0 0.0.0.0:8089 0.0.0.0:* LISTEN 2021/splunkd
- → Port 8000 is the web port and port 8089 is the management port.[4]
Automatic start configuration
Let's make Splunk start automatically on reboot.
[root@zetawiki ~]# /opt/splunk/bin/splunk enable boot-start
Init script installed at /etc/init.d/splunk.
Init script is configured to run at boot.
- → It reports that Splunk has been registered as a service and configured to start at boot.
[root@zetawiki ~]# service splunk status
Splunk status:
splunkd is running (PID: 2021).
splunk helpers are running (PIDs: 2022).
splunkweb is running (PID: 2080).
[root@zetawiki ~]# chkconfig --list | grep splunk
splunk 0:off 1:off 2:on 3:on 4:on 5:on 6:off
- → We can confirm it is configured correctly.
Web access
- Open http://<server address>:8000 in a browser
- → It connects fine. (If it does not connect, check the firewall.)
- → Log in with admin // changeme.
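The three outputs shown above (the rpm NOKEY warning, the netstat listing and the chkconfig line) contain what a defender should check before exposing this server. The following bash script is an added example written for this page, not from the wiki or from Splunk: its functions parse captured command output and report the unverified package signature and the management port 8089 listening on every interface. The sample inputs are constructed from the outputs on this page; the function names are my own.

```shell
#!/bin/bash
# Post-install checks for a fresh Splunk 5.x on CentOS 5 (added example, not from the page).
# Each check reads one command's output on stdin so it can be run against captured text.

# Prints the local address TCP port $1 is bound to (0.0.0.0, 127.0.0.1, ::), nothing if closed.
# netstat -anp fields: Proto Recv-Q Send-Q Local Foreign State PID/Program
bind_addr() {
    awk -v p="$1" '$1 ~ /^tcp/ && $6 == "LISTEN" {
        n = split($4, a, ":")
        if (a[n] == p) print substr($4, 1, length($4) - length(p) - 1)
    }'
}
# Succeeds if TCP port $1 is in LISTEN state in the netstat output on stdin.
port_listening() {
    [ -n "$(bind_addr "$1")" ]
}
# Succeeds if the chkconfig --list line on stdin enables splunk in runlevels 3 and 5.
boot_enabled() {
    grep -Eq '^splunk[[:space:]].*3:on.*5:on'
}
# Succeeds if the rpm output on stdin shows the package signature was not verified.
rpm_unverified() {
    grep -q 'NOKEY'
}

# Prints one finding per line; the exit status is the number of findings.
findings() {  # $1 = netstat output, $2 = chkconfig output, $3 = rpm output
    n=0
    for port in 8000 8089; do
        printf '%s\n' "$1" | port_listening "$port" || { echo "port $port is not listening"; n=$((n+1)); }
    done
    addr=$(printf '%s\n' "$1" | bind_addr 8089)
    if [ "$addr" = "0.0.0.0" ] || [ "$addr" = "::" ]; then
        echo "management port 8089 listens on all interfaces: firewall it or bind it to 127.0.0.1"; n=$((n+1))
    fi
    printf '%s\n' "$2" | boot_enabled || { echo "splunk is not enabled at boot"; n=$((n+1)); }
    if printf '%s\n' "$3" | rpm_unverified; then
        echo "rpm signature not verified (NOKEY): import the vendor signing key with rpm --import, then check with rpm -K"; n=$((n+1))
    fi
    return "$n"
}

# Constructed samples, taken from the outputs shown on this page.
NETSTAT_SAMPLE='tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN 2080/python
tcp 0 0 0.0.0.0:8089 0.0.0.0:* LISTEN 2021/splunkd'
CHKCONFIG_SAMPLE='splunk 0:off 1:off 2:on 3:on 4:on 5:on 6:off'
RPM_SAMPLE='warning: splunk-5.0.3-163460-linux-2.6-x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 653fb112'
if findings "$NETSTAT_SAMPLE" "$CHKCONFIG_SAMPLE" "$RPM_SAMPLE"; then echo "no findings"; else echo "$? finding(s)"; fi
```

On a live host, feed the functions real output (`netstat -anp | findings ...` style) and replace the default admin // changeme password before opening port 8000 to anyone else.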
See also
Notes
- ↑ http://docs.splunk.com/Documentation/Splunk/5.0.3/Installation/SystemRequirements#Recommended_hardware
- ↑ If you do not have an account, you must sign up. [Sign Up Now]
- ↑ Choose the installer for your OS. The author chose the 64-bit Linux version.
- ↑ http://docs.splunk.com/Documentation/Splunk/5.0.3/Admin/Changedefaultvalues#Change_network_ports