Splunk Enterprise Fundamentals: Standalone Deployment - part 1
Updated: Apr 23, 2020
In the first and second edition of Splunk Fundamentals, we covered the different pieces of hardware and how data retention works. In this edition, we will be looking at the most basic of deployments, Standalone.
In an organisation you will more likely use a distributed deployment, even clustering. Standalone deployments have very specific requirements. See here for further detail on Splunk Enterprise Deployments.
Note: due to the length of this blogpost, I've decided to separate into two posts.
Step 1: Security by Design
Design your deployment to reduce risks, consider the following points:
Planning a head of how the patch management will be handled.
Follow the principle of least privilege
Include Splunk into the Business Continuity and Disaster Recovery Plans.
Include port numbers required in the Splunk deployment in your security considerations.
Here’s the default ports (See Splunk Answers here for a diagram):
8000 Web Interface
8089 Deployment Server
8089 Search Head
9997 Universal Forwarders
Step 2: Top-level Understanding
Remember, it’s all fine and dandy to have a pretty server with blinky lights, however the stakeholders that are paying for these blinky lights might like to know if it’s working. Best way to do that, include those stakeholders in the design phase on what reports they will require, and at what frequency. Remember, to maintain confidence in your capabilities, show how often you fix issues before anyone notices. Make sure they know what to expect from the deployment.
If its your living room deployment, make sure your ferret/cat/dog is happy with the results!
Step 3: Install the "Hardware"
I don't actually talk about hardware in this post, but see here for Hardware Requirements!
As for OS, use Linux. The online documentation is on Linux, its designed how you would expect it on Linux. If you have Splunk running on a Windows server, and Mac or Linux systems you have to run this script each time the daemon starts to fix permissions… It's annoying, especially when starting out.
Exceptions: if your patch management system cannot handle Linux. If those maintaining Splunk do not understand Linux. All other reasons you feel is an acceptable reason, because really it's your deployment, and I can't make you do anything.
In this example, I have a VirtualBox Kali instance, simply because it was available this second.
Configure your locked down system, including updates, make sure you’re happy and then continue.
Step 4: Install Splunk
If you've chosen Windows, MacOS, or Red Hat, or you're struggling with following along - check out Splunk Docs on Splunk Installation.
If you've chosen a debian-based Linux: login, go to the download page and select the appropriate version.
If you'd like to install via command line, click through the download and there will also be an option use the command line to download. The reason you need to do this, is it will provide the direct download link. Command line install uses wget.
To install the package via commandline: tar xvzf splunk_[version].tgz -C /opt
For your first time starting Splunk, navigate to $SPLUNK_HOME, which if you've followed my guide is /opt/splunk/, then under ./bin. Following which, you can run the following command: ./splunk enable boot-start --no-prompt --accept-license -user [username]
What is the -user flag for? This allows you to set the user that the Splunk daemon is to run as. It's recommended not to use a privileged user, check out Run Splunk Enterprise as a different or non-root user to learn how.
This is the end of Splunk Enterprise Fundamentals: Standalone deployment - part 1. Please see Splunk Enterprise Fundamentals: Standalone deployment - part 2 for configuring Splunk.