I have both educational and hands-on experience with Splunk SIEM via my Coursera certificate and my personal installation, configuration, and implementation of Splunk on an Ubuntu Linux system.
The files are available for download from the Splunk website. I chose to install the local file so that I have more hands-on experience, but there is a cloud trial version available at: “https://www.splunk.com/en_us/download/splunk-cloud/cloud-trial.html”.
This local installation into Linux was difficult. First, I downloaded the Debian installer file from the Splunk website and tried to install it to the “/opt” directory. The install gave me multiple errors, including permission and missing-file errors.
Next, I downloaded the zipped (tar .tgz) file and unzipped it from the Download folder using the “tar xvzf splunk.tgz -C /opt” command with the intention of extracting the whole archive to the “/opt” directory on my Linux system. However, the “-C” switch (which is what the website install video shows) created all the directories under “/opt”, so I no longer had an “/etc” directory under Splunk. (Caution: since there are “etc”, “var”, and “bin” directories within the Splunk application, make sure you do not alter your base directories if you are making changes in Linux via the command line instead of using a GUI interface.)
After I tried that and it didn’t work, I moved the tar file to the opt directory and extracted it there without the “-C” switch. In each case I was still getting an error on the environment path location for $SPLUNK_HOME and $SPLUNK_ETC, so I had to use the export command to temporarily link these variables to their respective directories of “/opt/splunk/” (for the HOME bin file) and “/opt/splunk/etc”.
That showed some progress when I tried to run the CLI command “./splunk start --accept-license” from the “/opt/splunk/bin” directory, but this time I got several other errors that Splunk could not access the log directory and others, and that certain files were missing. Determined to succeed, I manually created the missing files with the “touch” command, and I created missing directories using the “mkdir” command. At this point these files and directories were owned by my user and root ID, so I had to use the “ls -l” command to see the name of the user that the install created, which was a numeric “name” of 10777. Then I went back and changed the owner on each directory, subdirectory, and file to 10777. After that I needed to change the permissions on the directories and files so that Splunk could write to them. Most of the directories had permissions of rwxr-xr-x by default, but the log files also needed write permission.
FINALLY, after a couple of hours of manipulation, I was able to get Splunk to work. Once the Splunk web server booted, I could access it through my browser at “127.0.0.1:8000”. At that point I created my new Dashboard and connected it to watch certain folders on my local PC.
I was able to install it a different way by ignoring the error that the $HOME and $ETC paths were missing, but I then had to run it as “sudo” (root); it worked perfectly without creating any additional files. I’m guessing that because I installed it into the “/opt” directory (which has the owner of “root”) I had to use “sudo” to run the “./splunk start” command. I’m thinking that what I should have done is to create a new user (perhaps named “splunk1”) and possibly a user group that does not have “root” or “sudo” access and then install it as that user. I believe the Splunk SIEM would then run correctly without any root access.
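The ownership, permission and environment-variable problems described above can be checked before the first “./splunk start” instead of discovered one error at a time. The following is an added example, not the author's script and not anything shipped by Splunk: a small POSIX shell preflight for a tarball install under /opt, written so an unprivileged account can run it. The uid 10777, the /opt/splunk paths and the SPLUNK_HOME/SPLUNK_ETC variables come from the post; the throwaway tree built by make_demo_home and the function names are constructed here purely to exercise the checks, and hand_tree_to_service_user is the root-only step the author reasoned about (dedicated non-sudo user owning the tree) and is defined but never called.

```shell
#!/bin/sh
# Added example, not the author's script or anything shipped by Splunk.
# Preflight checks for a tarball install of Splunk under /opt, written so an
# unprivileged user can run them. The uid 10777, the /opt/splunk paths and
# the SPLUNK_HOME/SPLUNK_ETC variables come from the post; the temporary tree
# built by make_demo_home is constructed here purely to exercise the checks.

# 0 if $1 looks like a complete SPLUNK_HOME (bin/splunk, etc/ and var/ present).
# An extraction whose etc/, var/ and bin/ landed one level up fails this test,
# which is the symptom the post describes after "tar ... -C /opt".
splunk_layout_ok() {
    [ -x "$1/bin/splunk" ] && [ -d "$1/etc" ] && [ -d "$1/var" ]
}

# Point SPLUNK_HOME and SPLUNK_ETC at the tree before calling bin/splunk.
export_splunk_env() {
    SPLUNK_HOME="$1"; export SPLUNK_HOME
    SPLUNK_ETC="$1/etc"; export SPLUNK_ETC
}

# Number of entries under $1 not owned by uid $2 (numeric, as "ls -l" showed
# 10777 in the post). Relies on find accepting a numeric -user argument.
count_not_owned_by() {
    find "$1" ! -user "$2" | wc -l | tr -d ' '
}

# Number of entries under $1 the current user cannot write to; Splunk needs
# write access to its var/ tree (logs, indexes), so this should be 0 for the
# account that runs "./splunk start". Paths are assumed to contain no spaces.
count_unwritable() {
    n=0
    for p in $(find "$1"); do
        [ -w "$p" ] || n=$((n + 1))
    done
    echo "$n"
}

# Root-only steps matching the post's suggestion: a dedicated account with no
# sudo rights, then hand the whole tree to it so "./splunk start" needs no
# root. Defined for reference; nothing below calls it.
hand_tree_to_service_user() {
    home="$1"; user="$2"
    id "$user" >/dev/null 2>&1 || useradd -r -d "$home" -s /bin/false "$user"
    chown -R "$user:$user" "$home"
    chmod -R u+rwX "$home"    # owner gets rw on files, rwx on directories
}

# Build a throwaway tree shaped like /opt/splunk (constructed sample data) and
# print its path.
make_demo_home() {
    home="$(mktemp -d)/splunk"
    mkdir -p "$home/bin" "$home/etc" "$home/var/log/splunk"
    printf '#!/bin/sh\necho splunk-stub\n' > "$home/bin/splunk"
    chmod 755 "$home/bin/splunk"
    echo "$home"
}

# Usage when run directly; the same calls apply to a real /opt/splunk.
demo="$(make_demo_home)"
export_splunk_env "$demo"
splunk_layout_ok "$SPLUNK_HOME" && echo "layout ok: $SPLUNK_HOME"
echo "entries not owned by uid $(id -u): $(count_not_owned_by "$SPLUNK_HOME" "$(id -u)")"
echo "entries not owned by uid 10777: $(count_not_owned_by "$SPLUNK_HOME" 10777)"
echo "entries not writable by $(id -un): $(count_unwritable "$SPLUNK_HOME")"
rm -rf "$(dirname "$demo")"
```

Against a real install you would run the three counts as the account that will start Splunk, after the root-only ownership step; any nonzero result points at exactly the files that the “touch”/“mkdir”/chown cycle in the post was fixing by hand.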
I also installed the Splunk Universal Forwarder on another PC and set it to forward information to my main Splunk Enterprise server at the IP address of my computer on port 9997 (default).
Note that if this were a production install, one should verify the hash of the downloaded zip file against the file hash signature posted on the website, but I just needed a local install on my own computer so I could gain hands-on experience with Splunk.
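The verification step mentioned here is short enough to script. The following is an added example, not the author's own script: it compares a downloaded archive's SHA-256 digest with a published value, accepting either a bare hex digest or a “digest  filename” checksum line as the reference, and falls back from sha256sum to shasum where only the latter exists. The sample file, its digest and the function names are constructed for the demonstration; which algorithm and exact format Splunk publishes for its downloads is not assumed, so substitute the published value and algorithm as appropriate.

```shell
#!/bin/sh
# Added example, not the author's script. Compares a downloaded archive's
# SHA-256 digest with the value published alongside it, accepting either a
# bare hex digest or a "<hex>  <filename>" checksum line as the reference.
# The sample file and its digest below are constructed for the demonstration;
# the digest algorithm and exact format Splunk publishes are not assumed.

# Print the lowercase SHA-256 hex digest of $1, using whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# 0 if $1's digest matches the reference in $2, 1 otherwise. $2 may be the
# bare digest or a checksum-file line; case of the hex digits is ignored.
verify_sha256() {
    expected="$(printf '%s' "$2" | cut -d ' ' -f 1 | tr 'A-F' 'a-f')"
    actual="$(sha256_of "$1")"
    if [ "$expected" = "$actual" ]; then
        echo "OK: $1 matches published digest"
        return 0
    fi
    echo "MISMATCH: $1" >&2
    echo "  expected $expected" >&2
    echo "  got      $actual" >&2
    return 1
}

# Build a stand-in for the downloaded archive (constructed content; the
# digest of "hello\n" is a well-known test vector).
make_sample_download() {
    f="$(mktemp)"
    printf 'hello\n' > "$f"
    echo "$f"
}
SAMPLE_SHA256=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

# Usage: one matching reference (checksum-line form), one deliberately wrong.
sample="$(make_sample_download)"
verify_sha256 "$sample" "$SAMPLE_SHA256  splunk-sample.tgz"
verify_sha256 "$sample" 0000000000000000000000000000000000000000000000000000000000000000 || true
rm -f "$sample"
```

Because the function returns nonzero on a mismatch, it can gate the rest of an install script (`verify_sha256 splunk.tgz "$PUBLISHED" || exit 1`) so that a corrupted or tampered download never reaches the tar step.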