How to Install Splunk 7 on CentOS 7
CentOS7 Configuration
Use this guide for setting up Splunk Enterprise on CentOS7. I use the minimal CD for installing CentOS7.
Configure a Hostname
Check the current hostname
# hostnamectl status
Set the hostname
# hostnamectl set-hostname splunk.server.local
Verify the hostname change
# hostnamectl status
Log out and log back in to ensure the hostname is displaying correctly.
Configure NTP
Configure NTP on the server.
# yum install -y ntp ntpdate
Edit the NTP configuration file. Replace the current NTP server addresses with localised Australian servers or the closest NTP server to your host.
# vi /etc/ntp.conf
server 0.au.pool.ntp.org
server 1.au.pool.ntp.org
server 2.au.pool.ntp.org
server 3.au.pool.ntp.org
Turn on the NTP daemon.
# systemctl start ntpd
# systemctl enable ntpd.service
Check the status of the NTP daemon
# systemctl status ntpd
Update the time at the command line if the NTP daemon has yet to be started.
# ntpdate 0.au.pool.ntp.org
Install the Time zone Package
Installing tzdata.noarch through yum will install the latest version.
yum install -y tzdata.noarch
You should also check to make sure that the /etc/localtime link is pointing to a valid time zone. To do that, run the following command:
ls -altrh /etc/localtime
You should get a response similar to the one below, where the link target (<ZONE>, here Australia/Melbourne) is your time zone:
lrwxrwxrwx. 1 root root 39 Jan 19 15:57 /etc/localtime -> /usr/share/zoneinfo/Australia/Melbourne
If this is not correct, run the following commands as user root:
# source /etc/sysconfig/clock
# mv /etc/localtime /etc/localtime.old
# ln -s /usr/share/zoneinfo/Australia/Melbourne /etc/localtime
# ls -altrh /etc/localtime
Increase File descriptor limits (FDs) on *nix systems
Usually, the default file descriptor limit (controlled by the ulimit -n command on a *nix-based OS) is 1024. Your Splunk administrator should determine the correct level. View the current settings with:
# ulimit -a
I have seen the values change with different versions of Splunk, so read Splunk's documentation to ensure you have the correct minimum values.
Source: http://docs.splunk.com/Documentation/Splunk/7.1.2/Installation/Systemrequirements
On the default version of CentOS 7 I need to change the Open Files and User Processes.
# vi /etc/security/limits.conf
* soft nproc 16000
* hard nproc 16000
* soft nofile 64000
* hard nofile 64000
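The time zone check and the limits check above are both done by eye in the guide. The following script is an added example, not part of the original guide, that performs both as functions returning 0 (ok) or 1 (problem), so they can be run as a pre-flight check before starting Splunk. The zoneinfo directory, the limits.conf file and the splunk user in the demo are constructed stand-ins; the 64000 / 16000 minimums are the values the guide puts in /etc/security/limits.conf. The limits lookup assumes pam_limits semantics: an explicit user line takes precedence over a `*` line, and within the same domain the last matching line wins.

```shell
#!/bin/sh
# Pre-flight checks for a Splunk host (added example, not from the original guide).
#   1. /etc/localtime must be a symlink to an existing file under /usr/share/zoneinfo
#   2. limits.conf must grant the splunk user at least nofile 64000 and nproc 16000
# All demo inputs below are constructed; nothing on the real system is modified.

# check_localtime LINK ZONEINFO_DIR
# 0 when LINK is a symlink whose target exists inside ZONEINFO_DIR, else 1.
check_localtime() {
  link=$1; zdir=$2
  [ -L "$link" ] || { echo "not a symlink: $link"; return 1; }
  target=$(readlink "$link") || return 1
  case "$target" in
    "$zdir"/*) ;;                                  # must point into the zoneinfo tree
    *) echo "unexpected target: $target"; return 1 ;;
  esac
  [ -f "$target" ] || { echo "target missing: $target"; return 1; }
  echo "localtime -> ${target#"$zdir/"}"
  return 0
}

# limit_from_conf CONF DOMAIN TYPE ITEM
# Prints the value of the last line matching DOMAIN/TYPE/ITEM exactly (nothing if none).
limit_from_conf() {
  awk -v d="$2" -v t="$3" -v i="$4" '
    /^[[:space:]]*#/ || NF < 4 { next }            # skip comments and short lines
    $1 == d && $2 == t && $3 == i { v = $4 }       # later lines override earlier ones
    END { if (v != "") print v }
  ' "$1"
}

# effective_limit CONF USER TYPE ITEM
# Explicit user entry first, then the "*" wildcard; prints "unset" when neither exists.
effective_limit() {
  conf=$1; user=$2; type=$3; item=$4
  v=$(limit_from_conf "$conf" "$user" "$type" "$item")
  [ -n "$v" ] || v=$(limit_from_conf "$conf" '*' "$type" "$item")
  printf '%s\n' "${v:-unset}"
}

# meets_minimum VALUE MIN -> 0 when VALUE is "unlimited" or an integer >= MIN
meets_minimum() {
  case $1 in
    unlimited) return 0 ;;
    ''|*[!0-9]*) return 1 ;;                       # unset, "unset", or not a plain integer
  esac
  [ "$1" -ge "$2" ]
}

# check_splunk_limits CONF USER -> 0 only when soft and hard nofile/nproc meet the guide's minimums
check_splunk_limits() {
  conf=$1; user=$2; rc=0
  for spec in nofile:64000 nproc:16000; do
    item=${spec%%:*}; min=${spec##*:}
    for type in soft hard; do
      v=$(effective_limit "$conf" "$user" "$type" "$item")
      if meets_minimum "$v" "$min"; then
        echo "ok   $type $item = $v (min $min)"
      else
        echo "LOW  $type $item = $v (min $min)"; rc=1
      fi
    done
  done
  return $rc
}

# --- demo on constructed inputs ---
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/zoneinfo/Australia"
: > "$demo_dir/zoneinfo/Australia/Melbourne"
ln -s "$demo_dir/zoneinfo/Australia/Melbourne" "$demo_dir/localtime"
cat > "$demo_dir/limits.conf" <<'EOF'
# constructed limits.conf: the wildcard grants the guide's values, but a leftover
# explicit line caps the splunk user's hard nofile far below Splunk's minimum
*       soft nproc  16000
*       hard nproc  16000
*       soft nofile 64000
*       hard nofile 64000
splunk  hard nofile 4096
EOF
check_localtime "$demo_dir/localtime" "$demo_dir/zoneinfo"
check_splunk_limits "$demo_dir/limits.conf" splunk || echo "limits need fixing before Splunk starts"
rm -rf "$demo_dir"
```

Run the two check functions against the real paths (`/etc/localtime /usr/share/zoneinfo` and `/etc/security/limits.conf splunk`) after editing limits.conf; remember that pam_limits applies the new values only to sessions opened after the change, so log out and back in before trusting `ulimit -a`.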
Update the OS
$ sudo yum update -y
Splunk Installation
Download Splunk
Create the Splunk User
# groupadd splunk
# useradd -c splunk_software_owner -g splunk -d /home/splunk -m -s /bin/bash splunk
# passwd splunk
# gpasswd -a splunk wheel
Create the Splunk Directory
The default installation directory is /opt/splunk/. Make sure that the user splunk has write and execute permission for the /opt/splunk/ directory. Change the owner and group of /opt/splunk/ to the splunk user and group by issuing the following commands while logged in as root:
# mkdir /opt/splunk
# chown splunk:splunk /opt/splunk
RPM Installation
Log on to the server as the splunk user and execute the following. Verify the binary's hash before installing it:
[splunk@splunk ~]$ sudo yum install -y wget
[splunk@splunk ~]$ openssl dgst -md5 <filename-splunk-downloaded.zip>
or
[splunk@splunk ~]$ openssl dgst -sha512 <filename-splunk-downloaded.zip>
[splunk@splunk ~]$ chmod 744 splunk-*.rpm
[splunk@splunk ~]$ sudo rpm -i splunk-*.rpm
[splunk@splunk bin]$ sudo -H -u splunk /opt/splunk/bin/splunk start --accept-license
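The guide computes the digest with `openssl dgst` but leaves the comparison to the reader. The script below is an added example, not part of the original guide: it compares the computed SHA-512 against the value Splunk publishes next to the download (supplied by the caller, never derived from the file itself) and refuses to proceed on a mismatch. The `install_if_verified` gate is a hypothetical wrapper around the guide's `chmod 744` and `sudo rpm -i` steps; the demo file is a constructed stand-in for the RPM.

```shell
#!/bin/sh
# Hash verification for a downloaded Splunk package (added example, not from the original guide).
# The expected SHA-512 comes from Splunk's download page; the file is only trusted if it matches.

# file_sha512 FILE -> prints the lower-case hex SHA-512 of FILE
file_sha512() {
  if command -v openssl >/dev/null 2>&1; then
    openssl dgst -sha512 "$1" | sed 's/^.*= //'     # same tool the guide uses; strips "SHA512(file)= "
  else
    sha512sum "$1" | awk '{print $1}'               # coreutils fallback
  fi
}

# verify_package FILE EXPECTED_SHA512
#   returns 0 = match, 1 = mismatch (do not install), 2 = unusable input
verify_package() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')     # compare case-insensitively
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
  if [ "${#expected}" -ne 128 ] || printf '%s' "$expected" | grep -q '[^0-9a-f]'; then
    echo "expected value is not a SHA-512 hex digest" >&2; return 2
  fi
  actual=$(file_sha512 "$file") || return 2
  if [ "$actual" = "$expected" ]; then
    echo "OK   $file"
    return 0
  fi
  echo "FAIL $file" >&2
  echo "  expected: $expected" >&2
  echo "  actual:   $actual" >&2
  return 1
}

# install_if_verified FILE EXPECTED_SHA512 (hypothetical gate around the guide's install steps)
install_if_verified() {
  verify_package "$1" "$2" || return $?
  chmod 744 "$1"
  sudo rpm -i "$1"
}

# --- demo on a constructed file standing in for splunk-*.rpm ---
demo=$(mktemp)
printf 'constructed stand-in for a Splunk RPM\n' > "$demo"
published=$(file_sha512 "$demo")                  # in practice: copied from Splunk's download page
verify_package "$demo" "$published"
printf 'one extra byte' >> "$demo"                # simulate a corrupted or altered download
verify_package "$demo" "$published" || echo "rc=$? -> refusing to run rpm -i"
rm -f "$demo"
```

Paste the published digest as the second argument exactly as shown on the download page; the function accepts upper- or lower-case hex and rejects anything that is not a 128-character digest, so a truncated copy-and-paste fails closed instead of being compared.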
Firewall Modifications
- splunkd runs a Web server on port 8089 with SSL/HTTPS turned on by default.
- It also runs a Web server on port 8000 with SSL/HTTPS turned off by default.
Allow web access on port tcp 8000, syslog on udp 5514
# firewall-cmd --zone=public --permanent --add-port=8000/tcp
# firewall-cmd --zone=public --permanent --add-port=5514/udp
Forward syslog input to high port for non-root, allow port 80 for http
# firewall-cmd --direct --permanent --add-rule ipv4 nat PREROUTING 0 -p udp -m udp --dport 514 -j REDIRECT --to-ports 5514
# firewall-cmd --direct --permanent --add-rule ipv4 nat PREROUTING 0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8000
Reload firewall
# firewall-cmd --reload
First Time Login
U/N: admin
Thanks for sharing it. To be honest, I've tried following your guidelines, and they don't seem to be working on my machine.
Hey there! As a newbie in the world of CentOS7, I appreciate you sharing this guide on how to install Splunk 7. It looks like setting up the hostname and configuring NTP are crucial steps in the process. By the way, I heard that CentOS 7 has reached its end of life, which means no more updates or patches will be released. However, I also learned that TuxCare offers extended support for CentOS 7. You might want to check out their website https://tuxcare.com/extended-lifecycle-support/centos-7-extended-support/ to keep your system secure and up-to-date.