Trying Splunk Cloud
Splunk Cloud is the company’s hosted Splunk offering, residing in Amazon Web Services (AWS). You can register for a 15-day free trial of Splunk Cloud that will index 5 GB per day.
If you would like to follow along, you will need a computer with a Web browser to interact with Splunk Cloud. (There may be ways to interact via API, but I do not cover that here.)
I will collect logs from a virtual machine running Debian 9, inside Oracle VirtualBox.
First I registered for the free Splunk Cloud trial online.
After I had a Splunk Cloud instance running, I consulted the documentation for Forward data to Splunk Cloud from Linux. I am running a “self-serviced” instance and not a “managed instance,” i.e., I am the administrator in this situation.
I learned that I needed to install a software package called the Splunk Universal Forwarder on my Linux VM.
I downloaded a 64-bit Linux 2.6+ kernel .deb file to the /home/Downloads directory on the Linux VM.
richard@debian:~$ cd Downloads/
With elevated permissions I created a directory for the .deb, changed into the directory, and installed the .deb using dpkg.
richard@debian:~/Downloads$ sudo bash
[sudo] password for richard:
root@debian:/home/richard/Downloads# mkdir /opt/splunkforwarder
root@debian:/home/richard/Downloads# mv splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-amd64.deb /opt/splunkforwarder/
root@debian:/home/richard/Downloads# cd /opt/splunkforwarder/
root@debian:/opt/splunkforwarder# dpkg -i splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-amd64.deb
Selecting previously unselected package splunkforwarder.
(Reading database ... 141030 files and directories currently installed.)
Preparing to unpack splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-amd64.deb ...
Unpacking splunkforwarder (7.1.0) ...
Setting up splunkforwarder (7.1.0) ...
Next I changed into the bin directory, ran the splunk binary, and accepted the EULA.
root@debian:/opt/splunkforwarder# cd bin/
btool copyright.txt openssl slim splunkmon
btprobe genRootCA.sh pid_check.sh splunk srm
bzip2 genSignedServerCert.sh scripts splunkd
classify genWebCert.sh setSplunkEnv splunkdj
root@debian:/opt/splunkforwarder/bin# ./splunk start
SPLUNK SOFTWARE LICENSE AGREEMENT
THIS SPLUNK SOFTWARE LICENSE AGREEMENT ("AGREEMENT") GOVERNS THE LICENSING,
INSTALLATION AND USE OF SPLUNK SOFTWARE. BY DOWNLOADING AND/OR INSTALLING SPLUNK
SOFTWARE: (A) YOU ARE INDICATING THAT YOU HAVE READ AND UNDERSTAND THIS
Splunk Software License Agreement 04.24.2018
Do you agree with this license? [y/n]: y
Now I had to set an administrator password for this Universal Forwarder instance. I will refer to it as “mypassword” in the examples that follow, although Splunk does not echo it to the screen below.
This appears to be your first time running this version of Splunk.
An Admin password must be set before installation proceeds.
Password must contain at least:
* 8 total printable ASCII character(s).
Please enter a new password:
Please confirm new password:
Splunk> Map. Reduce. Recycle.
Checking mgmt port : open
New certs have been generated in '/opt/splunkforwarder/etc/auth'.
Checking conf files for problems...
Checking default conf files for edits...
Validating installed files against hashes from '/opt/splunkforwarder/splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-x86_64-manifest'
All installed files intact.
All preliminary checks passed.
Starting splunk server daemon (splunkd)...
Update: I installed the Universal Forwarder on FreeBSD 11.1 using the method above (except with a FreeBSD .tgz) and everything seems to be working!
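The same install, scripted so it can be repeated on more hosts without typing at prompts. This is an added example, not from the original post or from Splunk: it checks the downloaded .deb against a digest copied from the download page before dpkg runs, seeds the admin password through Splunk's documented etc/system/local/user-seed.conf instead of the interactive prompt, and accepts the license with the documented splunk start options. The digest value and password are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example (not the post's own commands): non-interactive Universal
# Forwarder install with package verification and a seeded admin password.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"

# Compare the package's SHA-512 with the digest published alongside the
# download (hex string copied by the caller). Non-zero return stops the install.
verify_package_checksum() {
    pkg="$1"
    expected="$2"
    actual=$(sha512sum "$pkg" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Write user-seed.conf so the first start sets the admin password without a
# prompt. Enforces the 8-character minimum shown in the post's output and keeps
# the file owner-readable only, since it holds the password in plain text.
write_user_seed() {
    home="$1"
    password="$2"
    [ "${#password}" -ge 8 ] || { echo "password must be at least 8 characters" >&2; return 1; }
    mkdir -p "$home/etc/system/local"
    ( umask 077
      printf '[user_info]\nUSERNAME = admin\nPASSWORD = %s\n' "$password" \
          > "$home/etc/system/local/user-seed.conf" )
}

# Full procedure: verify, install with dpkg, seed the password, start splunkd
# accepting the EULA (--accept-license --answer-yes --no-prompt are documented
# splunk start options), then delete the plain-text seed, which is only needed
# for the first start.
install_forwarder() {
    pkg="$1"; expected="$2"; password="$3"
    verify_package_checksum "$pkg" "$expected"
    dpkg -i "$pkg"
    write_user_seed "$SPLUNK_HOME" "$password"
    "$SPLUNK_HOME/bin/splunk" start --accept-license --answer-yes --no-prompt
    rm -f "$SPLUNK_HOME/etc/system/local/user-seed.conf"
}

# Usage: sudo ./install-uf.sh <package.deb> <expected-sha512-hex> <admin-password>
if [ "$#" -ge 3 ]; then
    install_forwarder "$@"
fi
```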