How to Install Splunk 7 on CentOS 7

in #splunk · 6 years ago (edited)

CentOS7 Configuration

Use this guide for setting up Splunk Enterprise on CentOS7. I use the minimal CD for installing CentOS7.

Configure a Hostname

Check the current hostname

# hostnamectl status

Set the hostname

# hostnamectl set-hostname splunk.server.local

Verify the hostname change

# hostnamectl status

Log out and log back in to ensure the hostname is displaying correctly.

Configure NTP

Configure NTP on the server.

# yum install -y ntp ntpdate

Edit the NTP configuration file. Replace the current NTP server addresses with localised Australian servers or the closest NTP server to your host.

# vi /etc/ntp.conf

server 0.au.pool.ntp.org
server 1.au.pool.ntp.org
server 2.au.pool.ntp.org
server 3.au.pool.ntp.org

Turn on the NTP daemon.

# systemctl start ntpd
# systemctl enable ntpd.service

Check the status of the NTP daemon

# systemctl status ntpd

Update the time at the command line if the NTP daemon has yet to be started.

# ntpdate 0.au.pool.ntp.org

Install the Time zone Package

Installing tzdata.noarch through yum installs the latest time zone data.

yum install -y tzdata.noarch

You should also check to make sure that the /etc/localtime link is pointing to a valid time zone. To do that, run the following command:

ls -altrh /etc/localtime

You should get a response similar to the one below, where the link target is your own time zone (here Australia/Melbourne):

lrwxrwxrwx. 1 root root 39 Jan 19 15:57 /etc/localtime -> /usr/share/zoneinfo/Australia/Melbourne

If this is not correct, run the following commands as user root:

# source /etc/sysconfig/clock
# mv /etc/localtime /etc/localtime.old
# ln -s /usr/share/zoneinfo/Australia/Melbourne /etc/localtime
# ls -altrh /etc/localtime

Increase File descriptor limits (FDs) on *nix systems

Usually, the default file descriptor limit (controlled by the ulimit -n command on a *nix-based OS) is 1024. Your Splunk administrator should determine the correct level. View the current settings with:

# ulimit -a

I have seen the values change with different versions of Splunk, so ensure you read Splunk's documentation to ensure you have the correct minimum values.

Source: http://docs.splunk.com/Documentation/Splunk/7.1.2/Installation/Systemrequirements

On the default version of CentOS 7 I need to change the Open Files and User Processes.

# vi /etc/security/limits.conf

* soft nproc 16000
* hard nproc 16000
* soft nofile 64000
* hard nofile 64000
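As an added example (not part of the original guide), the POSIX shell script below parses a limits.conf-style file and checks that the soft and hard limits for nofile and nproc meet the minimums the guide uses (64000 and 16000). It also handles the "-" type, which limits.conf treats as setting both soft and hard, and the value "unlimited". The sample file it writes is constructed for the demonstration; point check_limit at /etc/security/limits.conf on a real host.

```shell
#!/bin/sh
# Added example: validate per-user limits before starting Splunk.
# Minimums below are the values this guide sets for CentOS 7; confirm them
# against the Splunk system requirements for your version.

# limits_value FILE TYPE ITEM
# Prints the value from the last matching "<domain> <TYPE> <ITEM> <value>" line
# for domain '*'. A TYPE of '-' in the file sets both soft and hard, so it
# matches either request. Prints nothing if the item is not set.
limits_value() {
    awk -v type="$2" -v item="$3" '
        /^[[:space:]]*#/ || NF < 4 { next }   # skip comments and short lines
        $1 == "*" && ($2 == type || $2 == "-") && $3 == item { v = $4 }
        END { if (v != "") print v }
    ' "$1"
}

# check_limit FILE ITEM MINIMUM
# Returns 0 when both soft and hard limits for ITEM are >= MINIMUM (or
# "unlimited"), 1 otherwise. Prints a one-line verdict either way.
check_limit() {
    file=$1; item=$2; min=$3
    soft=$(limits_value "$file" soft "$item")
    hard=$(limits_value "$file" hard "$item")
    if [ -z "$soft" ] || [ -z "$hard" ]; then
        echo "$item: not set for '*' in $file (OS default, typically 1024, applies)"
        return 1
    fi
    for v in "$soft" "$hard"; do
        [ "$v" = "unlimited" ] && continue
        if [ "$v" -lt "$min" ]; then
            echo "$item: soft=$soft hard=$hard is below the minimum $min"
            return 1
        fi
    done
    echo "$item: soft=$soft hard=$hard ok (minimum $min)"
    return 0
}

# write_sample_limits FILE: constructed sample matching the guide's settings.
write_sample_limits() {
    cat > "$1" <<'EOF'
# constructed sample, not a real /etc/security/limits.conf
*    soft nproc  16000
*    hard nproc  16000
*    -    nofile 64000
EOF
}

# Demonstration on the constructed sample; both checks pass.
sample=$(mktemp)
write_sample_limits "$sample"
check_limit "$sample" nofile 64000
check_limit "$sample" nproc 16000
rm -f "$sample"
```

Run the two check_limit calls against /etc/security/limits.conf after editing it, then log out and back in (the new limits apply to new sessions) and confirm with ulimit -n as the splunk user.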

Update the OS

$ sudo yum update -y

Splunk Installation

Download Splunk

Create the Splunk User

# groupadd splunk
# useradd -c splunk_software_owner -g splunk -d /home/splunk -m -s /bin/bash splunk
# passwd splunk
# gpasswd -a splunk wheel

Create the Splunk Directory

The default installation directory is /opt/splunk/. Make sure that the user splunk has write and execute permission for the /opt/splunk/ directory. Change the owner and group of /opt/splunk/ to the splunk user and group by issuing the following commands while logged in as root:

# mkdir /opt/splunk
# chown splunk:splunk /opt/splunk

RPM Installation

Log on to the server as the splunk user and execute the following. Verify the downloaded binary's hash against the value published on the Splunk download page before installing it.

[splunk@splunk ~]$ sudo yum install -y wget
[splunk@splunk ~]$ openssl dgst -md5 <filename-splunk-downloaded.zip>

or

[splunk@splunk ~]$ openssl dgst -sha512 <filename-splunk-downloaded.zip>
[splunk@splunk ~]$ chmod 744 splunk-*.rpm
[splunk@splunk ~]$ sudo rpm -i splunk-*.rpm
[splunk@splunk bin]$ sudo -H -u splunk /opt/splunk/bin/splunk start --accept-license
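The guide prints the digest with openssl and leaves the comparison to the reader. As an added example (not from the original guide), the script below makes the comparison explicit and puts the rpm -i step behind it, so a package whose SHA-512 does not match the published value is never installed. Prefer the SHA-512 value over MD5 where Splunk publishes both; MD5 is not collision-resistant. The digest in the demonstration is computed from a constructed file, not a real Splunk release; copy the expected value for a real RPM from Splunk's download page. The DRY_RUN variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example: gate the RPM install on a SHA-512 match.

# file_sha512 FILE: print the hex SHA-512 digest. Uses sha512sum (coreutils)
# when present, then shasum, then openssl dgst as the guide does.
file_sha512() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{ print $1 }'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 512 "$1" | awk '{ print $1 }'
    else
        openssl dgst -sha512 "$1" | awk '{ print $NF }'
    fi
}

# verify_digest FILE EXPECTED: 0 when the digest matches (hex case ignored),
# 1 otherwise. Both digests are printed on a mismatch to aid the investigation.
verify_digest() {
    actual=$(file_sha512 "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
        echo "OK: $1 matches the expected SHA-512"
        return 0
    fi
    echo "MISMATCH: $1 does not match the expected SHA-512" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# install_if_verified RPM EXPECTED: refuse to install unless the digest matches.
# Set DRY_RUN=1 to print the install command instead of running it.
install_if_verified() {
    verify_digest "$1" "$2" || return 1
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "would run: sudo rpm -i $1"
        return 0
    fi
    sudo rpm -i "$1"
}

# Demonstration on a constructed file (no real RPM, no install): the expected
# value is computed here; for a real download it comes from Splunk's site.
demo=$(mktemp)
printf 'constructed sample content, not a Splunk package\n' > "$demo"
published=$(file_sha512 "$demo")
DRY_RUN=1
install_if_verified "$demo" "$published"
rm -f "$demo"
```

On a real host, run install_if_verified splunk-<version>.rpm <sha512-from-download-page> with DRY_RUN unset; a mismatch leaves the system untouched and prints both digests.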

Firewall Modifications

  • splunkd runs a Web server on port 8089 with SSL/HTTPS turned on by default.
  • It also runs a Web server on port 8000 with SSL/HTTPS turned off by default.

Allow web access on TCP port 8000 and syslog on UDP port 5514.

# firewall-cmd --zone=public --permanent --add-port=8000/tcp
# firewall-cmd --zone=public --permanent --add-port=5514/udp

Redirect inbound syslog (UDP 514) to a high port that the non-root splunk user can bind, and redirect port 80 to 8000 so plain HTTP reaches Splunk Web.

# firewall-cmd --direct --permanent --add-rule ipv4 nat PREROUTING 0 -p udp -m udp --dport 514 -j REDIRECT --to-ports 5514
# firewall-cmd --direct --permanent --add-rule ipv4 nat PREROUTING 0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8000

Reload firewall

# firewall-cmd --reload

First Time Login

U/N: admin

Thanks for sharing it. To be honest, I've tried following your guidelines, and they don't seem to be working on my machine.

Hey there! As a newbie in the world of CentOS7, I appreciate you sharing this guide on how to install Splunk 7. It looks like setting up the hostname and configuring NTP are crucial steps in the process. By the way, I heard that CentOS 7 has reached its end of life, which means no more updates or patches will be released. However, I also learned that TuxCare offers extended support for CentOS 7. You might want to check out their website https://tuxcare.com/extended-lifecycle-support/centos-7-extended-support/ to keep your system secure and up-to-date.