I started by installing two fresh copies of CentOS 5.5 on two different VMs in VirtualBox. Both used the same configuration: 512MB RAM and 2 CPU cores.
Fig. 1 – VM Snapshot.
Fig. 2 – For the purpose of this tutorial we called the server machine “server1”.
Step 1: Sign up for an account at http://www.splunk.com/download and download splunk-5.0.2-149561-linux-2.6-x86_64.rpm (or whatever the latest version of Splunk is).
Fig 3 – Downloading the rpm file with wget
Step 2: Install Splunk using: rpm -i splunk-5.0.2.rpm
Fig 4 – Splunk installation
Step 3: Start Splunk using: /opt/splunk/bin/splunk start. On the first run you have to agree to the license.
Fig 5 – Splunk starting and adding to boot
Step 4: Allow ports 8000 and 8089 through iptables.
Fig 6 – iptables
Step 5: Go to the web interface, log in with the default username and password, and change the password.
Fig 7 – Splunk welcome page
Go to Launch search app.
Click "A file or directory of files".
Choose "Consume any file on the Splunk server".
As the path to your data I used /var/log/.
This is the configuration for handling the server's local logs.
Step 6: Enable receiving on the Splunk server.
Fig 8 – Receiving enabled on port 9997 and iptables configured
Installing Splunk Universal Forwarder on CentOS 5.5
We moved to server2 to install Splunk Universal Forwarder.
Step 1: Download Splunk Forwarder from http://www.splunk.com/download/universalforwarder
Fig 1 – Downloading Universal Forwarder
Step 2: Start Universal Forwarder using /opt/splunkforwarder/bin/splunk start. The first time you will have to agree to the license.
Fig 2 – Starting Universal Forwarder and enabling start at boot
Step 3: Add your index server with /opt/splunkforwarder/bin/splunk add forward-server 192.168.1.115:9997 (where 192.168.1.115 is server1).
Fig 3 – Adding forward-server and monitor
Now if you go back to http://server1:8000, log in and go to Launch search app, you should see the log files from both server1 and server2 indexed, as in the next screenshot.
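As an added example (not part of the original tutorial), a small POSIX shell script that checks the finished setup from the steps above: that server1 is really receiving on 9997, that server2's forwarder points at it, and that the firewall rules for 9997 and the 8000/8089 management ports are restricted to specific source hosts rather than open to any address. The config paths and stanza names are my assumptions about what enabling receiving and `splunk add forward-server` write to inputs.conf and outputs.conf; the sample files and the forwarder address 192.168.1.116 are constructed.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Stanza names and file layout
# are assumptions about how Splunk 5 records receiving (inputs.conf) and
# forward-servers (outputs.conf); adjust them to match your installation.

# 0 if inputs.conf has an enabled [splunktcp://PORT] stanza (receiving is on).
receiving_enabled() {   # $1 = inputs.conf, $2 = port, e.g. 9997
    awk -v port="$2" '
        /^\[/ { hit = ($0 == "[splunktcp://" port "]"); if (hit) found = 1 }
        hit && /^disabled[ \t]*=[ \t]*(1|true)/ { found = 0 }
        END   { exit !found }' "$1"
}

# 0 if outputs.conf lists HOST:PORT among the tcpout servers.
forwards_to() {         # $1 = outputs.conf, $2 = host:port, e.g. 192.168.1.115:9997
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -Eq "^server[[:space:]]*=([[:space:]]*[^,]*,)*[[:space:]]*$pat[[:space:]]*(,|\$)" "$1"
}

# 0 if every iptables-save ACCEPT rule for tcp/PORT carries a source restriction;
# 1 if there is no such rule, or one that lets any host connect (no -s/--source).
port_restricted() {     # $1 = iptables-save output, $2 = port
    rules=$(grep -E -- "-p tcp .*--dport $2 .*-j ACCEPT" "$1") || return 1
    ! printf '%s\n' "$rules" | grep -Evq -- '(-s|--source) '
}

# Constructed sample files (not real Splunk/iptables output) so the checks run offline.
write_samples() {       # $1 = directory
    printf '[splunktcp://9997]\ndisabled = 0\n' > "$1/inputs.conf"
    printf '[tcpout]\ndefaultGroup = default-autolb-group\n\n' > "$1/outputs.conf"
    printf '[tcpout:default-autolb-group]\nserver = 192.168.1.115:9997\n' >> "$1/outputs.conf"
    {
        echo '-A INPUT -s 192.168.1.116/32 -p tcp -m tcp --dport 9997 -j ACCEPT'
        echo '-A INPUT -p tcp -m tcp --dport 8000 -j ACCEPT'
    } > "$1/iptables.txt"
}

main() {
    d=$(mktemp -d) && write_samples "$d"
    receiving_enabled "$d/inputs.conf" 9997 && echo "server1: receiving on 9997"
    forwards_to "$d/outputs.conf" 192.168.1.115:9997 && echo "server2: forwards to server1"
    port_restricted "$d/iptables.txt" 9997 || echo "9997: open to any host"
    port_restricted "$d/iptables.txt" 8000 || echo "8000: open to any host, restrict to admin hosts"
    rm -rf "$d"
}
main "$@"
```

On a real server, point the functions at $SPLUNK_HOME/etc/.../inputs.conf, /opt/splunkforwarder/etc/system/local/outputs.conf and the output of `iptables-save` instead of the sample directory.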