VMware admin / Splunk noob: install and configure Splunk


In a previous post, I described how to get the most out of vSphere logs. One of the most powerful tools on the market is certainly Splunk. Splunk's licensing model is based on the daily amount of log data an installed system can handle. There is a totally free license, limited to 500 Mb per day and lacking many additional modules (the one for VMware is among those), and there is the Enterprise edition, starting from 500 Mb per day (with many more features) at 5000 USD for a perpetual license or 2000 USD for a yearly subscription, with the price increasing from there as the log volume increases.

It is certainly not a product for everybody, but its power really justifies its price.

In this first article, I will show you how to install and configure Splunk.

For my tests, I used a virtual machine with CentOS 6.4 64 bit. Many operating systems are supported: you can also use Windows or Solaris, or even FreeBSD or Mac OS X.

Once you have registered on the Splunk website, you can download the installer binary, in my case an RPM file (38 MB in size). The installation has very few prerequisites, and you can check all of them before starting on this web page.

The installation process is really simple, since it’s only one command:

rpm -i splunk-5.0.2-149561-linux-2.6-x86_64.rpm

Once Splunk is installed, you can start it manually, or, even better, register Splunk as a service started at boot. To do so, the command is:

/opt/splunk/bin/splunk enable boot-start

In this way, Splunk is registered into the CentOS services, and to start it you can run the usual service syntax:

[root@splunk ~]# service splunk start
Starting Splunk...
Splunk> Take the sh out of IT.
Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking configuration... Done.
Checking indexes...
Creating: /opt/splunk/var/lib/splunk
Creating: /opt/splunk/var/run/splunk
Creating: /opt/splunk/var/run/splunk/appserver/i18n
Creating: /opt/splunk/var/run/splunk/appserver/modules/static/css
Creating: /opt/splunk/var/run/splunk/upload
Creating: /opt/splunk/var/spool/splunk
Creating: /opt/splunk/var/spool/dirmoncache
Creating: /opt/splunk/var/lib/splunk/authDb
Creating: /opt/splunk/var/lib/splunk/hashDb
Validated databases: _audit _blocksignature _internal _thefishbucket history main summary
New certs have been generated in '/opt/splunk/etc/auth'.
Checking filesystem compatibility... Done
Checking conf files for typos... Done
All preliminary checks passed.
Starting splunk server daemon (splunkd)... Done
[ OK ]
Starting splunkweb... Generating certs for splunkweb server
Generating a 1024 bit RSA private key
writing new private key to 'privKeySecure.pem'
Signature ok
Getting CA Private Key
unable to write 'random state'
writing RSA key
[ OK ]
If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com
The Splunk web interface is at http://splunk:8000
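
The three commands above (install the RPM, enable boot-start, start the service) can be wrapped into a small script that also reads the startup transcript back, so you know which ports Splunk opened and how strong the key it generated for the web interface is. The transcript shows "Generating a 1024 bit RSA private key", which is below the 2048-bit minimum that current guidance requires, so the self-signed certificate in /opt/splunk/etc/auth is something you will want to replace. This is an added example, not code from the original post or from Splunk; the RPM file name and the /opt/splunk paths are those shown in the post, the package name "splunk" for the rpm -q check is an assumption, and the sample transcript is constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example (not from the original post or from Splunk): wraps the install
# steps into functions and parses the startup transcript for the facts an admin
# should verify. Assumptions: RPM name and /opt/splunk paths as in the post;
# the installed package is named "splunk" (assumption).

SPLUNK_HOME=/opt/splunk
SPLUNK_RPM=${SPLUNK_RPM:-splunk-5.0.2-149561-linux-2.6-x86_64.rpm}

# Steps from the post; run only on request, since they need root and the RPM.
# The rpm -q guard makes the function safe to re-run on an already installed host.
install_splunk() {
    rpm -q splunk >/dev/null 2>&1 || rpm -i "$SPLUNK_RPM"
    "$SPLUNK_HOME/bin/splunk" enable boot-start
    service splunk start
}

# Print the port Splunk reported for a role (http or mgmt), taken from the
# "Checking http port [8000]: open" lines of the startup transcript on stdin.
startup_port() {
    role=$1
    sed -n "s/^Checking $role port \[\([0-9]*\)\]: open\$/\1/p"
}

# Print the RSA key size splunkweb generated for its self-signed certificate,
# taken from the "Generating a 1024 bit RSA private key" line on stdin.
startup_key_bits() {
    sed -n 's/^Generating a \([0-9]*\) bit RSA private key$/\1/p'
}

# Succeed (exit 0) only if the generated key is at least 2048 bits; a 1024-bit
# key, as shown in the post, fails this check and should be replaced.
key_is_acceptable() {
    bits=$1
    [ "$bits" -ge 2048 ]
}

# Constructed sample: the relevant lines of the transcript shown in the post.
SAMPLE_TRANSCRIPT='Checking http port [8000]: open
Checking mgmt port [8089]: open
Generating a 1024 bit RSA private key'

# Run the three install steps only when invoked as: sh thisscript.sh install
if [ "${1:-}" = "install" ]; then
    install_splunk
fi

# Review the constructed transcript (replace with the real output of
# "service splunk start" on your host).
printf '%s\n' "$SAMPLE_TRANSCRIPT" | startup_port http
printf '%s\n' "$SAMPLE_TRANSCRIPT" | startup_port mgmt
bits=$(printf '%s\n' "$SAMPLE_TRANSCRIPT" | startup_key_bits)
if key_is_acceptable "$bits"; then
    echo "web cert key: $bits bits, acceptable"
else
    echo "web cert key: $bits bits, replace the certificate in $SPLUNK_HOME/etc/auth"
fi
```

On a real host, pipe the output of "service splunk start" into the two parsing functions instead of the constructed sample; the two ports it prints are the ones to restrict in the firewall to the administrators who need them, and the management port (8089) in particular should not be reachable from the networks whose logs you collect.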


Once Splunk is started, as suggested at the end of the service startup, you can log in to the web interface to configure and manage it. After being forced to change the admin password (excellent move!), you will see the startup page:

Splunk Home Page

Going into the Manager menu in the upper right, you can configure the Licensing and Settings:

Splunk Manager options

In the next articles, I will show you how to connect a vSphere environment to Splunk to collect and analyze data.

One thought on “VMware admin / Splunk noob: install and configure Splunk”

  1. Pretty! This has been an incredibly wonderful post.
    Many thanks for providing this information.
