In a previous post, I described how is possible to manage at best vSphere logs. One of the most powerful tools existing on the market is for sure Splunk. The licensing model of Splunk is based on the daily amount of log an installed system can handle. There is a totally free license, limited to 500 Mb daily amount and without many additional modules (and the one for VMware is among those), or the Enterprise edition, starting from 500 Mb (and many more features) at 5000 USD for the perpetual license or 2000 USD for the year subscription, increasing then from here as log amount increases.
It’s not for sure a product for everybody, but its power really justifies its price.
In this first article, I will show you how to install and configure Splunk.
for my tests, I used a virtual machine with CentOS 6.4 64 bit. There are many supported operating systems, and you can also use Windows or Solaris, or even FreeBSD or Mac OS X.
Once you registered yourself into the Splunk website, you can download the installer binary, in my case an RPM file (38 MB in size). The installation requires really few prerequisites, and you can check everything before starting in this web page.
The installation process is really simple, since it’s only one command:
rpm -i splunk-5.0.2-149561-linux-2.6-x86_64.rpm
Once Splunk is installed, you can start it manually, or even better you can register Splunk as a service to be started at boot. To do so, the command is:
/opt/splunk/bin/splunk enable boot-start
In this way, Splunk is registered into the CentOS services, and to start it you can run the usual service syntax:
[root@splunk ~]# service splunk start Starting Splunk... Splunk> Take the sh out of IT. Checking prerequisites... Checking http port : open Checking mgmt port : open Checking configuration... Done. Checking indexes... Creating: /opt/splunk/var/lib/splunk Creating: /opt/splunk/var/run/splunk Creating: /opt/splunk/var/run/splunk/appserver/i18n Creating: /opt/splunk/var/run/splunk/appserver/modules/static/css Creating: /opt/splunk/var/run/splunk/upload Creating: /opt/splunk/var/spool/splunk Creating: /opt/splunk/var/spool/dirmoncache Creating: /opt/splunk/var/lib/splunk/authDb Creating: /opt/splunk/var/lib/splunk/hashDb Validated databases: _audit _blocksignature _internal _thefishbucket history main summary Done New certs have been generated in '/opt/splunk/etc/auth'. Checking filesystem compatibility... Done Checking conf files for typos... Done All preliminary checks passed. Starting splunk server daemon (splunkd)... Done [ OK ] Starting splunkweb... Generating certs for splunkweb server Generating a 1024 bit RSA private key ..............................................................++++++ ............................................................++++++ writing new private key to 'privKeySecure.pem' ----- Signature ok subject=/CN=splunk/O=SplunkUser Getting CA Private Key unable to write 'random state' writing RSA key [ OK ] Done If you get stuck, we're here to help. Look for answers here: http://docs.splunk.com The Splunk web interface is at http://splunk:8000
Once Splunk is started, as suggested during the service startup, you can login into the web interface to configure and manage it. After forcing the admin password change (excellent move!), you will find the startup page:
Going into the Manager menu in the upper right, you can configure the Licensing and Settings:
In the next articles, I will show you how to connect a vSphere environment to Splunk to collect and analyze data.