In a previous post, I described how to best manage vSphere logs. One of the most powerful tools on the market is certainly Splunk. Splunk's licensing model is based on the daily amount of log data an installed system can handle. There is a completely free license, limited to 500 Mb per day and without many of the additional modules (the one for VMware is among those), and the Enterprise edition, starting from 500 Mb (and many more features) at 5000 USD for the perpetual license or 2000 USD for the yearly subscription, with the price rising from there as the log volume increases.
It is certainly not a product for everybody, but its power really justifies its price.
In this first article, I will show you how to install and configure Splunk.
For my tests, I used a virtual machine with CentOS 6.4 64-bit. Many operating systems are supported: you can also use Windows or Solaris, or even FreeBSD or Mac OS X.
Once you have registered on the Splunk website, you can download the installer binary, in my case an RPM file (38 MB in size). The installation has very few prerequisites, and you can check everything before starting on this web page.
The installation process is really simple, since it’s only one command:
rpm -i splunk-5.0.2-149561-linux-2.6-x86_64.rpm
Once Splunk is installed, you can start it manually or, even better, register Splunk as a service to be started at boot. To do so, the command is:
/opt/splunk/bin/splunk enable boot-start
In this way, Splunk is registered among the CentOS services, and you can start it with the usual service syntax:
[root@splunk ~]# service splunk start
Splunk> Take the sh out of IT.
Checking http port : open
Checking mgmt port : open
Checking configuration... Done.
Validated databases: _audit _blocksignature _internal _thefishbucket history main summary
New certs have been generated in '/opt/splunk/etc/auth'.
Checking filesystem compatibility... Done
Checking conf files for typos... Done
All preliminary checks passed.
Starting splunk server daemon (splunkd)... Done
[ OK ]
Starting splunkweb... Generating certs for splunkweb server
Generating a 1024 bit RSA private key
writing new private key to 'privKeySecure.pem'
Getting CA Private Key
unable to write 'random state'
writing RSA key
[ OK ]
If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com
The Splunk web interface is at http://splunk:8000
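As an added example, not part of the original post, the following POSIX shell script checks the output of `service splunk start` for the items an administrator should confirm before opening the web interface: the preliminary checks, the splunkd startup, the size of the RSA key behind the generated splunkweb certificate, and whether the web interface is announced on plain HTTP. The sample log is constructed from the output shown above, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the output of
# `service splunk start` for the things to confirm before opening the UI.
# The log below is constructed from the output shown above; on a real host
# run: service splunk start 2>&1 | tee start.log; check_splunk_start "$(cat start.log)"
SAMPLE_LOG='Checking http port : open
Checking mgmt port : open
Checking configuration... Done.
All preliminary checks passed.
Starting splunk server daemon (splunkd)... Done
Starting splunkweb... Generating certs for splunkweb server
Generating a 1024 bit RSA private key
The Splunk web interface is at http://splunk:8000'

# Size in bits of the RSA key generated for splunkweb (empty if absent).
splunk_web_key_bits() {
    printf '%s\n' "$1" | sed -n 's/^Generating a \([0-9][0-9]*\) bit RSA private key.*/\1/p' | head -n 1
}

# Web interface URL announced at startup (empty if absent).
splunk_web_url() {
    printf '%s\n' "$1" | sed -n 's/^The Splunk web interface is at \(http[^ ]*\).*/\1/p' | head -n 1
}

# Return 0 when startup is healthy and the web tier is sanely configured;
# otherwise print each finding and return 1.
check_splunk_start() {
    log=$1; rc=0
    printf '%s\n' "$log" | grep -q '^All preliminary checks passed' \
        || { echo 'FAIL: preliminary checks did not pass'; rc=1; }
    printf '%s\n' "$log" | grep -q '^Starting splunk server daemon (splunkd)... Done' \
        || { echo 'FAIL: splunkd did not start'; rc=1; }
    bits=$(splunk_web_key_bits "$log")
    # 1024-bit RSA (what this Splunk build generates) is below today's floor
    if [ -z "$bits" ] || [ "$bits" -lt 2048 ]; then
        echo "WARN: splunkweb key is ${bits:-unknown} bits; install a cert with a >=2048-bit key"
        rc=1
    fi
    url=$(splunk_web_url "$log")
    case $url in
        https://*) echo "OK: web UI at $url" ;;
        http://*)  echo "WARN: web UI on plain HTTP at $url; enable HTTPS before exposing it"; rc=1 ;;
        *)         echo 'FAIL: web UI address not announced'; rc=1 ;;
    esac
    return $rc
}

check_splunk_start "$SAMPLE_LOG" && echo 'Splunk start looks healthy'
```

Run against the startup output above, the script flags the 1024-bit key and the plain-HTTP web interface and exits non-zero; it passes once both are fixed.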
Once Splunk is started, as suggested at the end of the service startup output, you can log in to the web interface to configure and manage it. After forcing you to change the admin password (excellent move!), it shows the startup page:
In the Manager menu in the upper right, you can configure Licensing and Settings:
In the next articles, I will show you how to connect a vSphere environment to Splunk to collect and analyze data.