
Splunk Server & Forwarder on AWS EC2

Install and Setup Splunk Enterprise Server and Splunk Universal Forwarder on an AWS EC2 instance.

Link to my notes on Notion

Video on YouTube


Index

  • Create EC2 Instance
  • Splunk Enterprise Server
  • Splunk Universal Forwarder

Create EC2 Instance

  • Launch creation of an EC2 instance - Launch Instance
  • Set Name as splunk and leave the rest of the defaults
  • Set Key pair as one you created or Create a new key pair (RSA and .pem format) and Launch Instance button to create the EC2 instance
  • Navigate to the new instance and grab the public IPv4 address
  • SSH into the instance
  • Perform an update
sudo yum update

Splunk Enterprise Server

  • On the Splunk Enterprise download page, select Linux and click the Download button for the .rpm package
  • Cancel the browser download prompt and copy the wget command shown for downloading Splunk
  • Run the wget command in the terminal to download the install file, then install the Splunk .rpm package
wget -O splunk-9.0.2-17e00c557dc1-linux-2.6-x86_64.rpm "https://download.splunk.com/products/splunk/releases/9.0.2/linux/splunk-9.0.2-17e00c557dc1-linux-2.6-x86_64.rpm"

sudo yum install ./splunk-9.0.2-17e00c557dc1-linux-2.6-x86_64.rpm
  • Start the Splunk server as root
sudo bash

cd /opt/splunk/bin

./splunk start --accept-license --answer-yes
  • Enter an administrator username and password; remember these, as you will need them to log into the web interface
  • In AWS navigate to the EC2 instance Security groups
  • Edit inbound rules
  • Add rule to open port 8000 and Save rules
  • Under Messages a warning is shown (the screenshot is not reproduced here); it has to be fixed for Splunk to work
  • Navigate to Settings > Server settings and then General settings
  • Under Index settings, change "Pause indexing if free disk space (in MB) falls below" from 5000 to 50 and Save

Splunk Universal Forwarder

  • On the Universal Forwarder download page, select Linux, then in the 64-bit section click the Download button for the .rpm package
  • Cancel the download popup window and copy the wget command
  • Open the terminal, exit from the root user and return to the home directory
  • Run the wget command, then install the forwarder
wget -O splunkforwarder-9.0.2-17e00c557dc1-linux-2.6-x86_64.rpm "https://download.splunk.com/products/universalforwarder/releases/9.0.2/linux/splunkforwarder-9.0.2-17e00c557dc1-linux-2.6-x86_64.rpm"

sudo yum install ./splunkforwarder-9.0.2-17e00c557dc1-linux-2.6-x86_64.rpm
  • Change to the splunkforwarder bin directory and start the forwarder
sudo bash

cd /opt/splunkforwarder/bin

./splunk start --accept-license --answer-yes
  • Enter a username and password
  • When prompted, set the forwarder's management port to 9089 so it does not conflict with the Splunk server (which uses the default 8089)
  • Set the forwarder to send data to the Splunk server on port 9997; you will be asked for the username and password again
./splunk add forward-server 3.137.207.15:9997
  • Set the forwarder to monitor the /var/log directory, then restart it
./splunk add monitor /var/log

./splunk restart
  • On the Splunk server, enable receiving on port 9997 and restart it
cd /opt/splunk/bin

./splunk enable listen 9997

./splunk restart
  • In AWS navigate to Security groups and again Edit inbound rules
  • Add a rule for port 9997 and Save rules
  • Log into Splunk again
  • Go to the Splunk home page
  • Go to Search & Reporting
  • Select the Data Summary button
  • Under the Hosts tab both the server and the forwarder should be listed; select the first host link
  • The search results should show logs from the /var/log location
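The forwarder and server steps above can be captured as Splunk .conf files instead of interactive CLI commands. This added example (not part of the original notes) writes the settings that add forward-server, add monitor and enable listen produce, and checks that the forwarder's target port matches the server's listening port; the directory argument is assumed so the files can be generated somewhere scratch and reviewed before being copied into /opt/splunkforwarder/etc or /opt/splunk/etc.

```bash
#!/usr/bin/env bash
# Added example: reproduce the forwarder/server setup from the notes as .conf
# files. <etc_dir> is an assumed argument (use a scratch directory first).
set -eu

# Forwarder side: where to send, what to watch, and the management port.
# Usage: write_forwarder_conf <etc_dir> <server_host:port> <monitor_path> <mgmt_port>
write_forwarder_conf() {
  local etc="$1" target="$2" path="$3" mgmt="$4"
  mkdir -p "$etc/system/local"
  # Equivalent of: ./splunk add forward-server 3.137.207.15:9997
  cat > "$etc/system/local/outputs.conf" <<EOF
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = $target

[tcpout-server://$target]
EOF
  # Equivalent of: ./splunk add monitor /var/log
  cat > "$etc/system/local/inputs.conf" <<EOF
[monitor://$path]
disabled = false
EOF
  # Equivalent of answering 9089 at the management-port prompt on first start,
  # so the forwarder does not collide with the server's default 8089.
  cat > "$etc/system/local/web.conf" <<EOF
[settings]
mgmtHostPort = 127.0.0.1:$mgmt
EOF
}

# Server side: equivalent of ./splunk enable listen 9997
write_indexer_listen_conf() {
  local etc="$1" port="$2"
  mkdir -p "$etc/system/local"
  cat > "$etc/system/local/inputs.conf" <<EOF
[splunktcp://$port]
disabled = 0
EOF
}

# Sanity check before opening the security group: the forwarder must point at
# the same port the server receives on. Returns 0 on match, 1 otherwise.
check_ports_match() {
  local fwd_port idx_port
  fwd_port=$(sed -n 's/^server = .*:\([0-9]*\)$/\1/p' "$1/system/local/outputs.conf")
  idx_port=$(sed -n 's/^\[splunktcp:\/\/\([0-9]*\)\]$/\1/p' "$2/system/local/inputs.conf")
  [ -n "$fwd_port" ] && [ "$fwd_port" = "$idx_port" ]
}
```

Run write_forwarder_conf on the forwarder host and write_indexer_listen_conf on the server, then restart each ./splunk instance as in the steps above so the new files are read.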
