Follow

Installation of Splunk on Endian UTM Appliance

Applies to Platform: UTM 2.5, UTM 3.0.X
Updated on: 2nd of November 2012

This lesson guides you in the installation, on an Endian UTM Appliance, of Splunk, an application that indexes data (especially log files) and helps in their visualisation and analysis.

Due to the resources required to generate graphs and indexes, it is suggested to not install Splunk on a mini ARM.

Requirements

In order to install splunk, make sure you have:

  • A workstation to access the Splunk home page, register, and download the package.
  • Access to the console of your Endian UTM Appliance (either via serial console or SSH)
  • A software to copy the downloaded package to your Endian UTM Appliance
  • Acquaintance with the use of the Linux shell

Installation and First Start

To download Splunk, it is necessary to go to the Splunk website: From here, select the package splunk-4.3.4-136012.i386.rpm. If you do not yet have an account, you will be asked to create one, otherwise you can proceed to login and download the package.

Once the download has finished, copy the RPM file to your Endian UTM Appliance, then log in to the CLI.

Note

We will use the following conventions: /var/opt/ is the Splunk's installation directory and 1004:1004 are splunk's UID and GID, respectively.

To install Splunk go to the directory where you saved the rpm file and issue the following command:

root@endian:~# rpm -i --prefix=/var/opt/ splunk-4.3.4-136012.i386.rpm

After the installation, make a copy of the file /etc/passwd, then modify the file as follows. Find the lines starting with nobody and splunk (they may not be one after the other):

nobody:x:99:99:Nobody:/home/nobody:/bin/false
splunk:x:1004:1004:Splunk Server:/var/opt/splunk:/bin/sh

Change them as follows:

nobody:x:99:99:Nobody:/home/nobody:/bin/sh
splunk:x:1004:1004:Splunk Server:/var/opt/splunk:/bin/false

Warning

The UIDs and GIDs appearing here (99, 1004) may be different from those actually present in your system. Do not change them!

Now give the the nobody user ownership to the whole Splunk's installation directory :

root@endian:~# chown -R nobody: /var/opt/splunk

Create a init script fir Splunk, so it can start automatically at boot:

root@endian:~# /var/opt/splunk/bin/splunk enable boot-start -user nobody

To allow splunk's start at boot, edit the file start.local is in directory /var/efw/inithooks:

root@endian:~# nano /var/efw/inithooks/start.local

If the file does not exist, it will be created. Make sure that the files containes as first line:

#!/bin/sh

and add at the end the following line:

/etc/init.d/splunk start

 Make sure that the file has execution permissions:

root@endian:~# chmod 755 /var/efw/inithooks/start.local

You are now done with the cooking! Verify that Splunk is correctly working by issuing the start command:

root@endian:~# /etc/init.d/splunk start

Troubleshooting

There are basically two possible sources of problem during the startup of Splunk.

  1. "Permission denied" errors may be solved by issuing again the command
    root@endian:~# chown -R nobody: /var/opt/splunk/
  2. The problem is that Splunk can not be launched, since the default port (8000) is closed or used by some application. On the Endian UTM Appliances, port 8000 is normally not used. The cause of problem in this case may be found either in another service using the port 8000 or in the firewall blocking access to that port. In the first case, check if port 8000 is in use, issue the following command:
    root@endian:~# netstat -pant | grep 8000
    If you receive an output containing the string 0.0.0.0:8000, the port is occupied and you need to select another port for splunk.  Edit the file /var/opt/splunk/etc/system/default/web.conf, find the httpport option and modify the value 8000, by choosing a port that is not in use by any other service, then restart splunk:
    root@endian:~# /etc/init.d/splunk restart
    If you still receive no output, then probably the firewall disallows the access to port 8000. You need to create a firewall rule that allows port 8000 to be accessed, from Menubar > Firewall > Sistem access.
Was this article helpful?
2 out of 2 found this helpful
Have more questions? Submit a request

Comments

  • Avatar
    Davuthan YAMAN

    not work latest version of splunk 6.1.1 

    and --relocate option needed

    error: Failed dependencies:

    libcom_err.so.2()(64bit) is needed by splunk-6.1.1-207789.x86_64

    libc.so.6()(64bit) is needed by splunk-6.1.1-207789.x86_64

    libc.so.6(GLIBC_2.2.5)(64bit) is needed by splunk-6.1.1-207789.x86_64

    libc.so.6(GLIBC_2.3.2)(64bit) is needed by splunk-6.1.1-207789.x86_64

    libc.so.6(GLIBC_2.3.3)(64bit) is needed by splunk-6.1.1-207789.x86_64

    libc.so.6(GLIBC_2.3.4)(64bit) is needed by splunk-6.1.1-207789.x86_64

    libc.so.6(GLIBC_2.3)(64bit) is needed by splunk-6.1.1-207789.x86_64

    libdl.so.2()(64bit) is needed by splunk-6.1.1-207789.x86_64

    libdl.so.2(GLIBC_2.2.5)(64bit) is needed by splunk-6.1.1-207789.x86_64

    libgssapi_krb5.so.2()(64bit) is needed by splunk-6.1.1-207789.x86_64

    libk5crypto.so.3()(64bit) is needed by splunk-6.1.1-207789.x86_64

    libkrb5.so.3()(64bit) is needed by splunk-6.1.1-207789.x86_64

    libm.so.6()(64bit) is needed by splunk-6.1.1-207789.x86_64

    libm.so.6(GLIBC_2.2.5)(64bit) is needed by splunk-6.1.1-207789.x86_64

    libpthread.so.0()(64bit) is needed by splunk-6.1.1-207789.x86_64

    libpthread.so.0(GLIBC_2.2.5)(64bit) is needed by splunk-6.1.1-207789.x86 _64

    libpthread.so.0(GLIBC_2.3.2)(64bit) is needed by splunk-6.1.1-207789.x86 _64

    libresolv.so.2()(64bit) is needed by splunk-6.1.1-207789.x86_64

    librt.so.1()(64bit) is needed by splunk-6.1.1-207789.x86_64

    librt.so.1(GLIBC_2.2.5)(64bit) is needed by splunk-6.1.1-207789.x86_64

    libutil.so.1()(64bit) is needed by splunk-6.1.1-207789.x86_64

    libutil.so.1(GLIBC_2.2.5)(64bit) is needed by splunk-6.1.1-207789.x86_64

  • Avatar
    Endian Support Team

    Hi, apparently you're trying to install splunk 64bit, which is the wrong architecture.