Installation of Splunk on Endian UTM Appliance

Applies to Platform: UTM 2.5, UTM 3.0.X
Updated on: 2nd of November 2012

This guide walks you through installing Splunk, an application that indexes data (especially log files) and helps with their visualisation and analysis, on an Endian UTM Appliance.

Because indexing and graph generation are resource-hungry, installing Splunk on a Mini ARM appliance is not recommended.


In order to install Splunk, make sure you have:

  • A workstation from which to access the Splunk home page, register, and download the package.
  • Access to the console of your Endian UTM Appliance (either via serial console or SSH).
  • A tool (for example scp) to copy the downloaded package to your Endian UTM Appliance.
  • Familiarity with the Linux shell.

Installation and First Start

To download Splunk, go to the Splunk website and select the package splunk-4.3.4-136012.i386.rpm. If you do not yet have an account, you will be asked to create one; otherwise log in and download the package.

Once the download has finished, copy the RPM file to your Endian UTM Appliance, then log in to the CLI as root.


We will use the following conventions: /var/opt/ is the installation prefix (so Splunk ends up in /var/opt/splunk) and 1004:1004 are the UID and GID of the splunk user created by the package.

To install Splunk go to the directory where you saved the rpm file and issue the following command:

root@endian:~# rpm -i --prefix=/var/opt/ splunk-4.3.4-136012.i386.rpm

After the installation, make a backup copy of /etc/passwd, then edit the file as follows. Find the lines for the users nobody and splunk (they are not necessarily adjacent). The splunk line looks like this:

splunk:x:1004:1004:Splunk Server:/var/opt/splunk:/bin/sh

Replace the login shell in the last field with /bin/false, so that the account cannot be used for an interactive or SSH login; do the same for the nobody line if it still carries a real shell:

splunk:x:1004:1004:Splunk Server:/var/opt/splunk:/bin/false


The UIDs and GIDs shown here (99 for nobody, 1004 for splunk) may differ from those on your system. Do not change them: only the shell field is edited.

Now give the nobody user ownership of the whole Splunk installation directory, so that the service can run without root privileges:

root@endian:~# chown -R nobody: /var/opt/splunk

Create an init script for Splunk that runs it as the nobody user, so that it can start automatically at boot:

root@endian:~# /var/opt/splunk/bin/splunk enable boot-start -user nobody

To make the appliance start Splunk at boot, edit the file start.local in the directory /var/efw/inithooks:

root@endian:~# nano /var/efw/inithooks/start.local

If the file does not exist, nano creates it. Make sure that its first line is the interpreter (shebang) line for the shell that should run it, then add the following line at the end:

/etc/init.d/splunk start

Make sure that the file has execute permissions:

root@endian:~# chmod 755 /var/efw/inithooks/start.local

The setup is now complete. Verify that Splunk works correctly by issuing the start command below. Once it is running, the web interface listens on port 8000 (see the troubleshooting notes if that port is unavailable); change the administrator password at your first login, before exposing the port to any network.

root@endian:~# /etc/init.d/splunk start
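The steps above, gathered into a small set of shell functions. This is an added example written for this article, not code shipped by Endian or Splunk; it assumes the names used above (the /var/opt prefix, the splunk and nobody accounts, the /var/efw/inithooks/start.local hook) and, since the article does not print it, uses #!/bin/sh as the interpreter line of start.local. The functions that only touch files (lock_login_shell, write_start_local and their checks) can be tried on copies before install_splunk is run as root on the appliance.

```shell
#!/bin/sh
# Added example for this article (not Endian's or Splunk's own code).
# Assumptions: install prefix /var/opt, accounts "splunk" and "nobody",
# inithook /var/efw/inithooks/start.local, as used in the article; the
# interpreter line written into start.local (#!/bin/sh) is an assumption,
# since the article does not print it.
set -eu

SPLUNK_HOME=/var/opt/splunk
START_LOCAL=/var/efw/inithooks/start.local
HOOK_SHEBANG='#!/bin/sh'          # assumption, see above
START_LINE='/etc/init.d/splunk start'

# Set the login shell of the given accounts to /bin/false so they cannot be
# used for interactive or SSH logins. Works on any passwd-style file, keeps a
# timestamped backup and leaves the UID/GID fields exactly as they are.
lock_login_shell() {
    passwd_file=$1; shift
    cp -p "$passwd_file" "$passwd_file.bak.$(date +%Y%m%d%H%M%S)"
    tmp="$passwd_file.tmp.$$"
    awk -F: -v OFS=: -v users="$*" '
        BEGIN { n = split(users, u, " "); for (i = 1; i <= n; i++) lock[u[i]] = 1 }
        ($1 in lock) { $7 = "/bin/false" }
        { print }
    ' "$passwd_file" > "$tmp"
    mv "$tmp" "$passwd_file"
}

# Return 0 if the account's shell is /bin/false, 1 otherwise.
shell_is_locked() {
    awk -F: -v u="$1" '$1 == u { print $7 }' "$2" | grep -qx '/bin/false'
}

# Create or complete the inithook: interpreter line first, the start command
# exactly once, execute permissions set. Safe to run repeatedly.
write_start_local() {
    hook=$1
    if [ ! -s "$hook" ]; then
        printf '%s\n' "$HOOK_SHEBANG" > "$hook"
    elif [ "$(head -n 1 "$hook")" != "$HOOK_SHEBANG" ]; then
        # keep the existing body but put the interpreter line first
        { printf '%s\n' "$HOOK_SHEBANG"; cat "$hook"; } > "$hook.tmp.$$"
        mv "$hook.tmp.$$" "$hook"
    fi
    grep -qxF "$START_LINE" "$hook" || printf '%s\n' "$START_LINE" >> "$hook"
    chmod 755 "$hook"
}

# Return 0 if the hook is executable, starts with the interpreter line and
# contains the start command.
start_local_ok() {
    [ -x "$1" ] && [ "$(head -n 1 "$1")" = "$HOOK_SHEBANG" ] && grep -qxF "$START_LINE" "$1"
}

# The whole procedure, to be run as root on the appliance with the path of
# the downloaded RPM as argument.
install_splunk() {
    rpm -i --prefix=/var/opt/ "$1"
    lock_login_shell /etc/passwd splunk nobody
    chown -R nobody: "$SPLUNK_HOME"
    "$SPLUNK_HOME/bin/splunk" enable boot-start -user nobody
    write_start_local "$START_LOCAL"
    /etc/init.d/splunk start
}
```

Source the file on the appliance and call `install_splunk /path/to/splunk-4.3.4-136012.i386.rpm`, or run the individual functions by hand; `shell_is_locked splunk /etc/passwd` and `start_local_ok /var/efw/inithooks/start.local` give a quick pass/fail check of the two hand-edited files.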


There are basically two possible sources of problems during the startup of Splunk.

  1. "Permission denied" errors usually mean that some file under the installation directory is still owned by root. Re-run the ownership command:
    root@endian:~# chown -R nobody: /var/opt/splunk/
  2. Splunk cannot be launched, or its web interface cannot be reached, because the default port (8000) is already used by another application or blocked by the firewall. On Endian UTM Appliances port 8000 is normally not used. To find out whether another service is using it, issue the following command:
    root@endian:~# netstat -pant | grep 8000
    If the output contains a line whose Local Address ends in :8000 and whose State is LISTEN, the port is occupied and you need to choose another port for Splunk (a bare grep for 8000 also matches PIDs and unrelated ports such as 18000, so check those columns rather than just the presence of output). Do not edit /var/opt/splunk/etc/system/default/web.conf, which is overwritten on upgrade; instead create /var/opt/splunk/etc/system/local/web.conf with a [settings] stanza whose httpport option is set to a port not used by any other service, then restart Splunk:
    root@endian:~# /etc/init.d/splunk restart
    If no other service is listening on port 8000 but the web interface is still unreachable, the firewall is probably blocking access to it. Create a rule in Menubar > Firewall > System access that allows access to port 8000, and restrict its source to the zone or addresses from which administrators connect rather than opening it to every network.
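A more precise version of the port check in item 2, together with the web.conf change done in the local configuration layer. This is an added example written for this article, not code from Endian or Splunk; the netstat lines in SAMPLE_NETSTAT are constructed sample data, not output captured from an appliance, and the function names are the example's own.

```shell
#!/bin/sh
# Added example for this article (not Endian's or Splunk's own code): a port
# check that looks at the right netstat columns, and the web.conf edit placed
# in etc/system/local so that a Splunk upgrade does not overwrite it.
set -eu

# Constructed netstat -pant style output: sshd on 22, another process on
# 8000, and an outbound connection whose *foreign* port is 18000 (a naive
# "grep 8000" matches this line too).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      2345/python
tcp        0      0 192.168.0.15:44321      10.0.0.9:18000          ESTABLISHED 3456/curl'

# Return 0 if some process is LISTENing on TCP port $1 according to the
# netstat -pant text in $2. Only the local-address column and the LISTEN
# state count, so PIDs, foreign ports and ports like 18000 are ignored.
port_in_use() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $6 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Print the first port >= $1 that is free according to the netstat text in $2.
pick_free_port() {
    candidate=$1
    while port_in_use "$candidate" "$2"; do
        candidate=$((candidate + 1))
    done
    printf '%s\n' "$candidate"
}

# Point Splunk Web at port $2 by writing $1/etc/system/local/web.conf.
# Settings in local/ override default/ and survive package upgrades.
# Prints the path of the file written.
set_splunk_web_port() {
    conf_dir="$1/etc/system/local"
    mkdir -p "$conf_dir"
    printf '[settings]\nhttpport = %s\n' "$2" > "$conf_dir/web.conf"
    printf '%s\n' "$conf_dir/web.conf"
}

# Read the httpport value back from a web.conf written by set_splunk_web_port.
configured_web_port() {
    awk -F'[ =]+' '$1 == "httpport" { print $2 }' "$1"
}

# Live use on the appliance (feeds real netstat output to the checks):
#   live=$(netstat -pant)
#   if port_in_use 8000 "$live"; then
#       set_splunk_web_port /var/opt/splunk "$(pick_free_port 8001 "$live")"
#       /etc/init.d/splunk restart
#   fi
```

If port_in_use reports nothing on 8000 yet the interface is unreachable from your workstation, netstat cannot tell you more: that is the firewall case, and the System access rule is what to check next.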