Applies to Platform: UTM 2.5, UTM 3.0.X
Updated on: 2nd of November 2012
This lesson guides you in the installation, on an Endian UTM Appliance, of Splunk, an application that indexes data (especially log files) and helps in their visualisation and analysis.
Due to the resources required to generate graphs and indexes, it is suggested to not install Splunk on a mini ARM.
In order to install Splunk, make sure you have:
- A workstation to access the Splunk home page, register, and download the package.
- Access to the console of your Endian UTM Appliance (either via serial console or SSH)
- Software to copy the downloaded package to your Endian UTM Appliance
- Familiarity with the Linux shell
Installation and First Start
To download Splunk, go to the Splunk website: from there, select the package splunk-4.3.4-136012.i386.rpm. If you do not yet have an account, you will be asked to create one; otherwise, log in and download the package.
Once the download has finished, copy the RPM file to your Endian UTM Appliance, then log in to the CLI.
To install Splunk, go to the directory where you saved the RPM file and issue the following command:
root@endian:~# rpm -i --prefix=/var/opt/ splunk-4.3.4-136012.i386.rpm
After the installation, make a backup copy of the file /etc/passwd, then modify the file as follows. Find the lines starting with nobody and splunk (they may not be adjacent):
Change them as follows:
Now give the nobody user ownership of the whole Splunk installation directory:
root@endian:~# chown -R nobody: /var/opt/splunk
Create an init script for Splunk, so that it starts automatically at boot:
root@endian:~# /var/opt/splunk/bin/splunk enable boot-start -user nobody
To allow Splunk to start at boot, edit the file start.local in the directory /var/efw/inithooks:
root@endian:~# nano /var/efw/inithooks/start.local
If the file does not exist, it will be created. Make sure that the file contains as its first line:
and add the following line at the end:
Make sure that the file has execution permissions:
root@endian:~# chmod 755 /var/efw/inithooks/start.local
You are now done with the cooking! Verify that Splunk is working correctly by issuing the start command:
root@endian:~# /etc/init.d/splunk start
There are basically two possible sources of problems during the startup of Splunk.
- "Permission denied" errors may be solved by issuing the command again:
root@endian:~# chown -R nobody: /var/opt/splunk/
- Splunk cannot be launched because its default port (8000) is closed or already used by another application. On the Endian UTM Appliances, port 8000 is normally not used. The cause in this case may be either another service using port 8000 or the firewall blocking access to that port. For the first case, check whether port 8000 is in use by issuing the following command:
root@endian:~# netstat -pant | grep 8000
If you receive output containing the string 0.0.0.0:8000, the port is occupied and you need to select another port for Splunk. Edit the file /var/opt/splunk/etc/system/default/web.conf, find the httpport option and change the value 8000 to a port that is not in use by any other service, then restart Splunk:
root@endian:~# /etc/init.d/splunk restart
If instead you receive no output, then the firewall probably disallows access to port 8000. You need to create a firewall rule that allows port 8000 to be accessed, from Menubar > Firewall > System access.
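As an added example, not part of the original article, the port check above in a stricter form: a plain `grep 8000` on netstat output also matches PIDs, port 18000 or a client-side port, while this only reports a socket in LISTEN state bound to exactly that port, and then proposes the first free port to put into httpport. The helpers `port_in_use` and `first_free_port` are hypothetical, and the netstat output is a constructed sample.

```shell
#!/bin/sh
# Added example, not Endian's or Splunk's own code.

# port_in_use PORT NETSTAT_OUTPUT -> exit 0 if a LISTEN socket is bound to PORT.
# Column 4 of `netstat -pant` is "addr:port" (IPv4) or ":::port" (IPv6);
# only the part after the last colon is compared, as a whole token.
port_in_use() {
    port=$1
    shift
    printf '%s\n' "$*" | awk -v p="$port" '
        $6 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] == p) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# first_free_port START NETSTAT_OUTPUT -> prints the first port >= START
# that nothing is listening on, a candidate value for httpport in web.conf.
first_free_port() {
    candidate=$1
    shift
    while port_in_use "$candidate" "$@"; do
        candidate=$((candidate + 1))
    done
    echo "$candidate"
}

# Constructed sample of `netstat -pant` output (hypothetical daemons):
# 8000 and 8001 are taken, 18000 would fool a plain grep, 8443 is a
# remote port of an outgoing connection and must not count.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      1234/somedaemon
tcp        0      0 :::8001                 :::*                    LISTEN      1235/otherdaemon
tcp        0      0 0.0.0.0:18000           0.0.0.0:*               LISTEN      1236/another
tcp        0      0 10.0.0.1:45000          10.0.0.2:8443           ESTABLISHED 1237/client'

if port_in_use 8000 "$SAMPLE"; then
    alt=$(first_free_port 8000 "$SAMPLE")
    echo "port 8000 is busy: set httpport = $alt in web.conf, then /etc/init.d/splunk restart"
else
    echo "port 8000 is free: check the firewall (Menubar > Firewall > System access)"
fi
```

On the appliance itself, replace the constructed SAMPLE with `"$(netstat -pant)"`.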