Install and Configure Splunk Indexer

Written by Alex DiMuzio on the 27th Aug 2021

Exported on 27-Aug-2021 15:55:58

Using Attune to install and configure a Splunk Indexer

This blueprint installs and configures a Splunk Indexer. Splunk is used an a centralized log repository or SIEM
Pre-Blueprint Attune setup
  1. On the Inputs tab, create a Linux node for the host you wish to install Splunk on.
  2. On the Inputs tab, create Linux credentials to connect to the host you wish to install Splunk on.
  3. On the Inputs tab, create a basic credential that you wish to use for the Splunk admin user.
Blueprint Steps
  1. Pull down latest version of Splunk and unpack it to the default install directory
  2. Create a dedicated, limited access user for Splunk to run as**
  3. The Splunk installation prompts for credentials for an admin user. Since we are trying to automate without user interaction, we need to set the credentials up in our Attune Inputs and pass the values into a file in the Splunk directory.
  4. For security purposes, we want to enable the built-in firewall. We need to add Splunk related ports as well as SSH for remote access.
  5. The final steps ensures that the Splunk application directory has the correct permissions, and that Splunk is started with the dedicated splunk user to avoid running it as root. We also configure Splunk to start upon server boot, so that the system can be restarted without us forgetting to start Splunk back up and losing log data.

Parameters

Name Type Script Reference Default Value Comment
Host_Creds Linux OS Credential host_creds
Hostname Linux / Unix Server hostname
Splunk Admin Generic Credential splunkAdmin

1 - Download and Install latest version of Splunk

The connection details have changed from the last step.

Login as user on node

Connect via SSH 
ssh user@hostname
This is a Bash Script make sure you run it with bash -l from a terminal session 
#check if Splunk is already installed
if [ -d "/opt/splunk/bin" ]
then
    echo "Splunk is already installed"
else

#download latest version of Splunk 
wget -O splunk-latest.tgz "https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=latest&product=splunk&filename=.tgz&wget=true"

#unpack the downloaded installer .tgz to the default Splunk install directory /opt/splunk
sudo tar -xzf splunk-latest.tgz -C /opt/

#remove installer
rm -f splunk.latest.tgz

fi

2 - Create Splunk User

Login as user on node

Connect via SSH 
ssh user@hostname
This is a Bash Script make sure you run it with bash -l from a terminal session 
#add splunk user
if ( useradd splunk )
then
    echo "Successfully created splunk user"
else
    echo "User already exists"
fi


#add splunk group
if ( groupadd splunk )
then
    echo "Successfully created splunk group"
else 
    echo "Group already exists"
fi

3 - Create Splunk Admin Creds File

This step has the following parameters

Name Script Reference Default Value
Splunk Admin {splunkAdmin.password} None

Login as user on node

Connect via SSH 
ssh user@hostname
This is a Bash Script make sure you run it with bash -l from a terminal session 
#create user-seed.conf file that Splunk accepts to set admin credentials without user interaction
sudo touch /opt/splunk/etc/system/local/user-seed.conf

#pass Splunk admin credentials into file
sudo cat <<EOF > /opt/splunk/etc/system/local/user-seed.conf
[user_info]
USERNAME = admin
PASSWORD = {splunkAdmin.password}
EOF

4 - Open Firewall Ports

Login as user on node

Connect via SSH 
ssh user@hostname
This is a Bash Script make sure you run it with bash -l from a terminal session 
#allow access to Splunk UI in firewall
sudo ufw allow 8000

#allow access to receive logs on default Splunk receiving port
sudo ufw allow 9997

#allow ssh access in firewall so we don't like ourselves out
sudo ufw allow ssh

#enable the firewall
sudo ufw enable

5 - Configure Splunk

Login as user on node

Connect via SSH 
ssh user@hostname
This is a Bash Script make sure you run it with bash -l from a terminal session 
#make splunk user the owner of splunk dir
chown -R splunk:splunk /opt/splunk

#start Splunk to accept license agreement
sudo runuser -l splunk -c "/opt/splunk/bin/splunk start --accept-license --answer-yes"

#configure Splunk to start on boot
sudo /opt/splunk/bin/splunk enable boot-start