Download the package from the official site and install it:
rpm -i --prefix=/opt/splunk splunk-6.1.3-220630-linux-2.6-x86_64.rpm
Add the splunk executable to PATH:
export SPLUNK_HOME=/opt/splunk/splunk
export PATH=$SPLUNK_HOME/bin:$PATH
Accept the license when prompted; after a couple of seconds the installation is finished.
Point your browser to http://localhost:8000 for the Splunk web interface.
Go to the machine whose logs you want to collect and install the Splunk forwarder there:
rpm -i --prefix=/opt/splunk-forwarder splunkforwarder-6.1.3-220630-linux-2.6-x86_64.rpm
Add the forwarder to PATH:
export SPLUNK_HOME=/opt/splunk-forwarder/splunkforwarder
export PATH=$SPLUNK_HOME/bin:$PATH
Add init scripts so the forwarder starts at boot:
splunk enable boot-start
On the index server, enable receiving of forwarded data:
splunk enable listen 9997
On the forwarder, add the index server to its list of forward servers:
splunk add forward-server index_fqdn:9997 # where index_fqdn is the fully qualified address or IP of the index server
Run the following command to have the forwarder monitor the log file you need:
splunk add monitor /var/log/messages -index main -sourcetype syslog
This creates the file /opt/splunk-forwarder/splunkforwarder/etc/apps/search/local/inputs.conf with the following content:
[monitor:///var/log/messages]
disabled = false
index = main
sourcetype = syslog
Now add the data on the index server; in other words, tell the index server that we want to collect the logs coming from our forwarder:
splunk add udp 9997 -sourcetype _json
After that, open Search in the web UI and you will see your messages.
That's it for now.
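As an added check, not part of the original guide: a small POSIX shell script that parses the inputs.conf shown above and the outputs.conf that the forward-server command writes on the forwarder, and confirms that /var/log/messages is monitored (not disabled) and that the forwarder sends to the port enabled with `splunk enable listen 9997`. Both config contents are constructed samples; the `[tcpout]` / `[tcpout:default-autolb-group]` stanza layout of outputs.conf is an assumption.

```shell
#!/bin/sh
# Added example, not the original how-to's code: sanity-check a forwarder's config.
set -eu

# Constructed sample: inputs.conf as produced by `splunk add monitor ... -index main -sourcetype syslog`
SAMPLE_INPUTS='[monitor:///var/log/messages]
disabled = false
index = main
sourcetype = syslog'

# Constructed sample: outputs.conf as produced by `splunk add forward-server index_fqdn:9997`
# (stanza names are an assumption)
SAMPLE_OUTPUTS='[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = index_fqdn:9997'

# Print the value of KEY inside the stanza whose header equals STANZA exactly.
# Usage: conf_get "<file contents>" "<stanza header>" "<key>"
conf_get() {
    printf '%s\n' "$1" | awk -v want="$2" -v key="$3" '
        /^\[/ { in_stanza = ($0 == want); next }
        in_stanza && $1 == key && $2 == "=" { print $3; exit }'
}

# Succeed only if LOGPATH has a monitor stanza and that stanza is not disabled.
monitor_enabled() {   # $1 = inputs.conf contents, $2 = log path
    d=$(conf_get "$1" "[monitor://$2]" disabled)
    [ -n "$d" ] && [ "$d" = "false" ]
}

# Print the receiver (host:port) of the default tcpout group.
forward_target() {   # $1 = outputs.conf contents
    g=$(conf_get "$1" "[tcpout]" defaultGroup)
    conf_get "$1" "[tcpout:$g]" server
}

# Combined check: the log is monitored and the forwarder targets the expected receiving port.
check_forwarder() {   # $1 = inputs contents, $2 = outputs contents, $3 = log path, $4 = expected port
    monitor_enabled "$1" "$3" || { echo "monitor for $3 missing or disabled"; return 1; }
    t=$(forward_target "$2")
    [ "${t##*:}" = "$4" ] || { echo "forwarder sends to '$t', expected port $4"; return 1; }
    echo "ok: $3 -> $t"
}

check_forwarder "$SAMPLE_INPUTS" "$SAMPLE_OUTPUTS" /var/log/messages 9997
```

To check a real forwarder, replace the sample strings with `$(cat "$SPLUNK_HOME/etc/apps/search/local/inputs.conf")` and `$(cat "$SPLUNK_HOME/etc/system/local/outputs.conf")` (the outputs.conf location is an assumption).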