How to Install Splunk on RHEL 9 and CentOS 9: A Step-by-Step Guide
Splunk is a powerful platform for searching, monitoring, and analyzing machine-generated data. From security information and event management (SIEM) to operational intelligence, Splunk provides critical insights into your IT infrastructure. If you’re running Red Hat Enterprise Linux (RHEL) 9 or CentOS Stream 9, deploying Splunk is a straightforward process that can unlock immense value.
This guide provides a clear, step-by-step walkthrough for installing Splunk Enterprise on your RHEL 9 or CentOS 9 system. We will cover everything from initial download to starting the service and accessing the web interface for the first time.
Prerequisites: Preparing Your System for Splunk
Before beginning the installation, it’s crucial to ensure your server is properly prepared. A few moments of preparation can prevent common issues down the line.
- A running instance of RHEL 9 or CentOS 9.
- Sudo or root access to execute administrative commands.
- An active internet connection to download the Splunk software package.
- Minimum system requirements: While Splunk can run on modest hardware for testing, a production environment typically requires at least a 2-core CPU, 12 GB of RAM, and sufficient disk space for your data.
Step 1: Download the Splunk Enterprise RPM Package
The first step is to obtain the correct installation package from the Splunk website. Splunk provides an RPM package specifically for Red Hat-based systems, which makes the installation process clean and simple.
- Navigate to the Splunk Enterprise Download Page.
- You will need to create a free Splunk account if you don’t already have one.
- Select the Linux tab and choose the .RPM package.
- You can either download the file directly through your browser or, for server environments, copy the download link provided by the
wgetcommand.
Using the command line is often more efficient. Right-click the download button and copy the link address. Then, use wget in your server’s terminal to download the file directly.
wget -O splunk-enterprise.rpm 'COPIED_DOWNLOAD_LINK'
Replace COPIED_DOWNLOAD_LINK with the actual URL you copied from the website.
Step 2: Install Splunk Using the RPM Package
With the RPM file downloaded, you can now install it using the dnf package manager (the successor to yum). This command will install Splunk Enterprise into the /opt/splunk directory by default.
Open your terminal and navigate to the directory where you downloaded the RPM file. Then, run the following command:
sudo dnf install ./splunk-enterprise-*.rpm
The system will prompt you to confirm the installation. Type y and press Enter to proceed. The package manager will handle all the necessary file placements and initial setup.
Step 3: Start and Enable the Splunk Service
After the installation is complete, the Splunk service is ready to be started. The first time you start Splunk, you must accept the license agreement.
To start the service and automatically accept the license, use the following command:
sudo /opt/splunk/bin/splunk start --accept-license
You will be prompted to create an administrator username and password. Choose a strong, unique password and store it securely, as this will be your primary administrative login for the Splunk web interface.
For production environments, you’ll want Splunk to start automatically whenever the server reboots. To enable this behavior, run the boot-start command:
sudo /opt/splunk/bin/splunk enable boot-start -user splunk
This command configures systemd to manage the Splunk service. Using the -user splunk flag is a best practice for security, ensuring the service runs under its own unprivileged user account rather than as root.
Step 4: Configure Your Firewall to Access the Web UI
By default, Splunk’s web interface runs on port 8000. On RHEL 9 and CentOS 9, the system firewall will likely block this port. You must create a rule to allow incoming traffic on this port to access the interface from your network.
Use the firewall-cmd utility to permanently open port 8000:
sudo firewall-cmd --add-port=8000/tcp --permanent
After adding the rule, you must reload the firewall for the changes to take effect:
sudo firewall-cmd --reload
This is a critical step; without it, you will not be able to reach the Splunk login page.
Step 5: Log In and Get Started
You have now successfully installed and configured Splunk Enterprise. To access the web interface, open a browser and navigate to your server’s IP address on port 8000:
http://<your_server_ip>:8000
You will be greeted by the Splunk login page. Enter the administrator username and password you created during the initial start-up process.
Congratulations! You are now ready to start adding data sources, installing apps from Splunkbase, and building powerful dashboards to analyze your data.
Basic Splunk Service Management
To manage the Splunk service, you can use the same executable located in /opt/splunk/bin/. Here are a few essential commands:
- Check the status of the service:
bash
sudo /opt/splunk/bin/splunk status
- Stop the service:
bash
sudo /opt/splunk/bin/splunk stop
- Restart the service:
bash
sudo /opt/splunk/bin/splunk restart
Following these steps ensures a clean, secure, and robust Splunk installation on your RHEL 9 or CentOS 9 system, setting a solid foundation for your data analysis and monitoring needs.
Source: https://infotechys.com/install-splunk-on-rhel-9-or-centos-9/
