SPL 100: Installing Splunk on Red Hat Linux (15 pts)

Purpose

To prepare a Red Hat Linux server on Google Cloud and install Splunk Enterprise. Don't use another Linux distribution, such as Debian, because later we'll add Splunk SOAR, which is not supported on them.

What You Need

Local Installation

If you don't want to use Google Cloud, you can install Red Hat Linux locally instead as explained in this project:

SPL 110: Local Installation of Red Hat Linux (10 pts)

Using Google Cloud

If you are already using Google Cloud, skip ahead to "Creating a Red Hat Server". If not, do this project first:
H 201: Google Cloud Linux Server

Creating a Red Hat Server

Create a cloud machine with 4 vCPU and 16 GB RAM, as shown below. Give it a descriptive name, such as redhat8.

Choose a Boot Disk of "Red Hat Enterprise Linux 8" and Adjust the disk size to 100 GB, as shown below.

Accept the default settings for the other options.

Opening an SSH Window

In the Google Cloud Console, on the "VM instances" page, on the line for your Red Hat server, on the right side, click SSH, as shown below.

A message appears, saying "Transferring SSH keys to the VM". After a few seconds, it asks you to authorize the connection.

Click Authorize. An SSH window opens.

Creating a "splunk" User

Execute the commands below to create a user account named "splunk", as shown below.
sudo adduser splunk
sudo passwd splunk
Enter a password twice, such as R@bbit!!

Installing Splunk

Now execute these commands to install Splunk, as shown below. The third command takes about 30 seconds to complete. Before running it, you can compare the downloaded file's SHA-512 hash with the checksum Splunk publishes on its download page for this release, so you know the package was not altered in transit.
sudo yum install wget -y

wget https://download.splunk.com/products/splunk/releases/9.1.1/linux/splunk-9.1.1-64e843ea36b1.x86_64.rpm

sudo rpm -i splunk-*.rpm
ls -l /opt/ | grep splunk
Notice that installation created the /opt/splunk directory and assigned "splunk" (the account you just created) as its owner, as shown below. That ownership is what lets Splunk run without root privileges in the steps that follow.

Now execute this command to switch to the "splunk" user:

su - splunk
Enter the password you chose, such as R@bbit!!

Execute this command:

/opt/splunk/bin/splunk start --accept-license
Enter an administrator username of admin

Enter a password twice, such as R@bbit!!

You should see a message showing that the Splunk web interface is available on port 8000, as shown below.

Next we need to stop Splunk, configure it to start automatically, and start it again.

Execute these commands, as shown below.

/opt/splunk/bin/splunk stop
exit
sudo /opt/splunk/bin/splunk enable boot-start -systemd-managed 1

sudo reboot

After a few seconds, reconnect to the server and execute this command:

sudo ss -plnt
You see a "splunkd" process listening on port 8000 (Splunk Web), as shown below. It also listens on port 8089, the management port; that one should stay closed to the Internet.

To see the running processes, execute this command:

ps aux | grep splunk
You see that all splunk processes are running under the "splunk" account, not as root, as shown below. (One line of the output is the grep command itself, which runs as your own account.) If any splunk process shows root as its owner, the boot-start setup did not pick up the right account: stop Splunk, disable boot-start, and enable it again with the additional option -user splunk on the enable boot-start command.
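The two checks above can be automated. The script below is an added example, not part of this project or of Splunk's own tooling. It parses text in the format of "ss -plnt" and "ps aux", confirms that ports 8000 and 8089 are owned by splunkd, and confirms that no splunk-related process runs as root (ignoring the grep that produced the listing). The sample outputs embedded in it are constructed for the example, not captured from a real server; run it with --live on the Red Hat server to check the real output instead.

```shell
#!/bin/sh
# Post-install check for the Splunk layout built on this page (added example, not
# from the page or from Splunk). Expected state: splunkd owns the LISTEN sockets on
# 8000 (Splunk Web) and 8089 (management), and nothing splunk-related runs as root.

# listener_owner SS_OUTPUT PORT: print the process name owning the LISTEN socket on PORT.
# SS_OUTPUT is text in the format produced by `ss -plnt`. Prints nothing if no match.
listener_owner() {
  printf '%s\n' "$1" | awk -v port="$2" '
    $1 == "LISTEN" && $4 ~ (":" port "$") {
      if (match($0, /users:\(\("[^"]+"/)) {
        # the matched text looks like users:(("splunkd" ; keep only the name
        print substr($0, RSTART + 9, RLENGTH - 10)
        exit
      }
    }'
}

# root_splunk_procs PS_OUTPUT: print how many splunk-related processes run as root.
# PS_OUTPUT is text in the format of `ps aux`; the grep that produced it is skipped.
root_splunk_procs() {
  printf '%s\n' "$1" | awk '
    NR > 1 && $1 == "root" && $0 ~ /splunk/ && $0 !~ /grep/ { n++ }
    END { print n + 0 }'
}

# verify_splunk SS_OUTPUT PS_OUTPUT: report each check; return 0 only if all pass.
verify_splunk() {
  local ss_out="$1" ps_out="$2" ok=0 port owner n
  for port in 8000 8089; do
    owner=$(listener_owner "$ss_out" "$port")
    if [ "$owner" = splunkd ]; then
      echo "ok   port $port is owned by splunkd"
    else
      echo "FAIL port $port is owned by '${owner:-nothing}', expected splunkd"
      ok=1
    fi
  done
  n=$(root_splunk_procs "$ps_out")
  if [ "$n" -eq 0 ]; then
    echo "ok   no splunk processes run as root"
  else
    echo "FAIL $n splunk process(es) run as root; re-run enable boot-start with -user splunk"
    ok=1
  fi
  return "$ok"
}

# Constructed sample outputs (not captured from a real host) in the format of the two commands.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:8000       0.0.0.0:*         users:(("splunkd",pid=1402,fd=86))
LISTEN 0      128    0.0.0.0:8089       0.0.0.0:*         users:(("splunkd",pid=1402,fd=50))
LISTEN 0      128    127.0.0.1:8191     0.0.0.0:*         users:(("mongod",pid=1533,fd=11))'

SAMPLE_PS='USER   PID %CPU %MEM    VSZ   RSS TTY   STAT START TIME COMMAND
splunk 1402  3.1  5.2 912340 86000 ?     Sl   10:02 0:12 splunkd -p 8089 _internal_launch_under_systemd
splunk 1533  0.5  2.0 512340 32000 ?     Sl   10:02 0:02 mongod --dbpath /opt/splunk/var/lib/splunk/kvstore/mongo
root   2044  0.0  0.0   9000  1000 pts/0 S+   10:05 0:00 grep --color=auto splunk'

# With --live, check the running server; otherwise run against the constructed samples.
if [ "${1:-}" = "--live" ]; then
  verify_splunk "$(sudo ss -plnt)" "$(ps aux)"
else
  verify_splunk "$SAMPLE_SS" "$SAMPLE_PS"
fi
```

The port match anchors on ":PORT" at the end of the local-address column, so 18000 is not mistaken for 8000 and IPv6 wildcard addresses such as [::]:8000 are handled. The process-name extraction takes the first name inside the users:(( ... )) field, which is the owning process for a single-process listener like splunkd.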

Opening Port 8000 in the Google Cloud Firewall

In Google Cloud Console, at the top left, click the three-bar icon.

On the left side, point to "VPC network" and click Firewall, as shown below.

At the top center of the next page, click "CREATE FIREWALL RULE".

Enter these fields, as shown below:

Leave all other values at their defaults. At the bottom, click the blue CREATE button.

This rule exposes Splunk Web, which this project serves over plain HTTP, to whatever source range the rule allows. If you can, limit the source IP range to your own public address instead of allowing all addresses, and open only TCP port 8000; leave the management port 8089 closed.

Finding your Public IP Address

In the Google Cloud console, on the left side, point to "Compute Engine" and click "VM instances".

Find the External IP of your Red Hat server, outlined in yellow in the image below.

Viewing the Splunk Web Page

Open a Web browser and enter a URL like this, replacing the IP address with the IP of your Red Hat server:
http://34.16.118.140:8000
The Splunk Web login page opens, as shown below.

Log in with a username of admin and the password you selected during installation, which might be R@bbit!!

A box pops up saying "Helping You Get More Value...". Click "Got It!".

The Splunk Web page appears, as shown below.

SPL 100.1: Splunk Web Home Page

The flag is covered by a green box in the image below.

Configuring a Fixed IP Address

The default networking changes the external IP address every time you start your cloud server, which is annoying.

To fix that, in the Google Cloud console, at the top left, click the three-bar icon.

Point to "VPC network" and click "IP Addresses".

At the top center, click "RESERVE EXTERNAL STATIC IP ADDRESS".

Configure a static IP attached to your Red Hat server, as shown below.

At the bottom, click the RESERVE button.

Sources

How To Install Splunk on Linux: A Step To Step Guide

How to install Splunk Enterprise as non-root user RHEL 9?

Splunk Documentation

Posted 9-7-23
Link to Red Hat license added 9-10-23
Static IP instructions added 9-24-23
Link to local installation project added 9-25-23