
Installing Splunk Enterprise on AWS


Harry Agyeman – Keep learning J

Deploying Splunk Enterprise on AWS Instance

Setting Up EC2 Instance

Virtual machines on AWS EC2, also called instances, have many advantages. They are highly scalable (you can choose instances with more RAM, CPU, etc.), they can be started and stopped (outside the free tier, customers pay for what they use), and the platform allows a choice of operating systems.

1. On the Amazon Web Services website (https://aws.amazon.com/), click on "Sign In to the Console". Sign in if you have an account; if you don't, you will need to create one. Once signed in, click on EC2 from the EC2 Dashboard and click on Launch in the EC2 console.

2. Then click the “Select” button for the Amazon Linux AMI, your preferred machine image.


3. Choose the General purpose instance type marked “free tier eligible”.

4. Click on the “Configure Security Group” tab and allow port 22 for SSH connection, port 8000 for the Splunk Web connection, port 8089 for Splunk operation management, and port 9997 for receiving data.

As shown below, here is the running instance:

5. SSH into your created instance using PuTTY (if you are on Windows). SSH logins are typically done through public key authentication, which requires users to have their private key on hand.


6. Log in as the root user:
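Step 4 names the four ports but not the source addresses allowed to reach them. The following is an added example, not part of the original guide: it prints AWS CLI commands that open the same ports to specific source ranges only, and refuses an "anywhere" source. The group id and both CIDR ranges are constructed placeholders, and the split between an admin range and a forwarder range is an assumption.

```shell
#!/bin/sh
# Added example: emit CLI commands for the four rules in step 4, each limited
# to a source CIDR. Nothing is sent to AWS; the commands are only printed.

# Reject "anywhere" sources and anything not loosely shaped like IPv4 CIDR.
valid_source() {
    case "$1" in
        0.0.0.0/0|::/0) return 1 ;;
        *[!0-9./]*|*/*/*) return 1 ;;
        *.*.*.*/*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = security group id
# $2 = admin CIDR, used for 22 (SSH), 8000 (Splunk Web), 8089 (management)
# $3 = forwarder CIDR, used for 9997 (receiving data)
sg_rules() {
    valid_source "$2" && valid_source "$3" || return 1
    for port in 22 8000 8089 9997; do
        src=$2
        [ "$port" = 9997 ] && src=$3
        printf 'aws ec2 authorize-security-group-ingress --group-id %s --protocol tcp --port %s --cidr %s\n' \
            "$1" "$port" "$src"
    done
}

# Constructed placeholders: group id and documentation-range CIDRs.
sg_rules sg-EXAMPLE 203.0.113.0/24 198.51.100.0/24
```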

Installing Splunk Enterprise on the Instance

7. First, check your instance architecture with the command uname -a to ensure it is 64-bit.

8. Install Splunk Enterprise, which can be found here: https://www.splunk.com/en_us/download/splunk-enterprise.html#tabs/linux

Note: For the Linux installation, there are .rpm, .tgz and .deb packages. Install the .tgz version because it makes the Splunk installation easy and efficient to maintain.

Get the URL to install on your instance:

9. Before you install, check the mount point with the df -h command to get an idea of its size. In my case I have about 9GB available space to install Splunk Enterprise.


10. Navigate to the /opt directory, which is reserved for software and add-on packages that are not part of the default Linux installation.


11. Then install the wget utility with the yum install wget command. This utility will be used to download the Splunk Enterprise package to the instance.

Download the Splunk package from the copied URL into your /opt directory:


As shown in the screenshot below, the compressed Splunk Enterprise package is now in the /opt directory:

12. Unzip and extract the package with the command tar -zxvf <package-name> and check to confirm the extracted package:

13. Navigate to the bin directory of the extracted package to start Splunk.

Note: before you start, check that ports 8000 and 8089 are not in use with the netstat command.

14. Start Splunk and accept the license with the command ./splunk start --accept-license

15. Open the web interface by getting your instance IP address and pasting it into the URL bar with port 8000. In my case it's 52.42.20.109:800


16. The default username is admin and password is changeme. Once you log in it will prompt you to change your password.
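The checks in step 7, step 9 and the port note before step 14 can be scripted so they fail loudly instead of relying on reading command output by eye. This is an added example, not part of the original guide; it uses uname -m and df -Pk rather than the uname -a and df -h shown above because their output is easier to parse, and the free-space threshold is the operator's choice since the guide states no minimum.

```shell
#!/bin/sh
# Added example: the checks from step 7, step 9 and the port note as functions.

# Step 7: succeed only for an x86-64 or 64-bit ARM name as printed by `uname -m`.
is_64bit() {
    case "$1" in
        x86_64|amd64|aarch64|arm64) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 9: free KiB on the filesystem that holds path $1 (POSIX `df -Pk`).
avail_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# Port note: print each port in $2.. that has a listener in table $1.
# Field 4 is the local address in both `ss -ltn` and `netstat -ltn` output.
# The regex is anchored on ":" and end of field, so 18000 does not match 8000.
ports_in_use() {
    table=$1; shift
    for port in "$@"; do
        printf '%s\n' "$table" | awk -v p="$port" \
            '$4 ~ (":" p "$") { hit = 1 } END { if (hit) print p }'
    done
}

# Run all three checks on this host.
# $1 = install directory, $2 = required free KiB (operator's choice).
preflight() {
    is_64bit "$(uname -m)" || { echo "not a 64-bit system" >&2; return 1; }
    [ "$(avail_kb "$1")" -ge "$2" ] || { echo "low space in $1" >&2; return 1; }
    table=$(ss -ltn 2>/dev/null || netstat -ltn 2>/dev/null)
    busy=$(ports_in_use "$table" 8000 8089)
    [ -z "$busy" ] || { echo "ports in use:" $busy >&2; return 1; }
}

# Runs only when called with both arguments, e.g. <script> /opt <min-free-KiB>
if [ $# -eq 2 ]; then
    preflight "$1" "$2"
fi
```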