Friday, August 29, 2008

Splunk on Ubuntu 8.04

I've been using Splunk at work, so I decided to try installing the free version on a personal laptop. Splunk is a log archiving and search product which I recommend security professionals try. Once you've used it you will probably think of other ways to leverage its power. Anyone can use a free version that indexes up to 500 MB per day, so it's perfect for a personal laptop's logs. This machine runs Ubuntu 8.04.

By default Splunk installs into /opt. Unfortunately when I built this system, I didn't create a /opt partition, and / is too small. So I decided to replace /opt with a symlink to /var/opt and accept the rest of the defaults when installing Splunk.
 
root@neely:/usr/local/src# ls -d /opt
/opt
root@neely:/usr/local/src# rmdir /opt
root@neely:/usr/local/src# ln -s /var/opt /opt

Next I installed the .deb that Splunk provides. I've also used the .rpm on Red Hat Enterprise Linux.

root@neely:/usr/local/src# dpkg -i splunk-3.3.1-39933-linux-2.6-intel.deb
Selecting previously deselected package splunk.
(Reading database ... 142815 files and directories currently installed.)
Unpacking splunk (from splunk-3.3.1-39933-linux-2.6-intel.deb) ...
Setting up splunk (3.3.1-39933) ...
----------------------------------------------------------------------
Splunk has been installed in:
/opt/splunk

To start Splunk, run the command:
/opt/splunk/bin/splunk start

To use the Splunk Web interface, point your browser at:
http://neely:8000

Complete documentation is at http://www.splunk.com/r/docs
----------------------------------------------------------------------

That was easy. Next I start Splunk.

root@neely:/usr/local/src# /opt/splunk/bin/splunk start

Splunk Free Software License Agreement
THIS SPLUNK SOFTWARE LICENSE AGREEMENT (THE "AGREEMENT") GOVERNS ALL SOFTWARE PR
...edited...
ditions of this Agreement will remain in full force and effect.
Do you agree with this license? [y/n]: y
Copying '/var/opt/splunk/etc/myinstall/splunkd.xml.default'
to '/var/opt/splunk/etc/myinstall/splunkd.xml'.
Copying '/var/opt/splunk/etc/modules/distributedSearch/config.xml.default'
to '/var/opt/splunk/etc/modules/distributedSearch/config.xml'.
/var/opt/splunk/etc/auth/audit/private.pem
/var/opt/splunk/etc/auth/audit/public.pem
/var/opt/splunk/etc/auth/audit/private.pem generated.
/var/opt/splunk/etc/auth/audit/public.pem generated.

/var/opt/splunk/etc/auth/audit/private.pem
/var/opt/splunk/etc/auth/audit/public.pem
/var/opt/splunk/etc/auth/audit/private.pem generated.
/var/opt/splunk/etc/auth/audit/public.pem generated.


This appears to be your first time running this version of Splunk.
Validating databases...
Creating /var/opt/splunk/var/lib/splunk/audit/thaweddb
Creating /var/opt/splunk/var/lib/splunk/blockSignature/thaweddb
Creating /var/opt/splunk/var/lib/splunk/_internaldb/thaweddb
Creating /var/opt/splunk/var/lib/splunk/fishbucket/thaweddb
Creating /var/opt/splunk/var/lib/splunk/historydb/thaweddb
Creating /var/opt/splunk/var/lib/splunk/defaultdb/thaweddb
Creating /var/opt/splunk/var/lib/splunk/sampledata/thaweddb
Creating /var/opt/splunk/var/lib/splunk/splunkloggerdb/thaweddb
Creating /var/opt/splunk/var/lib/splunk/summarydb/thaweddb
Validated databases: _audit, _blocksignature, _internal, _thefishbucket, history, main,
sampledata, splunklogger, summary

Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Verifying configuration. This may take a while...
Finished verifying configuration.
Checking index directory...
Verifying databases...
Verified databases: _audit, _blocksignature, _internal, _thefishbucket, history, main,
sampledata, splunklogger, summary

Checking index files
All index checks passed.
All preliminary checks passed.
Starting splunkd...
Starting splunkweb.../var/opt/splunk/share/splunk/certs does not exist. Will create
Generating certs for splunkweb server
Generating a 1024 bit RSA private key
.......++++++
...............................++++++
writing new private key to 'privkeySecure.pem'
-----
Signature ok
subject=/CN=neely/O=SplunkUser
Getting CA Private Key
writing RSA key

Splunk Server started.

The Splunk web interface is at http://neely:8000
If you get stuck, we're here to help. Feel free to email us at 'support@splunk.com'.

Now I point Firefox to port 8000 on the local machine.

Cool. I need to give Splunk something to index, so I select Index Files and point it to /var/log.

Returning to the main screen, within seconds Splunk has indexed the measly 8 MB or so of logs I have in /var/log.

Now I'm ready to start searching. For fun I start typing 'samba' in the search box, and decide to look at 'sambashare' as Splunk shows me what's been indexed.

That's it. The big caveat here is that you need to protect the Web and administration ports (8000 and 8089 TCP) yourself: the free Splunk doesn't even have authentication. There are several tutorials on the Web about that, mainly about firewalling those ports and then using a Web proxy or similar to reach them from the local machine only.
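As an added example for that caveat (my script, not anything from the post or from Splunk), here is a small POSIX sh audit that flags the Splunk ports when they listen on every interface, and prints the iptables rules that confine them to loopback. It assumes netstat/ss-style LISTEN lines as input and a host that uses iptables; the listener table in the block is constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits whether Splunk's
# web (8000) and management (8089) ports listen on all interfaces, and prints
# iptables rules that confine them to loopback. Assumes netstat/ss-style
# "LISTEN" lines as input and a host that uses iptables.

SPLUNK_PORTS="8000 8089"

# Read "netstat -tln" or "ss -tln" lines on stdin; print (space separated) each
# Splunk port whose local address is a wildcard (0.0.0.0, ::, *), i.e. bound on
# every interface rather than only 127.0.0.1. Prints nothing when all is well.
exposed_splunk_ports() {
    awk -v ports="$SPLUNK_PORTS" '
        BEGIN { n = split(ports, want, " "); for (i = 1; i <= n; i++) w[want[i]] = 1 }
        /LISTEN/ {
            port = $4; sub(/.*:/, "", port)          # text after the last colon
            host = $4; sub(/:[^:]*$/, "", host)      # text before the last colon
            if ((port in w) && (host == "0.0.0.0" || host == "::" || host == "*" || host == "[::]"))
                print port
        }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Print (do not apply) iptables rules that accept the Splunk ports only from
# the loopback interface and drop every other source. Review, then: splunk_port_rules | sh
splunk_port_rules() {
    for p in $SPLUNK_PORTS; do
        printf 'iptables -A INPUT -i lo -p tcp --dport %s -j ACCEPT\n' "$p"
        printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$p"
    done
}

# Constructed sample of "netstat -tln" output for a fresh install like the one
# above: both Splunk ports on 0.0.0.0, plus an unrelated loopback-only service.
SAMPLE_LISTENERS='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8089            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN'

exposed=$(printf '%s\n' "$SAMPLE_LISTENERS" | exposed_splunk_ports)
if [ -n "$exposed" ]; then
    echo "Splunk ports reachable from the network: $exposed"
    echo "Suggested firewall rules:"
    splunk_port_rules
fi
```

On a live host, feed the real table instead of the sample: `netstat -tln | exposed_splunk_ports`.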

6 comments:

Dustin said...

Hey Richard,

With regards to you using Splunk at work, did you/your co. compare it to any of the SIEM/SIM solutions out there? If so, can you highlight just a couple of the reasons you took this path?

TIA

Dog Lover said...

indexing files on a laptop? seems like slocate and grep work fine for that. why bother with opening a network listener for local searches?

@dustin

splunk is no siem. it competes with grep, spotlight, beagle, google desktop, etc.

Anonymous said...

This comment has been removed by a blog administrator.

Richard Bejtlich said...

Dog Lover,

I'm glad Splunk isn't a SIM. If it were it would be worthless.

dghnfgj said...

This comment has been removed by a blog administrator.

IRGeek said...

Recognize that this is an older post, however I found it to be very helpful. Thx Richard!