This document outlines a set of instructions that were performed on a Red Hat Linux system. These instructions are applicable to any system that uses an RPM-style package management system.
Create the Splunk user & group
The splunk process should not run as root, so create a non-privileged splunk user. The following command creates a user and a group of the same name (cf. https://linux.die.net/man/8/useradd):
useradd -m splunk
Install the Splunk Universal Forwarder and start the process
- mkdir /opt/splunkforwarder
- rpm -i /tmp/splunkforwarder-9.2.1-78803f08aabb.x86_64.rpm
- /opt/splunkforwarder/bin/splunk start --accept-license
Make sure the ownership of the splunk directory and everything under it is set to the splunk user and group. If not, run this command:
chown -R splunk:splunk /opt/splunkforwarder
Enable the Universal Forwarder to start on boot
/opt/splunkforwarder/bin/splunk enable boot-start -systemd-managed 0
Configure the deployment server:
/opt/splunkforwarder/bin/splunk set deploy-poll deployment.splunk.uic.edu:8089
Restart the Universal Forwarder; it should begin connecting to the deployment server shortly after the restart completes.
/opt/splunkforwarder/bin/splunk restart
Verify the service is running as the splunk user:
Configure Firewall Rules
Make sure the firewall allows outbound traffic to 8089/tcp on splunk-deployment.server.uic.edu (131.193.68.94) and to 9997/tcp on inputs1.illinoischicago.splunkcloud.com through inputs15.illinoischicago.splunkcloud.com.
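The checks implied by the steps above (directory ownership, splunkd running as the splunk user, the deploy-poll target, and firewall reachability) collected into one script. This is an added example, not Splunk's own tooling or part of the original procedure; it assumes the paths, user name and hosts from this page as defaults and that nc is available for the port probes.

```sh
#!/bin/sh
# Added post-install checks for the steps above (not Splunk's own tooling).
# Assumptions: the defaults below match this page and `nc` exists for probes.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"
SPLUNK_USER="${SPLUNK_USER:-splunk}"
DEPLOY_SERVER="${DEPLOY_SERVER:-deployment.splunk.uic.edu:8089}"

# 0 if $1 exists and every file under it is owned by user $2 and group $3,
# i.e. what `chown -R splunk:splunk` should have left behind.
check_ownership() {
  [ -d "$1" ] || return 1
  # find prints only mismatches; a nonzero exit (e.g. unknown user) also fails
  bad=$(find "$1" ! -user "$2" -o ! -group "$3" 2>/dev/null) || return 1
  [ -z "$bad" ]
}

# 0 if a process named $2 (default splunkd) runs as user $1: the
# "verify the service is running as the splunk user" step.
check_process_user() {
  ps -eo user=,comm= | awk -v u="$1" -v c="${2:-splunkd}" \
    '$1 == u && $2 == c { ok = 1 } END { exit ok ? 0 : 1 }'
}

# 0 if deploymentclient.conf ($1) targets $2; `splunk set deploy-poll`
# records the server as targetUri under [target-broker:deploymentServer].
check_deploy_target() {
  [ -r "$1" ] || return 1
  got=$(awk -F= '/^[ \t]*targetUri[ \t]*=/ { gsub(/[ \t]/, "", $2); print $2; exit }' "$1")
  [ "$got" = "$2" ]
}

# 0 if TCP $1:$2 accepts a connection within 3 s (the firewall-rule check).
check_port() { nc -z -w 3 "$1" "$2" >/dev/null 2>&1; }
main() {
  rc=0
  check_ownership "$SPLUNK_HOME" "$SPLUNK_USER" "$SPLUNK_USER" || { echo "FAIL ownership of $SPLUNK_HOME"; rc=1; }
  check_process_user "$SPLUNK_USER" || { echo "FAIL splunkd not running as $SPLUNK_USER"; rc=1; }
  check_deploy_target "$SPLUNK_HOME/etc/system/local/deploymentclient.conf" "$DEPLOY_SERVER" \
    || { echo "FAIL deploy-poll target is not $DEPLOY_SERVER"; rc=1; }
  check_port "${DEPLOY_SERVER%:*}" "${DEPLOY_SERVER##*:}" || { echo "FAIL cannot reach $DEPLOY_SERVER"; rc=1; }
  i=1
  while [ "$i" -le 15 ]; do   # inputs1 .. inputs15 on 9997/tcp
    check_port "inputs$i.illinoischicago.splunkcloud.com" 9997 || { echo "FAIL inputs$i:9997"; rc=1; }
    i=$((i + 1))
  done
  [ "$rc" -eq 0 ] && echo "all checks passed"
  return "$rc"
}
# Run the checks only when invoked as `sh verify.sh run`, so it can be sourced too.
if [ "${1:-}" = run ]; then main; fi
```

Run it on the forwarder host as root after the restart step; any FAIL line points at the step above that still needs attention.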