Installation Manual Flashcards

1
Q

What is the splunkd process?

A

A process that accesses, processes, and indexes streaming IT data. It also handles search requests.
splunkd processes and indexes your data by streaming it through a series of pipelines, each made up of a series of processors.
splunkd also provides the Splunk Web user interface.

2
Q

What ports are used by splunkd?

A

splunkd runs a Web server on port 8089 with SSL/HTTPS turned on by default.
It also runs a Web server on port 8000 with SSL/HTTPS turned off by default.

3
Q

What is splunkweb.exe?

A

splunkweb installs as a legacy service on Windows only.

Prior to version 6.2, it provided the Web interface for Splunk Enterprise. Now, it installs and runs, but quits immediately.

On Windows systems, splunkweb.exe is a third-party, open-source executable that Splunk renames from pythonservice.exe.

4
Q

Processes for Splunk Enterprise on Windows

A

splunkd
splunkweb
splunk.exe
splunk-admon
splunk-perfmon
splunk-netmon
splunk-regmon
splunk-winevtlog
splunk-winhostmon
splunk-winprintmon
splunk-wmi

5
Q

splunk-wmi

A

This program runs when you configure a performance monitoring, event log, or other input against a remote computer. Depending on how you configure the input, it either attempts to attach to and read Windows event logs as they come over the wire, or executes a Windows Query Language (WQL) query against the Windows Management Instrumentation (WMI) provider on the specified remote machine.

6
Q

splunk-winprintmon

A

splunk-winprintmon runs when you configure a Windows print monitoring input in Splunk. This input gets detailed information about Windows printers and print jobs on the local system.

7
Q

splunk-winhostmon

A

splunk-winhostmon runs when you configure a Windows host monitoring input in Splunk. This input gets detailed information about Windows hosts.

8
Q

splunk-winevtlog

A

You can use this utility to test defined event log collections; it outputs events as they are collected, for investigation. Splunk Enterprise has a Windows event log input processor built into the engine.

9
Q

splunk-regmon

A

splunk-regmon.exe runs when you configure a Registry monitoring input in Splunk. This input initially writes a baseline for the Registry in its current state (if requested), then monitors changes to the Registry over time.

10
Q

splunk-netmon

A

splunk-netmon runs when you configure Splunk Enterprise to monitor Windows network information on the local machine.

11
Q

splunk-perfmon

A

splunk-perfmon.exe runs when you configure Splunk Enterprise to monitor performance data on the local Windows machine. This binary attaches to the Performance Data Helper libraries, which query the performance libraries on the system and extract performance metrics both instantaneously and over time.

12
Q

splunk-admon

A

splunk-admon.exe runs whenever you configure an Active Directory (AD) monitoring input. splunkd spawns splunk-admon, which attaches to the nearest available AD domain controller and gathers change events generated by AD. Splunk Enterprise stores these events in an index.

13
Q

splunk.exe

A

It provides the command-line interface (CLI) for the program. It lets you start, stop, and configure Splunk Enterprise, similar to the *nix splunk program.

14
Q

Splunk on NFS

A

Use block-level storage rather than file-level storage for indexing your data, and avoid using NFS whenever possible.

If you use NFS, note the following:

Do not use NFS to host hot or warm index buckets. Splunk Enterprise on NFS is supported only with cold or frozen buckets.
Do not use NFS to share cold or frozen index buckets amongst an indexer cluster, as this potentially creates a single point of failure.
Splunk Enterprise does not support “soft” NFS mounts. These are mounts that cause a program attempting a file operation on the mount to report an error and continue in case of a failure.
Only “hard” NFS mounts, where the client continues to attempt to contact the server in case of a failure, are reliable with Splunk Enterprise.
Do not disable attribute caching. If you have other applications that require disabling or reducing attribute caching, then you must provide Splunk Enterprise with a separate mount with attribute caching enabled.
Do not use NFS mounts over a wide area network (WAN). Doing so causes performance issues and can lead to data loss.

15
Q

Splunk and CIFS/SMB

A

Splunk Enterprise supports the use of the CIFS/SMB protocol for the following purposes, on shares hosted by Windows hosts only:

Storage of cold or frozen index buckets.
When you use a CIFS resource for storage, confirm that the resource has write permissions for the user that connects to the resource at both the file and share levels.

16
Q

Install Splunk on Windows

A

Disable or limit antivirus software if able.
The Splunk Enterprise indexing subsystem requires high disk throughput.

Consider installing Splunk software into a directory with a short path name.
A long path name might be problematic for installations that run in distributed deployments or that employ advanced Splunk features such as search-head or indexer clustering.

Install Splunk Enterprise via the GUI installer.
The Windows installer is an MSI file.

17
Q

Default installation settings on Windows

A

Installs Splunk Enterprise in \Program Files\Splunk on the drive that booted your Windows machine.
Installs Splunk Enterprise with the default management and Web network ports.
Configures Splunk Enterprise to run as the Local System user.
Prompts you to create a Splunk administrator password. You must do this before installation can continue.
Creates a Start Menu shortcut for the software.

18
Q

User to run Splunk services (Windows installation)

A

When the installer asks you for the user that you want to install Splunk Enterprise as, you must specify the user name in domain\username format. The user must be a valid user in your security context, and must be an active member of an Active Directory domain. Splunk Enterprise must run under either the Local System account or a valid user account with a valid password and local administrator privileges.

To do any of the following actions with Splunk Enterprise, you must install it as a domain user:

Read Event Logs remotely
Collect performance counters remotely
Read network shares for log files
Access the Active Directory schema using Active Directory monitoring

19
Q

Install Splunk on Linux

A

Splunk Enterprise does not create the splunk user. If you want Splunk Enterprise to run as a specific user, you must create the user manually before you install.

Installation procedure

Expand the tar file into an appropriate directory using the tar command:
tar xvzf splunk_package_name.tgz

The default installation directory is splunk in the current working directory. To install into /opt/splunk, use the following command:
tar xvzf splunk_package_name.tgz -C /opt

20
Q

System hardening before Splunk installation best practices

A

Limit shell access.
Limit CLI access.

21
Q

View installer hash

A

cat splunk-x.x.x-xxxxxxxxxxxx-Linux-x86-64.tgz.md5

22
Q

Run the md5 tool against the installer package.

A

md5 splunk-x.x.x-xxxxxxxxxxxx-Linux-x86-64.tgz