@SamEureka
Last active October 30, 2019 17:26
Splunk w/ NGINX SSL Reverse Proxy

Installing Splunk w/NGINX SSL Reverse Proxy

The steps outlined here make many assumptions about both your operating environment and your understanding of the Linux OS and the services running on it. I am using the current LTS Ubuntu distribution, 16.04, running in the cloud on a DigitalOcean Droplet. These steps should work just fine if followed closely and in order... but you know sh!& never works out the way you plan in Linux. I offer some troubleshooting advice; Google and Stack are your friends, ask them for help.
  1. SSH into your pre-configured server running the NGINX SSL reverse proxy: `ssh <username>@<server-url-or-IP>` (see guide here)

  2. Download Splunk Enterprise using wget: `wget -O splunk-6.5.1-f74036626f0c-linux-2.6-amd64.deb 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=6.5.1&product=splunk&filename=splunk-6.5.1-f74036626f0c-linux-2.6-amd64.deb&wget=true'` Note: you might need to sign up and fill out stuff to get this download URL to work. I didn't... but your mileage may vary.

  3. Install Splunk using dpkg: `sudo dpkg -i splunk-6.5.1-f74036626f0c-linux-2.6-amd64.deb` Note: versions change... make sure you are using the most current. The files listed here are just an example.

  4. Start Splunk: `sudo /opt/splunk/bin/./splunk start --accept-license`

  5. Edit/create the web.conf file: `sudo pico /opt/splunk/etc/system/local/web.conf`

[settings]
root_endpoint = /splunk
tools.proxy.on = false
enableSplunkWebSSL = true
privKeyPath = /etc/letsencrypt/live/<server-url>/privkey.pem
serverCert = /etc/letsencrypt/live/<server-url>/fullchain.pem
  6. Restart Splunk Web: `sudo /opt/splunk/bin/./splunk restart splunkweb`
  7. Create a backup of your NGINX site config file: `sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/default.ssl-test.backup`
  8. Edit your NGINX site config file: `sudo pico /etc/nginx/sites-available/default`
# Port 80 http redirect
server {
  listen 80 default_server;
  server_name <server-url>;
  return 301 https://$server_name$request_uri;
}
# Port 443 https config
server {
  listen 443 ssl http2 default_server;
  server_name <server-url>;
  large_client_header_buffers 6 16k;
  client_max_body_size 4M;
  include snippets/ssl-<server-url>.conf;
  include snippets/ssl-params.conf;
  location / {
             proxy_pass_request_headers on;
             proxy_set_header x-real-IP $remote_addr;
             proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
             proxy_set_header host $host;
             proxy_pass https://<server-url>:8000/;
         }
}
  9. Save your changes, then test your config with `sudo nginx -t`

  10. If your changes are passing, `sudo systemctl restart nginx`

  11. Boom... it works! Right?
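`nginx -t` only validates NGINX syntax; it cannot tell you that the two halves of this setup agree, for example that Splunk Web is actually speaking TLS on the port NGINX proxies to. The following POSIX shell checker is an added example written for this page, not code from the gist or from Splunk. It reads a web.conf and an NGINX site config plus the ssl-params snippet and confirms the pieces that have to line up: `enableSplunkWebSSL = true` with key and cert paths set, `proxy_pass https://` on the backend leg, the port-80 block doing nothing but a 301 redirect, the client address forwarded so Splunk's own logs show the real source, and the `X-Frame-Options` header that the author adds in a later comment. The hostname `splunk.example.com` and the temp-directory sample configs are constructed placeholders; on a real server pass `/opt/splunk/etc/system/local/web.conf`, `/etc/nginx/sites-available/default` and `/etc/nginx/snippets/ssl-params.conf` instead.

```shell
#!/bin/sh
# Added example, not part of the original gist: check that the Splunk web.conf
# and the NGINX site config for this reverse-proxy layout agree with each other.
# Exit 0 when every check passes, 1 otherwise, naming each failed check.

# has_line FILE PATTERN -> 0 if FILE contains a line matching extended regex PATTERN
has_line() {
  grep -Eq "$2" "$1"
}

# check_splunk_proxy_conf WEB_CONF NGINX_SITE SSL_PARAMS -> 0 if consistent
check_splunk_proxy_conf() {
  web="$1"; site="$2"; params="$3"; rc=0

  # NGINX proxies to https://...:8000, so Splunk Web itself must serve TLS
  has_line "$web" '^enableSplunkWebSSL[[:space:]]*=[[:space:]]*true' \
    || { echo "FAIL: enableSplunkWebSSL is not true in $web"; rc=1; }
  has_line "$web" '^privKeyPath[[:space:]]*=' \
    || { echo "FAIL: privKeyPath missing in $web"; rc=1; }
  has_line "$web" '^serverCert[[:space:]]*=' \
    || { echo "FAIL: serverCert missing in $web"; rc=1; }

  # Backend leg must be https, or a TLS-only Splunk Web will not answer NGINX
  has_line "$site" 'proxy_pass[[:space:]]+https://' \
    || { echo "FAIL: proxy_pass does not use https:// in $site"; rc=1; }
  # The port-80 server block should do nothing but redirect
  has_line "$site" 'return[[:space:]]+301[[:space:]]+https://' \
    || { echo "FAIL: no 301 redirect to https in $site"; rc=1; }
  # Without this, Splunk's logs record NGINX as the client address
  has_line "$site" 'proxy_set_header[[:space:]]+[Xx]-[Ff]orwarded-[Ff]or' \
    || { echo "FAIL: X-Forwarded-For not set in $site"; rc=1; }
  # Header the author added later in the comments
  has_line "$params" 'add_header[[:space:]]+X-Frame-Options' \
    || { echo "FAIL: X-Frame-Options not set in $params"; rc=1; }

  return $rc
}

# write_sample_configs DIR: constructed copies of the gist's configs with a
# placeholder hostname, so the checker can be exercised without a Splunk box.
write_sample_configs() {
  dir="$1"
  cat > "$dir/web.conf" <<'EOF'
[settings]
root_endpoint = /splunk
tools.proxy.on = false
enableSplunkWebSSL = true
privKeyPath = /etc/letsencrypt/live/splunk.example.com/privkey.pem
serverCert = /etc/letsencrypt/live/splunk.example.com/fullchain.pem
EOF
  cat > "$dir/default" <<'EOF'
server {
  listen 80 default_server;
  server_name splunk.example.com;
  return 301 https://$server_name$request_uri;
}
server {
  listen 443 ssl http2 default_server;
  server_name splunk.example.com;
  include snippets/ssl-params.conf;
  location / {
    proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
    proxy_set_header host $host;
    proxy_pass https://splunk.example.com:8000/;
  }
}
EOF
  printf 'add_header X-Frame-Options SAMEORIGIN;\n' > "$dir/ssl-params.conf"
}

# Stand-alone demo on the constructed files; on a real server pass the live paths
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
if check_splunk_proxy_conf "$demo_dir/web.conf" "$demo_dir/default" "$demo_dir/ssl-params.conf"; then
  echo "OK: web.conf and NGINX config are consistent"
fi
rm -rf "$demo_dir"
```

Run it after step 9 alongside `nginx -t`; a non-zero exit lists exactly which side of the proxy disagrees, which is the usual cause of a 502 from NGINX once Splunk Web has been switched to SSL.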

@SamEureka

Splunk Light download URL

wget -O splunklight-6.5.2-67571ef4b87d-linux-2.6-amd64.deb 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=6.5.2&product=splunk_light&filename=splunklight-6.5.2-67571ef4b87d-linux-2.6-amd64.deb&wget=true'

@SamEureka

SamEureka commented Mar 29, 2017

Splunk Enterprise 6.5.2 download URL

wget -O splunk-6.5.2-67571ef4b87d-linux-2.6-amd64.deb 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=6.5.2&product=splunk&filename=splunk-6.5.2-67571ef4b87d-linux-2.6-amd64.deb&wget=true'

@SamEureka

Universal Forwarder download URL

wget -O splunkforwarder-6.5.2-67571ef4b87d-linux-2.6-amd64.deb 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=6.5.2&product=universalforwarder&filename=splunkforwarder-6.5.2-67571ef4b87d-linux-2.6-amd64.deb&wget=true'

@SamEureka

splunk.sameureka.com

splunk-fwd.sameureka.com

...because I'm tired of typing

@SamEureka

SamEureka commented Mar 29, 2017

client_max_body_size 25M;

added to the NGINX server config so we can upload big files in Splunk through the web interface. Mod as needed for size.

@SamEureka

sudo tar -cvzf splunk-$(date +"%FT%H%M").tgz /opt/splunk

-- to make a backup prior to upgrading

@SamEureka

Splunk Enterprise 6.6.0 for Linux(deb) download URL

wget -O splunk-6.6.0-1c4f3bbe1aea-linux-2.6-amd64.deb 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=6.6.0&product=splunk&filename=splunk-6.6.0-1c4f3bbe1aea-linux-2.6-amd64.deb&wget=true'

@SamEureka

upgrading is easy... make a backup (see comment above), download the new version, and run the following,

sudo dpkg -i splunk<new_version_#>.deb
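The two comments above (the `tar` one-liner and the `dpkg -i` upgrade) are the whole procedure; what they leave out is proving the backup is good before the package is replaced. The script below is an added example written for this page, not the gist author's code, that wraps the same steps: it takes the backup while `splunkd` is stopped so the copied index and config files are at rest, reads the archive back end to end, records a SHA-256 beside it, and refuses to run `dpkg -i` if any of that fails. `/opt/splunk` and `/opt/splunk/bin/splunk` are the gist's paths; `/var/backups/splunk` as the destination and the temp-directory demo tree are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original gist: a verified backup of a directory
# tree before an in-place Splunk upgrade. backup_tree and verify_backup work on
# any directory; upgrade_splunk strings them together for /opt/splunk.

# backup_tree SRC_DIR OUT_DIR -> prints the archive path; exit 0 on success.
backup_tree() {
  src="$1"; out="$2"
  [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
  mkdir -p "$out" || return 1
  name="$(basename "$src")-$(date +"%FT%H%M%S").tgz"
  archive="$out/$name"
  # -C strips the leading path so the tree restores cleanly anywhere
  tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")" || return 1
  # Reading the whole archive back catches a truncated or corrupt write
  tar -tzf "$archive" >/dev/null || { echo "archive unreadable: $archive" >&2; return 1; }
  # Checksum is written relative to OUT_DIR so `sha256sum -c` works from there
  ( cd "$out" && sha256sum "$name" > "$name.sha256" ) || return 1
  echo "$archive"
}

# verify_backup ARCHIVE -> 0 if the checksum still matches and it lists cleanly
verify_backup() {
  archive="$1"
  ( cd "$(dirname "$archive")" \
      && sha256sum -c "$(basename "$archive").sha256" >/dev/null 2>&1 ) || return 1
  tar -tzf "$archive" >/dev/null 2>&1
}

# upgrade_splunk NEW_DEB: stop, back up, install, start. Run as root. Paths are
# the gist's /opt/splunk layout; /var/backups/splunk is an assumed destination.
upgrade_splunk() {
  deb="$1"
  [ -f "$deb" ] || { echo "package not found: $deb" >&2; return 1; }
  /opt/splunk/bin/splunk stop || return 1
  archive=$(backup_tree /opt/splunk /var/backups/splunk) \
    || { echo "backup failed, refusing to upgrade" >&2; return 1; }
  echo "backup written to $archive"
  dpkg -i "$deb" || return 1
  /opt/splunk/bin/splunk start --accept-license
}

# Stand-alone demo on a constructed tree (no Splunk needed)
demo=$(mktemp -d)
mkdir -p "$demo/splunk/etc/system/local"
echo '[settings]' > "$demo/splunk/etc/system/local/web.conf"
a=$(backup_tree "$demo/splunk" "$demo/backups") && verify_backup "$a" \
  && echo "OK: verified backup at $a"
rm -rf "$demo"
```

Before a real upgrade, `verify_backup /var/backups/splunk/<archive>.tgz` can be re-run at any later point to confirm the archive has not been altered since it was taken, which is the check you want before trusting it for a rollback.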

@SamEureka

Splunk Ent 6.6.1 for Linux(deb) download URL
wget -O splunk-6.6.1-aeae3fe0c5af-linux-2.6-amd64.deb 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=6.6.1&product=splunk&filename=splunk-6.6.1-aeae3fe0c5af-linux-2.6-amd64.deb&wget=true'

@SamEureka

SamEureka commented Jul 24, 2017

This code was added to /etc/nginx/snippets/ssl-params.conf to fix a server abort error

add_header X-Frame-Options SAMEORIGIN;
