Install Splunk Enterprise 6.2 on CentOS 7 Minimal as a non-root user systemd service and enable syslog on port 514 and http on port 80
#!/bin/bash
# Install Splunk 6.2 on CentOS 7 as a non-root user service that runs on boot with
# systemd. This script also opens the firewall to allow syslog on UDP port 514. Since
# we're running Splunk as non-root, this port is then forwarded to 5514. Configuring a
# syslog input in Splunk on UDP 5514 (the redirect target) will gather this data.
# Must be run as root.
set -e
# Require the path to the Splunk RPM as the only argument
if [ $# -ne 1 ]; then
    echo "usage: $0 <splunk-rpm>" >&2
    exit 1
fi
# Create Account (group first so useradd can be told to use it; both steps are
# skipped if the account already exists)
getent group splunk >/dev/null || groupadd splunk
id -u splunk >/dev/null 2>&1 || useradd -g splunk -d /opt/splunk -s /bin/bash splunk
# Install RPM from CLI argument
yum -y install "$1"
# Set environment var permanently (profile.d needs a file, not the directory) and
# then for this session
echo "export SPLUNK_HOME=/opt/splunk" > /etc/profile.d/splunk.sh
export SPLUNK_HOME=/opt/splunk
# Set ownership on SPLUNK_HOME so the non-root service account can run and write to it
chown -R splunk:splunk "$SPLUNK_HOME"
# Firewall mods
# Allow web access on port tcp 8000, syslog on udp 5514
firewall-cmd --zone=public --permanent --add-port=8000/tcp
firewall-cmd --zone=public --permanent --add-port=5514/udp
# Forward syslog input to high port for non-root, allow port 80 for http
firewall-cmd --direct --permanent --add-rule ipv4 nat PREROUTING 0 -p udp -m udp \
    --dport 514 -j REDIRECT --to-ports 5514
firewall-cmd --direct --permanent --add-rule ipv4 nat PREROUTING 0 -p tcp -m tcp \
    --dport 80 -j REDIRECT --to-ports 8000
# Reload firewall
firewall-cmd --reload
# Create Systemd Unit file. The Exec* lines belong in a [Service] section, the
# service must run as the splunk user, and [Install] needs a target for enable to work.
cat > /usr/lib/systemd/system/splunk.service <<'EOF'
[Unit]
Description=Splunk Enterprise
After=network.target

[Service]
Type=forking
User=splunk
Group=splunk
ExecStart=/opt/splunk/bin/splunk start
ExecStop=/opt/splunk/bin/splunk stop
ExecReload=/opt/splunk/bin/splunk restart

[Install]
WantedBy=multi-user.target
EOF
# Link the Unit File as a service (systemctl enable creates the symlink into the
# multi-user target's wants directory)
systemctl daemon-reload
systemctl enable splunk.service
# First Run
sudo -H -u splunk "$SPLUNK_HOME/bin/splunk" start --accept-license
echo "You should now restart your machine, Splunk will run on boot"
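A post-install check for the two security properties the script above relies on, added here as an example and not part of the gist: the firewalld redirect rules for 514/udp and 80/tcp are present, and no splunkd process is running as root. The check functions take command output as text, so the constructed sample output below (not captured from a real host) exercises them offline; check_host runs them against the live system.

```shell
#!/bin/sh
# has_redirect RULES PROTO FROM_PORT TO_PORT
# Succeeds if RULES (output of `firewall-cmd --direct --get-all-rules`) contains a
# PREROUTING REDIRECT rule sending PROTO/FROM_PORT to TO_PORT.
has_redirect() {
  printf '%s\n' "$1" |
    grep -E "^ipv4 nat PREROUTING [0-9]+ -p $2 .*--dport $3 -j REDIRECT --to-ports $4\$" >/dev/null
}

# splunkd_as_root PS_OUTPUT
# Succeeds if any line of `ps -eo user=,comm=` shows a splunkd process owned by root.
splunkd_as_root() {
  printf '%s\n' "$1" |
    awk '$1 == "root" && $2 == "splunkd" { found = 1 } END { exit found ? 0 : 1 }'
}

# check_host: run both checks on the live system; returns non-zero if anything is off.
check_host() {
  rules=$(firewall-cmd --direct --get-all-rules)
  procs=$(ps -eo user=,comm=)
  rc=0
  has_redirect "$rules" udp 514 5514 || { echo "missing 514/udp -> 5514 redirect"; rc=1; }
  has_redirect "$rules" tcp 80 8000  || { echo "missing 80/tcp -> 8000 redirect"; rc=1; }
  if splunkd_as_root "$procs"; then echo "splunkd is running as root"; rc=1; fi
  return $rc
}

# Constructed sample output for offline testing (not from a real host).
SAMPLE_RULES='ipv4 nat PREROUTING 0 -p udp -m udp --dport 514 -j REDIRECT --to-ports 5514
ipv4 nat PREROUTING 0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8000'
SAMPLE_PS_OK='root systemd
splunk splunkd
splunk splunkd'
SAMPLE_PS_BAD='root systemd
root splunkd'

# Run the live checks only when asked to, so the file can be sourced for its functions.
if [ "${1:-}" = "--live" ]; then
  check_host
fi
```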

stamler commented Dec 10, 2014

To use this, download the Splunk RPM to the same dir as this script then sudo ./ splunk-installer.rpm
