Installing Splunk on Windows 2008R2

Installing splunk on windows

Today, I downloaded and installed Splunk (http://www.splunk.com) which is a “Security Information and Event Management” (SIEM) tool. Or, to put it another way, the big brother to a regular syslog server. Splunk is touted (by its company) as providing “Operational Intelligence” to normal IT functions like debugging why a web server went down, or what happened just before a server crashed. In any case, I was interested because I wanted to correlate events happening in Windows event logs, in Linux syslogs, and in networking SNMP traps.

Here are tips on installing Splunk:

  1. Download the software:
    • Surf to http://www.splunk.com/get?r=header
    • Fill out a web form requesting the software…
    • A couple of minutes later, a URL will appear in your email
    • Click the URL and download the software
  2. Start installing the software:
    • Run the executable for your operating system… I selected the 64-bit version for Windows 2008R2.
    • Confirm with Windows that you really do want to run the executable, click the Run button.
    • Confirm with Splunk that you want to install, click the Next button.
    • Select the “Agree…” radio button and click the Next button.
    • Click the Next button to install in the default location.
  3. Decide how you will run the software:
    • If using a domain, create a domain user in active directory (AD).
    • Give that user the right to log on as a service.
    • Make certain the machine on which you are installing is a member of the domain…
    • Put the new domain user into the domain administrator’s group.
    • Select the “Other User” radio button, and then enter domain credentials.
    • Otherwise, if not in a domain, or not collecting Windows events, run as “Local System User”.
    • Either way, click the Next button.
  4. Complete the installation:
    • Click the Install button.
    • Leave both checkboxes checked, and click the Finish button.

The decisions you make in step three are important because Splunk needs sufficient rights to query Windows machines within a domain for their Windows event logs. See this link for further information: http://splunk-base.splunk.com/answers/495/while-setting-up-a-windows-eventlog-collection-input-why-do-i-get-an-http-500-access-is-denied-error — and avoid the error I encountered! Once you get this working, you can tighten security by removing the domain user from the domain administrator’s group and giving it only the individual rights it requires.
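The account work in step three, and the tightening suggested above, can be scripted instead of clicked through. The following is an added example and not part of the original post; it assumes RSAT's ActiveDirectory module, a domain-joined machine and a domain-admin session, and the account name, OU and the local “Event Log Readers” group (as the minimal replacement for Domain Admins) are assumptions rather than anything the post states.

```powershell
# Added example, not from the original post: script step 3 (service account and
# "log on as a service" right) and the tightening from the last paragraph.
# Assumes RSAT's ActiveDirectory module, a domain-joined host, a domain-admin
# session. Account name, OU and the local "Event Log Readers" group as the
# least-privilege replacement for Domain Admins are assumptions; check Splunk's
# docs for the full set of rights your collection method needs.
Import-Module ActiveDirectory

$domain  = 'EXAMPLE'                                  # assumed NetBIOS domain name
$svcName = 'svc_splunk'                               # assumed service account
$svcPath = 'OU=Service Accounts,DC=example,DC=local'  # assumed OU

# Step 3: create the domain user the Splunk service will run as.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$svcName'")) {
    New-ADUser -Name $svcName -SamAccountName $svcName -Path $svcPath `
        -AccountPassword (Read-Host -AsSecureString 'Service account password') `
        -Enabled $true
}

# Step 3: "rights to run as a service" is SeServiceLogonRight on the Splunk host.
# Windows has no cmdlet for user rights, so export, edit and re-import a template.
function Grant-ServiceLogonRight {
    param([string]$Account)
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $inf = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $cfg = @(Get-Content $inf)
    $i = -1
    for ($k = 0; $k -lt $cfg.Count; $k++) { if ($cfg[$k] -like 'SeServiceLogonRight*') { $i = $k } }
    if ($i -ge 0) {
        if ($cfg[$i] -notlike "*$sid*") { $cfg[$i] += ",*$sid" }   # append to existing list
    } else {
        $h = [array]::IndexOf($cfg, '[Privilege Rights]')           # insert under the section header
        $cfg = $cfg[0..$h] + "SeServiceLogonRight = *$sid" + $cfg[($h + 1)..($cfg.Count - 1)]
    }
    Set-Content -Path $inf -Value $cfg -Encoding Unicode          # secedit expects a Unicode .inf
    secedit /configure /db "$env:TEMP\user-rights.sdb" /cfg $inf /areas USER_RIGHTS | Out-Null
    Remove-Item $inf, "$env:TEMP\user-rights.sdb" -Force
}
Grant-ServiceLogonRight "$domain\$svcName"

# Tightening (last paragraph): once collection works, drop Domain Admins and grant
# only what reading event logs on this host needs (local Event Log Readers group).
if (Get-ADGroupMember 'Domain Admins' | Where-Object { $_.SamAccountName -eq $svcName }) {
    Remove-ADGroupMember -Identity 'Domain Admins' -Members $svcName -Confirm:$false
}
net localgroup "Event Log Readers" "$domain\$svcName" /add | Out-Null

# Verify the result: the account's domain groups should no longer include Domain Admins.
Get-ADPrincipalGroupMembership $svcName | Select-Object -ExpandProperty Name
```

Run the tightening part only after confirming collection works with the broader rights, so a failure can be traced to the reduced permissions rather than to the install itself.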