Splunk server on CentOS 6.2

Posted by Dark Training on April 11, 2012 tags: | centos | linux

Installing Splunk on CentOS 6.2 is pretty easy now.
First, head over to splunk.com and sign up for a free account. After signing up, choose the download link but don't download it from the browser; instead, on the right-hand side you will see an option for "wget". Click on that and copy the command they provide. Pick the RPM version of the package.
Currently this is splunk-4.3.1-119532-linux-2.6-x86_64.rpm.
On your fresh CentOS 6.2 install, cd to /tmp and paste the wget command they gave you.
Now, as root, run rpm -ivh splunk-4.3.1-119532-linux-2.6-x86_64.rpm. The RPM unpacks into /opt/splunk but does not start anything; start it with /opt/splunk/bin/splunk start --accept-license (the same command the forwarder needs later).
Once it is running you can browse to your server's IP or DNS name on port 8000 and see the GUI. Log in as admin with the default password changeme and change it right away; in this version Splunk Web is also plain HTTP unless you turn on SSL, so keep it off the open Internet. If you can't reach port 8000, iptables is probably in the way. Two things to know about the stock CentOS 6 ruleset: it ends with a catch-all REJECT, so a rule appended with -A sits behind it and is never evaluated (insert with -I instead), and rules added on the command line are lost on reboot unless you save them afterwards:

/sbin/iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 8000 -j ACCEPT
/sbin/service iptables save

Adding -s <your management network> to that rule keeps the login page reachable only from where your admins sit.

Enable receiving from forwarders by choosing Manager (top right of the screen, in the black bar),
then Forwarding and receiving,
then Configure receiving.
Click New and add a listening port (the default is 9997).
Open that port in your firewall the same way (inserted ahead of the catch-all REJECT, saved, and ideally restricted with -s to the network your forwarders live on):

/sbin/iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 9997 -j ACCEPT
/sbin/service iptables save

Great, now how do you get data from remote servers?
Use the Splunk universal forwarder: http://www.splunk.com/download/universalforwarder
Use the same wget method on the server you want to monitor, then install the RPM:

rpm -ivh splunkforwarder-4.3.1-119532-linux-2.6-x86_64.rpm

Now to get it to work (Splunk's documentation is no help here), run the following commands as root on the remote host you are forwarding from:

cd /opt/splunkforwarder
./splunk start --accept-license
./splunk enable boot-start     # installs the init script so the forwarder survives a reboot
./splunk add forward-server xxx.xxx.xxx.xxx:9997 -auth admin:changeme     # -auth is the forwarder's own local admin account, still at its default password
./splunk add monitor /var/log/     # everything under /var/log the splunk process can read

That should do it; you should now see data coming into Splunk from that remote server. Before you walk away, change the forwarder's own admin password away from changeme (the -auth above is the forwarder's local account, not the server's), and remember that what goes over 9997 is sent in the clear unless you configure SSL on the forwarder's output.
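The server-side firewall rules and the forwarder commands above, as one script with the checks worth running before calling the setup done. This is an added example, not part of the original post and not Splunk's own tooling. It goes a little beyond the post: the rules are limited to a source network, and it verifies that each rule actually landed ahead of the catch-all REJECT and that the forward shows up as active. Assumptions not taken from the post: Splunk and the forwarder live in /opt/splunk and /opt/splunkforwarder, 10.0.0.0/8 is the only network that should reach the server, the receiver is passed as HOST:PORT, the new forwarder admin password is passed as the next argument, and "splunk list forward-server" prints the 4.x "Active forwards:" / "Configured but inactive forwards:" headings.

```shell
#!/bin/sh
# Added example (not from the original post): the firewall and forwarder steps
# as one script, with checks. Assumed, not from the post: Splunk and the
# forwarder live in /opt/splunk and /opt/splunkforwarder, 10.0.0.0/8 is the
# only network that should reach the server, and the receiver is HOST:PORT.
set -u

# Read an iptables-save dump on stdin; succeed if the INPUT chain ACCEPTs
# tcp/$1 before any catch-all REJECT/DROP. The stock CentOS 6 ruleset ends
# with "-A INPUT -j REJECT --reject-with icmp-host-prohibited", so a rule
# appended with -A lands behind it and is never evaluated.
port_is_open() {
  awk -v port="$1" '
    $1 != "-A" || $2 != "INPUT" { next }
    $3 == "-j" && ($4 == "REJECT" || $4 == "DROP") { blocked = 1 }
    !blocked && / -j ACCEPT/ && index($0, " --dport " port " ") { found = 1 }
    END { exit (found ? 0 : 1) }'
}

# Read "splunk list forward-server" output on stdin; succeed if $1 (host:port)
# appears under "Active forwards:" rather than only under "Configured but
# inactive forwards:" (an inactive forward usually means tcp/9997 is blocked).
forward_is_active() {
  awk -v target="$1" '
    /^Active forwards:/        { section = "active"; next }
    /^Configured but inactive/ { section = "inactive"; next }
    section == "active" && $1 == target { found = 1 }
    END { exit (found ? 0 : 1) }'
}

# Server side, as root: open each port for $src only, ahead of the REJECT,
# persist the ruleset, then prove each port is really reachable.
server_firewall() {
  src="$1"; shift
  for port in "$@"; do
    /sbin/iptables -I INPUT -s "$src" -m state --state NEW -m tcp -p tcp \
      --dport "$port" -j ACCEPT
  done
  /sbin/service iptables save    # without this the rules vanish on reboot
  for port in "$@"; do
    /sbin/iptables-save | port_is_open "$port" \
      || { echo "tcp/$port is still behind a REJECT/DROP rule" >&2; return 1; }
  done
}

# Forwarder side, as root: the post's four commands, plus replacing the
# forwarder's default admin:changeme credential and verifying the forward.
forwarder_setup() {
  receiver="$1"; newpass="$2"
  cd /opt/splunkforwarder || return 1
  ./splunk start --accept-license
  ./splunk enable boot-start
  ./splunk edit user admin -password "$newpass" -auth admin:changeme
  ./splunk add forward-server "$receiver" -auth "admin:$newpass"
  ./splunk add monitor /var/log/ -auth "admin:$newpass"
  sleep 10                       # give the forwarder a moment to connect
  ./splunk list forward-server -auth "admin:$newpass" | forward_is_active "$receiver" \
    || { echo "no active forward to $receiver; check tcp/${receiver##*:} on the server" >&2; return 1; }
}

# Usage:  sh splunk-setup.sh server
#         sh splunk-setup.sh forwarder 10.0.0.5:9997 'NewForwarderPass'
case "${1:-}" in
  server)    server_firewall 10.0.0.0/8 8000 9997 ;;
  forwarder) forwarder_setup "${2:?receiver HOST:PORT}" "${3:?new admin password}" ;;
esac
```

Replace 10.0.0.0/8 with whatever network your forwarders and admins actually sit on; 0.0.0.0/0 reproduces the post's open-to-everyone rule. The two awk helpers are the interesting part: port_is_open catches the very common "I appended the rule and it still doesn't work" mistake, and forward_is_active turns the forwarder's own status output into a pass/fail instead of eyeballing it.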
Work for you? Let others know below in the comments.