About this article
The steps I followed to build Splunk Enterprise 9.4.0 (single-instance) on a small personal virtual machine in order to learn Splunk.
Prerequisites
The hardware used for this build. Since this was done for personal study, check the official documentation before building in a production environment.
| Item | Value |
|---|---|
| OS | Ubuntu 22.04 (*) |
| Splunk to install | Splunk Enterprise 9.4.0 (splunk-9.4.0-6b4ebe426ca6), single instance |
| vCPU | ≥ 2 cores (**) |
| Memory | ≥ 4 GiB (**) |
| NIC | 1 Gb Ethernet |
| Storage | 150 GiB (adjust to your use) |

(*) See the official documentation for the full list of supported OSes.
(**) Values that were confirmed to work in this build; the official figures differ.
This represents the minimum basic instance specifications for a production grade Splunk Enterprise deployment. A single-instance represents an S1 architecture in SVA:
- An x86 64-bit chip architecture
- 12 physical CPU cores, or 24 vCPU at 2 GHz or greater speed per core.
- 12 GB RAM.
- For storage, review the Indexer recommendation in What storage type should I use for a role?
- A 1 Gb Ethernet NIC, optional second NIC for a management network.
- A 64-bit Linux or Windows distribution. See Supported Operating Systems in the Installation Manual.
Procedure
1. Download the deb file with wget into any directory.

   ```
   xxx@xxx:~$ wget -O splunk-9.4.0-6b4ebe426ca6-linux-amd64.deb "https://download.splunk.com/products/splunk/releases/9.4.0/linux/splunk-9.4.0-6b4ebe426ca6-linux-amd64.deb"
   ```
2. Install the deb file with the dpkg command.

   ```
   xxx@xxx:~$ sudo dpkg -i splunk-9.4.0-6b4ebe426ca6-linux-amd64.deb
   # [sudo] password for xxx:
   # Selecting previously unselected package splunk.
   # (Reading database ... 86615 files and directories currently installed.)
   # Preparing to unpack splunk-9.4.0-6b4ebe426ca6-linux-amd64.deb ...
   # no need to run the pre-install check
   # Unpacking splunk (9.4.0) ...
   # Setting up splunk (9.4.0) ...
   # complete
   ```
3. Confirm that the related files have been created under `/opt/splunk`.

   ```
   xxx@xxx:~$ cd /opt/splunk/
   xxx@xxx:/opt/splunk$ ls
   # bin  copyright.txt  etc  ftr  include  lib  license-eula.txt  LICENSE.txt  openssl  opt  quarantined_files  README-splunk.txt  share  splunk-9.4.0-6b4ebe426ca6-linux-amd64-manifest  swidtag
   ```
4. As root, run the following command to register Splunk with systemd as a daemon and configure it to start at boot. This command does not start Splunk itself.

   ```
   xxx@xxx:/opt/splunk$ sudo su
   root@xxx:/opt/splunk# cd bin
   root@xxx:/opt/splunk/bin# ./splunk enable boot-start -systemd-managed 1
   ```
5. Confirm that the daemon is enabled in systemd.

   ```
   root@xxx:/opt/splunk/bin# systemctl list-unit-files --type=service | grep Splunk
   # Splunkd.service  enabled  enabled
   ```
6. Start Splunk with `splunk start`. However, if steps 4 and 5 were carried out as root, the following `Permission Denied` error occurs and the Splunk binary does not start.

   ```
   root@xxx:/opt/splunk/bin# ./splunk
   # splunk  splunkd  splunkmon  splunk-optimize  splunk-optimize-lex  splunk-preinstall  splunk-tlsd
   root@xxx:/opt/splunk/bin# ./splunk start
   # Error opening username mapping file: /opt/splunk/etc/users/users.ini err: Cannot open file=/opt/splunk/etc/users/users.ini for parsing: Permission denied
   # Error opening username mapping file: /opt/splunk/etc/users/users.ini err: Cannot open file=/opt/splunk/etc/users/users.ini for parsing: Permission denied
   # Error opening username mapping file: /opt/splunk/etc/users/users.ini err: Cannot open file=/opt/splunk/etc/users/users.ini for parsing: Permission denied
   # Error opening username mapping file: /opt/splunk/etc/users/users.ini err: Cannot open file=/opt/splunk/etc/users/users.ini for parsing: Permission denied
   # Error opening username mapping file: /opt/splunk/etc/users/users.ini err: Cannot open file=/opt/splunk/etc/users/users.ini for parsing: Permission denied
   #
   # Splunk> CSI: Logfiles.
   #
   # Checking prerequisites...
   # Error opening username mapping file: /opt/splunk/etc/users/users.ini err: Cannot open file=/opt/splunk/etc/users/users.ini for parsing: Permission denied
   # Checking http port [xxxx]: Error opening username mapping file: /opt/splunk/etc/users/users.ini err: Cannot open file=/opt/splunk/etc/users/users.ini for parsing: Permission denied
   # open
   # Checking mgmt port [xxxx]: Error opening username mapping file: /opt/splunk/etc/users/users.ini err: Cannot open file=/opt/splunk/etc/users/users.ini for parsing: Permission denied
   # open
   # Checking appserver port [127.0.0.1:xxxx]: Error opening username mapping file: /opt/splunk/etc/users/users.ini err: Cannot open file=/opt/splunk/etc/users/users.ini for parsing: Permission denied
   # open
   # ERROR - Failed opening "/opt/splunk/var/log/splunk/splunkd-utility.log": Permission denied
   # Error opening username mapping file: /opt/splunk/etc/users/users.ini err: Cannot open file=/opt/splunk/etc/users/users.ini for parsing: Permission denied
   # Traceback (most recent call last):
   #   File "/opt/splunk/lib/python3.9/site-packages/splunk/clilib/cli.py", line 38, in <module>
   #     import splunk.auth as auth
   #   File "/opt/splunk/lib/python3.9/site-packages/splunk/auth.py", line 9, in <module>
   #     import splunk.entity as en
   #   File "/opt/splunk/lib/python3.9/site-packages/splunk/entity.py", line 11, in <module>
   #     import splunk.rest as rest
   #   File "/opt/splunk/lib/python3.9/site-packages/splunk/rest/__init__.py", line 32, in <module>
   #     import splunk.ssl_context
   #   File "/opt/splunk/lib/python3.9/site-packages/splunk/ssl_context.py", line 35, in <module>
   #     import splunk.mining.dcutils as dcu
   #   File "/opt/splunk/lib/python3.9/site-packages/splunk/mining/dcutils.py", line 79, in <module>
   #     pythonLogHandler = logging.handlers.RotatingFileHandler(filename=os.path.join(os.environ['SPLUNK_HOME'], 'var', 'log', 'splunk', 'python.log'), mode='a', maxBytes=scannedMaxBytes, backupCount=scannedMaxBackupIndex)
   #   File "/opt/splunk/lib/python3.9/logging/handlers.py", line 153, in __init__
   #     BaseRotatingHandler.__init__(self, filename, mode, encoding=encoding,
   #   File "/opt/splunk/lib/python3.9/logging/handlers.py", line 58, in __init__
   #     logging.FileHandler.__init__(self, filename, mode=mode,
   #   File "/opt/splunk/lib/python3.9/logging/__init__.py", line 1166, in __init__
   #     StreamHandler.__init__(self, self._open())
   #   File "/opt/splunk/lib/python3.9/logging/__init__.py", line 1195, in _open
   #     return open(self.baseFilename, self.mode, encoding=self.encoding,
   # PermissionError: [Errno 13] Permission denied: '/opt/splunk/var/log/splunk/python.log'
   # Error running pre-start tasks
   ```

   This problem occurs when the files under the `/opt/splunk/` directory are owned by root. The Splunk daemon runs as the `splunk` user, so it cannot access files owned by `root`. Run `chown -R splunk:splunk /opt/splunk` to change the owner and group of the files to splunk.

   ```
   root@xxx:/opt/splunk/bin# chown -R splunk:splunk /opt/splunk
   ```
7. Splunk can now be started with the `./splunk start` command.
   Because Splunkd is registered as a daemon, Splunk also starts automatically when the Linux machine is rebooted.

   ```
   root@xxx:/opt/splunk/bin# ./splunk start
   #
   # Splunk> CSI: Logfiles.
   #
   # Checking prerequisites...
   # Checking http port [xxxx]: open
   # Checking mgmt port [xxxx]: open
   # Checking appserver port [127.0.0.1:xxxx]: open
   # Checking kvstore port [xxxx]: open
   # Checking configuration... Done.
   # Creating: /opt/splunk/var/lib/splunk
   # Creating: /opt/splunk/var/run/splunk
   # Creating: /opt/splunk/var/run/splunk/appserver/i18n
   # Creating: /opt/splunk/var/run/splunk/appserver/modules/static/css
   # Creating: /opt/splunk/var/run/splunk/upload
   # Creating: /opt/splunk/var/run/splunk/search_telemetry
   # Creating: /opt/splunk/var/run/splunk/search_log
   # Creating: /opt/splunk/var/spool/splunk
   # Creating: /opt/splunk/var/spool/dirmoncache
   # Creating: /opt/splunk/var/lib/splunk/authDb
   # Creating: /opt/splunk/var/lib/splunk/hashDb
   # Creating: /opt/splunk/var/run/splunk/collect
   # Creating: /opt/splunk/var/run/splunk/sessions
   # New certs have been generated in '/opt/splunk/etc/auth'.
   # Checking critical directories... Done
   # Checking indexes...
   # Validated: _audit _configtracker _dsappevent _dsclient _dsphonehome _internal _introspection _metrics _metrics_rollup _telemetry _thefishbucket history main summary
   # Done
   # Checking filesystem compatibility... Done
   # Checking conf files for problems...
   # Done
   # Checking default conf files for edits...
   # Validating installed files against hashes from '/opt/splunk/splunk-9.4.0-6b4ebe426ca6-linux-amd64-manifest'
   # All installed files intact.
   # Done
   # All preliminary checks passed.
   #
   # Starting splunk server daemon (splunkd)...
   # Generating a RSA private key
   # (...)
   # Getting CA Private Key
   # unable to write 'random state'
   # writing RSA key
   # Done
   root@xxx:/opt/splunk/bin# ./splunk status
   # splunkd is running (PID: xxxxxx).
   # splunk helpers are running (PIDs: xxxxxx xxxxxx).
   #
   root@xxx:/opt/splunk/bin# systemctl status Splunkd
   # ● Splunkd.service - Systemd service file for Splunk, generated by 'splunk enable boot-start'
   #      Loaded: loaded (/etc/systemd/system/Splunkd.service; enabled; preset: enabled)
   #      Active: active (running) since Sat xxxx-xx-xx xx:xx:xx UTC; xx days ago
   #     Process: xxxxxxx ExecStartPost=/bin/bash -c chown -R splunk:splunk /sys/fs/cgroup/system.slice/Splunkd.service (code=exited,>
   #    Main PID: xxxxxxx (splunkd)
   #       Tasks: 310 (limit: 4602)
   #      Memory: 1.7G (max: 1.9G available: 200.1M peak: 1.9G swap: 426.5M swap peak: 463.2M)
   #         CPU: xd xxh xxmin xx.xxxs
   #      CGroup: /system.slice/Splunkd.service
   #              ├─xxxxxxx splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd
   #              (...)
   #              └─xxxxxxx "[splunkd pid=xxx] [search-launcher] [process-runner]"
   #
   # xxx xx xx:xx:xx xxx splunk[xxx]: Done
   # xxx xx xx:xx:xx xxx splunk[xxx]: Checking filesystem compatibility... Done
   # xxx xx xx:xx:xx xxx splunk[xxx]: Checking conf files for problems...
   # xxx xx xx:xx:xx xxx splunk[xxx]: Done
   # xxx xx xx:xx:xx xxx splunk[xxx]: Checking default conf files for edits...
   # xxx xx xx:xx:xx xxx splunk[xxx]: Validating installed files against hashes from '/opt/splunk/splunk-9.4.0-6b4ebe4>
   root@xxx:/opt/splunk/bin#
   ```
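The root-ownership failure from step 6, turned into a check that runs before `./splunk start`: this is an added example, not code from the original post or from Splunk, and it assumes the post's layout (SPLUNK_HOME=/opt/splunk, splunkd running as the `splunk` user); the function names are mine.

```shell
#!/usr/bin/env bash
# Pre-start ownership check for a Splunk Enterprise install directory.
# Added example (not from the original post or from Splunk). Assumes the
# post's layout: SPLUNK_HOME=/opt/splunk, splunkd running as user "splunk".
# It detects the condition behind the step 6 "Permission denied" failure
# (root-owned files under SPLUNK_HOME that splunkd can neither read nor
# write) before ./splunk start trips over etc/users/users.ini or
# var/log/splunk, and applies the post's chown -R only when it is needed.

# Print the number of entries under $1 whose uid/gid is not $2/$3 (numeric
# ids, so find never aborts on a user name that does not exist on this box).
# Returns 0 when the count is zero, 1 when foreign-owned entries exist.
count_foreign_owned() {
  local home="$1" uid="$2" gid="$3" n
  [ -d "$home" ] || { echo "not a directory: $home" >&2; return 2; }
  n=$(find "$home" \( ! -uid "$uid" -o ! -gid "$gid" \) -print | wc -l | tr -d ' ')
  printf '%s\n' "$n"
  [ "$n" -eq 0 ]
}

# Show up to 10 offending paths with their current numeric owner, then the total.
list_foreign_owned() {
  local home="$1" uid="$2" gid="$3"
  find "$home" \( ! -uid "$uid" -o ! -gid "$gid" \) -exec ls -ldn {} + 2>/dev/null | head -n 10
  count_foreign_owned "$home" "$uid" "$gid"
}

# Resolve the splunk account, report, and repair only if something is off.
# Run as root before ./splunk start. Returns 2 if the splunk user is missing.
splunk_preflight() {
  local home="${1:-/opt/splunk}" uid gid rc=0
  uid=$(id -u splunk 2>/dev/null) && gid=$(id -g splunk 2>/dev/null) ||
    { echo "user 'splunk' not found; was the .deb installed?" >&2; return 2; }
  count_foreign_owned "$home" "$uid" "$gid" >/dev/null || rc=$?
  case "$rc" in
    0) echo "ownership OK: everything under $home belongs to $uid:$gid" ;;
    1) echo "entries under $home not owned by splunk:splunk (first 10):"
       list_foreign_owned "$home" "$uid" "$gid"
       chown -R splunk:splunk "$home" && echo "repaired: chown -R splunk:splunk $home" ;;
    *) return "$rc" ;;
  esac
}

# Usage (as root): splunk_preflight              # checks /opt/splunk
#                  splunk_preflight /srv/splunk  # another SPLUNK_HOME
```

Running it after step 4 and before step 6 reports the root-owned files and fixes them, so the traceback above never appears.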