Installing Splunk

In the early 2020s, I spent a lot of free time on GTA Roleplay servers, serving as staff. GTA-RP is basically where people roleplay as characters in the world of Grand Theft Auto. Rules vary from server to server on what you are not allowed to do, but in general it's commonly understood that you shouldn't just shoot random people or drive your car into crowds. Often, when someone is "failing" roleplay, or is cheating using third-party exploits, other players put in reports with the staff so we can address it. Trolls creating poor roleplay can cripple a server's population and reputation, because nobody who wants to roleplay wants to do it in a place where trolls are constantly ruining the experience, so staff has to handle situations quickly. The only information most server owners have is what the reporter tells them, which is usually flawed, or at best incomplete. Intermediate and advanced server teams implement some logging via API to Discord, but anyone who has spent hours sifting through Discord GTA logs can tell you that while they are absolutely helpful, the experience is far from optimal and is very time consuming.

We needed an enterprise logging solution, and that is what led me to put Splunk on a Linode. Linode is just a cloud VPS provider. I chose Debian for the OS, but most of the time people who care enough to buy Splunk will put it on something like Red Hat Enterprise Linux (RHEL) or CentOS, because those are the distributions that enterprise support and hardening guidance are built around. Once you have logged on to the server you want to put Splunk on, download the software with:

wget -O splunk.tgz "https://shorturl.at/T59T8"

That short URL redirects to a Splunk tarball. Before extracting anything, compare the file's SHA-512 against the digest Splunk publishes beside the download on splunk.com, because a shortener can be repointed at any time and you are about to run whatever it served as a long-lived service. Then extract it into /opt:

tar xvzf splunk.tgz -C /opt

Once that's done, best practice says don't run Splunk as root, so make a dedicated splunk user:

useradd splunk

Then hand the extracted files over to that new user:

chown splunk:splunk -R /opt/splunk

The last thing to do as root is to open some firewall rules. Splunk needs 9997/tcp for forwarders sending data in, 8089/tcp for the management REST API, and 8000/tcp for the web UI. On a VPS with a public address, 8000 and 8089 should be reachable only from your own IP (a firewalld rich rule with a source address does this), not from the whole internet; the management port in particular authenticates with the admin credentials and should never be world-open. If you don't have firewalld already:

sudo apt install firewalld -y

Once that's done:

firewall-cmd --add-port=9997/tcp

firewall-cmd --add-port=8089/tcp

firewall-cmd --add-port=8000/tcp

firewall-cmd --runtime-to-permanent

OK, now we'll switch over to the splunk user and start Splunk:

su - splunk

/opt/splunk/bin/splunk start --accept-license

It will ask you to create a username and password for the admin account (the password must be at least eight characters), so go ahead and do that, but remember it, because you'll need it in a second!

admin username:

password:

confirm password:

And just like that, Splunk should be running! Open a browser and point it at your server's IP address on port 8000 (or localhost if you're on the server) and you should get a login page. Note that Splunk Web listens on plain HTTP by default, so on a VPS with a public address either enable SSL for Splunk Web or reach it through an SSH tunnel, rather than sending the admin password across the internet in the clear:

http://localhost:8000
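The whole procedure above as one script, added here as an example and not part of the original post or of Splunk's own tooling. It goes a little beyond the walkthrough: it refuses to install if the tarball's SHA-512 doesn't match the digest you took from splunk.com, it seeds the admin account through user-seed.conf so the password is never typed at an interactive prompt, it opens 8000 and 8089 only to your own address and 9997 only to your forwarders' address via firewalld rich rules, and it registers a systemd unit that keeps running as the splunk user. The environment variable names, the helper function names, and the 203.0.113.10/32 address in the usage comment are assumptions for this example; the download URL and digest are inputs you supply from the Splunk download page, not values the script knows.

```shell
#!/bin/sh
# Added example: a hypothetical install helper for the walkthrough above,
# not Splunk's own installer. Run as root on Debian:
#   SPLUNK_TGZ_URL=... SPLUNK_SHA512=... SPLUNK_ADMIN_PASSWORD=... \
#   ADMIN_CIDR=203.0.113.10/32 sh install-splunk.sh install
# The URL and digest are assumed inputs: take both from the splunk.com
# download page for the release you actually want.
set -eu

SPLUNK_HOME=/opt/splunk
SPLUNK_USER=splunk

# Compare a file's SHA-512 against the digest published beside the download.
# Returns 0 on match, 1 on mismatch, so the caller can refuse to install.
verify_sha512() {
    file=$1
    expected=$2
    actual=$(sha512sum "$file" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# Render user-seed.conf, which Splunk reads on first start to create the
# admin account instead of prompting for it at the terminal.
render_user_seed() {
    printf '[user_info]\nUSERNAME = %s\nPASSWORD = %s\n' "$1" "$2"
}

# Render a firewalld rich rule that opens one TCP port to one source CIDR
# only, instead of the world-open --add-port used in the walkthrough.
firewall_rich_rule() {
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="tcp" accept' "$1" "$2"
}

install_splunk() {
    : "${SPLUNK_TGZ_URL:?tarball URL from the splunk.com download page}"
    : "${SPLUNK_SHA512:?SHA-512 digest published beside that download}"
    : "${SPLUNK_ADMIN_PASSWORD:?initial admin password (8+ characters)}"
    : "${ADMIN_CIDR:?your own address, e.g. 203.0.113.10/32}"
    # Forwarders may live elsewhere; default to the admin address if unset.
    FORWARDER_CIDR=${FORWARDER_CIDR:-$ADMIN_CIDR}

    wget -O /tmp/splunk.tgz "$SPLUNK_TGZ_URL"
    if ! verify_sha512 /tmp/splunk.tgz "$SPLUNK_SHA512"; then
        echo "checksum mismatch, refusing to install" >&2
        return 1
    fi

    id -u "$SPLUNK_USER" >/dev/null 2>&1 || useradd -m -s /bin/bash "$SPLUNK_USER"
    tar xzf /tmp/splunk.tgz -C /opt

    # Seed the admin account before first start; keep the file readable only
    # by the service account, since it holds a cleartext password until
    # Splunk consumes it.
    mkdir -p "$SPLUNK_HOME/etc/system/local"
    render_user_seed admin "$SPLUNK_ADMIN_PASSWORD" \
        > "$SPLUNK_HOME/etc/system/local/user-seed.conf"
    chmod 600 "$SPLUNK_HOME/etc/system/local/user-seed.conf"
    chown -R "$SPLUNK_USER:$SPLUNK_USER" "$SPLUNK_HOME"

    # Web UI (8000) and management port (8089) only from the admin address,
    # the receiver port (9997) only from where forwarders will connect.
    apt-get install -y firewalld
    firewall-cmd --add-rich-rule="$(firewall_rich_rule "$ADMIN_CIDR" 8000)"
    firewall-cmd --add-rich-rule="$(firewall_rich_rule "$ADMIN_CIDR" 8089)"
    firewall-cmd --add-rich-rule="$(firewall_rich_rule "$FORWARDER_CIDR" 9997)"
    firewall-cmd --runtime-to-permanent

    # First start as the unprivileged user: accepts the license, consumes
    # user-seed.conf, and answers the remaining prompts non-interactively.
    su - "$SPLUNK_USER" -c "$SPLUNK_HOME/bin/splunk start --accept-license --answer-yes --no-prompt"

    # Register a systemd unit (Splunkd.service) that runs as splunk, so the
    # service comes back after a reboot without anyone logging in as root.
    su - "$SPLUNK_USER" -c "$SPLUNK_HOME/bin/splunk stop"
    "$SPLUNK_HOME/bin/splunk" enable boot-start -systemd-managed 1 -user "$SPLUNK_USER"
    systemctl start Splunkd
}

# Only run the install when asked; sourcing the file just defines the helpers.
case "${1:-}" in
    install) install_splunk ;;
esac
```

The three helpers are kept separate from the privileged part so you can check what the script will write and which rules it will add before running it as root: `render_user_seed` and `firewall_rich_rule` just print text, and `verify_sha512` is the gate that stops the install when the tarball is not the one you expected.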