Splunk on Ubuntu 16.04
- change interface names back to the traditional scheme (eth0, eth1, ...)
vi /etc/default/grub
add net.ifnames=0 biosdevname=0 to GRUB_CMDLINE_LINUX line
grub-mkconfig -o /boot/grub/grub.cfg
reboot
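- set the timezone to UTC and sync time from a local NTP server (consistent UTC timestamps keep indexed events comparable across hosts)
timedatectl set-timezone UTC
Ubuntu 16.04 syncs time with the systemd-timesyncd service
if ntp is installed, stop and remove it first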
systemctl stop ntp
update-rc.d ntp disable
sysv-rc-conf to confirm
apt-get -y remove ntp
using timesyncd service
vi /etc/systemd/timesyncd.conf
NTP=0.cn.pool.ntp.org 1.cn.pool.ntp.org
systemctl start systemd-timesyncd
systemctl status systemd-timesyncd
- tune ulimit parameters
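vi /etc/security/limits.conf
(the leading "*" is the limits.conf wildcard domain; it appears to have been turned into "-" by list formatting)
* soft nofile 65535
* hard nofile 65535
* soft nproc 65535
* hard nproc 65535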
Disable Transparent Huge Page
vi /etc/systemd/system/disable-thp.service
[Unit]
Description=Disable Transparent Huge Pages (THP)
[Service]
Type=simple
ExecStart=/bin/sh -c "echo 'never' > /sys/kernel/mm/transparent_hugepage/enabled && echo 'never' > /sys/kernel/mm/transparent_hugepage/defrag && echo '0' > /sys/kernel/mm/transparent_hugepage/khugepaged/defrag"
[Install]
WantedBy=multi-user.target
systemctl daemon-reload
systemctl start disable-thp
systemctl enable disable-thp
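reboot to take effect; check the limits with ulimit -a, and check THP with cat /sys/kernel/mm/transparent_hugepage/enabled (the active value is shown in brackets and should be [never])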
- install splunk enterprise
as root (verify the downloaded tarball against the checksum published by the vendor before extracting it):
useradd -m splunk
tar zxf splunk.xxx.xxx.gz -C /opt
chown -R splunk:splunk /opt/splunk
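su - splunk
/opt/splunk/bin/splunk start --accept-license
exit (return to root; enable boot-start must be run as root)
/opt/splunk/bin/splunk enable boot-start -user splunk
- ufw enable
if the host is administered over SSH, run "ufw allow ssh" before "ufw enable" so the session is not cut off
ufw allow 8000
port 8000 is Splunk Web: make sure the admin account has a strong, non-default password before opening it, and where possible limit the rule to the management network, e.g. ufw allow from <MGMT_SUBNET> to any port 8000 proto tcp (placeholder subnet)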