Installing splunk on FreeBSD 10

Acquire software
First, register an account on the splunk website to get access to the downloads. When logged in with your freshly verified account, go to the download page for the enterprise version.

Download the package named “FreeBSD<n>” (at the time of writing these instructions, <n> = 7). Easiest is to cancel the “Save file…” dialogue and instead go with the “Got wget? Get this URL” approach.

Use the URL to download the software package on your FreeBSD 10 server.

Configure FreeBSD
Add some configuration to the boot loader:

sysctl -a | egrep "kern.maxdsiz|kern.dfldsiz" | sed 's/: /="/' | awk '{print $0"\""}' >> /boot/loader.conf
echo "machdep.hlt_cpus=0" >> /boot/loader.conf

Reboot the server for the changes to take effect.

Install and start software
Uncompress the package contents in /opt:

mkdir /opt
tar zxvf splunk-*.tgz -C /opt
/opt/splunk/bin/splunk enable boot-start
service splunk start

Configure syslog
The standard syslog daemon in FreeBSD listens on UDP port 514 by default. We want splunk to take care of that, so let's disable it by adding the syslogd flag -ss (do not open any UDP socket) in /etc/rc.conf and restarting the daemon.

echo 'syslogd_flags="-ss"' >> /etc/rc.conf
service syslogd restart

Let’s configure splunk to listen on UDP port 514 instead, so remote clients can keep logging to the same port.

/opt/splunk/bin/splunk add udp 514 -sourcetype syslog -resolvehost true
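Before pointing clients at the server, it is worth confirming that syslogd really gave up UDP 514 and that splunkd picked it up. The check below is an added example, not part of the original instructions; it parses the output format of FreeBSD's sockstat and runs against a constructed sample so it can be tried offline (replace the sample with "$(sockstat -4ul)" on the server).

```sh
#!/bin/sh
# Added example: verify which process owns UDP port 514 after the hand-over
# from syslogd (-ss) to splunk. Not part of the original post.

# Constructed sample of `sockstat -4ul` output on a correctly configured host:
# syslogd only has its local datagram socket, splunkd holds UDP 514.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     splunkd    2345  12 udp4   *:514                 *:*
root     syslogd    1234  6  dgram  /var/run/log
root     ntpd       777   20 udp4   *:123                 *:*'

# Print the COMMAND column of every UDP socket whose local address ends in ":514".
# Columns in sockstat output: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
udp514_owners() {
    printf '%s\n' "$1" | awk '$5 ~ /^udp/ && $6 ~ /:514$/ { print $2 }'
}

# Succeed (exit 0) only if splunkd, and nothing else, is bound to UDP 514.
# Any other owner (for example syslogd started without -ss) is a failure.
check_udp514() {
    owners=$(udp514_owners "$1" | sort -u | tr '\n' ' ')
    [ "$owners" = "splunkd " ]
}

if check_udp514 "$SAMPLE_SOCKSTAT"; then
    echo "OK: only splunkd listens on UDP 514"
else
    echo "WARNING: UDP 514 owners: $(udp514_owners "$SAMPLE_SOCKSTAT")"
fi
```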

Locally on the server, we should monitor /var/log.

/opt/splunk/bin/splunk add monitor /var/log

Now you have a working instance of Splunk! What is left to do is to configure your clients to use it as a remote logging server… that is however out of the scope of these instructions.

Change to free license
With the free enterprise download (needed for the FreeBSD version), you received a trial license for 60 days. For home usage, you can just remove the trial license straight away and save yourself the hassle down the road in 60 days.

/opt/splunk/bin/splunk edit licenser-groups Free -is_active 1
service splunk restart