
Deployment Overview of Splunk Enterprise on Server

Prerequisites and Basic Requirements

The deployment of Splunk Enterprise on the server requires the following conditions to be met:

  • Operating System: Linux-based system with Docker and Docker Compose installed.

  • Privileges: Root access or sudo privileges are required to create directories, manage Docker containers, and configure the proxy.

  • Domain: The server must be associated with the hostkey.in zone.

  • Ports: Ports 80, 443, and 8000 must be available for external and internal communication.

FQDN of the Final Panel

The application is accessible via the following Fully Qualified Domain Name (FQDN) on the hostkey.in domain:

  • splunk<Server ID>.hostkey.in:443

Note: Replace <Server ID> with the specific identifier assigned to the server instance. The application is served over HTTPS on port 443.

File and Directory Structure

The deployment utilizes the following directory structure on the host system:

  • /root/splunk: The primary directory containing the Docker Compose configuration and related files.

  • /root/splunk/compose.yml: The Docker Compose file defining the services and their configurations.

  • /data/nginx/user_conf.d: The directory containing custom Nginx configuration files for the proxy.

  • /etc/letsencrypt: The mount point, inside the Nginx container, for the SSL/TLS certificates that Certbot obtains and renews. It is backed by the nginx_secrets Docker volume, so the certificates are not found under /etc/letsencrypt on the host itself.

Application Installation Process

The application is deployed using Docker Compose. The installation process involves the following steps:

  1. The /root/splunk directory is created with root ownership and 0644 permissions.

  2. A compose.yml file is generated within /root/splunk, defining the Splunk and Nginx services.

  3. The Docker Compose stack is started using the docker compose up -d command, which launches the containers in detached mode.

  4. The Splunk container uses the splunk/splunk:latest image.

  5. The Nginx container uses the jonasal/nginx-certbot:latest image to handle SSL termination and reverse proxying.

Note: both images are referenced by the floating latest tag, so each docker compose pull may move Splunk or Nginx to a new major version without any change to compose.yml. Pin a specific version tag (or an image digest) in compose.yml if upgrades must be reproducible.

Docker Containers and Their Deployment

The deployment consists of two primary Docker containers defined in the compose.yml file:

  • splunk:

    • Image: splunk/splunk:latest

    • Restart Policy: unless-stopped

    • Internal Port: 8000 (not published on the host; reachable only from other containers on the Compose network)

    • Environment Variables:

      • SPLUNK_START_ARGS: Set to --accept-license to automatically accept the license agreement.

      • SPLUNK_PASSWORD: The password of Splunk's built-in admin user, set at deployment time to the SSH password used for the host connection. The value is written into compose.yml in clear text, and changing the SSH password later does not change it. Change the Splunk admin password after the first login and keep compose.yml readable by root only.

  • nginx:

    • Image: jonasal/nginx-certbot:latest

    • Restart Policy: unless-stopped

    • Ports: 80 and 443 published on the host.

    • Environment Variables: None are listed in the provided configuration.

    • Volumes:

      • nginx_secrets: Mounted to /etc/letsencrypt for certificate storage.

      • /data/nginx/user_conf.d: Mounted to /etc/nginx/user_conf.d for custom configurations.

    • Dependencies: Depends on the splunk service. Without a health condition, depends_on only orders container start-up: nginx starts once the splunk container is running, not once Splunk Web is ready, so the first requests after a start can fail until Splunk has finished initialising.
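The compose.yml below reproduces the two services exactly as the installation steps and the container list above describe them. It is an added example, not the file generated on the server: the SPLUNK_PASSWORD value and the CERTBOT_EMAIL variable are placeholders (the page lists no environment variables for nginx; CERTBOT_EMAIL is assumed from the image's documentation), and the splunk_etc/splunk_var volumes are an addition that the page's configuration does not have, included because the Splunk data otherwise lives only inside the container.

```yaml
# Added example: compose.yml reconstructed from the page's description.
# Placeholders and additions are marked; nothing here is the server's real file.
services:
  splunk:
    image: splunk/splunk:latest            # floating tag, as on the page; pin a version tag for reproducible updates
    restart: unless-stopped
    environment:
      SPLUNK_START_ARGS: "--accept-license"
      SPLUNK_PASSWORD: "CHANGE-ME"         # placeholder: set from the host SSH password at deploy time; rotate after first login
    # No 'ports:' block: 8000 stays on the Compose network and is reachable only by nginx.
    # Added (not in the page's configuration): named volumes so indexes and
    # configuration survive the container being removed and recreated.
    volumes:
      - splunk_etc:/opt/splunk/etc
      - splunk_var:/opt/splunk/var

  nginx:
    image: jonasal/nginx-certbot:latest
    restart: unless-stopped
    ports:
      - "80:80"                            # ACME HTTP-01 validation for Certbot
      - "443:443"                          # HTTPS to Splunk Web via the proxy
    environment:
      CERTBOT_EMAIL: "admin@example.com"   # assumption: required by the image for ACME registration; not listed on the page
    volumes:
      - nginx_secrets:/etc/letsencrypt                  # certificates and keys
      - /data/nginx/user_conf.d:/etc/nginx/user_conf.d  # custom server blocks
    depends_on:
      - splunk

volumes:
  nginx_secrets:
  splunk_etc:   # added
  splunk_var:   # added
```

The service name splunk doubles as the DNS name nginx uses to reach Splunk Web (http://splunk:8000) on the network Compose creates for the stack.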

Proxy Servers

The deployment includes an Nginx reverse proxy configured with Certbot for SSL/TLS management:

  • Nginx Configuration: The jonasal/nginx-certbot image terminates TLS on port 443 and reverse-proxies requests to the Splunk web interface at splunk:8000 on the Compose network; port 80 is used for Certbot's certificate validation.

  • SSL/TLS: Certbot, built into the image, obtains a certificate for splunk<Server ID>.hostkey.in at first start and renews it automatically; the certificate and private key are kept in the nginx_secrets volume.

  • Custom Domain: The proxy serves the application under the hostkey.in zone with the host name prefix splunk followed by the server ID.

  • Path Configuration: The external path is /, and no internal path prefix is added, so every request is forwarded to Splunk Web unchanged (no URL rewriting).
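A server block for /data/nginx/user_conf.d that implements the proxy described above, written as an added example (not the configuration present on the server). It follows the layout the jonasal/nginx-certbot image expects: the image scans user_conf.d for ssl_certificate paths under /etc/letsencrypt/live/<name>/ and requests a certificate for the server_name listed. The certificate name splunk and the dhparam path are assumptions taken from that image's conventions; replace <Server ID> as elsewhere on this page.

```nginx
# Added example: /data/nginx/user_conf.d/splunk.conf (not the server's own file).
# Port 80 is left to the image's default server block, which answers the ACME
# challenge for Certbot; only the HTTPS front end for Splunk Web is defined here.
server {
    listen 443 ssl;
    server_name splunk<Server ID>.hostkey.in;

    # Paths under /etc/letsencrypt are inside the container (nginx_secrets volume).
    # "splunk" is the assumed certificate name the image stores the issued cert under.
    ssl_certificate         /etc/letsencrypt/live/splunk/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/splunk/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/splunk/chain.pem;
    ssl_dhparam             /etc/letsencrypt/dhparams/dhparam.pem;   # generated by the image (assumption)

    # Tell browsers to stay on HTTPS once the certificate is known to work.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # External path / maps onto Splunk Web's root with no rewriting.
    location / {
        # "splunk" resolves to the Splunk container on the Compose network;
        # 8000 is never published on the host, so this is the only way in.
        proxy_pass http://splunk:8000;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_read_timeout 300s;           # long-running searches keep the connection open
    }
}
```

After placing the file, docker compose restart nginx makes the image re-read user_conf.d and request the certificate; check the nginx container logs if the certificate does not appear under the expected name.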

Permission Settings

The following permission settings are applied to the deployment directories:

  • /root/splunk:

    • Owner: root

    • Group: root

    • Mode: 0644

  • /root/splunk/compose.yml:

    • Owner: root

    • Group: root

    • Mode: 0644

Note: 0644 is a file mode. A directory without the execute (search) bit cannot be entered by ordinary users; only root bypasses that check, so the deployment works because every step runs as root, but the mode a practitioner would expect on a directory holding a credential is 0700. Verify with stat -c '%A %U:%G %n' /root/splunk /root/splunk/compose.yml and correct with chmod 0700 /root/splunk if needed. Because compose.yml carries SPLUNK_PASSWORD in clear text, 0600 is the appropriate mode for the file rather than 0644.

Location of Configuration Files and Data

  • Docker Compose File: /root/splunk/compose.yml

  • Nginx Custom Configurations: /data/nginx/user_conf.d

  • SSL Certificates: Stored within the nginx_secrets volume, mapped to /etc/letsencrypt inside the Nginx container.

  • Splunk Data: Persisted within the Docker container's internal storage; no explicit host volume mapping for Splunk data is defined in the provided configuration. Consequently, indexed data and configuration do not come back once the container is removed and recreated (for example by docker compose down followed by docker compose up -d). Map /opt/splunk/etc and /opt/splunk/var to named volumes if the data must survive that.

Available Ports for Connection

The following ports are configured for external and internal access:

  • Port 80: HTTP, used by Certbot for the HTTP-01 validation of the certificate, both at first issuance and at each renewal; it must remain reachable from the internet or renewals fail.

  • Port 443: HTTPS traffic for secure access to the Splunk web interface.

  • Port 8000: Splunk Web inside the splunk container. It is not published on the host, so it is reachable only from the nginx container over the Compose network; confirm with docker compose ps (no 8000 mapping) or ss -ltn on the host (nothing listening on 8000).

Starting, Stopping, and Updating

The Docker Compose stack is managed using the following commands executed from the /root/splunk directory:

  • Start the services:

    docker compose up -d
    

  • Stop the services:

    docker compose down
    

    Note: down removes the containers (named volumes such as nginx_secrets are kept). Because no host volume is mapped for Splunk data, what Splunk has indexed and configured does not come back after down followed by up -d. Use docker compose stop to halt the services without removing the containers, and add a named volume for Splunk before relying on down.

  • Update the services: To update the containers to the latest versions of the images, pull the new images and restart the stack:

    docker compose pull
    docker compose up -d
    

    Note: both services use the floating latest tag, so a pull can move Splunk or Nginx to a new major version. Read the release notes and take a backup before updating, or pin a version tag in compose.yml.

  • View logs:

    docker compose logs -f
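Before running docker compose up -d or an update, the points raised on this page (Splunk Web not published on the host, floating latest tags, no volume for Splunk data) can be checked statically against compose.yml. The script below is an added example, not a tool shipped with the deployment; it uses only POSIX sh, awk and grep so it runs on the host without Docker, and the sample compose it audits is constructed to mirror the stack described on this page (the password value is a placeholder).

```sh
#!/bin/sh
# Added example (not from the HOSTKEY page): static pre-flight checks on a
# compose.yml. Save as compose-audit.sh; run with a path, or without one to
# audit the constructed sample below.

# Print the body of one service stanza (the lines indented under "  <svc>:").
service_block() {
  awk -v svc="$2" '
    /^[^ ]/   { top = $0; inblk = 0; next }                            # top-level key: services:, volumes:
    /^  [^ ]/ { inblk = (top == "services:" && $0 == ("  " svc ":")); next }
    inblk     { print }
  ' "$1"
}

# Exit 0 when the service defines the given key (e.g. ports, volumes).
service_has_key() {
  service_block "$1" "$2" | grep -q "^    $3:"
}

# Exit 0 when the service image is pinned to a tag or digest instead of floating on :latest.
image_is_pinned() {
  image=$(service_block "$1" "$2" | awk '$1 == "image:" { print $2 }')
  case "$image" in
    *@sha256:*) return 0 ;;   # digest-pinned: strongest form
    *:latest)   return 1 ;;   # explicit floating tag
    *:*)        return 0 ;;   # explicit version tag (a registry port also matches; acceptable here)
    *)          return 1 ;;   # no tag at all is an implicit :latest
  esac
}

# Print one WARN line per finding; return the number of findings.
audit_compose() {
  f=$1; issues=0
  if service_has_key "$f" splunk ports; then
    echo "WARN: splunk publishes host ports; Splunk Web should be reachable only through nginx"
    issues=$((issues + 1))
  fi
  for svc in splunk nginx; do
    if ! image_is_pinned "$f" "$svc"; then
      echo "WARN: $svc uses a floating image tag; 'docker compose pull' may jump versions silently"
      issues=$((issues + 1))
    fi
  done
  if ! service_has_key "$f" splunk volumes; then
    echo "WARN: splunk has no volumes; indexes and config are lost when the container is recreated"
    issues=$((issues + 1))
  fi
  return "$issues"
}

# Constructed sample mirroring the page's description (not the server's real file).
write_sample_compose() {
  cat > "$1" <<'EOF'
services:
  splunk:
    image: splunk/splunk:latest
    restart: unless-stopped
    environment:
      SPLUNK_START_ARGS: --accept-license
      SPLUNK_PASSWORD: placeholder
  nginx:
    image: jonasal/nginx-certbot:latest
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - nginx_secrets:/etc/letsencrypt
      - /data/nginx/user_conf.d:/etc/nginx/user_conf.d
    depends_on:
      - splunk
volumes:
  nginx_secrets:
EOF
}

main() {
  if [ -n "$1" ]; then
    audit_compose "$1"
  else
    tmp=$(mktemp)
    write_sample_compose "$tmp"
    audit_compose "$tmp"; rc=$?
    rm -f "$tmp"
    return "$rc"
  fi
}

# Run only when executed as compose-audit.sh; sourcing the file just defines the functions.
if [ "${0##*/}" = "compose-audit.sh" ]; then
  main "$@"
fi
```

Against the constructed sample the audit reports three findings (two floating tags and no Splunk volume) and none for published ports, which is exactly the state this page describes; the exit status equals the number of findings, so it can gate a deployment script.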
    
