Setting Up Splunk Enterprise and Adding a Forwarder


Introduction

As I dive deeper into the world of SOC tools like Wazuh, Microsoft Sentinel, and LimaCharlie, I've realized the importance of staying up-to-date with the latest technologies. One tool that's been on my radar, and is practically a must-know for any serious SOC analyst, is Splunk. It's like the Swiss Army knife of SIEM platforms, known for its versatility and widespread use in the cybersecurity world.

Plus, I've got another reason to dive into Splunk: I'm gearing up to tackle the Splunk Core Certified User exam. So, not only do I get to expand my knowledge, but I also get to add a shiny new certification to my resume.

In this first part of the series, we'll start by setting up Splunk Enterprise and adding a forwarder. It's all about getting hands-on and practical, because that's where the real learning happens.




Step 1: Setting Up Ubuntu Servers in Oracle VirtualBox:



  • To kick off my Splunk home lab, I started by setting up the foundation: two Ubuntu servers. One will serve as the Splunk instance, while the other will function as a universal forwarder. I opted for Ubuntu servers and used Oracle VirtualBox to create and manage these virtual machines.


https://www.dhirubhai.net/pulse/defending-your-network-detecting-ssh-brute-force-attacks-chandran-ay4jc/

I have provided detailed instructions on setting up VirtualBox in the article linked above; please refer to it.




Step 2: Downloading and Installing Splunk Enterprise:


Now that I have my Ubuntu servers set up, it's time to bring Splunk Enterprise into the mix. Here's how I went about downloading and installing it:


  • Visit the Splunk Website: I navigated to the Splunk website and used the wget command to download the version of Splunk Enterprise compatible with my Ubuntu operating system.




  • Once the download was complete, I followed these instructions to install it:

dpkg -i splunk_package_name.deb        

Replace 'splunk_package_name.deb' with the name of the downloaded installation file. The command needs root privileges, so prefix it with sudo if you are not running as root.



  • After installation, navigate to the bin directory of the Splunk installation and start the service by executing the following command:

./splunk start --accept-license        

You will be prompted to create a new username and password.


  • Once Splunk is successfully started, you can find out the IP address of the machine where Splunk is running using the ifconfig command (or ip addr on systems where net-tools is not installed). Look for the IP address associated with the network interface you are using.

After obtaining the IP address, you can access the Splunk web interface by opening a web browser and entering the IP address followed by port 8000. For example, if the IP address is 192.168.1.100, you would enter https://192.168.1.100:8000 in the browser's address bar. Note that a fresh Splunk Enterprise install serves Splunk Web over plain HTTP until SSL is enabled in web.conf, so if the https URL does not load, try http:// instead.

This should take you to the Splunk web interface where you can log in using the username and password you set up during the installation process.






Step 3: Configure Data Inputs:

Configuring data inputs in Splunk is essential for telling Splunk where to look for data to index. Splunk is a powerful platform for searching, analyzing, and visualizing machine-generated data. However, it doesn't automatically know where to find your data. Data inputs serve as the bridge between your data sources and Splunk.

  • To configure data inputs, click on the "Settings" dropdown menu and select "Forwarding and Receiving."



  • Click on 'Add new' next to the 'Configure Receiving' option under the 'Receive data' section.



  • Here, we will enter port 9997. This port is the default port used by Splunk for receiving data from forwarders. It is specifically designated for the Splunk Indexer to listen for incoming data from Universal Forwarders.





Step 4: Install and Configure Universal Forwarder:


  • Visit the Splunk website and use the wget command to download the required package.




  • After the download finished, I installed it with the following command:

dpkg -i splunk_package_name.deb        

Replace 'splunk_package_name.deb' with the name of the downloaded installation file. As before, the command needs root privileges, so prefix it with sudo if you are not running as root.


  • After installation, navigate to the bin directory of the universal forwarder installation and start the service by executing the following command:

./splunk start --accept-license        


  • In configuring the universal forwarder to send data to my receiving indexer, I used the "add forward-server" command with arguments specifying the address and port of my receiving indexer.

./splunk add forward-server 192.168.183.130:9997        



  • Next, I needed to instruct the universal forwarder about the data to send to the indexer. I used the "add monitor" command to specify the machine data I wanted to send. In this case, I directed the forwarder to send everything written to the /var/log/syslog file to Splunk for indexing.

./splunk add monitor -auth username:password /var/log/syslog        

Replace 'username:password' with your credentials.





Step 5: Verify Forwarder Configuration:

  • In the Splunk web interface, under Data Summary, we can verify that the Splunk forwarder was correctly set up. Here, we see our Ubuntu VM listed as a host, and under the source, we find /var/log/syslog.




  • In the Splunk web interface, within the 'Search & Reporting' app, I executed the query 'index=* sourcetype=syslog' to verify that the Splunk forwarder was correctly set up. Here, we can observe logs from /var/log/syslog.




  • I discovered the Splunk Secure Gateway, which, when combined with the Splunk mobile app, allows users to receive notifications directly on their mobile devices and access Splunk data. This feature is particularly useful for SOC analysts or IT administrators who need real-time access to critical information, even when they're away from their desks.
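To tie the forwarder steps together with the verification step, here is an added example (my own shell script, not code from the original article or from Splunk) that checks what "add forward-server" and "add monitor" wrote to outputs.conf and inputs.conf on the forwarder, and then tests whether the indexer's receiving port is reachable. It assumes the default /opt/splunkforwarder install path and the article's indexer at 192.168.183.130:9997; both can be overridden through environment variables.

```shell
#!/usr/bin/env bash
# Added example (not from the article): check a universal forwarder's on-disk
# config against the indexer the article points it at, then probe the port.
# Assumes the default forwarder install path and the article's indexer address;
# both can be overridden through the environment.
SPLUNK_UF_HOME="${SPLUNK_UF_HOME:-/opt/splunkforwarder}"
EXPECTED_TARGET="${EXPECTED_TARGET:-192.168.183.130:9997}"

# Print every host:port listed on 'server = ...' lines of an outputs.conf.
# 'splunk add forward-server' writes such a line under a [tcpout:...] stanza.
outputs_targets() {
  sed -n -E 's/^[[:space:]]*server[[:space:]]*=[[:space:]]*//p' "$1" \
    | tr ',' '\n' | sed -E 's/^[[:space:]]+//;s/[[:space:]]+$//'
}

# Succeed if inputs.conf has a [monitor://<path>] stanza that is not disabled.
# 'splunk add monitor /var/log/syslog' writes [monitor:///var/log/syslog].
monitor_enabled() {
  awk -v want="[monitor://$2]" '
    $0 == want { in_stanza = 1; found = 1; next }
    /^\[/      { in_stanza = 0 }
    in_stanza && /^[ \t]*disabled[ \t]*=[ \t]*(1|true)/ { disabled = 1 }
    END { if (found && !disabled) exit 0; exit 1 }' "$1"
}

# Succeed if a TCP connection to host:port opens within 3 seconds; this is the
# receiving port enabled on the indexer in Step 3 (9997 by default).
port_reachable() {
  timeout 3 bash -c "exec 3<>/dev/tcp/${1%%:*}/${1##*:}" 2>/dev/null
}

# Run all three checks; each failure names the file or port to look at.
check_forwarder() {
  local outputs="$SPLUNK_UF_HOME/etc/system/local/outputs.conf"
  local inputs="$SPLUNK_UF_HOME/etc/system/local/inputs.conf"
  outputs_targets "$outputs" | grep -qxF "$EXPECTED_TARGET" \
    || { echo "no 'server = $EXPECTED_TARGET' in $outputs"; return 1; }
  monitor_enabled "$inputs" /var/log/syslog \
    || { echo "no enabled [monitor:///var/log/syslog] in $inputs"; return 1; }
  port_reachable "$EXPECTED_TARGET" \
    || { echo "$EXPECTED_TARGET unreachable; is receiving enabled on the indexer?"; return 1; }
  echo "forwarder configuration looks good"
}
# Usage: source this file on the forwarder, then run: check_forwarder
```

If the first two checks pass but the port probe fails, the problem is on the indexer side (receiving not enabled in Step 3 or a firewall in between), not in the forwarder's configuration.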







That's all for this article. I'll be writing more articles that delve deeper into Splunk in the future. Thank you for taking the time to read it.

#Splunk #SOC #SIEM #Cybersecurity #InfoSec



