Deploy a Virtualized Splunk Server

Create your own Splunk Enterprise SIEM Lab



Why?

Splunk is a Security Information and Event Management (SIEM) system used for collecting, searching, and analyzing machine-generated data from servers, network devices, and applications. Setting up Splunk Enterprise on a Linux machine at home is an excellent way to build hands-on skills with a tool that is widely used in cybersecurity and IT operations. By working with Splunk, we learn to manage and query data effectively, which are essential skills for identifying security threats and resolving technical issues. This project will have us install Splunk Enterprise on a Rocky Linux system, a community-supported GNU/Linux operating system that serves as an alternative to Red Hat Enterprise Linux (RHEL), which is widely used in enterprise Linux environments.


How?

To virtualize a simple SIEM environment, we are going to create two separate virtual machines. You will need a hypervisor of your choice; I am doing this on a bare-metal hypervisor (a Proxmox VE node).

Instructions:


1) Install `wget`; the Rocky Linux minimal install does not ship with `wget`.

    sudo dnf install wget

   
2) Download the latest Splunk Enterprise RPM and its SHA512 hashsum. You will have to log in to grab the latest RPM package and its hashsum. Thankfully, Splunk even generates a prepared `wget` command for the latest package.

3) Generate the SHA512 hashsum of the downloaded RPM and compare it to the hashsum you downloaded to verify file integrity.

    sha512sum [Splunk RPM Filename]

   and

    cat [Splunk RPM Filename].sha512

   
   If the hashsums do not match, your file's integrity is compromised!


4) Install the RPM package.

    sudo rpm -iv [Splunk RPM Filename]

    -i : install
    -v : verbose


5) Start Splunk using the following command and accept the EULA.

    sudo /opt/splunk/bin/splunk start

   
6) Create dashboard administrator credentials.
   
7) Add firewall rules to open the web dashboard (8000), the management API port (8089), and the port that receives logs from forwarders (9997).

    sudo firewall-cmd --add-port=8000/tcp --permanent
    sudo firewall-cmd --add-port=8089/tcp --permanent
    sudo firewall-cmd --add-port=9997/tcp --permanent

   

   Confirm the ports were added to the permanent firewall rules (the permanent set is the one we just changed; the runtime set will not show them until the reload below):

    sudo firewall-cmd --permanent --list-all | grep -m 1 ports

   
   Reload the firewall rules so they take effect:

    sudo firewall-cmd --reload

 
 
8) Manually start the Splunk service as the splunk user to accept any terms and conditions and set first-time configuration.

    sudo -u splunk /opt/splunk/bin/splunk start

9) We are going to automate updating the system and starting the Splunk server after the OS loads.

First we need to give the splunk user and group ownership of everything under /opt/splunk:

    sudo chown -R splunk:splunk /opt/splunk


Create a systemd unit, /etc/systemd/system/splunker.service, so Splunk is started at boot.

    sudo vim /etc/systemd/system/splunker.service

Contents of /etc/systemd/system/splunker.service:

    [Unit]
    Description=Splunk systemd service
    After=network.target

    [Service]
    Type=forking
    User=splunk
    Group=splunk
    ExecStart=/opt/splunk/bin/splunk start
    ExecStop=/opt/splunk/bin/splunk stop
    Restart=on-failure
    RestartSec=15s

    [Install]
    WantedBy=multi-user.target

Enable splunker.service so it is started automatically once the OS boots.

    sudo systemctl enable splunker.service

Once your machine is restarted, or you start the unit manually with `sudo systemctl start splunker.service`, your Splunk Enterprise server will start. Once it is loaded you can access the Splunk dashboard from a remote computer's web browser:

URL: http://SERVERIPADDRESS:8000/
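As an added example that is not part of the original post, here is a small bash function for step 3's integrity check: it compares the SHA-512 digest of the downloaded RPM with the published .sha512 file and returns a distinct exit code for a match, a mismatch, and malformed or missing input, so a script can refuse to install on anything but a clean match. It assumes the .sha512 file uses the sha512sum line format (digest, two spaces, filename); the function names and the stand-in files are my own.

```shell
#!/usr/bin/env bash
# verify_splunk_rpm <rpm file> <sha512 file>
# Compares the SHA-512 digest of the downloaded RPM with the digest Splunk
# publishes beside it. Assumes the .sha512 file holds a sha512sum-style line:
#   <128 hex chars>  <filename>
# Exit status: 0 = match, 1 = mismatch (do not install), 2 = bad input.
verify_splunk_rpm() {
    local rpm="$1" sums="$2" expected actual
    if [ ! -f "$rpm" ] || [ ! -f "$sums" ]; then
        echo "verify_splunk_rpm: missing file" >&2
        return 2
    fi
    # First field of the first line, lower-cased so letter case cannot cause a false mismatch.
    expected=$(awk 'NR==1 {print tolower($1)}' "$sums")
    # Reject anything that is not a 128-character hex string before comparing.
    case "$expected" in
        *[!0-9a-f]*) expected="" ;;
    esac
    if [ "${#expected}" -ne 128 ]; then
        echo "verify_splunk_rpm: malformed digest in $sums" >&2
        return 2
    fi
    # Hash the file by path, so this works from any directory (sha512sum -c
    # resolves the filename inside the .sha512 file relative to the current directory).
    actual=$(sha512sum "$rpm" | awk '{print tolower($1)}')
    if [ "$expected" = "$actual" ]; then
        echo "OK: $(basename "$rpm") matches published SHA-512"
        return 0
    fi
    echo "MISMATCH: $(basename "$rpm") does not match $sums; do not install it" >&2
    return 1
}

# Constructed demonstration: a stand-in "RPM", its digest file, then a corrupted copy.
demo_verify_splunk_rpm() {
    local dir rc
    dir=$(mktemp -d)
    printf 'constructed stand-in for the Splunk RPM\n' > "$dir/splunk.rpm"
    sha512sum "$dir/splunk.rpm" > "$dir/splunk.rpm.sha512"
    verify_splunk_rpm "$dir/splunk.rpm" "$dir/splunk.rpm.sha512"   # prints OK
    printf 'tampered' >> "$dir/splunk.rpm"                          # simulate a corrupted download
    verify_splunk_rpm "$dir/splunk.rpm" "$dir/splunk.rpm.sha512"   # prints MISMATCH
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

When run from the download directory, `sha512sum -c [Splunk RPM Filename].sha512` performs the same comparison in one line; the function above adds the input checks and works from any directory.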
   
