Splunk install and configuration
Last updated
Splunk is a Security Information and Event Management (SIEM) platform designed to search, monitor, and analyze machine-generated data in real time. It helps organizations turn raw data from sources such as logs and events into useful insight for troubleshooting and security monitoring. In this blog, we will configure Splunk Enterprise to receive data and then deploy a universal forwarder that collects Windows event logs and sends them to our Splunk instance.
This guide assumes that Splunk Enterprise is already installed on your machine and that you can reach its web interface. If you have not downloaded Splunk Enterprise yet (a free trial is available), get it from https://www.splunk.com/en_us/download.html.
To start, go to "Forwarding and Receiving" under "Settings."
Select "Add new" under "Receive data."
The default receiving port is 9997. Leave it at the default unless you have a reason to change it, and restrict access to it at the firewall so that only your forwarders can reach it; by default this listener accepts plain TCP, so anything on the network path can read the forwarded events unless you enable TLS on the receiver and the forwarders.
Next, install the Splunk Universal Forwarder on the host you want to collect from. A forwarder is defined as a "Splunk Enterprise instance that forwards data to another Splunk Enterprise instance, such as an indexer or another forwarder, or to a third-party system."
If you are using a Windows machine, run the .msi installer, accept the default configuration settings, and, if the wizard prompts for a receiving indexer, enter the hostname and receiving port (9997) of your Splunk instance. If you skip that prompt, the destination can be set later in outputs.conf.
Next, create an "inputs.conf" file in the C:\Program Files\SplunkUniversalForwarder\etc\system\local directory. In this file you declare the log sources the forwarder should send to your Splunk indexer. A Splunk indexer is defined as "the repository for data. When the Splunk platform indexes raw data, it transforms the data into searchable events."
Add an input stanza to this file for each Windows event log channel you want to forward (for example Security, System and Application), then restart the forwarder service (SplunkForwarder) so it picks up the new configuration:
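The following is an added example of the two forwarder configuration files, not the post's own or Splunk's own shipped configuration. It assumes the indexer is reachable at the placeholder address 192.0.2.10, that the group name primary_indexers is an arbitrary label, and that the TLS settings in outputs.conf are used with a receiver that has TLS enabled and a certificate the forwarder trusts (useSSL requires Splunk 9.0 or later); drop the two TLS lines if you are testing against the plain 9997 listener configured above.

```ini
# Added example (not from the original post). Paths are the default
# universal forwarder install location; 192.0.2.10 is a placeholder.

# --- C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf ---
# One stanza per Windows event log channel. "index = main" matches the
# search used later in this guide; events land in "main" if no index is set.
[WinEventLog://Security]
disabled = 0
index = main
# On first run, read the channel from its oldest record; after that the
# forwarder checkpoints its position and only sends new events.
start_from = oldest
current_only = 0
# Keep the classic text rendering; set to true for XML if your add-on expects it.
renderXml = false

[WinEventLog://System]
disabled = 0
index = main

[WinEventLog://Application]
disabled = 0
index = main

# --- C:\Program Files\SplunkUniversalForwarder\etc\system\local\outputs.conf ---
# Where the forwarder sends data. If you entered the indexer in the MSI
# wizard, this file already exists; check it rather than creating a duplicate.
[tcpout]
defaultGroup = primary_indexers
# Assumed: the receiver has TLS enabled and its certificate chains to a CA the
# forwarder trusts. Remove these two lines for a plain TCP test setup.
useSSL = true
sslVerifyServerCert = true

[tcpout:primary_indexers]
server = 192.0.2.10:9997
```

After saving both files, restart the SplunkForwarder service (for example with `Restart-Service SplunkForwarder` from an elevated PowerShell prompt). Reading the Security channel requires the forwarder service to run with sufficient privileges; the default Local System account has them.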
Navigate to your Splunk web interface and search for index=main to see your Windows event logs. If nothing appears after a minute or two, confirm on the forwarder that it is connected to the indexer by running "splunk list forward-server" from the forwarder's bin directory, and check that port 9997 on the indexer is reachable from the host.
You can install the Splunk Add-on for Microsoft Windows, a Technology Add-on (TA), to apply field extractions, event types and tags to these logs automatically. Navigate to "Apps," then "Find More Apps." In the search bar, type "Windows," and you will find the official add-on. Select "Install" to deploy it to your Splunk instance.
If you want your data to be CIM compliant, you can also install the Splunk Common Information Model add-on. We will not go deeper into data models in this guide, but more information about CIM can be found at this link: https://docs.splunk.com/Splexicon:CommonInformationModel.