Splunk Enterprise with remote Hosts
Description
This is a sample project to set up a Splunk SIEM lab and forward alerts and events from remote hosts to the Splunk server for monitoring and analysis.
Prerequisites
- VirtualBox
- Ubuntu Server ISO for hosting the Splunk server
- Windows machine (Windows 7 is used here)
- Splunk Enterprise and the Splunk Universal Forwarder (a 14-day trial of the Enterprise edition is available from Splunk)
Setup
- Create 2 VMs in VirtualBox with a bridged network adapter and promiscuous mode enabled
- One VM with Ubuntu Server, the other with Windows 7
1. Setting Up Splunk Server
Splunk is a SIEM used to analyze data and logs produced by systems. To use Splunk, the logs and data must first be imported into Splunk for analysis. Splunk provides a Universal Forwarder that lets remote hosts forward their data to the Splunk server for monitoring. Splunk also provides robust visualization and reporting tools to pick out the data of interest and present the results as reports, charts, graphs, etc. Security teams use it to identify and respond to internal and external attacks.
->Register for a Splunk account and download Splunk Enterprise (free trial)
->Download Splunk Enterprise to the Ubuntu Server VM and install it
->Splunk Enterprise is installed in the /opt directory
->cd to /opt/splunk/bin and enable boot-start with the command
sudo /opt/splunk/bin/splunk enable boot-start
->Accept the license and provide a username and password for the administrator account
->The Splunk web console uses port 8000, so port 8000 must be allowed through the firewall
Checking the status of ufw - "sudo ufw status"
Enabling ufw - "sudo ufw enable"
Adding firewall rule - "sudo ufw allow 8000"
->Start Splunk
sudo /opt/splunk/bin/splunk start
->Browse to “serverip:8000” to access the Splunk server
->Log in using the created credentials; the Splunk Enterprise interface is shown
2. Configuring Splunk server to receive logs
->Click Settings > Forwarding and Receiving
->Click Configure Receiving
->Click New Receiving Port and add the port (9997) on which the forwarded data arrives
->Go back to Home and select Indexes under Settings
->Create a new index, name it and save. Here the name is “windows”
3. Installing Splunk Forwarder on Windows(host) machine
->Log on to the Windows host machine and download the Splunk Forwarder
->Install the Splunk Forwarder on the machine
->Accept the license and select the “On-Premise Splunk” option
->Create a username and password > Next
->Click Next; the receiving indexer is set up on the next screen
->Enter the IP address of the Splunk server and the port (9997) that Splunk was configured to listen on
->Click Next and install
4. Finalizing the host setup
->After the installation is done, the index name must be added on the Windows machine
->Go to the install path of the Splunk forwarder
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local
->The inputs.conf file is found there
->Open it in Notepad and add the index name created in Splunk at the end of every event stanza (here it is index = windows)
->Check whether the Splunk server is configured correctly on the host
C:\Program Files\SplunkUniversalForwarder\etc\system\local
->Open and check the outputs.conf file
->Now port 9997 must be opened on the firewall to finalize the connection
->Go to “Windows Defender Firewall with Advanced Security”
->Select Inbound Rules on the left and create a new rule
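The two file edits above (adding index = windows to every event stanza in inputs.conf, and confirming outputs.conf points at the server on port 9997) are easy to get slightly wrong by hand. The following Python script is an added example, not part of the original project: it parses Splunk's stanza/key = value .conf layout, appends the index key to every input stanza that lacks one (leaving [default] alone so the index is set per input, as the manual step does), and checks that the default tcpout group in outputs.conf lists the server. The sample conf text, the host name WIN7-LAB and the server IP 192.168.1.20 are constructed for the demo; the index name and port are the ones used above.

```python
"""Helpers for the forwarder's inputs.conf / outputs.conf (added example).

Assumptions: Splunk's [stanza] / key = value conf layout; the index name
"windows" and receiving port 9997 from the steps above. The server IP
192.168.1.20 and the sample conf text below are constructed for the demo.
"""
import re
import sys

STANZA_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
KEY_RE = re.compile(r"^\s*(?P<key>[^=#;\s][^=]*?)\s*=\s*(?P<value>.*?)\s*$")


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}.
    Keys before the first header land in the "" (global) stanza."""
    stanzas = {"": {}}
    current = ""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        header = STANZA_RE.match(line)
        if header:
            current = header.group("name")
            stanzas.setdefault(current, {})
            continue
        kv = KEY_RE.match(line)
        if kv:
            stanzas[current][kv.group("key")] = kv.group("value")
    return stanzas


def add_index_to_stanzas(text, index):
    """Append "index = <index>" to every input stanza that does not set one.
    Existing lines, order and comments are kept; [default] is left alone."""
    out = []
    in_input_stanza = False
    has_index = False
    for line in text.splitlines() + [None]:      # None = end-of-file sentinel
        header = STANZA_RE.match(line) if line is not None else None
        if line is None or header:
            if in_input_stanza and not has_index:
                trailing = []                     # keep blank lines after the stanza
                while out and not out[-1].strip():
                    trailing.append(out.pop())
                out.append(f"index = {index}")
                out.extend(trailing)
            if line is None:
                break
            in_input_stanza = header.group("name") != "default"
            has_index = False
        else:
            kv = KEY_RE.match(line)
            if kv and kv.group("key") == "index":
                has_index = True
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def outputs_point_to(text, server_ip, port=9997):
    """True if the default tcpout group in outputs.conf lists server_ip:port."""
    conf = parse_conf(text)
    group = conf.get("tcpout", {}).get("defaultGroup")
    if not group:
        return False
    servers = conf.get(f"tcpout:{group}", {}).get("server", "")
    return f"{server_ip}:{port}" in {s.strip() for s in servers.split(",")}


# Constructed, abridged sample of the forwarder's inputs.conf.
SAMPLE_INPUTS = """\
[default]
host = WIN7-LAB

[WinEventLog://Application]
checkpointInterval = 5
disabled = 0

[WinEventLog://Security]
disabled = 0
index = windows

[WinEventLog://System]
disabled = 0
"""

# Constructed sample of outputs.conf as the forwarder installer writes it.
SAMPLE_OUTPUTS = """\
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 192.168.1.20:9997

[tcpout-server://192.168.1.20:9997]
"""

if __name__ == "__main__":
    # Usage: python forwarder_conf.py <inputs.conf> <outputs.conf> <server-ip>
    # With no arguments the constructed samples are used.
    if len(sys.argv) == 4:
        inputs_text = open(sys.argv[1], encoding="utf-8").read()
        outputs_text = open(sys.argv[2], encoding="utf-8").read()
        server = sys.argv[3]
    else:
        inputs_text, outputs_text, server = SAMPLE_INPUTS, SAMPLE_OUTPUTS, "192.168.1.20"
    print(add_index_to_stanzas(inputs_text, "windows"))
    print("outputs.conf routes to", server, "on 9997:", outputs_point_to(outputs_text, server))
```

Run it against the real files from the two forwarder paths above and write the printed inputs.conf back only after reviewing it; the script is idempotent, so running it twice adds nothing the second time.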
->Set Rule Type as Port
->Select protocol as UDP and specify the port (9997)
->Keep the defaults for Action (Allow the connection) and Profile (check all three)
->Add a name and description, then click Finish
->Finally, restart the Splunk forwarder service in services.msc
->After the service has restarted, go to Search and Reporting on the Splunk server
->Click Data Summary; the hosts and sources populated from the Windows machine are shown
The logs from the Windows machine are now imported into the Splunk server, and Splunk can analyze them