
In our previous discussion, we explored the benefits of Security Information and Event Management (SIEM) tools in incident response. Today, we’re taking a practical step forward by setting up a Splunk instance on a Linux virtual machine (VM). This guide will walk you through the installation process and demonstrate how to access Splunk from a client machine.
Splunk is a software platform used for collecting, indexing, searching, and analyzing machine-generated data in real-time. It provides insights and operational intelligence across IT, security, and business environments. As a SIEM tool, Splunk collects, correlates, and analyzes security-related information from various sources within an organization’s network, such as network devices, servers, applications, and endpoints.
Prerequisites
Step 1: Set Up the Operating System
Before we begin, we need to install the operating system that Splunk will run on. A lightweight, terminal-only server edition is enough: it takes little disk space and has no desktop to slow the machine down.
Ubuntu Server is a good choice. It is built for servers and ships without the background desktop software that could slow the machine or interfere with server operation.
- Download Ubuntu Server LTS: Visit the Ubuntu website and download the latest Long Term Support (LTS) version of Ubuntu Server.
- Set Up VirtualBox:
- Create a new VM in VirtualBox.
- Use the Ubuntu Server ISO you downloaded to set up the VM.
- Set the network adapter to Bridged Adapter so the VM gets its own address on your LAN and the host (or any other client) can reach it. Note that this also exposes every service on the VM, including Splunk Web on port 8000, to the whole LAN. If only the host needs access, a Host-only Adapter gives that with less exposure; in either case, use a host firewall (ufw) to limit who can reach port 8000.
- Run the VM: Start the VM and follow the on-screen instructions to complete the installation of Ubuntu Server.
- Update Installation Packages:
- Once the Ubuntu Server is up and running, open the terminal and update the system packages using the following command:
sudo apt-get update && sudo apt-get upgrade -y
Step 2: Installing Splunk on Ubuntu
- Register on the Splunk Website: Go to the Splunk website and register for an account to download Splunk Enterprise.
- Download Splunk Enterprise:
- After registering, navigate to the downloads section.
- Click the .tgz download button for Splunk Enterprise and copy the wget link for command-line download. Also note the SHA512 checksum the download page provides for the file, so you can verify the download before extracting it.
- Download Splunk via Command Line:
- On your Ubuntu Server, change to the /tmp/ directory with cd /tmp/, then use the wget command to download the Splunk .tgz file using the link you copied.
- Extract Splunk Files:
- Once the download is complete, change to the /opt/ directory using cd /opt/
- Extract the downloaded .tgz file into the /opt/ directory using sudo tar xvf /tmp/splunk-<version>-Linux-x86_64.tgz (substitute the exact file name you downloaded). This creates a splunk directory in /opt/ containing a complete Splunk installation.
- Install Splunk:
- Run the following command to start Splunk for the first time and accept the license agreement: sudo /opt/splunk/bin/splunk start --accept-license
- Starting it with sudo means splunkd runs as root. For anything beyond a throwaway lab, create a dedicated unprivileged user instead, give it ownership of the tree (sudo chown -R splunk:splunk /opt/splunk) and start Splunk as that user, which is what Splunk's own documentation recommends.
- During the initial run, you’ll be prompted to create an administrator account. Follow the prompts to set up your credentials.
- Access Splunk:
- Once the setup is complete, you can access the Splunk web interface on port 8000. By default Splunk Web serves plain HTTP, so the URL is http://127.0.0.1:8000 (https:// only works after you set enableSplunkWebSSL = true in /opt/splunk/etc/system/local/web.conf and restart Splunk).
- 127.0.0.1 only works from the VM itself, and a headless Ubuntu Server has no browser. From the host or any other client, replace it with the server's hostname or IP address: http://<servername>:8000
- Enable Splunk to Start at Boot:
- To ensure Splunk starts automatically with the system, run the following command: sudo /opt/splunk/bin/splunk enable boot-start
- If you created a dedicated splunk user, add -user splunk so the boot-time service runs as that user rather than as root.
- Accessing the Splunk Dashboard:
- Now, you can log in to the Splunk Dashboard using the admin credentials you created. You should see the Splunk Home Page, ready for use.
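The Step 2 commands gathered into one script, with the checks a practitioner would add, as an added example that is not code from the original post or from Splunk. It assumes the tarball has already been downloaded to /tmp, that the SHA512 digest is the one published on Splunk's download page, that the unprivileged account is called splunk and that the management subnet is 192.168.1.0/24; the function names are my own. The documented pieces it relies on are tar, useradd and ufw, Splunk's user-seed.conf, the enableSplunkWebSSL setting in web.conf, and the -user and -systemd-managed options of enable boot-start.

```shell
#!/bin/sh
# Added example (not from the original post or from Splunk): the install
# steps above as one script. Assumptions, none of which are in the original:
# tarball already in /tmp, SHA512 digest copied from Splunk's download page,
# service account "splunk", management subnet 192.168.1.0/24.
set -eu

# Compare a file's SHA-512 digest with the published one before trusting it.
# Accepts either a bare hex digest or OpenSSL's "SHA512(file)= hex" form.
verify_sha512() {
    file="$1"
    expected=$(printf '%s' "$2" | awk '{print $NF}' | tr '[:upper:]' '[:lower:]')
    if command -v sha512sum >/dev/null 2>&1; then
        actual=$(sha512sum "$file" | cut -d' ' -f1)
    else
        actual=$(shasum -a 512 "$file" | cut -d' ' -f1)
    fi
    [ "$actual" = "$expected" ]
}

# Serve Splunk Web over TLS; enableSplunkWebSSL is a documented web.conf
# setting. Splunk uses its own self-signed certificate until you replace it.
enable_web_tls() {
    mkdir -p /opt/splunk/etc/system/local
    printf '[settings]\nenableSplunkWebSSL = true\n' \
        > /opt/splunk/etc/system/local/web.conf
}

# Unpack into /opt and hand the tree to a dedicated system user so splunkd
# never runs as root. Must be run as root (sudo).
install_splunk() {
    tarball="$1"
    admin_password="$2"
    id splunk >/dev/null 2>&1 ||
        useradd --system --home-dir /opt/splunk --shell /usr/sbin/nologin splunk
    tar xzf "$tarball" -C /opt
    # user-seed.conf is Splunk's documented way to set the first admin
    # password without an interactive prompt; Splunk removes it after use.
    mkdir -p /opt/splunk/etc/system/local
    printf '[user_info]\nUSERNAME = admin\nPASSWORD = %s\n' "$admin_password" \
        > /opt/splunk/etc/system/local/user-seed.conf
    enable_web_tls
    chown -R splunk:splunk /opt/splunk
    # First start accepts the licence and consumes user-seed.conf.
    sudo -u splunk /opt/splunk/bin/splunk start --accept-license --answer-yes --no-prompt
    sudo -u splunk /opt/splunk/bin/splunk stop
    # Register a systemd unit (Splunkd) that runs splunkd as "splunk" at boot.
    /opt/splunk/bin/splunk enable boot-start -user splunk -systemd-managed 1
    systemctl start Splunkd
}

# With a bridged adapter the VM sits on the LAN, so allow SSH and Splunk Web
# (8000/tcp) only from the management subnet; everything else stays blocked.
restrict_access() {
    subnet="$1"
    ufw allow from "$subnet" to any port 22 proto tcp
    ufw allow from "$subnet" to any port 8000 proto tcp
    ufw --force enable
}

# Usage (as root):
#   sh install-splunk.sh run /tmp/splunk-<version>-Linux-x86_64.tgz '<sha512>' '<admin password>' 192.168.1.0/24
if [ "${1-}" = "run" ]; then
    verify_sha512 "$2" "$3" || { echo "SHA512 mismatch: refusing to install $2" >&2; exit 1; }
    install_splunk "$2" "$4"
    restrict_access "$5"
    echo "Splunk Web: https://$(hostname -I | cut -d' ' -f1):8000"
fi
```

The checksum gate is the important addition: a tarball fetched over the network and unpacked into /opt as root is exactly the kind of supply-chain step worth verifying, and the script refuses to continue on a mismatch. The rest is the page's procedure with the root-versus-service-account and LAN-exposure caveats from the steps above applied.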
Installing Splunk on Ubuntu: A Visual Walkthrough
The screenshots in this section show the .tgz file being downloaded into the /tmp/ folder and extracted into the /opt/ directory, where Splunk should live.
What’s Next?
In the next post, we will dive into ingesting logs from Office 365 into Splunk. This will allow us to monitor and analyse security events and user activity within the Office 365 environment. Stay tuned for a step-by-step guide on setting up log ingestion to enhance your security monitoring capabilities.