Building Splunk#

As part of the home lab project, I'm functionally building a SOC. As Splunk is still the major player in this space (though far from the only one), it feels natural to build around it.

I'm building on the Ubuntu Server image (20.04.6 to be exact). The newer kernel in Ubuntu Desktop isn't supported (you could use the older LTS). I've given it

  • 4 CPU

  • 8GB RAM

  • 128GB HDD

I've also built it using the minimal install, so we don't have all that annoying bloatware. All I've added before starting the build are the most recent updates and net-tools.


Build#

As with all of my home lab, I'm building with free tools (where available), otherwise with trial licences. Splunk offers both, but I want the free one for now. The link to get started is here: https://docs.splunk.com/Documentation/Splunk/9.2.1/Admin/MoreaboutSplunkFree. There isn't a separate download for the 'free' version: you get it by downloading the Enterprise trial and converting it to a free licence.

Create a login, navigate to the Enterprise trial download, and copy the wget link.

[Screenshot: Splunk_WgetLink.png]

I just pull it to the /tmp directory with wget; check it's there before going further.
[Screenshot: Splunk_Downloaded.png]

Extract it to the /opt directory (it unpacks into /opt/splunk).
[Screenshot: Splunk_Extract.png]

Change to the /opt/splunk/bin directory.
[Screenshot: Splunk_ChangeToBin.png]

Next is the part where we're supposed to run the first-time setup. No worky though:
[Screenshot: Splunk_AttemptStart.png]

Set the SPLUNK_HOME environment variable to the install directory and run it again (you may need to run this as root). If you do end up starting it as root, it's worth creating a dedicated 'splunk' user, chowning /opt/splunk to it and running Splunk as that user instead, so a bug in Splunk or one of its apps doesn't hand out root on the box.
[Screenshot: Splunk_FirstTime.png]

If you've done it all fine, you'll get the EULA to accept. Once accepted, it asks for an administrator username and password. Set these and let the server boot up; wait until you see that the server is online.
[Screenshot: Splunk_Built.png]

Then try to bring up the web UI (it listens on port 8000 by default). I'm on a CLI-only server, so I'm opening it from my Snort box.
[Screenshot: Splunk_Login.png]
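The whole build, from checking the download to first start, as one script. This is an added example and not the post's own commands: it assumes the tarball and the .sha512 file Splunk publishes beside it (the same download URL with .sha512 appended) were both fetched into /tmp, it creates a dedicated 'splunk' user rather than starting as root, and it seeds the admin password through user-seed.conf instead of typing it at the prompt. The tarball name and password in the usage comment are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): scripted version of the build steps above.
# Assumptions: the tarball and its .sha512 sidecar (download URL + ".sha512") are in /tmp,
# and we would rather run Splunk as a dedicated 'splunk' user than as root.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# verify_sha512 FILE SIDECAR -> returns 0 if FILE's SHA-512 matches the digest in SIDECAR.
# Do this before anything is extracted into /opt: an unverified tarball is code you are
# about to run with root privileges.
verify_sha512() {
  file="$1"; sidecar="$2"
  expected="$(awk 'NR==1 {print tolower($1)}' "$sidecar")"
  actual="$(sha512sum "$file" | awk '{print $1}')"
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# user_seed_conf PASSWORD -> prints the user-seed.conf that sets the initial admin password,
# so the password is read from a 0600 file rather than passed on the command line (and ps).
user_seed_conf() {
  printf '[user_info]\nUSERNAME = admin\nPASSWORD = %s\n' "$1"
}

# install_splunk TARBALL SIDECAR ADMIN_PASSWORD -> the steps from the screenshots above.
install_splunk() {
  tarball="$1"; sidecar="$2"; admin_pw="$3"
  verify_sha512 "$tarball" "$sidecar" || { echo "checksum mismatch: $tarball" >&2; return 1; }
  sudo tar -xzf "$tarball" -C /opt                      # unpacks into /opt/splunk
  sudo useradd -r -d "$SPLUNK_HOME" -s /usr/sbin/nologin splunk 2>/dev/null || true
  sudo chown -R splunk:splunk "$SPLUNK_HOME"
  sudo -u splunk mkdir -p "$SPLUNK_HOME/etc/system/local"
  user_seed_conf "$admin_pw" | sudo -u splunk tee "$SPLUNK_HOME/etc/system/local/user-seed.conf" >/dev/null
  sudo -u splunk chmod 600 "$SPLUNK_HOME/etc/system/local/user-seed.conf"
  # First start: accept the EULA non-interactively; the admin account comes from the seed file.
  sudo -u splunk env SPLUNK_HOME="$SPLUNK_HOME" \
    "$SPLUNK_HOME/bin/splunk" start --accept-license --answer-yes --no-prompt
  # Come back after reboots, still as the splunk user rather than root.
  sudo "$SPLUNK_HOME/bin/splunk" enable boot-start -user splunk
}

# Usage (placeholders, not a real release name):
#   bash build_splunk.sh /tmp/splunk-9.2.1-Linux-x86_64.tgz /tmp/splunk-9.2.1-Linux-x86_64.tgz.sha512 'ChangeMe!'
if [ "$#" -eq 3 ]; then
  install_splunk "$@"
fi
```

Once it reports the server is online, the web UI is on port 8000 as before; user-seed.conf is only read on the first start, so it can be removed afterwards.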


Converting to Free Licence#

So we don't start relying on features we can't keep after 60 days, we might as well swap to the free licence now. Open the Licensing page from the 'Settings' menu.
[Screenshot: Splunk_LicenceMenu.png]

Next, we want to change our licence group to 'Free'. Click "Change Licence Group" and select the Free licence group.
[Screenshot: Splunk_Free.png]

It will ask for a restart; go ahead, and you'll be logged in again automatically. Splunk Free has no authentication at all, so there are no users and no login page: anyone who can reach port 8000 gets full admin. Keep it on the lab network only, or put a firewall rule in front of it.


Bringing in Data - Snort3#

App: Snort Alert for Splunk. The universal forwarder also needs to be installed on the Snort box to pick up the log directory.

  • Download the universal forwarder package and install it as the restricted (non-root) user. SPLUNK_HOME is configurable; mine is /opt/splunkforwarder.

  • On the Splunk server, add a new receiver (I used the default port 9997).

  • Configure forwarding with outputs.conf ($SPLUNK_HOME/etc/system/local on the forwarder): https://docs.splunk.com/Documentation/Forwarder/9.2.1/Forwarder/Configureforwardingwithoutputs.conf

  • Configure the data to pick up with inputs.conf (both files needed to be created).

  • Create a "snort" index on the Splunk server. I gave it a 10GB cap.

  • Restart the Splunk forwarder:

    cd $SPLUNK_HOME/bin
    sudo ./splunk restart

  • Snort logging not happy? Modify snort.lua to enable the alert_full output.
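The conf files the steps above describe, one function per box, as an added example rather than the post's own config. Assumed values, none of which come from the post: the indexer at 192.0.2.10, the default receiver port 9997, Snort3 started with -l /var/log/snort and alert_full = { file = true } in snort.lua (which writes alert_full.txt there), and sourcetype snort_alert_full for the Snort Alert for Splunk app. The directory argument is $SPLUNK_HOME/etc/system/local on whichever box the function is run on.

```shell
#!/usr/bin/env sh
# Added example, not the post's own config: writes the conf files the forwarder steps
# describe. Assumed values (not from the post): indexer 192.0.2.10, receiver port 9997,
# Snort3 writing alert_full.txt under /var/log/snort, sourcetype snort_alert_full.
set -eu

# write_forwarder_conf LOCAL_DIR INDEXER_HOST PORT
# LOCAL_DIR is $SPLUNK_HOME/etc/system/local on the Snort box (universal forwarder).
write_forwarder_conf() {
  dir="$1"; host="$2"; port="$3"
  mkdir -p "$dir"
  # outputs.conf: where events go.
  cat > "$dir/outputs.conf" <<EOF
[tcpout]
defaultGroup = snort_indexers

[tcpout:snort_indexers]
server = ${host}:${port}
EOF
  # inputs.conf: what to pick up. Monitor the one alert file rather than the whole
  # directory, or pcaps and other Snort output end up in the index too.
  cat > "$dir/inputs.conf" <<EOF
[monitor:///var/log/snort/alert_full.txt]
index = snort
sourcetype = snort_alert_full
disabled = false
EOF
}

# write_indexer_conf LOCAL_DIR PORT MAX_MB
# LOCAL_DIR is $SPLUNK_HOME/etc/system/local on the Splunk server.
write_indexer_conf() {
  dir="$1"; port="$2"; max_mb="$3"
  mkdir -p "$dir"
  # inputs.conf: the receiver the forwarder connects to.
  cat > "$dir/inputs.conf" <<EOF
[splunktcp://${port}]
disabled = 0
EOF
  # indexes.conf: the "snort" index with its size cap (the post's 10GB is 10240MB).
  # \$SPLUNK_DB is left unexpanded so Splunk resolves it at runtime.
  cat > "$dir/indexes.conf" <<EOF
[snort]
homePath = \$SPLUNK_DB/snort/db
coldPath = \$SPLUNK_DB/snort/colddb
thawedPath = \$SPLUNK_DB/snort/thaweddb
maxTotalDataSizeMB = ${max_mb}
EOF
}

# Usage (then restart Splunk on each box so the files are read):
#   sh snort_conf.sh forwarder /opt/splunkforwarder/etc/system/local 192.0.2.10 9997
#   sh snort_conf.sh indexer   /opt/splunk/etc/system/local 9997 10240
case "${1:-}" in
  forwarder) write_forwarder_conf "$2" "$3" "$4" ;;
  indexer)   write_indexer_conf "$2" "$3" "$4" ;;
esac
```

One caveat for anything beyond a lab: with just these stanzas the forwarder-to-indexer traffic on 9997 is plain TCP, so the alerts cross the network unencrypted until TLS is configured on both ends.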