Hello everyone !! In this blog, I am going to share my experience of managing the SIEM tool Splunk. I will start from installing Splunk and then move on as we progress. Basically, this blog starts from scratch, and I will update it as I go through the project.
First, I downloaded Splunk Enterprise Trial Edition - Splunk Enterprise
Then, I planned to install Splunk on an Azure VM. So, I created a VM and then installed Splunk. Personally, I didn’t follow any tutorial to install Splunk; I just followed the instructions and did it. If you think you need a tutorial, check this out - Youtube, it might be helpful for you.
Now I came to know about the Splunk Universal Forwarder. What is this? At a high level, this forwarder sends all event log data to a remote machine on which the Splunk Enterprise server is installed. So, since my Azure VM is not on my home network, I installed a Universal Forwarder on my PC. While installing the Universal Forwarder, it will ask for the server’s IP address and port, so you must configure these in Splunk Enterprise (Azure VM) first.
Download Splunk Universal Forwarder
I followed this tutorial, which helped me partially - Johnny Netsec
In Splunk Enterprise (Azure VM), go to Settings > Forwarding and Receiving
Click Configure Receiving
Click New Receiving Port
Add a port
Once the port has been configured, enter the required details during the Universal Forwarder installation and complete it.
So now the Universal Forwarder has been installed and is ready to go.
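The installer writes the server address and port you typed in into the forwarder's configuration files, and the "New Receiving Port" step on the Azure VM side creates the matching `[splunktcp://<port>]` listener. The PowerShell below is an added example, not the post's own steps: it writes the same two files by hand on the PC running the Universal Forwarder and checks that the forwarder sees the indexer. The install path is the Windows default; the VM IP is a placeholder, and port 9997 is assumed because it is the port Splunk conventionally uses for receiving (use whatever port you added on the VM).

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the PC
# that has the Universal Forwarder installed. Placeholders: $vmIp and $port.
$ufHome = Join-Path $env:ProgramFiles "SplunkUniversalForwarder"   # default install path
$local  = Join-Path $ufHome "etc\system\local"
$vmIp   = "<VM public IP>"   # placeholder: the Azure VM running Splunk Enterprise
$port   = 9997               # assumed; must match the receiving port you created on the VM

New-Item -ItemType Directory -Path $local -Force | Out-Null

# outputs.conf: where the forwarder sends data (the values the installer asked for).
@"
[tcpout]
defaultGroup = azure_indexer

[tcpout:azure_indexer]
server = ${vmIp}:${port}
"@ | Set-Content -Path (Join-Path $local "outputs.conf") -Encoding ASCII

# inputs.conf: which Windows Event Logs to collect. The host value written here is
# the name you will later type into the search bar to find this PC's events.
@"
[default]
host = $env:COMPUTERNAME

[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0

[WinEventLog://Application]
disabled = 0
"@ | Set-Content -Path (Join-Path $local "inputs.conf") -Encoding ASCII

# Apply the change, then ask the forwarder which indexers it considers active.
Restart-Service -Name SplunkForwarder
& (Join-Path $ufHome "bin\splunk.exe") list forward-server
```

If `list forward-server` shows the VM under "Configured but inactive forwards", the forwarder cannot reach the port yet, which is exactly the Azure and Windows Firewall problem covered next. Note that a plain `[tcpout]` group like this sends the event data in cleartext across the Internet; Splunk supports TLS on this connection, which is worth configuring once the basic feed works.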
Since we are using an Azure VM, all inbound connections are blocked by default except RDP and SSH. So we need to add an inbound rule for that particular receiving port that we configured earlier in our Splunk Enterprise Azure VM (with TCP as the protocol). Sometimes it is necessary to turn off the Windows Firewall too.
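As an added example (not part of the original post), here is the same opening done with the Az PowerShell module and a scoped Windows Firewall rule, so that only your PC's public IP can reach the receiving port and the VM's firewall stays on. Resource group, NSG name, home IP and the port are placeholders; the last command is run from the forwarder PC to prove the TCP path works end to end.

```powershell
# Added example, not from the original post. All values below are placeholders.
$ResourceGroup = "rg-splunk"        # placeholder: resource group of the Azure VM
$NsgName       = "nsg-splunk-vm"    # placeholder: the NSG attached to the VM's NIC/subnet
$HomeIp        = "203.0.113.10"     # placeholder: the public IP your PC egresses from
$Port          = 9997               # assumed: the receiving port added in Splunk

# 1. From a workstation with the Az module (Connect-AzAccount first):
#    allow only the receiving port, only from your own public IP.
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Name $NsgName
$nsg | Add-AzNetworkSecurityRuleConfig -Name "Allow-Splunk-Forwarder" `
    -Description "Universal Forwarder -> Splunk receiving port" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 1010 `
    -SourceAddressPrefix $HomeIp -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange $Port |
    Set-AzNetworkSecurityGroup | Out-Null

# 2. On the Azure VM (elevated PowerShell): open just this port for just this source,
#    instead of switching Windows Firewall off.
New-NetFirewallRule -DisplayName "Splunk receiving port $Port" -Direction Inbound `
    -Protocol TCP -LocalPort $Port -RemoteAddress $HomeIp -Action Allow -Profile Any

# 3. On the PC running the Universal Forwarder: confirm the port is reachable.
$vmIp = "<VM public IP>"            # placeholder
Test-NetConnection -ComputerName $vmIp -Port $Port |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

`TcpTestSucceeded` should read `True` once both rules are in place; if it is `False`, check the NSG rule first (priority and source prefix), then the VM firewall, then that Splunk is actually listening on the port you chose. If your home connection has a changing public IP, the source prefix in both rules needs updating when it changes.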
Once you are done with this, you need to set up a few more things to actually get the data feed from your PC to Splunk Enterprise (Azure VM).
Once this is done, you are ready to see the events.
- Go to Home > Click on Search on the left side
- In the search box, enter the name of your PC which has the Universal Forwarder installed (which forwards the event data). Make sure to change the mode to Verbose mode.
Now you will be able to see the data forwarded from your PC in the Azure VM.
Some of the resources that have helped me troubleshoot issues so far are,
Now we are all set !! In the next blog, we will try out Splunk’s features.