Splunk Basics

Last updated 1 year ago

Introduction

Installation

  1. Create a Splunk account - the download page requires one.

  2. Go to Downloads and pick the package for your platform. Since I'm doing this on Debian, I'll get the .deb file.

  3. wget the download URL onto the server (or download it normally and copy it over).

  4. sudo apt-get install curl (Splunk needs curl, so install it before the package).

  5. Install it using sudo dpkg -i splunk_package_name.deb

mkdir Splunk
cd Splunk
dpkg -i splunk-9.0.4.1-419ad9369127-linux-2.6-amd64.deb 
(Reading database ... 40194 files and directories currently installed.)
Preparing to unpack splunk-9.0.4.1-419ad9369127-linux-2.6-amd64.deb ...
This looks like an upgrade of an existing Splunk Server. Attempting to stop the installed Splunk Server...
splunkd is not running.
Unpacking splunk (9.0.4.1) over (9.0.4.1) ...
Setting up splunk (9.0.4.1) ...
complete
root@IDS-SIEM:~/Splunk#

(The "upgrade" messages appear because the package was already installed on this box; a fresh install just unpacks and sets up.)

Confirm the installation with dpkg --status splunk - the Status line should read "install ok installed".

Setting Up

Now that we have Splunk installed, let's set up our credentials and take a look at the basic functionality. To start Splunk (splunkd plus the web server), go to /opt/splunk/bin and run ./splunk start. The first start walks you through the license agreement and creates the admin account; ./splunk start --accept-license skips the license prompt.

# Read the license agreements
# Set up admin credentials
# Open the IP in your browser

Splunk software must create an administrator account during startup. Otherwise, you cannot log in.
Create credentials for the administrator account.
Characters do not appear on the screen when you type in credentials.

Please enter an administrator username: admin
Password must contain at least:
   * 8 total printable ASCII character(s).
Please enter a new password: 
Please confirm new password: 

Waiting for web server at http://127.0.0.1:8000 to be available................ Done

If you get stuck, we're here to help.  
Look for answers here: http://docs.splunk.com

The Splunk web interface is at http://IDS-SIEM:8000

# Added an alias to my .bashrc so I can start it with a simple command
# (echo appends the line - the original `export "alias ..."` writes nothing to the file)
root@IDS-SIEM:/opt/splunk/bin# echo "alias start_splunk='/opt/splunk/bin/splunk start'" >> ~/.bashrc
root@IDS-SIEM:/opt/splunk/bin# source ~/.bashrc

You can now access the web server from your device - I'll add a hosts entry pointing at it so I don't have to memorise the IP. On the machine you browse from, add a line of the form <container-ip> IDS-SIEM to the hosts file:

Linux: /etc/hosts
Windows: C:\Windows\System32\drivers\etc\hosts

You should be met with this dashboard if you've followed the steps correctly.

Make sure to assign enough disk space to the container - Splunk keeps its indexes under /opt/splunk/var/lib/splunk by default, and how fast that grows depends on your traffic/activity.

Running Splunk on Reboot

If you are doing this on Proxmox, you will sometimes have to restart the cluster or the node, and Splunk does not come back on its own. To factor for this, I'll use cron to start Splunk whenever the container is launched. You also need the container itself to start when the node is up, which is set in Proxmox as shown below.

Container > Summary > Start on Boot > Check the box

cd /opt/splunk/bin
realpath splunk
/opt/splunk/bin/splunk
crontab -e
# Add this as the last line - use the absolute path that realpath printed
@reboot /opt/splunk/bin/splunk start >/dev/null 2>&1
# Reboot the container to check if it works

Do not put the start_splunk alias in the crontab: cron runs jobs through /bin/sh without reading ~/.bashrc, so the alias is undefined and the job fails silently (its output goes to /dev/null). Note also that editing root's crontab means Splunk runs as root. Splunk's own alternative is ./splunk enable boot-start (optionally with -user <account>), which registers an init script or systemd unit and is the supported way to do this.
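The whole procedure above (install, confirm, create the admin account, start on boot, hosts entry) as one non-interactive script. This is an added example, not code from the Securescape page or from Splunk's documentation. It assumes the .deb is already on the box, that Splunk lives in /opt/splunk (the default SPLUNK_HOME), and uses placeholder values for the package file name, the admin user name (admin), the IP and the hostname (ids-siem). user-seed.conf, the start flags and enable boot-start are real Splunk mechanisms; the function names and the bootstrap.sh script name are mine.

```bash
#!/usr/bin/env bash
# Added example (not from the Securescape page or Splunk's docs): the
# install-and-boot procedure above, non-interactive, with start-on-boot
# handed to the init system instead of cron. Assumes /opt/splunk (default).
set -euo pipefail

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# Step 5 / "Confirming Installation": dpkg --status exits non-zero when the
# package is absent, so it doubles as the check.
splunk_installed() {
    dpkg --status splunk >/dev/null 2>&1
}

install_splunk() {                       # usage: install_splunk ./splunk_<ver>.deb
    local deb="$1"
    splunk_installed && return 0
    sudo apt-get install -y curl
    sudo dpkg -i "$deb"
}

# "Setting Up": seed the admin account before the first start so
# `splunk start` does not stop to ask for it. Splunk reads
# etc/system/local/user-seed.conf once on first boot and then deletes it.
# The rule from Splunk's prompt: at least 8 printable ASCII characters.
seed_admin() {                           # usage: seed_admin <user> <password>
    local user="$1" pass="$2"
    local seed="$SPLUNK_HOME/etc/system/local/user-seed.conf"
    local bad_chars
    # Count bytes that are not printable ASCII (C locale makes [:print:] ASCII-only).
    bad_chars="$(printf '%s' "$pass" | LC_ALL=C tr -d '[:print:]' | wc -c)"
    if [ "${#pass}" -lt 8 ] || [ "$bad_chars" -ne 0 ]; then
        echo "password must be at least 8 printable ASCII characters" >&2
        return 1
    fi
    mkdir -p "$(dirname "$seed")"
    # The file holds a cleartext password until Splunk consumes it: create it mode 600.
    ( umask 077; printf '[user_info]\nUSERNAME = %s\nPASSWORD = %s\n' "$user" "$pass" > "$seed" )
    echo "$seed"
}

# "Running Splunk on Reboot": first start accepts the licence without a
# prompt, then register Splunk with the init system. This replaces the
# cron @reboot line; cron does not read ~/.bashrc, so an alias such as
# start_splunk never resolves there.
first_start() {
    "$SPLUNK_HOME/bin/splunk" start --accept-license --answer-yes --no-prompt
    sudo "$SPLUNK_HOME/bin/splunk" enable boot-start
}

# Fallback if you still want cron: the line must carry the absolute path.
cron_reboot_line() {
    printf '@reboot %s/bin/splunk start >/dev/null 2>&1\n' "$SPLUNK_HOME"
}

# Hosts entry on the machine you browse from: add "<ip> <name>" exactly once
# (idempotent) so the UI is reachable as http://<name>:8000. The optional
# third argument is the hosts file, so this can be tried on a scratch copy.
hosts_entry() {                          # usage: hosts_entry <ip> <name> [hosts-file]
    local ip="$1" name="$2" file="${3:-/etc/hosts}"
    if ! grep -qE "(^|[[:space:]])${name}([[:space:]]|$)" "$file"; then
        printf '%s\t%s\n' "$ip" "$name" >> "$file"
    fi
    grep -E "(^|[[:space:]])${name}([[:space:]]|$)" "$file"
}

# Driver: SPLUNK_ADMIN_PASSWORD=... ./bootstrap.sh run ./splunk_<ver>.deb
# The password comes from the environment rather than an argument so it is
# not visible to every user on the box via ps.
if [ "${1:-}" = "run" ]; then
    install_splunk "$2"
    seed_admin admin "${SPLUNK_ADMIN_PASSWORD:?set SPLUNK_ADMIN_PASSWORD in the environment}"
    first_start
fi
```

install_splunk and first_start touch the real system and need the package present; seed_admin, cron_reboot_line and hosts_entry take their paths from SPLUNK_HOME or an argument, so you can point them at a scratch directory first. Run hosts_entry on the client machine, not on the Splunk container.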

Spelunking with Splunk

Interface

Applications Directory

Configure or use your installed applications. We will be using this in the next chapter.

Product Tours

This is where you can go through a short tutorial on how to use Splunk, upload data, and sort out tables etc. Very useful when starting out.

Splunk Apps

This is where you can browse Splunkbase, the Splunk app marketplace, for applications.

Dashboard

This is where you can add important monitors that you might want to see when you start up Splunk.

Using Splunk

Loading Data

Filtering Logs

[Link: What's in this manual - Splunk Documentation]
[Attachment: VPNlogs.json (687KB), taken from THM]
[Images: Confirming Installation; Splunk Dashboard; Drawing]