Class 5 Lab 3 ‐ Splunk Deployment - Justin-Boyd/CIT-Class GitHub Wiki

Task 1: Ubuntu Installation

Step 1

  • Perform a fresh installation of Ubuntu Linux by following the instructions in the Ubuntu_20-04_r1 Installation Guide.

Step 2

  • Select the Ubuntu VM and click Settings.

Step 3

  • Navigate to Network, attach the adapter to the Internal Network named VulnCorp Network, set Promiscuous Mode to Allow VMs, and click OK.

Task 2: Install Splunk Enterprise

Step 1

  • Make sure the pfSense VM is running and start the Ubuntu VM.

Step 2

  • Click Activities, search for terminal, and open it.

Step 3

  • Execute the command ip a to display the interface addresses.
  • Note: If the machine did not receive an IP address from pfSense, configure one manually as described in Steps 4 to 6.

Step 4

  • Click the arrow icon at the top right corner of the VM. Expand Wired Connected (which may appear as Wired Off) and click Wired Settings.

Step 5

  • Click the settings (gear) icon next to the wired connection.

Step 6

  • Navigate to IPv4 and configure the following settings:
    • Select Manual
    • IP address: 10.0.0.3
    • Netmask: 255.0.0.0
    • Gateway: 10.0.0.1
    • DNS: 10.0.0.1
  • Click Apply to update the changes.

Step 7

  • Drag the provided file splunk-8.0.6-152fb4b2bb96-linux-2.6-amd64.deb to Ubuntu's Downloads directory.

Step 8

  • In the terminal, run the command:
sudo dpkg -i ~/Downloads/splunk-8.0.6-152fb4b2bb96-linux-2.6-amd64.deb

Step 9

  • Run the command:
sudo /opt/splunk/bin/splunk start
  • This starts the Splunk daemon (splunkd).

Step 10

  • Close the agreement message by typing q, and then agree by typing y.

Step 11

  • When asked for the administrator username, type admin and for the password, type Aa123456.

Step 12

  • Note the Splunk web interface URL presented at the end of the process. It will be used for authentication to the Splunk console.

Step 13

  • Before launching Splunk in the web interface, reduce the index retention to 72 hours of data. Open the default index configuration with
sudo nano /opt/splunk/etc/system/default/indexes.conf
  • Scroll down to the first frozenTimePeriodInSecs = 188697600 (just under # Index specific defaults) and change the value to 259200 (72 hours × 3600 seconds).
  • Note: The reason for this change is to shorten Splunk's default retention period (188697600 seconds is about six years). Buckets whose newest event is older than frozenTimePeriodInSecs are rolled to frozen, which means deleted unless a coldToFrozenDir is configured. Two caveats: files under etc/system/default are replaced on upgrade and Splunk's documentation says not to edit them, so the same setting placed in etc/system/local/indexes.conf is the durable way to override it; and because splunkd is already running from Step 9, the new value only takes effect after sudo /opt/splunk/bin/splunk restart.
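The retention override written the way Splunk's configuration layering intends (etc/system/local overriding etc/system/default), as an added example that is not part of the lab page. It assumes SPLUNK_HOME is /opt/splunk unless overridden, and it uses the real splunk btool command for checking the effective value on a host where Splunk is installed; the self-check at the end works in a temporary directory so it runs without Splunk present.

```bash
#!/usr/bin/env bash
# Added example: set frozenTimePeriodInSecs via etc/system/local instead of editing default/.
set -eu

# Assumption: Splunk lives under /opt/splunk (the lab's dpkg install path). Override for testing.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# Convert a retention period in hours to the seconds value indexes.conf expects.
hours_to_secs() {
  echo $(( $1 * 3600 ))
}

# Write a [default] stanza override in etc/system/local/indexes.conf so every index inherits it.
# Splunk's default file ships frozenTimePeriodInSecs = 188697600 (~6 years); local/ wins over default/.
# Prints the path of the file it wrote.
write_retention_override() {
  local hours="$1"
  local secs
  secs=$(hours_to_secs "$hours")
  local dir="$SPLUNK_HOME/etc/system/local"
  mkdir -p "$dir"
  cat > "$dir/indexes.conf" <<EOF
# Written by write_retention_override: retain ${hours}h of data, then roll buckets to frozen.
[default]
frozenTimePeriodInSecs = $secs
EOF
  echo "$dir/indexes.conf"
}

# Read the value back from the local override file (what the layered config will use).
read_retention_override() {
  awk -F' *= *' '/^frozenTimePeriodInSecs/ { print $2 }' "$SPLUNK_HOME/etc/system/local/indexes.conf"
}

# On a real host, ask Splunk itself what the merged setting is; btool merges default/ and local/.
# Requires a splunkd restart before the running daemon honours the new value.
show_effective_retention() {
  if [ -x "$SPLUNK_HOME/bin/splunk" ]; then
    "$SPLUNK_HOME/bin/splunk" btool indexes list default --debug | grep frozenTimePeriodInSecs
  else
    echo "splunk binary not found under $SPLUNK_HOME; skipping btool check" >&2
  fi
}

# Usage on the lab VM:  sudo ./retention.sh --apply 72   then  sudo /opt/splunk/bin/splunk restart
if [ "${1:-}" = "--apply" ]; then
  write_retention_override "${2:-72}"
  show_effective_retention
fi
```

The `[default]` stanza in a local indexes.conf is the global override: per-index stanzas in the same file (for example `[main]`) would take precedence over it, which is how you keep a short retention for noisy indexes while leaving an audit index at the default.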

Step 14

  • Open Firefox and browse to the provided URL, or http://127.0.0.1:8000.
  • Log in with username admin and password Aa123456.

Step 15

  • In the "Helping You …" message, click Got It!.

Step 16

  • Close the "Important changes…" window.

Step 17

  • Click Add Data, and skip the tour suggestion.

Step 18

  • Scroll down and click Monitor.

Step 19

  • Select Files & Directories, and then select Browse.

Step 20

  • Find the directory var, expand it, click log, and then click Select.

Step 21

  • Click Next.

Step 22

  • Click Review in the Input Settings page.

Step 23

  • Click Submit in the Review page.

Step 24

  • To verify that Splunk is indexing the logs, create a user with the command
sudo adduser testlog
  • Set the password password1 and skip the rest of the information. On Ubuntu, adduser records the account creation in /var/log/auth.log, which is inside the directory you just told Splunk to monitor.

Step 25

  • In the Splunk web interface, click Apps and then Search & Reporting. Skip the tour suggestion.

Step 26

  • Enter testlog in the search field and click the search icon. Scroll down and note the log entries for the user creation.

Task 3: Install Splunk Universal Forwarder

Step 1

  • Start your Windows 10 machine, drag the file splunkforwarder-8.0.6-152fb4b2bb96-x64-release to the desktop, and double-click it.

Step 2

  • Accept the license agreement and click Customize Options.

Step 3

  • Click Next in the window for selection of the installation folder

Step 4

  • Click Next in the certificate configuration window.

Step 5

  • Make sure the forwarder is installed as Local System and click Next.

Step 6

  • Select Security Log and click Next.

Step 7

  • When prompted to create the forwarder's administrator account, use the username splunk and password splunk123. Then click Next.

Step 8

  • Run the command ip address on your Ubuntu machine and write down its IP address (10.0.0.3 if you configured it manually in Task 2).

Step 9

  • In the Universal Forwarder, enter Ubuntu's IP address with port 8089 as the deployment server. Then click Next.

Step 10

  • Enter the same IP address for the Receiving Indexer, but with port 9997, and click Next.

Step 11

  • When the configuration ends, click Install to start the installation.
  • Click Yes when an alert requests to allow Splunk to install software.

Step 12

  • Click Finish when the installation ends.

Step 13

  • Search for Windows Firewall in the search bar and open it.

Step 14

  • Click Turn Windows Firewall on or off.

Step 15

  • Make sure the firewall is turned off for the active network profile, and click OK.

Task 4: Configure Splunk Receiver

Step 1

  • In the Splunk web interface (Ubuntu machine), click Settings and then Forwarding and receiving.

Step 2

  • For Configure receiving, click Add new.

Step 3

  • Set the port to 9997 and click Save. Splunk now listens for forwarder connections on TCP 9997; the deployment server the forwarder was pointed at in Task 3 is splunkd's management port, TCP 8089, which is already open.
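The same receiver setup done from the indexer's shell, with a check that the two ports the forwarder needs are actually listening, as an added example that is not part of the lab page. It uses the real splunk enable listen command and the real deployment/server/clients REST endpoint with the lab's admin:Aa123456 credentials; the port check parses ss -ltn output, and the sample output embedded below is constructed (not captured from the lab VM) so the check can be exercised offline.

```bash
#!/usr/bin/env bash
# Added example: enable the 9997 receiver and confirm 8089 and 9997 are listening on the indexer.
set -eu

# Assumptions: Splunk under /opt/splunk, and the lab credentials from Task 2 Step 11.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_AUTH="${SPLUNK_AUTH:-admin:Aa123456}"

# CLI equivalent of Settings > Forwarding and receiving > Configure receiving > Add new.
enable_receiver() {
  "$SPLUNK_HOME/bin/splunk" enable listen "${1:-9997}" -auth "$SPLUNK_AUTH"
}

# Read `ss -ltn` output on stdin and print the listening TCP ports, one per line, deduplicated.
# Column 4 is Local Address:Port, e.g. 0.0.0.0:9997 or [::]:8089; the port is the last ':' field.
listening_ports() {
  awk 'NR > 1 { n = split($4, a, ":"); print a[n] }' | sort -un
}

# Return 0 only if every port given as an argument appears in the ss output on stdin.
ports_listening() {
  local have p
  have=$(listening_ports)
  for p in "$@"; do
    printf '%s\n' "$have" | grep -qx "$p" || return 1
  done
}

# Ask splunkd which forwarders have checked in with the deployment server on 8089.
# -k: the lab instance uses Splunk's self-signed certificate.
list_deployment_clients() {
  curl -sk -u "$SPLUNK_AUTH" \
    "https://127.0.0.1:8089/services/deployment/server/clients?output_mode=json"
}

# Constructed sample of `ss -ltn` output for an offline self-check: web (8000) and management
# (8089) ports are up, the receiver (9997) has not been enabled yet.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:8000        0.0.0.0:*
LISTEN 0      128    0.0.0.0:8089        0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*'

# Returns 0 when the parser sees 8000 and 8089 and correctly reports 9997 as absent.
self_check() {
  printf '%s\n' "$SAMPLE_SS" | ports_listening 8000 8089 || return 1
  ! printf '%s\n' "$SAMPLE_SS" | ports_listening 9997
}

# Usage on the lab VM:  sudo ./receiver.sh --apply
if [ "${1:-}" = "--apply" ]; then
  enable_receiver 9997
  if ss -ltn | ports_listening 8089 9997; then
    echo "deployment server (8089) and receiver (9997) are listening"
    list_deployment_clients
  else
    echo "one of 8089/9997 is not listening; check splunkd and the Ubuntu firewall" >&2
    exit 1
  fi
fi
```

If `ss -ltn | ports_listening 8089 9997` succeeds but no Windows host shows up in the deployment clients list, the problem is on the Windows side (forwarder service not running, wrong IP entered in Task 3, or the firewall still blocking), not on the indexer.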

Step 4

  • Click Settings in the menu and then click Add Data.

Step 5

  • Scroll down and click Forward.

Step 6

  • Click the computer name DESKTOP-* listed under the available hosts to move it to the selected hosts. Name the new server class PC1 and click Next.

Step 7

  • Click Local Event Logs and then click add all to move every available event log to the selected items. Then click Next.

Step 8

  • Click Review in the Input Settings window.

Step 9

  • Click Submit in the Review window.

Step 10

  • Click Apps and then Search & Reporting.

Step 11

  • Type the following query in the search bar and click the search icon:
sourcetype="wineventlog:security" authentication

Step 12

  • Note the results displayed from the Windows 10 Security log, forwarded over port 9997 by the Universal Forwarder.