Class 5 Lab 4 ‐ Search Events - Justin-Boyd/CIT-Class GitHub Wiki

Task: Configure Alert Forwarding

Step 1

  • Start your pfSense virtual machine and then your Ubuntu virtual machine (log in to your user, not the testlog user).

Step 2

  • Click Activities, search for terminal, and open it.

Step 3

  • Use the command ip address and write down the machine's IP address.

Step 4

  • Use the command sudo /opt/splunk/bin/splunk start to verify that the Splunk daemon is running.

Step 5

  • Open the Firefox browser by clicking its icon in the menu on the left and browse to [IP address of pfSense] to access the pfSense management panel.

Step 6

  • Click Advanced, and then Accept the Risk and Continue.

Step 7

  • Log in with the username admin and password Aa123456!

Step 8

  • Click Status and then System Logs.

Step 9

  • Click Settings, and select Enable Remote Logging towards the bottom of the page.

Step 10

  • More options should appear below. Set the IP address of your Ubuntu machine with port 514, and select Everything for remote syslog contents.
  • Then click Save at the bottom of the page.
  • Note: This will enable remote logging in pfSense to forward log data to Splunk.

Step 11

  • Open a new tab in the browser and browse to your Ubuntu machine's IP address on port 8000. Sign in with user admin and password Aa123456!

Step 12

  • Click Add Data.

Step 13

  • Scroll down and click Monitor.

Step 14

  • Click TCP/UDP, and in the window that appears, click UDP and set the port to 514. Then click Next.

Step 15

  • In the Input Settings window, click the Select Source Type drop-down menu, type snort, and select it. Then click Review.

Step 16

  • Click Submit to finish the configuration, so that Splunk will listen for incoming log data.

Step 17

  • In the terminal, run ping -c 5 8.8.8.8.
  • The -c flag sets the number of packets to send.

Step 18

  • In the Splunk web interface, click Apps and then Search & Reporting.

Step 19

  • Type the query sourcetype="snort" AND 8.8.8.8, and click the search icon to search for the ping event.
  • Note the logged information passed from Snort in pfSense.
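If nothing shows up in the search, the first thing to confirm is that pfSense's syslog datagrams actually reach the Ubuntu host on UDP 514. The script below is an added example (not part of the lab, pfSense or Splunk): a minimal receiver that parses each RFC 3164 datagram into facility, severity, host, tag and message, and, like the lab's search, checks whether a message mentions the pinged address. The sample line, host name and tag values are constructed; run it before creating the Splunk UDP input, because only one process can bind port 514, and binding it needs root.

```python
import re
import socket

# RFC 3164 line: <PRI>TIMESTAMP HOST TAG[PID]: MESSAGE, where PRI = facility*8 + severity
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Constructed sample of what pfSense might forward after the ping; not a real capture.
SAMPLE_LINE = ("<134>Jan  1 12:00:00 pfSense snort[4567]: "
               "[1:1000001:1] Constructed ICMP echo {ICMP} 192.168.1.10 -> 8.8.8.8")

def parse_syslog(line: str) -> dict:
    """Split one RFC 3164 syslog line into its fields; ValueError if malformed."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an RFC 3164 syslog line: {line!r}")
    rec = m.groupdict()
    pri = int(rec["pri"])
    if pri > 191:  # 23 facilities * 8 + severity 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    rec["facility"], rec["severity"] = divmod(pri, 8)
    return rec

def mentions_address(line: str, ip: str) -> bool:
    """Same idea as the lab's search: does the message text contain this address?"""
    return ip in parse_syslog(line)["msg"]

def listen(bind_ip: str = "0.0.0.0", port: int = 514, max_msgs: int = 5) -> list:
    """Receive a few datagrams on UDP/514 (needs root), print and return the parsed ones."""
    seen = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        while len(seen) < max_msgs:
            data, (src, _) = sock.recvfrom(65535)
            try:
                rec = parse_syslog(data.decode("utf-8", errors="replace"))
            except ValueError as err:
                print(f"{src}: {err}")  # keep going; one bad datagram is not fatal
                continue
            print(f"{src} fac={rec['facility']} sev={rec['severity']} "
                  f"{rec['tag']}: {rec['msg']}")
            seen.append(rec)
    return seen

if __name__ == "__main__":
    listen()
```

Stop the script (Ctrl+C) before Step 14 so Splunk can bind port 514; if no datagrams arrive while the ping runs, check the Remote Logging settings from Step 10 and the pfSense firewall rules for the path to the Ubuntu host.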