Installing Splunk - serate-actual/sec350final GitHub Wiki

Summary

Note: if you are having issues with Splunk timing out, add more cores and RAM.

Installing Splunk

  • Use wget to pull down the file from the Splunk site onto log01
  • Use rpm to install the package
    • rpm -ivh splunk-8.0.5.rpm
  • Start Splunk
    • cd /opt/splunk/bin
    • ./splunk start --accept-license
    • Note which port Splunk's web interface is running on (usually 8000)
  • Set Splunk to run on boot
    • ./splunk enable boot-start
  • Allow Splunk through the firewall and SELinux, if needed
  • Test the functionality by visiting the log01 machine's port 8000 with a web browser on mgmt01
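The install steps above as one script, added here as an example (not from the wiki). The RPM name comes from the page; the download URL and the expected SHA-256 are placeholders to be taken from the Splunk download page, and the checksum check is an addition: the RPM is installed as root, so it is the one download worth verifying before `rpm -ivh` runs. The firewall step assumes firewalld on log01, and the web check assumes `log01` resolves from mgmt01.

```shell
#!/bin/sh
# Added example: scripted install of Splunk on log01, following the wiki's steps.
# Placeholders (URL, SHA-256) must be filled in from the Splunk download page.
set -eu

SPLUNK_RPM="splunk-8.0.5.rpm"                                        # name used on the page
SPLUNK_URL="https://download.splunk.com/PLACEHOLDER/${SPLUNK_RPM}"   # placeholder
SPLUNK_SHA256="PLACEHOLDER_SHA256_FROM_DOWNLOAD_PAGE"                # placeholder
SPLUNK_HOME="/opt/splunk"
WEB_PORT=8000

# SHA-256 of a file; works with GNU sha256sum or BSD/macOS shasum
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Returns 0 when the file's digest equals the expected value, 1 otherwise
verify_checksum() {
  actual=$(file_sha256 "$1")
  [ "$actual" = "$2" ]
}

# Download, verify, install, start (accepting the license) and enable boot-start
install_splunk() {
  wget -O "$SPLUNK_RPM" "$SPLUNK_URL"
  verify_checksum "$SPLUNK_RPM" "$SPLUNK_SHA256" || {
    echo "checksum mismatch for $SPLUNK_RPM, not installing" >&2
    return 1
  }
  rpm -ivh "$SPLUNK_RPM"
  "$SPLUNK_HOME/bin/splunk" start --accept-license
  "$SPLUNK_HOME/bin/splunk" enable boot-start
}

# Allow the web interface through firewalld (assumed to be the firewall on log01)
open_web_port() {
  firewall-cmd --permanent --add-port="${WEB_PORT}/tcp"
  firewall-cmd --reload
}

# Run from mgmt01: prints the HTTP status code; any response means the UI is reachable
check_web() {
  curl -s -o /dev/null -w '%{http_code}\n' "http://log01:${WEB_PORT}/"
}

# Only act when invoked as: sh install_splunk.sh run
if [ "${1:-}" = "run" ]; then
  install_splunk
  open_web_port
fi
```

Run it as `sh install_splunk.sh run` on log01, then `check_web` from mgmt01. If the checksum does not match, nothing is installed and the script exits non-zero.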

Setting up Splunk indices

  • Create an index called firewall-drops
  • Create an index called ossec

Setting up ingestion of Firewall Drops

  • Create a data input of type Local Files
  • Select the source as the /var/log/remote-syslog folder we previously created
  • Set the source type to linux_messages_syslog
  • Set the host to Segment in Path, and select 4 as the segment number
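The two index and input sections above are web-UI steps; as an added example (not from the wiki), here is the same configuration written as Splunk `indexes.conf` and `inputs.conf` files, plus a small function that shows what "segment 4" of the path resolves to. The app directory name `sec350` and the use of `$SPLUNK_HOME/etc/apps/<app>/local` are assumptions; Splunk has to be restarted after the files are written.

```shell
#!/bin/sh
# Added example: file-based equivalent of the indices and the remote-syslog input.
# Assumes a local app named "sec350" (made-up name) under $SPLUNK_HOME/etc/apps.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
APP_LOCAL="$SPLUNK_HOME/etc/apps/sec350/local"

# indexes.conf: the firewall-drops and ossec indices created on the page
write_indexes_conf() {
  mkdir -p "$(dirname "$1")"
  cat > "$1" <<'EOF'
[firewall-drops]
homePath = $SPLUNK_DB/firewall-drops/db
coldPath = $SPLUNK_DB/firewall-drops/colddb
thawedPath = $SPLUNK_DB/firewall-drops/thaweddb

[ossec]
homePath = $SPLUNK_DB/ossec/db
coldPath = $SPLUNK_DB/ossec/colddb
thawedPath = $SPLUNK_DB/ossec/thaweddb
EOF
}

# inputs.conf: monitor /var/log/remote-syslog, sourcetype and index from the page,
# host taken from the 4th "/"-separated segment of each file's path
write_inputs_conf() {
  mkdir -p "$(dirname "$1")"
  cat > "$1" <<'EOF'
[monitor:///var/log/remote-syslog]
sourcetype = linux_messages_syslog
index = firewall-drops
host_segment = 4
EOF
}

# What host_segment = N selects: segments are numbered from 1 after the leading slash,
# so /var/log/remote-syslog/fw01/messages with N=4 gives "fw01"
host_from_path() {
  printf '%s\n' "$1" | awk -F/ -v n="$2" '{ print $(n + 1) }'
}

# Only write files when invoked as: sh splunk_conf.sh run
if [ "${1:-}" = "run" ]; then
  write_indexes_conf "$APP_LOCAL/indexes.conf"
  write_inputs_conf "$APP_LOCAL/inputs.conf"
  echo "restart Splunk: $SPLUNK_HOME/bin/splunk restart"
fi
```

The `host_from_path` helper is there to check the segment number before committing to it: if the rsyslog template writes files as `/var/log/remote-syslog/<host>/...`, segment 4 is the host; a different directory layout needs a different number.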

Setting up ingestion of OSSEC logs

  • To do this, you have to edit /var/ossec/etc/ossec.conf to add a syslog_output section:
    <syslog_output>
      <server>127.0.0.1</server>
      <port>515</port>
    </syslog_output>
  • Open port 515 with firewall-cmd
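Editing ossec.conf by hand is easy to get wrong because the file usually contains several `<ossec_config>` blocks. The script below is an added example (not from the wiki) that inserts the `syslog_output` section from the page before the last `</ossec_config>`, skips the edit if an identical section is already present, and opens the port. It assumes firewalld, and it opens 515/udp because OSSEC's syslog output (csyslogd) sends over UDP. Splunk still needs a listener on that port feeding the ossec index, which this page does not show.

```shell
#!/bin/sh
# Added example: idempotent insertion of the syslog_output block into ossec.conf.
# Assumes firewalld; OSSEC's csyslogd sends UDP, so the UDP port is opened.
set -eu

OSSEC_CONF="${OSSEC_CONF:-/var/ossec/etc/ossec.conf}"

# Returns 0 if a <syslog_output> block with this server and port already exists
has_syslog_output() {
  awk -v srv="$2" -v prt="$3" '
    /<syslog_output>/ { inblk = 1; s = 0; p = 0; next }
    inblk && $0 ~ "<server>" srv "</server>" { s = 1 }
    inblk && $0 ~ "<port>" prt "</port>"     { p = 1 }
    /<\/syslog_output>/ { if (inblk && s && p) found = 1; inblk = 0 }
    END { exit found ? 0 : 1 }' "$1"
}

# Insert the block before the LAST </ossec_config>; do nothing if it is already there.
# The file is rewritten in place via cat so its owner and mode are preserved.
add_syslog_output() {
  conf=$1; srv=$2; prt=$3
  if has_syslog_output "$conf" "$srv" "$prt"; then
    return 0
  fi
  last=$(grep -c '</ossec_config>' "$conf" || true)
  if [ "$last" -eq 0 ]; then
    echo "no </ossec_config> found in $conf" >&2
    return 1
  fi
  tmp="$conf.tmp.$$"
  awk -v srv="$srv" -v prt="$prt" -v last="$last" '
    /<\/ossec_config>/ {
      seen++
      if (seen == last) {
        print "  <syslog_output>"
        print "    <server>" srv "</server>"
        print "    <port>" prt "</port>"
        print "  </syslog_output>"
      }
    }
    { print }' "$conf" > "$tmp"
  cat "$tmp" > "$conf"
  rm -f "$tmp"
}

# Open the syslog port in firewalld (UDP, which is what OSSEC's csyslogd uses)
open_syslog_port() {
  firewall-cmd --permanent --add-port="$1/udp"
  firewall-cmd --reload
}

# Only act when invoked as: sh ossec_syslog.sh run
if [ "${1:-}" = "run" ]; then
  add_syslog_output "$OSSEC_CONF" 127.0.0.1 515
  open_syslog_port 515
  echo "restart OSSEC so the new output is picked up"
fi
```

Running the script twice leaves a single `syslog_output` block; a second run with a different server or port adds a second block, which is what OSSEC expects for multiple destinations.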