Splunk SIEM Deployment and Configuration

I decided to install a Splunk server on my Homelab today and wanted to talk about my reasoning for this as well as its purpose. Splunk is a very popular data ingestion and log management tool commonly used in Cybersecurity as a SIEM. With goals of becoming a SOC Analyst, I want to become proficient in Splunk.

The main reason I am installing Splunk is for training. I started training for the Splunk Core User Certification. This certification covers the base-level knowledge and practices that are essential to operate Splunk as a Cybersecurity professional. The second reason is to get more experience monitoring network and security events in my HomeLab.

I already installed and configured an instance of ELK stack in the cloud to provide security and log monitoring across my HomeLab, but that was set up in the cloud using a free trial. That free trial is set to expire, so I decided to deploy a permanent SIEM solution to my HomeLab.

I will be installing Splunk Enterprise onto an Ubuntu VM in my Homelab, as well as installing the Splunk universal forwarder (used to forward logs from client computers to the Splunk server) onto all of my Linux servers and Windows workstations.

I followed the Splunk documentation on the server installation and got my server set up. Upon logging into the web GUI I was met with the home screen.

Now it was time to add the universal forwarders on all of my servers and workstations to forward data to my SIEM. For the Linux machines I installed it using the command line interface. In the CLI I set up the forwarders to send all data from the /var/logs directory to my Splunk server. Adding this directory will allow me to monitor the logs from each Linux server. I was having issues getting my forwarder to connect to my Splunk server, but I ended up fixing this by adding a rule to the Splunk server's firewall allowing inbound connections on port 9997.
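As an added illustration (not from the original post), here is what the Linux forwarder setup described above amounts to in configuration terms. On the forwarder, `splunk add forward-server <host>:9997` writes an `outputs.conf` stanza and `splunk add monitor /var/log` writes an `inputs.conf` stanza under `$SPLUNK_HOME/etc/system/local`; the script below renders equivalent files by hand so the stanzas are visible, and prints the server-side `ufw` rule for port 9997. The hostname `splunk.homelab.example`, the output directory and the `homelab_indexers` group name are constructed placeholders; the standard Linux log directory `/var/log` is used. Two things the forwarder CLI does not do for you: the indexer must have receiving enabled on 9997 (Settings > Forwarding and receiving in the web GUI) and its host firewall must allow that port, which is the failure mode hit in the post.

```shell
#!/bin/sh
# Added example, not the original post's commands: render the two config files a
# Splunk universal forwarder needs to ship /var/log to an indexer on TCP 9997,
# and print the matching server-side firewall rule.

SPLUNK_SERVER="${SPLUNK_SERVER:-splunk.homelab.example}"   # constructed indexer hostname
RECEIVE_PORT="${RECEIVE_PORT:-9997}"                         # receiving port used in the post
OUT_DIR="${OUT_DIR:-./forwarder-local}"   # stands in for $SPLUNK_HOME/etc/system/local

# outputs.conf: where the forwarder sends data (indexer host:port).
# Equivalent to: splunk add forward-server host:port
render_outputs_conf() {
  cat <<EOF
[tcpout]
defaultGroup = homelab_indexers

[tcpout:homelab_indexers]
server = ${1}:${2}
EOF
}

# inputs.conf: what the forwarder monitors. The monitor:// stanza is recursive,
# so every file under /var/log is picked up; sourcetype is left to auto-detection.
# Equivalent to: splunk add monitor /var/log
render_inputs_conf() {
  cat <<EOF
[monitor:///var/log]
disabled = false
index = main
EOF
}

# Server side: the indexer's host firewall must accept inbound TCP on the
# receiving port, or the forwarder's connection attempts are dropped silently.
firewall_rule() {
  printf 'ufw allow %s/tcp\n' "$1"
}

write_configs() {
  mkdir -p "$OUT_DIR"
  render_outputs_conf "$SPLUNK_SERVER" "$RECEIVE_PORT" > "$OUT_DIR/outputs.conf"
  render_inputs_conf > "$OUT_DIR/inputs.conf"
}

write_configs
firewall_rule "$RECEIVE_PORT"
```

After copying the rendered files into `$SPLUNK_HOME/etc/system/local` on the forwarder, restart it (`splunk restart`) so the new stanzas are read; `splunk list forward-server` then shows whether the indexer is reported as active or as configured-but-inactive, which is the quickest way to tell a firewall problem from a configuration one.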

With the Linux forwarders set up, I focused on installing the forwarders on my Windows machines. This was fairly easy, as all I had to do was download the executable from Splunk and configure which server to send the data to.

I am going to end this post now with the universal forwarders configured correctly and sending data. I am going to document the creation of my fully functional Splunk SIEM over multiple posts, so look out for the next entries. My next goal is to focus on creating various security dashboards and adding a universal forwarder to my OPNsense router and firewall.