Splunk

Basic overview of Splunk


Last updated 1 year ago

Introduction

Splunk is a tool for analyzing data produced by many different types of systems. It allows you to monitor, search, analyze, and visualize that data in ways that are useful to you or your team. We use Splunk as our SIEM solution. Here we will go over the basic way we install Splunk, common deployment architectures, and how to install the Splunk agent. The Splunk documentation is linked at the bottom of this page.

Pre-Installation

Splunk is built to be modular: there are many different roles a Splunk server can hold, and if you need another server, you can connect it to your cluster and it will integrate seamlessly. The most basic setup for Splunk uses one server holding all of the required roles. This is only recommended for very low-throughput networks with few analysts working on the server. Before we install Splunk, the server roles are outlined below.

Roles

Forwarder - At the very lowest level you have the forwarder. This is the agent installed on the machines you want to monitor; it forwards their logs to the indexers.

Indexers - When logs reach an indexer, the server parses the raw data into indexed logs. An index is a bucket that follows a blueprint for parsing data. For instance, Sysmon logs can be sent to a Sysmon index that knows how to transform the data into fields and queryable parameters and place it in the bucket. This allows analysts to find information easily. Once data is indexed, it remains on the indexer.

Search Head - When an analyst wants to search for information, they do so through the search head. The search head requests the information from the indexers and displays it for the analyst.

Deployment Server - This is the server through which apps or additional tools are pushed to the forwarders. It allows centralized management of forwarders without access to the physical machines they are on.

There are many other roles, such as cluster captain, load balancer, etc., but for the purposes of this guide we will leave those out, as they are more advanced than what is required here. I highly recommend you read the documentation on what each server role is and when to use it.

Installation

The method we use to install is a script that creates one server acting as both an indexer and a deployment server. Simply git clone the repository linked below and run the install script.

This will be added to GitHub soon. We are currently working on a version that includes all of the added packages.

This deployment method may not be sufficient if your environment is much larger. Please reference the documentation below and the image for the recommended servers for each network size.

Installing Splunk Universal Forwarder Agent

Once you've identified the type of machine you are installing the Splunk Universal Forwarder on and loaded the zip / gzip / elf, etc. onto the machine, follow the respective guide below for installing the UF on that machine:

Windows - https://docs.splunk.com/Documentation/Forwarder/9.0.4/Forwarder/InstallaWindowsuniversalforwarderfromaninstaller

Linux - http://docs.splunk.com/Documentation/Forwarder/9.0.4/Forwarder/Installanixuniversalforwarder#Install_the_universal_forwarder_on_Linux

Solaris - http://docs.splunk.com/Documentation/Forwarder/9.0.4/Forwarder/Installanixuniversalforwarder#Install_the_universal_forwarder_on_Solaris

MAC OS X - http://docs.splunk.com/Documentation/Forwarder/9.0.4/Forwarder/Installanixuniversalforwarder#Install_the_universal_forwarder_on_Mac_OS_X

FreeBSD - http://docs.splunk.com/Documentation/Forwarder/9.0.4/Forwarder/Installanixuniversalforwarder#Install_the_universal_forwarder_on_FreeBSD

AIX - http://docs.splunk.com/Documentation/Forwarder/9.0.4/Forwarder/Installanixuniversalforwarder#Install_the_universal_forwarder_on_AIX
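As an added example that is not part of the original page or the Silvin84/dco repository, the following POSIX shell script writes the Universal Forwarder configuration files that connect a freshly installed UF to the indexer and deployment server roles described above; the hostnames, ports, index name and monitored file are assumed values.

```shell
#!/bin/sh
# Added example, not from the original page or the Silvin84/dco repo: writes the three
# Universal Forwarder conf files that wire a fresh UF into the roles described above.
# Assumed/constructed values: indexer "splunk-idx.lab.local" (receiving port 9997),
# deployment server "splunk-ds.lab.local" (management port 8089), index "linux_auth".
set -eu
# Writes outputs.conf, deploymentclient.conf and inputs.conf under
# $1/etc/system/local. $1 is the UF install root (/opt/splunkforwarder on a real
# Linux host); $2 is the indexer host:port and $3 the deployment server host:port.
write_uf_config() {
  local_dir="$1/etc/system/local"
  mkdir -p "$local_dir"
  # outputs.conf: where forwarded data goes. useACK makes the indexer acknowledge
  # each batch so events are not silently lost if the link drops mid-transfer.
  cat > "$local_dir/outputs.conf" <<EOF
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = $2
useACK = true
EOF
  # deploymentclient.conf: registers this UF with the deployment server so apps and
  # inputs can be pushed centrally instead of edited on each machine by hand.
  cat > "$local_dir/deploymentclient.conf" <<EOF
[deployment-client]

[target-broker:deploymentServer]
targetUri = $3
EOF
  # inputs.conf: one local monitor input so the UF sends data before any app arrives
  # from the deployment server; the index must already exist on the indexer.
  cat > "$local_dir/inputs.conf" <<EOF
[monitor:///var/log/auth.log]
index = linux_auth
sourcetype = linux_secure
disabled = false
EOF
}
# conf_has ROOT FILE KEY VALUE: succeeds only if FILE under ROOT carries the exact
# "KEY = VALUE" line; use it to verify the files before restarting the forwarder.
conf_has() { grep -qxF "$3 = $4" "$1/etc/system/local/$2"; }

# Stand-alone run: with SPLUNK_HOME unset, write to a scratch directory for review.
ROOT="${SPLUNK_HOME:-$(mktemp -d)}"
write_uf_config "$ROOT" "splunk-idx.lab.local:9997" "splunk-ds.lab.local:8089"
conf_has "$ROOT" outputs.conf server "splunk-idx.lab.local:9997" && echo "UF config written under $ROOT"
```

On a real host set SPLUNK_HOME=/opt/splunkforwarder before running, then restart the forwarder so it picks up the new files.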
Linked resources:
  • GitHub - Silvin84/dco: Defensive Cyber Operations Tools and documentation
  • About Splunk Enterprise - Splunk Documentation
  • Splunk Distributed Search Documentation: https://docs.splunk.com/Documentation/Splunk/9.0.0/DistSearch/Whatisdistributedsearch
  • Splunk Server Recommendations (Summary of performance recommendations): https://docs.splunk.com/Documentation/Splunk/9.0.4/Capacity/Summaryofperformancerecommendations