Splunk Enterprise is a great way to practice SIEM
Security Information and Event Solutions
Step-by-step: how to install Splunk Enterprise on an Arch Linux operating system.
- Create an account with Splunk first (Splunk login and/or register).
- Download Splunk and save it to your local host (~/Downloads is fine).
- Un-archive the file (splunk-9.4.1-e3bdab203ac8-linux-amd64.tgz)
tar zxvf splunk-9.4.1-e3bdab203ac8-linux-amd64.tgz
- Go into the splunk/bin directory
cd splunk/bin
- Start Splunk, then log into the Splunk web UI
sudo ./splunk start
The output should look like this:
If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com
The Splunk web interface is at http://localhost:8000
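The steps above run Splunk as root straight out of ~/Downloads and take the download on trust. The script below is an added example, not code from the original post or from Splunk, showing the same install done the way a defender would want it: the tarball is checked against the .sha512 file Splunk publishes next to each download, Splunk is extracted to /opt/splunk and owned by a dedicated "splunk" service account, the admin password is seeded from user-seed.conf instead of the first-run prompt, the journald input that the post later adds through the web UI is written as an inputs.conf stanza, and boot-start is enabled as that user. The install location, the user name, the app name journald_input and the SPLUNK_ADMIN_PASSWORD environment variable are this example's own assumptions; the splunk CLI flags and the user-seed.conf and inputs.conf keys are the ones from Splunk's documentation.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes: the tarball and the
# matching .sha512 file are present, the install goes to /opt/splunk owned by
# a dedicated "splunk" user, and the admin password is in SPLUNK_ADMIN_PASSWORD.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"   # assumed install location
SPLUNK_USER="${SPLUNK_USER:-splunk}"        # assumed service account

# Compare a file against a "<hash>  <name>" line (the format of the .sha512 file
# Splunk publishes beside each download). Returns non-zero on mismatch.
verify_checksum() {
    file="$1"; sumfile="$2"
    expected=$(awk '{print $1}' "$sumfile")
    actual=$(sha512sum "$file" | awk '{print $1}')
    [ "$expected" = "$actual" ]
}

# Write user-seed.conf so the first start creates the admin user without the
# interactive prompt. Splunk reads the file once and removes it. The length check
# mirrors Splunk's default minimum password length of 8 characters.
seed_admin_password() {
    home="$1"; password="$2"
    if [ "${#password}" -lt 8 ]; then
        echo "admin password must be at least 8 characters" >&2
        return 1
    fi
    mkdir -p "$home/etc/system/local"
    ( umask 077
      printf '[user_info]\nUSERNAME = admin\nPASSWORD = %s\n' "$password" \
          > "$home/etc/system/local/user-seed.conf" )
}

# Render the inputs.conf stanza for the Systemd Journald input that the post
# configures through Settings -> Add Data; the index name is an assumption.
journald_stanza() {
    name="$1"
    printf '[journald://%s]\ndisabled = 0\nindex = main\n' "$name"
}

# Full install; must run as root. Refuses to continue if the checksum fails.
install_splunk() {
    tarball="$1"
    [ "$(id -u)" -eq 0 ] || { echo "run as root: sudo sh $0 install <tarball>" >&2; return 1; }
    : "${SPLUNK_ADMIN_PASSWORD:?set SPLUNK_ADMIN_PASSWORD in the environment}"
    if ! verify_checksum "$tarball" "$tarball.sha512"; then
        echo "checksum mismatch for $tarball, refusing to install" >&2
        return 1
    fi
    id "$SPLUNK_USER" >/dev/null 2>&1 \
        || useradd -r -d "$SPLUNK_HOME" -s /usr/bin/nologin "$SPLUNK_USER"
    # The archive unpacks into a top-level "splunk" directory, so extract into
    # the parent of SPLUNK_HOME.
    mkdir -p "$(dirname "$SPLUNK_HOME")"
    tar zxf "$tarball" -C "$(dirname "$SPLUNK_HOME")"
    seed_admin_password "$SPLUNK_HOME" "$SPLUNK_ADMIN_PASSWORD"
    mkdir -p "$SPLUNK_HOME/etc/apps/journald_input/local"
    journald_stanza systemd-logs > "$SPLUNK_HOME/etc/apps/journald_input/local/inputs.conf"
    chown -R "$SPLUNK_USER:$SPLUNK_USER" "$SPLUNK_HOME"
    # Reading the journal as a non-root user needs membership in systemd-journal.
    usermod -aG systemd-journal "$SPLUNK_USER"
    # Install a systemd unit (Splunkd.service) that runs Splunk as the service
    # user, accepting the license non-interactively, then start it.
    "$SPLUNK_HOME/bin/splunk" enable boot-start -user "$SPLUNK_USER" -systemd-managed 1 \
        --accept-license --answer-yes --no-prompt
    systemctl start Splunkd
    echo "Splunk web UI: http://localhost:8000"
}

case "${1:-}" in
    install) install_splunk "${2:?path to the Splunk tarball}" ;;
esac
```

Run it as `sudo SPLUNK_ADMIN_PASSWORD='...' sh splunk-install.sh install ~/Downloads/splunk-9.4.1-e3bdab203ac8-linux-amd64.tgz` with the .sha512 file saved next to the tarball. Sourcing the file without the `install` argument only defines the functions, which is how the checksum and seed-file helpers can be exercised on their own.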
Open up any web browser; here I will open up FireDragon from my system, which is just a locked-down Firefox clone.
If this is the first time you are doing this, you will have to provide a username and password.
After logging in the page should look something like this:
- Adding logs or data
In order for Splunk to actually work and have some live data, click on Settings --> Add Data at the top of the menu.
Click on Monitoring at the bottom and the following page should show up:
Click on the Systemd Journald input for Splunk.
In the Name field on the right-hand side, put in a name for your logs, e.g. systemd-logs, then hit Next at the top.
Hit Next and Save (or OK), then go back to Search and type in:
source="localhost" or domain systemd"
In the next post we will talk about how to search and use Splunk fields to parse out information.