Always Learning

Learning Splunk Enterprise

Splunk Enterprise is a great way to practice SIEM (Security Information and Event Management).

Step by step: how to install Splunk Enterprise on an Arch Linux system.

[screenshot]

  • Un-archive the file (splunk-9.4.1-e3bdab203ac8-linux-amd64.tgz):

    tar zxvf splunk-9.4.1-e3bdab203ac8-linux-amd64.tgz

  • Go into the splunk/bin directory:

    cd splunk/bin

  • Start up Splunk and log into the Splunk Web UI:

    sudo ./splunk start

The output should end like this:

    If you get stuck, we're here to help.
    Look for answers here: http://docs.splunk.com

    The Splunk web interface is at http://localhost:8000
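The three steps above work, but they start Splunk as root from whatever directory the tarball was unpacked in. As an added example (not code from the original post), here is the same procedure as a script that first verifies the tarball's SHA-256 against the value published on the Splunk download page, unpacks into /opt, and runs Splunk under a dedicated unprivileged `splunk` user with a boot-time unit. It assumes an Arch Linux host with tar, sha256sum and sudo; `EXPECTED_SHA256` is a placeholder you must replace with the real checksum, and the first start will still ask you for the admin username and password.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: install Splunk Enterprise from
# the downloaded tarball under a dedicated unprivileged user instead of
# starting it with sudo as root. Assumes Arch Linux with tar, sha256sum, sudo.
set -eu

TARBALL="${TARBALL:-splunk-9.4.1-e3bdab203ac8-linux-amd64.tgz}"
# Placeholder: copy the real SHA-256 from the Splunk download page.
EXPECTED_SHA256="${EXPECTED_SHA256:-<sha256-from-splunk-download-page>}"
INSTALL_PARENT="${INSTALL_PARENT:-/opt}"
SPLUNK_USER="${SPLUNK_USER:-splunk}"

# Extract "9.4.1" from "splunk-9.4.1-<build>-linux-amd64.tgz".
# Fails (non-zero) on a filename that does not follow that pattern.
splunk_version_from_tarball() {
    local name
    name=$(basename "$1")
    case "$name" in
        splunk-*-linux-amd64.tgz) printf '%s\n' "$name" | cut -d- -f2 ;;
        *) return 1 ;;
    esac
}

# Compare the file's SHA-256 with the published one so a tampered or
# truncated download is refused before anything is unpacked.
verify_checksum() {
    local file="$1" expected="$2" actual
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

install_splunk() {
    if ! verify_checksum "$TARBALL" "$EXPECTED_SHA256"; then
        echo "checksum mismatch for $TARBALL, refusing to install" >&2
        return 1
    fi
    local version
    version=$(splunk_version_from_tarball "$TARBALL")
    echo "Installing Splunk Enterprise $version into $INSTALL_PARENT/splunk"

    # Service account with no login shell (Arch ships nologin at /usr/bin/nologin).
    if ! id "$SPLUNK_USER" >/dev/null 2>&1; then
        sudo useradd --system --home-dir "$INSTALL_PARENT/splunk" \
            --shell /usr/bin/nologin "$SPLUNK_USER"
    fi

    sudo tar -C "$INSTALL_PARENT" -xzf "$TARBALL"
    sudo chown -R "$SPLUNK_USER:$SPLUNK_USER" "$INSTALL_PARENT/splunk"

    # First start as the unprivileged user; the license and yes/no prompts are
    # answered up front, the admin username/password prompt still appears.
    sudo -u "$SPLUNK_USER" "$INSTALL_PARENT/splunk/bin/splunk" start \
        --accept-license --answer-yes

    # Register a boot-time service that keeps running as that user.
    sudo "$INSTALL_PARENT/splunk/bin/splunk" enable boot-start -user "$SPLUNK_USER"
    echo "Splunk Web should now be reachable at http://localhost:8000"
}

# Only perform the installation when invoked as: ./install-splunk.sh install
if [ "${1:-}" = "install" ]; then
    install_splunk
fi
```

Run it as `./install-splunk.sh install` from the directory holding the tarball after exporting `EXPECTED_SHA256`; the checksum and version helpers can also be sourced on their own to check a download before touching the system.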

Open up any web browser. Here I will open FireDragon on my system, which is just a locked-down Firefox clone.

[screenshot]

If this is the first time you are doing this, you will have to provide a username and password.

After logging in the page should look something like this:

[screenshot]

  • Adding logs or data

For Splunk to actually have some live data to work with, click Settings --> Add Data at the top of the menu.

[screenshot]

Click on Monitoring at the bottom and the following page should show up:

[screenshot]

Click on the Systemd Journald input for Splunk:

[screenshot]

In the Name field on the right-hand side, enter a name for your logs, e.g. systemd-logs, then hit Next at the top.

Hit Next, then Save (or OK), then go back to Search and type in:

    source="localhost" OR domain="systemd"

[screenshot]

In the next post we will talk about how to search and use Splunk fields to parse out information.
