Installing Splunk on an Ubuntu Server
Part 5- Installing Splunk on an Ubuntu Server
We will now install Splunk on an Ubuntu Server for security monitoring. Download the Ubuntu Server ISO from ubuntu.com using the "manual server installation" option (not the automated or cloud images).
When going through the new-VM wizard, give the machine a name such as Splunk or SIEM.
For disk space use the following.
Click Customize Hardware and remove the sound card, printer, and USB controller; the SIEM does not need them, and every virtual device you leave attached is one more thing to maintain and one more way into the guest.
Once the VM is powered on, select "Try or Install Ubuntu Server". When you reach the installer, follow the screenshots below.
For keyboard configuration, accept whatever layout works for you.
On the "Choose type of install" page, select the default Ubuntu Server install, not the minimized one.
Accept the default network configuration here. You will notice that the IP assigned to the interface does not match our topology; that is fine for now and will be addressed at length later.
No proxy needed.
For "Configure Ubuntu archive mirror", accept the default.
In the step after that, accept the default as well.
Accept the default on the storage configuration page too, then confirm the "destructive action" (it only formats the new VM's virtual disk). This is the point at which the install begins.
The next step is profile setup. Simply enter the information it asks for: your name, the server name, a username, and a password. This is the account you will log in with, so use a strong password.
Select the following
It will begin the install on the following page.
After the installer finishes it reboots, and it may prompt you to remove the CD-ROM. Right-click the VM and unmount the install disk.
We will then log in and use tasksel so that we can install a GUI on the server. Run the command shown below and answer y at the y/n prompt.
Next, install the Ubuntu desktop with sudo apt install ubuntu-desktop.
This may take a while. Press Enter when the prompt comes back, then enter reboot.
Upon reboot you will have a graphical user interface on your Ubuntu server. Note that a desktop is a convenience for this lab, not a requirement: Splunk Web is a normal web application, so you could instead leave the server headless, fetch the installer with wget, and browse to the server from another machine on the lab network. The extra packages enlarge the server's attack surface, so on anything beyond a lab you would skip this step.
Accept the defaults in the wizard.
If your machine does not have Firefox, go ahead and install it.
Navigate to splunk.com and click "Free Splunk". Be careful not to download the Splunk Cloud Platform trial; we want to install on our own server, so find the 60-day Splunk Enterprise free trial, then fill out the download form.
Download the Linux .tgz package shown below. The download page also publishes a SHA-512 checksum for each package; grab that too so you can verify the archive before extracting it.
When the download finishes, open a terminal to extract and install it.
To extract the archive we use tar with the flags below, followed by the file name (tab completion will fill in the rest of it). If you want more insight into what each switch means, run tar --help separately.
tar -xvzf splunk-*-Linux-x86_64.tgz
After it extracts there will be a splunk folder in Downloads; navigate into it and then into its bin directory. (Splunk's own documentation installs to /opt/splunk rather than a home directory; the tutorial continues from Downloads because that is where the download landed.)
Once you are in bin, run ./splunk start, as shown below. Tip: press the spacebar to page to the bottom once the license terms come up.
Agree to the license and then create admin credentials for Splunk. This account has full control of the SIEM, so pick a strong password.
When it is done, you should see the following.
Enter the URL it printed in the browser (Splunk Web listens on port 8000 by default, so it will be http://<server IP>:8000) and boom! Log in with the credentials you set.
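The download, verify, extract and start sequence above, collected into one script. This is an added example and not part of the original tutorial or Splunk's own tooling; it assumes the .tgz and its .sha512 companion file from the Splunk download page are passed as arguments (the file names are whatever you downloaded), and it departs from the tutorial in two ways a practitioner would want: it checks the archive's SHA-512 and its member paths before touching the system, and it extracts to /opt/splunk and runs Splunk as a dedicated unprivileged "splunk" user instead of from Downloads as your login user. The first start still shows the license and prompts for admin credentials, exactly as in the tutorial, and the final enable boot-start makes Splunk survive a reboot, which the tutorial's approach does not.

```shell
#!/bin/sh
# Added example (not from the original tutorial): verify, extract and start a
# Splunk Enterprise .tgz. Both file paths are supplied by the caller; the
# script does not assume any particular version in the file name.

# Compare the archive's SHA-512 against the published checksum file. The hash
# is pulled out with a regex so the check does not depend on the exact layout
# of the checksum file.
verify_splunk_download() {
    archive="$1"
    checksum_file="$2"
    [ -f "$archive" ] && [ -f "$checksum_file" ] || return 1
    expected=$(grep -oE '[0-9a-fA-F]{128}' "$checksum_file" | head -n 1 | tr 'A-F' 'a-f')
    [ -n "$expected" ] || return 1
    actual=$(sha512sum "$archive" | cut -d ' ' -f 1)
    [ "$actual" = "$expected" ]
}

# Refuse archives whose members would land outside the expected splunk/ prefix
# (absolute paths, '..' components, or a different top-level directory), so
# extraction cannot write anywhere unexpected. An empty listing also fails.
splunk_archive_is_sane() {
    archive="$1"
    [ -f "$archive" ] || return 1
    tar -tzf "$archive" 2>/dev/null | awk '
        { n++ }
        /^\// { bad = 1 }
        /(^|\/)\.\.(\/|$)/ { bad = 1 }
        $0 != "splunk" && $0 !~ /^splunk\// { bad = 1 }
        END { exit (bad || n == 0) ? 1 : 0 }'
}

# Full procedure: verify, extract under /opt, hand the tree to an unprivileged
# "splunk" user, accept the licence, then register Splunk to start at boot.
install_splunk() {
    archive="$1"
    checksum_file="$2"
    verify_splunk_download "$archive" "$checksum_file" \
        || { echo "checksum mismatch: refusing to install $archive" >&2; return 1; }
    splunk_archive_is_sane "$archive" \
        || { echo "unexpected member paths in $archive" >&2; return 1; }
    id splunk >/dev/null 2>&1 \
        || sudo useradd --system --home-dir /opt/splunk --shell /usr/sbin/nologin splunk
    sudo tar -xzf "$archive" -C /opt
    sudo chown -R splunk:splunk /opt/splunk
    # First start shows the licence (space pages through it) and prompts for
    # the admin username and password, exactly as in the tutorial.
    sudo -u splunk /opt/splunk/bin/splunk start --accept-license
    sudo /opt/splunk/bin/splunk enable boot-start -user splunk
    echo "Splunk Web should now be listening on http://$(hostname -I | cut -d ' ' -f 1):8000"
}

# Only run the install when explicitly asked, so the helper functions can be
# sourced or tested without touching the system. Usage:
#   RUN_SPLUNK_INSTALL=1 sh install_splunk.sh ~/Downloads/splunk-*.tgz ~/Downloads/splunk-*.tgz.sha512
if [ "${RUN_SPLUNK_INSTALL:-0}" = "1" ]; then
    install_splunk "$@"
fi
```

The two checks run before anything is written to disk: a mismatched checksum means the archive is not what Splunk published (a corrupt download or a tampered mirror), and a member path outside splunk/ means the tarball is not the layout you expect and should not be extracted with elevated privileges.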
This is what the home screen looks like.
In the next part, we will ingest Windows event logs from the machines on the victim network into Splunk using the Universal Forwarder.