Splunk Installation & Setup on Kali Linux (Ultra-Detailed Guide)
🧠 Prerequisites (Before You Begin)
     ✅ Kali Linux (64-bit version preferred, updated)
     ✅ Internet access for downloading Splunk
     ✅ Minimum System Requirements:
        o   4 GB RAM minimum (8 GB+ highly recommended)
        o   At least 10–15 GB of free disk space
        o   Dual-core CPU or better
     ✅ Root or Sudo Privileges
     ✅ Browser installed to access Splunk Web UI
🔽 Step 1: Download Splunk Enterprise
  1. Visit the official Splunk downloads page: 👉
     https://www.splunk.com/en_us/download/splunk-enterprise.html
  2. Click "Free Download" and choose:
        o   Product: Splunk Enterprise
        o   Platform: Linux 64-bit
        o   Package Type: .deb (Debian/Ubuntu compatible)
  3. Accept license terms and copy the wget download link (you'll
     use it in the terminal).
In Your Terminal:
wget -O splunk.deb "<PASTE_DOWNLOADED_WGET_LINK_HERE>"
Example:
wget -O splunk.deb "https://download.splunk.com/products/splunk/releases/9.2.0.1/linux/splunk-9.2.0.1-a7d4c5f0ebf2-linux-2.6-amd64.deb"
⚙️ Step 2: Install Splunk
Install the downloaded .deb package:
sudo dpkg -i splunk.deb
If you see any dependency errors, fix them:
sudo apt --fix-broken install
sudo dpkg -i splunk.deb # Re-run installation to confirm
🚀 Step 3: Start Splunk for the First Time
Navigate to the Splunk binary directory:
cd /opt/splunk/bin
Start the Splunk service:
sudo ./splunk start --accept-license
✅ You will be prompted to create:
     admin username
     Password (use a secure one, e.g., Admin@123)
🔁 Step 4: Enable Auto-Start on Boot
Ensure Splunk starts every time you reboot:
sudo ./splunk enable boot-start
🌐 Step 5: Access Splunk Web UI
Open your browser and go to:
http://localhost:8000
Log in using the admin credentials you just created.
📊 Step 6: Add Data to Splunk (Multiple Methods)
📁 Option 1: Upload Files
     Go to Settings > Add Data > Upload
     Drag and drop files like:
        o   /var/log/syslog
        o   /home/user/logs/errors.txt
     Select source type (e.g., linux_syslog, csv, access_combined)
     Select index (default is main, or create new one like linux_logs)
🗂 Option 2: Monitor Files & Directories in Real-Time
     Settings > Add Data > Monitor > Files & Directories
     Monitor common log folders:
/var/log/
/var/log/auth.log
/var/log/apache2/access.log
     Choose index and source type accordingly
🔁 Option 3: Monitor Network Ports (Syslog/UDP/TCP)
     Go to: Settings > Add Data > Monitor > TCP/UDP
     Example: Monitor UDP 514 for syslog traffic from remote machines
     Configure your firewall/router accordingly
🔎 Step 7: Try Basic SPL (Search Processing Language) Queries
Search examples to explore data:
index=* | stats count by host, sourcetype
index=* error OR fail | table _time host source message
index=* | timechart span=15m count by sourcetype
index=* | top source limit=10
index=* "authentication failure" OR "unauthorized access"
🔍 Helpful Filters:
index=syslog source="/var/log/auth.log" severity!=info
index=* sourcetype=sysmon EventCode=1 | stats count by Image
📈 Step 8: Create Dashboards and Alerts
Dashboards:
  1. Go to Dashboards > Create New Dashboard
  2. Add Panels → Use SPL searches you saved
  3. Customize layout: bar, pie, timechart, etc.
Alerts:
  1. Run a search
  2. Save As → Alert
  3. Choose trigger (e.g., if result count > 5 in 5 mins)
  4. Set actions:
          o   Email
          o   Webhook
          o   Run script
🔐 Step 9: Enable HTTPS (SSL)
Enable secure access to Splunk Web (by default this uses the self-signed certificate Splunk ships, so browsers will warn until you install a certificate issued by your own CA):
sudo ./splunk set web-port 8443
sudo ./splunk enable web-ssl
sudo ./splunk restart
Then access at:
https://localhost:8443
🧽 Step 10: Clean Uninstall (Optional)
sudo /opt/splunk/bin/splunk stop
sudo rm -rf /opt/splunk
sudo rm /etc/init.d/splunk
Adding a Remote Linux Machine (via Universal Forwarder)
✅ On the Main Splunk Server:
     Go to: Settings > Forwarding and Receiving > Configure Receiving
     Add new port: 9997 (default for receiving forwarder data)
🧭 On the Remote Machine (Debian/Ubuntu):
  1. Download Splunk Universal Forwarder:
wget -O splunkforwarder.deb "<download_link>"
sudo dpkg -i splunkforwarder.deb
  2. Start and enable service:
cd /opt/splunkforwarder/bin
sudo ./splunk start --accept-license
sudo ./splunk enable boot-start
  3. Connect forwarder to Splunk server:
sudo ./splunk add forward-server <SPLUNK_SERVER_IP>:9997
  4. Add log files to monitor:
sudo ./splunk add monitor /var/log
sudo ./splunk add monitor /etc/passwd
sudo ./splunk restart
Verify in Main Splunk:
index=* host=<hostname> | stats count by sourcetype
You should now see remote logs flowing in!
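The "add forward-server" and "add monitor" commands above, like the Configure Receiving step on the main server and the Monitor Files & Directories option in Step 6, all end up as plain stanzas in conf files under $SPLUNK_HOME/etc. The script below is an added example (not part of this guide and not Splunk's own tooling) that writes the equivalent files directly, which is handy when you want to review or version-control a forwarder's configuration before rolling it out. The directory layout, the linux_logs index and the linux_secure sourcetype are assumptions for a lab; the indexer address is a placeholder.

```shell
#!/bin/sh
# Added example: write the conf-file equivalent of the forwarder CLI steps.
# Paths, index name and sourcetypes are lab assumptions, not Splunk defaults.
set -eu

# write_forwarder_conf <SPLUNK_HOME> <indexer_host:port> <index>
# Creates etc/system/local/outputs.conf (where data goes) and
# etc/system/local/inputs.conf (what is read) under the given SPLUNK_HOME.
write_forwarder_conf() {
  home="$1"; server="$2"; index="$3"
  local_dir="$home/etc/system/local"
  mkdir -p "$local_dir"

  # outputs.conf: same effect as "splunk add forward-server <ip>:9997"
  cat > "$local_dir/outputs.conf" <<EOF
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = $server
EOF

  # inputs.conf: same effect as "splunk add monitor <path>", one stanza per path
  cat > "$local_dir/inputs.conf" <<EOF
[monitor:///var/log/auth.log]
index = $index
sourcetype = linux_secure
disabled = false

[monitor:///var/log/syslog]
index = $index
sourcetype = linux_syslog
disabled = false
EOF
}

# write_receiver_conf <SPLUNK_HOME> <port>
# On the MAIN server only: same effect as Settings > Forwarding and Receiving >
# Configure Receiving, i.e. listen for forwarder traffic on the given port.
write_receiver_conf() {
  local_dir="$1/etc/system/local"
  mkdir -p "$local_dir"
  printf '[splunktcp://%s]\ndisabled = false\n' "$2" >> "$local_dir/inputs.conf"
}

# check_forwarder_conf <SPLUNK_HOME> <indexer_host:port>
# Returns 0 when outputs.conf points at the expected indexer, 1 otherwise.
check_forwarder_conf() {
  grep -qxF "server = $2" "$1/etc/system/local/outputs.conf"
}

# Usage on the forwarder host (after "dpkg -i splunkforwarder.deb"), then restart:
#   write_forwarder_conf /opt/splunkforwarder 192.0.2.10:9997 linux_logs
#   sudo /opt/splunkforwarder/bin/splunk restart
# Usage on the main server:
#   write_receiver_conf /opt/splunk 9997
#   sudo /opt/splunk/bin/splunk restart
```

Splunk reads conf files from several directories (etc/system/local and each app's local directory, among others); the CLI commands in the guide write comparable stanzas to those locations, so after a restart the result is the same whichever route you take. Keep the receiver stanza on the main server and the tcpout stanza on the forwarder; a forwarder with a splunktcp input of its own will not start listening for anything useful.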
Security Use-Cases to Build
     Brute force SSH login attempts:
index=* "Failed password" OR "authentication failure" | stats count by src
     New user added to system:
index=* "new user" OR "useradd"
     Suspicious commands executed:
index=* sourcetype=sysmon EventCode=1 | search Image IN ("*ncat*", "*curl*", "*python*")
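The brute-force and new-user searches above depend on Splunk extracting a src field from each event. As an added example that is not from this guide, the following shell/awk script applies the same logic to a constructed auth.log excerpt, so you can see which token becomes src (the "from <ip>" of sshd lines and the "rhost=<ip>" of pam_unix lines) and confirm a threshold before building the alert in Step 8. The log lines, hostnames and addresses are made up for the example.

```shell
#!/bin/sh
# Added example: the SPL use-cases above, run locally over constructed log lines.
# Sample data below is invented; hostnames and IPs are documentation addresses.
set -eu

# write_sample_auth_log <path>: writes a constructed auth.log excerpt.
write_sample_auth_log() {
  cat > "$1" <<'EOF'
Jan 10 10:00:01 kali sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Jan 10 10:00:03 kali sshd[1201]: Failed password for root from 198.51.100.7 port 51236 ssh2
Jan 10 10:00:05 kali sshd[1203]: Failed password for root from 198.51.100.7 port 51240 ssh2
Jan 10 10:00:06 kali sshd[1205]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
Jan 10 10:00:09 kali sshd[1207]: Failed password for alice from 203.0.113.9 port 40001 ssh2
Jan 10 10:00:12 kali sshd[1209]: Accepted password for alice from 203.0.113.9 port 40002 ssh2
Jan 10 10:00:15 kali sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/useradd mallory
EOF
}

# failed_ssh_by_src <logfile> [threshold]
# Equivalent of:  index=* "Failed password" OR "authentication failure" | stats count by src
# Prints "ip count" for every source at or above the threshold (default 5),
# most active source first. Sources without a recognisable address are skipped.
failed_ssh_by_src() {
  awk -v thr="${2:-5}" '
    /Failed password|authentication failure/ {
      ip = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "from") ip = $(i + 1)                         # sshd: "... from 198.51.100.7 port ..."
        else if (index($i, "rhost=") == 1) ip = substr($i, 7)  # pam_unix: "rhost=198.51.100.7"
      }
      if (ip != "") count[ip]++
    }
    END { for (ip in count) if (count[ip] >= thr) printf "%s %d\n", ip, count[ip] }
  ' "$1" | sort -k2,2nr
}

# new_user_events <logfile>
# Equivalent of:  index=* "new user" OR "useradd"
new_user_events() {
  grep -E 'new user|useradd' "$1"
}

# Usage:
#   write_sample_auth_log /tmp/auth.sample
#   failed_ssh_by_src /tmp/auth.sample 3     # -> 198.51.100.7 4
#   new_user_events /tmp/auth.sample         # -> the sudo/useradd line
```

Note that one failed login from 203.0.113.9 followed by a success is normal user behaviour and stays below the threshold, while 198.51.100.7 accumulates three sshd failures plus one pam_unix failure for the same attempt stream; if your alert in Step 8 counts both message types, expect roughly double-counting per attempt and set the trigger accordingly.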
🔄 Useful Add-ons:
     Splunk Add-on for Linux
     Splunk Add-on for Suricata (EVE logs)
     Splunk Add-on for Windows (WinEventLog/Sysmon)
     Splunk Add-on for Zeek
     Splunk App for Enterprise Security (Advanced)
🔌 Integration Ideas:
     🧠 Wazuh → Forward logs via Filebeat or Syslog
     Zeek → Monitor /opt/zeek/logs/current/*.log
     🔥 Suricata → Forward eve.json via Filebeat or monitor directly
📤 Scheduled Reports
     Go to: Reports > New Report > Schedule for Email Delivery
     Export raw logs, statistics, dashboards
📈 Performance Tips
     Always specify index= at the start of SPL
     Use fields to limit field extractions
     Use tstats for large data aggregation
     Archive old logs using buckets/index retention
✅ Final Summary
✅ Splunk fully installed and running on Kali Linux
✅ Remote data ingestion configured using Universal Forwarder
✅ Logs searchable, visualized, and alertable
✅ Foundations for SIEM, threat detection, hunting, and more