SIEM Tutorial - Part 3


Hello! In Part 2 we covered what Splunk is and its components, explored its interface, and solved a small piece of the botsv3 dataset. Today we are going to dive into another Splunk feature.

In this part, we will learn how to forward data from different machines to Splunk for analysis.

Lab Setup

For this lab, we will need three virtual machines (VMs):

  1. VM #1: for Splunk Enterprise (Windows VM)
  2. VM #2: for Splunk Forwarder (Linux VM)
  3. VM #3: for an attacker (Linux VM)

Note: If you don’t have a Windows VM, you can use your local host as the Splunk Enterprise machine.

Installing Splunk Universal Forwarder

Let’s start by installing the Splunk Universal Forwarder. Since the forwarder will run on Linux, download one of the Linux packages shown below.

splunk_forwarder_download_1

After downloading, let’s extract the files.

splunk_setup_1

Navigate to the forwarder’s bin directory and start it, accepting the license agreement:

./splunk start --accept-license

Note: You will be prompted to set administrator credentials, just as when Splunk Enterprise was installed.

splunk_setup_2

Configuring Splunk to Receive Data

Now that we’ve installed the Splunk Forwarder, we need to configure Splunk Enterprise (Windows VM) to receive data from the forwarder. Follow these steps to configure the port for receiving data:

  1. Go to Settings -> Forwarding and Receiving.
  2. Click on Add new under New Receiving Port.
  3. Set the receiving port to 9997 (or any other port) and click Save.

splunk_forwarding&receiving

splunk_forward_port_1

splunk_forward_port_2

Port 9997 is the default for receiving forwarded data, but it can be configured differently.

Next, we need to create an index to store the logs coming from the Linux forwarder. To do this:

  1. Go to Settings -> Indexes.
  2. Click New Index and name it something like kali_logs.
  3. Set the options and save.

splunk_index

Configuring Linux Splunk Forwarder

Now let’s go back to the Linux machine and configure it to send logs to the Splunk server using:

./splunk add forward-server <SPLUNK_ENTERPRISE_SERVER_IP:9997>

Restart the forwarder (./splunk restart) to apply the changes.

splunk_setup_2

If we go to the Splunk server now, no hosts show up yet, because the forwarder isn’t monitoring any files. So let’s add the /var/log directory as a monitored input.

/var/log contains logs from the OS itself, from services, and from the various applications running on the system. It is the rough Linux counterpart of Event Viewer on Windows.

splunk_setup_3

Viewing Logs in Splunk Enterprise

After configuring the forwarder, let’s go back to Splunk Enterprise (Windows VM) to check if the logs are coming through.

splunk_data_summary

splunk_search_hosts

If we search for the kali_logs index, we can see all log files in /var/log here.

splunk_search_index

Attacker Simulation: Directory Brute-Forcing

On the Linux VM (Kali), install and start Apache2 and SSH services. These services generate logs that Splunk can monitor. Use the following commands:

kali_ip

linux_ports

Let’s check that the web server is reachable by browsing to http://127.0.0.1/.

linux_webserver

Now, simulate an attack using dirb from the attacker machine (Linux VM) against the running Apache server.

dirb

Back in Splunk search, filtering on /var/log/apache2/access.log shows the dirb requests recorded in Apache’s access log.

As in the previous part, we pick out the interesting fields and display them in tabular form for a clearer view.

splunk_search_SPL

Don’t forget, if you want to search for something you have searched for before, you can go to Search history.

splunk_search_history

Creating Alerts for Suspicious Activity

As we saw above, an attacker tried to brute-force directory names, which many organizations would treat as suspicious activity. So let’s create an alert for it.

splunk_alert

We can set an action to send an email if an alert is triggered.

splunk_alert_2
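As an added example (not part of the original tutorial), the following Python script implements the same condition the alert above would check, a burst of 404 responses from a single client, over constructed sample lines in Apache’s combined log format; the SPL in the docstring is the Splunk equivalent and assumes the field names of Splunk’s default access_combined sourcetype (clientip, status).

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format, as written to /var/log/apache2/access.log.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Parse one combined-format line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ev

def find_bruteforcers(lines, window_s=60, min_404=10):
    """Return {client_ip: peak 404 count} for clients with at least min_404
    responses of status 404 inside any window_s-second window. Same logic as
    an SPL alert on the tutorial's index (field names assumed from Splunk's
    access_combined sourcetype):
      index=kali_logs source="/var/log/apache2/access.log" status=404
      | bin _time span=60s | stats count by _time, clientip | where count>=10
    """
    per_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None and ev["status"] == 404:
            per_ip[ev["ip"]].append(ev["ts"])
    hits = {}
    for ip, times in per_ip.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):  # sliding window over sorted timestamps
            while (times[hi] - times[lo]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 >= min_404:
                hits[ip] = max(hits.get(ip, 0), hi - lo + 1)
    return hits

# Constructed sample: 12 rapid 404s from one host (a dirb-style burst) plus one benign 404.
SAMPLE = [
    f'10.0.0.5 - - [10/Oct/2023:13:55:{i:02d} +0000] "GET /{w} HTTP/1.1" 404 196 "-" "curl/8.0"'
    for i, w in enumerate(["admin", "backup", "cgi-bin", "config", "db", "dev", "images", "logs", "old", "private", "test", "tmp"])
] + ['192.168.1.20 - - [10/Oct/2023:13:56:02 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"']
```

Tune window_s and min_404 against your own baseline traffic before turning the equivalent SPL into a scheduled alert, so that a single missing favicon does not page anyone.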

Resources

Tryhackme - splunkexploringspl

Tryhackme - splunklab

Tryhackme - splunkdashboardsandreports

Tryhackme - splunkdatamanipulation

Splunk Official Site

Tutorialspoint

Botsv3

Conclusion

In this tutorial, we successfully forwarded logs from a Linux machine to Splunk Enterprise, simulated an attack, and analyzed the logs using Splunk. As a summary:

  • Part 1: Introduction to logs, monitoring, and SIEM solutions.
  • Part 2: Introduction to Splunk, its components, and hands-on practice with a demo.
  • Part 3: Set up a home lab with Splunk Forwarder and analyzed attack data.

If you find this tutorial helpful, you can follow me on Twitter for more updates. Keep going!

Thanks for reading.
