Splunk in My Homelab: Part Two

Kicking off the second part of setting up Splunk in my home lab, I will be installing the Windows add-on on the Splunk server and a universal forwarder on the Windows Server 2012 box from which I want to index logs. If you do not have a Splunk server up and running in your lab, check out my first post “Splunk in My Homelab: Part One” at https://jamey.info/splunk-in-my-homelab/.

From your Splunk web console choose Splunk Apps.

Now search the apps using Windows as your search term. The official Splunk app is called Splunk Add-on for Microsoft Windows. Installing it prepares Splunk to accept machine data from a Windows source.

After selecting install, you will be prompted to log in to Splunkbase using your Splunk account and then prompted to restart Splunk. Once Splunk is back up and running, log back into the server. Next, we configure a listening port to receive the Windows data. From the Splunk home screen, click Settings, then choose “Forwarding and receiving”.

Now click the blue hyperlink “Configure receiving”.

Enter the port number on which you want Splunk to listen. I chose the default Splunk listening port 9997.

Now the Splunk server is prepared to receive data to index. Next, move on to installing the forwarder on the Windows server you want to collect data from.

First, go to https://www.splunk.com/en_us/download/universal-forwarder.html and download the universal forwarder that is appropriate for the OS you will be exporting data from. I chose Windows 64-bit. Splunk recommends not installing the 32-bit version on 64-bit machines.

Now run the MSI locally on the Windows server. Accept the license and choose Customize Options.

I ran it as the Local System account. If you have an internal domain, check out this link for best practices on using domain accounts.

Choose what data you want exported. I chose a lot. Be aware that the system log on Windows will generate a ton of data.

Finally, I pointed it at my Splunk server. If you used anything besides the default port when setting up the listener on the Splunk server, then enter it in the box. Otherwise, leave it blank.

Now navigate to your Search app and search for host="<windows server name>". It may take a few minutes to populate. Now that we have everything up and running, we will be focusing on Splunk search in the next post.
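The wizard steps above (license, Local System account, Application/Security/System event logs, receiver on port 9997) can also be driven unattended, which is handy once you have more than one Windows box to onboard. This is an added PowerShell example, not code from the original post or from Splunk; the MSI path, the hostname splunkserver and the log paths are assumptions, and the MSI property names are the ones Splunk documents for the universal forwarder installer, so verify them against the release you download.

```powershell
# Added example: unattended universal forwarder install mirroring the wizard choices above.
# Assumed values (hypothetical): MSI in C:\Temp, Splunk server reachable as "splunkserver",
# receiver listening on the default port 9997.
$Msi     = 'C:\Temp\splunkforwarder-x64.msi'   # downloaded from splunk.com
$Indexer = 'splunkserver:9997'                 # host:port configured under "Configure receiving"
$Log     = 'C:\Temp\uf-install.log'            # verbose msiexec log for troubleshooting

# Public MSI properties documented for the forwarder installer. AGREETOLICENSE replaces the
# license click-through, RECEIVING_INDEXER points the forwarder at the server, and the
# WINEVENTLOG_* switches select the Application, Security and System logs. Without
# LOGON_USERNAME/LOGON_PASSWORD the service runs as Local System, as in the wizard.
$Props = @(
    'AGREETOLICENSE=Yes'
    "RECEIVING_INDEXER=`"$Indexer`""
    'WINEVENTLOG_APP_ENABLE=1'
    'WINEVENTLOG_SEC_ENABLE=1'
    'WINEVENTLOG_SYS_ENABLE=1'
    'SERVICESTARTTYPE=auto'
    'LAUNCHSPLUNK=1'
)

$msiArgs = @('/i', "`"$Msi`"") + $Props + @('/quiet', '/l*v', "`"$Log`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "msiexec failed with exit code $($proc.ExitCode); see $Log"
}

# Verify the service came up; a stopped forwarder is the usual reason host= returns nothing.
$svc = Get-Service -Name 'SplunkForwarder' -ErrorAction Stop
if ($svc.Status -ne 'Running') { throw "SplunkForwarder service is $($svc.Status)" }

# Confirm the forwarder actually connected to the receiver: splunkd.log records
# "Connected to idx=host:port" once the TCP output channel to the indexer is established.
# Note that this channel is plaintext unless TLS is configured in outputs.conf.
$SplunkdLog = Join-Path $env:ProgramFiles 'SplunkUniversalForwarder\var\log\splunk\splunkd.log'
Start-Sleep -Seconds 30
$connected = Select-String -Path $SplunkdLog -Pattern ("Connected to idx=" + [regex]::Escape($Indexer))
if ($connected) {
    Write-Output "Forwarder connected to $Indexer; search host=$env:COMPUTERNAME on the server."
} else {
    Write-Warning "No connection to $Indexer logged yet; check the receiving port and firewall, and re-check $SplunkdLog."
}
```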

Splunk in My Homelab: Part One

Over time my homelab has grown to over 40 virtual machines spread over three subnets. All the boxes are active and I want more insight into what is going on, so I’m adding a Splunk server. Over the next three blog posts, I’ll walk you through setting up and searching Splunk. This first post is going to cover registering for, downloading, and installing the Splunk software. The next post will cover installing the forwarders, which gives Splunk something to index. Lastly, the third post will cover adding apps and querying data.

Before we begin, let’s quickly look at the parts of Splunk. The layer closest to us is the search head. This is the front end that we interact with via search and the Splunk web UI. The indexer is the heart of Splunk. The indexer receives data, compresses it, and then indexes it. The last part is the forwarder. This is a Splunk instance on an endpoint that generates machine data. The forwarder forwards the data to the indexer. Typically you would separate the roles, but because of the small amount of data and for simplicity’s sake, I’m putting the search head and indexer on one box.

First go to splunk.com and register an account. It’s free, but be aware they may ask to validate your email, in case you like to use throwaway ones. Once logged in, click the big green Free Splunk button. I chose the Splunk Enterprise server free download.

I’m using Ubuntu 16.04 for my Splunk server, so I will choose Linux. At this point, you can download the .deb file, but as the second screenshot shows, you can also use wget to download the bits right to your box. That is what I will be doing. You’ll also notice that I pointed out the data limitation. This is not an issue for me since I’m just curious about my traffic and don’t actually need more than that. But if you want more and are willing to follow up, Google “Splunk Developer License.”

After running the wget command from the screenshot above, run the following:

#Install the Splunk Enterprise package (needs root)
sudo dpkg -i splunk-6.6.2-4b804538c686-linux-2.6-amd64.deb
#If dpkg complains about missing dependencies, let apt resolve them
sudo apt-get install -f
#Start the Splunk server for the first time and accept the license non-interactively
sudo /opt/splunk/bin/splunk start --accept-license
#Finally set Splunk to start on boot
sudo /opt/splunk/bin/splunk enable boot-start

Now navigate to http://splunkserver:8000 (substitute your own server’s hostname). Success!!!

In the next post, I will be installing a universal forwarder which will provide some data that I will later query in part three of this series.