Jv Cyberguard

Cybersecurity Home Lab - Deploying Splunk

Updated: Jul 18

Installing Splunk on an Ubuntu Server

Part 1- Configuring pfSense

Part 2- Configuring Security Onion's IDS

Part 3- Building AD Lab (Victim Domain)

Part 4- Going hybrid - Connecting your AD to Azure AD

Part 5- Installing Splunk on an Ubuntu Server

Part 6a- Ingesting logs in Splunk

Part 6b- Ingesting logs in Splunk (Troubleshooting & Network Migration)

Part 5- Installing Splunk on an Ubuntu Server

We will now install Splunk on an Ubuntu Server for security monitoring. Use the manual server installation image to get the ISO.

When going through the wizard give the machine a name such as Splunk or SIEM.

For disk space use the following.

We will click customize hardware and remove the sound card, printer, and USB connection.

Select "Try and install Ubuntu Server" once it is powered on. When you get to the setup, follow the screenshots below.

For keyboard config accept what works for you.

For the "choose type of install" page, select the default install, not the minimized one.

Accept the default here. You will notice that the IP assigned to the interface does not match our topology, but that is fine for now; it will be addressed at length later.

No proxy needed.

For Configure Ubuntu archive mirror - accept default.

Then in the step below, accept the default as well.

Accept the default on the storage configuration page too. Then finally confirm the "destructive action". Essentially, this begins the install.

The next step is profile setup. Simply enter the information needed.

Select the following

It will begin the install on the following page.

After it reboots, it may prompt you to remove the CD-ROM. Right-click the VM and unmount the install disk.

We will then log in and use tasksel to allow us to install a GUI on the server. Run the command below. At the y/n prompt, select y.

Next we will install the Ubuntu desktop using sudo apt install ubuntu-desktop.

It may take a while. Press Enter when the GUI comes up and then enter reboot.

Upon reboot you will now have a graphical user interface on your Ubuntu server.

Accept the defaults in the wizard.

If your machine does not have Firefox, go ahead and install it.

Navigate to the Splunk site and click on Free Splunk. Be careful not to download the cloud platform trial. We want to install it on the server, so find the 60-day Splunk Enterprise free trial. Then fill out the form for downloads.

Download the below.

When it is finished downloading, we can go into the terminal and get this unpacked and installed on our machine.

To unpack it we will use tar. Specifically, type the command below, then the file name, and then press Enter. If you want more insight into what each of the switches means, enter tar --help separately.

tar -xvzf splunk

After it unpacks, there will be a splunk folder in Downloads; navigate to it.

Once you are in bin, run the command shown. Tip: press the spacebar to scroll to the bottom after the terms come up.

Agree to the licensing and then create admin credentials for Splunk.

When it is done, you should see the following.

Enter the URL it gives you in the browser and boom! Log in with the creds that you set.
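The unpack-and-start steps above can also be done from one script, which is a useful place to add two checks the click-through skips: confirming the tarball's SHA-512 matches the value Splunk publishes next to the download before extracting it, and running Splunk as a dedicated service account instead of your login user. This is an added example, not the post's own commands: the tarball name, the checksum, the SPLUNK_ADMIN_PASS environment variable and the /opt/splunk location are assumptions to replace with your own values, and the non-interactive start flags are Splunk's own for a current Enterprise release.

```shell
#!/bin/sh
# Added example, not from the original post: install the Splunk Enterprise
# tarball only after its SHA-512 matches the value published next to the
# download, and run it as a dedicated unprivileged user rather than the
# account you logged in with. File name, checksum and password below are
# placeholders (assumptions) to replace with your own.

SPLUNK_TGZ="${SPLUNK_TGZ:-$HOME/Downloads/splunk-VERSION-Linux-x86_64.tgz}"  # placeholder name
EXPECTED_SHA512="${EXPECTED_SHA512:-PASTE_SHA512_FROM_DOWNLOAD_PAGE}"          # placeholder hash
SPLUNK_ADMIN_PASS="${SPLUNK_ADMIN_PASS:-}"                                     # set in the environment, never in the file
SPLUNK_HOME=/opt/splunk                                                        # assumed install location

# sha512_of FILE -> prints the hex SHA-512 digest of FILE
sha512_of() {
    sha512sum "$1" | cut -d' ' -f1
}

# verify_tarball FILE EXPECTED -> exit status 0 only when the digest matches
verify_tarball() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 1; }
    actual=$(sha512_of "$1")
    [ "$actual" = "$2" ] || { echo "checksum mismatch for $1" >&2; return 1; }
}

# password_ok PASS -> 0 when it meets Splunk's default minimum of 8 characters
password_ok() {
    [ ${#1} -ge 8 ]
}

# install_splunk -> unpack into /opt, hand ownership to the 'splunk' user,
# accept the licence non-interactively, seed the admin password, and
# register the service so it starts on boot as that user.
install_splunk() {
    verify_tarball "$SPLUNK_TGZ" "$EXPECTED_SHA512" || return 1
    password_ok "$SPLUNK_ADMIN_PASS" || { echo "SPLUNK_ADMIN_PASS must be at least 8 characters" >&2; return 1; }

    # dedicated service account with no interactive shell
    id splunk >/dev/null 2>&1 || sudo useradd --system --home-dir "$SPLUNK_HOME" --shell /usr/sbin/nologin splunk
    sudo tar -xzf "$SPLUNK_TGZ" -C /opt
    sudo chown -R splunk:splunk "$SPLUNK_HOME"

    # same first run as the interactive start in the post, minus the prompts
    sudo -u splunk "$SPLUNK_HOME/bin/splunk" start --accept-license --answer-yes --no-prompt --seed-passwd "$SPLUNK_ADMIN_PASS"
    sudo "$SPLUNK_HOME/bin/splunk" enable boot-start -user splunk
    echo "Splunk Web: http://$(hostname -I | cut -d' ' -f1):8000"
}

# Only attempt the install when a real tarball is in place; otherwise explain
# what to set, so the functions above can be sourced or checked on their own.
if [ -f "$SPLUNK_TGZ" ]; then
    install_splunk
else
    echo "Set SPLUNK_TGZ, EXPECTED_SHA512 and SPLUNK_ADMIN_PASS, then rerun." >&2
fi
```

Run it as SPLUNK_TGZ=... EXPECTED_SHA512=... SPLUNK_ADMIN_PASS=... sh install-splunk.sh from the account you created during the Ubuntu setup; a checksum mismatch stops the script before anything is extracted, which is the point of checking it first.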

This is what the home screen looks like.

In the next part, we will get Windows events from the machines on the victim network ingested into Splunk using the Universal Forwarder.

Part 6- Ingesting logs in Splunk
