Building a Splunk lab [part 1]

Introduction
This is a mini walkthrough on creating your very own personal Splunk lab. Splunk is a great tool with almost unlimited possibilities of use, and it also makes one epic SIEM. I will be writing a few posts of this nature, so keep checking back. Head over to http://www.splunk.com and click on the great big FREE SPLUNK button to get started, then follow the guide below to get it running.


Notes:

• Code snippets will be surrounded by <code>*</code> tags
• Commands will be surrounded by <command>*</command> tags


Pre-requisites

Download CentOS 7 x64
(http://isoredirect.centos.org/centos/7/isos/x86_64/CentOS-7-x86_64-DVD-1503-01.iso)

Register for free Splunk and download Splunk Enterprise RPM  
(http://www.splunk.com/en_us/download/spelunking-enterprise.html#)

Download & Install VirtualBox  
(http://download.virtualbox.org/virtualbox/4.3.26/VirtualBox-4.3.26-98988-Win.exe)


Creating the VM

1. In the VirtualBox application window, select ‘Machine > New’ from the main navigation bar.

2. Give your new virtual machine a name. To appease my OCD tendencies, I usually name VMs something like “Splunk 6.2 – CentOS 7 – x64”.

3. Select “Linux” and “Red Hat (64 bit)” from the ‘Type’ and ‘Version’ drop down menus. Select ‘Next’.

4. The amount of memory you are able to assign to your Splunk VM depends on the host you’re running it on. It is recommended that you give the VM at least 1GB (1024MB) of memory. Once you have chosen the amount, select ‘Next’.

5. Leave the default option of “Create a virtual hard drive now”, select ‘Create’.

6. Select your preferred disk extension or leave as default of VDI. Select ‘Next’.

7. Leave the default value of “Dynamically allocated” for the disk type. Select ‘Next’.

8. Using the slider, select the size of the VM’s hard drive. Allocate the VM at least 30GB. Select ‘Create’.

9. The VM has now been created. In the VirtualBox application window, double-click the VM you just created.

10. When prompted to select a virtual optical disk, select the folder icon on the left of the window and navigate to the CentOS ISO that was downloaded earlier.

11. Select ‘Start’.


Installing CentOS

1. At the CentOS 7 boot menu, select “Install CentOS 7”. The installer will load all the required files.

2. Select your language preference at the welcome screen and select ‘Continue’.

3. Modifications to time zones / keyboard layouts can be made on the “Installation Summary” page.

4. Select “Software Selection” and check the radio button alongside “Infrastructure Server”. Select “Done”.

5. Select “Network & Hostname” and flip the toggle for the network adapter to ON to enable networking. Static addressing can be configured by clicking “Configure…”. If not configured manually, the VM will be assigned an IP address via DHCP. Select “Done”.

6. Select “Installation Destination” and then select “Done” to confirm automatic partitioning.

7. Select “Begin Installation”.

8. While the installation runs, the configuration window will prompt you to set a root password and, optionally, create additional users.

9. Once the root password has been set and the installer reports that it is complete, select “Reboot”. The VM will now restart and you are ready to progress on to the next step.


A Few Config Changes

– Change the hostname of the CentOS VM. Note that <code>hostname NAME</code> only changes the running value and is lost at the next reboot; on CentOS 7 use hostnamectl, which also writes /etc/hostname so the name sticks:

  <command> hostnamectl set-hostname SPLUNKVM </command>

– Allow port 8000/tcp (Splunk Web) through firewalld. The first command only changes the saved configuration, the reload applies it to the running firewall, and the last one lets you confirm that 8000/tcp is now listed under “ports:” for the active zone:

  <command> firewall-cmd --permanent --add-port=8000/tcp </command>

  <command> firewall-cmd --reload </command>

  <command> firewall-cmd --list-all </command>
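The same two changes as a script, added here as an example and not code from the original post. It assumes the CentOS 7 defaults of systemd and firewalld and that it runs as root. SPLUNK_HOST, SPLUNK_WEB_PORT and LAB_SUBNET are names chosen for this script; the optional LAB_SUBNET (for example the VirtualBox host-only network) limits which addresses can reach Splunk Web, whereas the post opens port 8000 to every network the VM is attached to. It also verifies that the rule actually made it into the running firewall rather than only into the saved configuration:

```shell
#!/bin/sh
# Added example, not code from the original post. Persistent hostname plus a
# firewalld opening for Splunk Web, with a check that the rule actually took.
# Assumes CentOS 7 defaults (systemd + firewalld) and that it runs as root.
# SPLUNK_HOST, SPLUNK_WEB_PORT and LAB_SUBNET are names chosen for this script.
set -eu

SPLUNK_HOST="${SPLUNK_HOST:-SPLUNKVM}"
SPLUNK_WEB_PORT="${SPLUNK_WEB_PORT:-8000}"
# Optional: limit Splunk Web to one subnet, e.g. the VirtualBox host-only
# network (192.168.56.0/24 by default). Empty = open to all, as in the post.
LAB_SUBNET="${LAB_SUBNET:-}"

# firewalld rich rule: accept TCP <port> only when the source is <subnet>.
rich_rule() {
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="tcp" accept' "$1" "$2"
}

# Succeeds when "<port>/tcp" appears in `firewall-cmd --list-ports` output.
port_listed() {
    wanted="$1/tcp"
    for entry in $2; do
        [ "$entry" = "$wanted" ] && return 0
    done
    return 1
}

configure_splunk_host() {
    # `hostname NAME` changes only the running kernel value; hostnamectl also
    # writes /etc/hostname, so the name survives the reboot done later on.
    hostnamectl set-hostname "$SPLUNK_HOST"

    if [ -n "$LAB_SUBNET" ]; then
        firewall-cmd --permanent --add-rich-rule="$(rich_rule "$LAB_SUBNET" "$SPLUNK_WEB_PORT")"
    else
        firewall-cmd --permanent --add-port="${SPLUNK_WEB_PORT}/tcp"
    fi
    # --permanent edits only the saved config; reload pushes it into the live firewall.
    firewall-cmd --reload

    if [ -n "$LAB_SUBNET" ]; then
        firewall-cmd --list-rich-rules
    elif port_listed "$SPLUNK_WEB_PORT" "$(firewall-cmd --list-ports)"; then
        echo "tcp/${SPLUNK_WEB_PORT} is open in zone $(firewall-cmd --get-default-zone)"
    else
        echo "tcp/${SPLUNK_WEB_PORT} is NOT open; inspect firewall-cmd --list-all" >&2
        return 1
    fi
}

# Only touch the system when run as root on a host that has the tools (the VM).
if [ "$(id -u)" -eq 0 ] && command -v hostnamectl >/dev/null 2>&1 \
   && command -v firewall-cmd >/dev/null 2>&1; then
    configure_splunk_host
fi
```

Run it on the VM as root, e.g. LAB_SUBNET=192.168.56.0/24 sh configure-splunk-host.sh to restrict access, or with LAB_SUBNET unset to reproduce the post's blanket rule. When a subnet is given the rich rule replaces --add-port, so --list-ports will stay empty and the rule shows up under --list-rich-rules instead.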


Downloading Splunk

1. Open a web browser and navigate to http://www.splunk.com. Select “FREE SPLUNK” at the top of the page. You may be prompted to create an account.

2. On the download page, select “Free Download” beneath the “splunk>enterprise” header.

3. Select “linux” beneath the operating system header.

4. Select the 64-bit release. As we are using CentOS, select the rpm installer.

5. The download will begin automatically. However, we will be taking another approach. On the right hand side of the page, select “Get this URL” beside “Got wget?”.

6. Go back to your virtual machine, log in as root if you haven’t already.

7. Change directory into the tmp directory:

 <command> cd /tmp </command>

8. Copy & paste the entire wget command into the console and run it. The rpm package will now download into the /tmp directory.

9. Confirm that the rpm has downloaded by listing the contents of /tmp, and check that it is a sensibly sized package rather than a small HTML error page saved under the .rpm name.

 <command> ls </command>

 

Installing

1. Now that we have the file downloaded, go ahead and install the package. To do this, run the following command:

 <command> rpm -i splunk-6.2.2-255606-linux-2.6-x86_64.rpm </command>

2. Splunk is now installed under /opt/splunk, but before we can dive in we need to configure Splunk to start at boot, running as the unprivileged ‘splunk’ user that the installer created rather than as root. To do this, run the following command (note the absolute path):

 <command> /opt/splunk/bin/splunk enable boot-start -user splunk --accept-license </command>

3. Splunk is now installed and configured to run at boot, try a reboot to test.

 <command> reboot </command>
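The download and install steps above as one script, added here as an example and not code from the original post. It assumes CentOS 7 and running as root. SPLUNK_WGET_URL (the URL copied from the “Got wget?” link) and SPLUNK_SHA256 (the checksum published for the package, assumed here to be SHA-256; swap in md5sum or sha512sum if the download page gives a different digest) are names chosen for this script, and the 6.2.2 file name is the one used in the post. Beyond the post's commands it checks that the file that landed in /tmp really is an RPM and matches the published checksum before handing it to rpm -i:

```shell
#!/bin/sh
# Added example, not code from the original post. Fetches the Splunk RPM with
# the "Got wget?" URL, checks that what landed in /tmp is really an RPM and
# matches the published checksum, then installs it and enables boot-start.
# Assumes CentOS 7, run as root. SPLUNK_WGET_URL (the URL copied from the
# download page) and SPLUNK_SHA256 (the checksum shown beside it) are names
# chosen for this script; the 6.2.2 file name is the one used in the post.
set -eu

RPM_NAME="${RPM_NAME:-splunk-6.2.2-255606-linux-2.6-x86_64.rpm}"
RPM_PATH="/tmp/${RPM_NAME}"
SPLUNK_WGET_URL="${SPLUNK_WGET_URL:-}"
SPLUNK_SHA256="${SPLUNK_SHA256:-}"

# Every RPM starts with the 4-byte "lead" magic ed ab ee db. A download that
# quietly turned into an HTML error page (expired link, login wall) fails this.
is_rpm() {
    [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "edabeedb" ]
}

# SHA-256 of a file as lowercase hex (sha256sum, or shasum on hosts without it).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeeds when the file's digest equals the expected one (case-insensitive).
sha256_matches() {
    [ "$(sha256_of "$1")" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

install_splunk() {
    cd /tmp
    wget -O "$RPM_PATH" "$SPLUNK_WGET_URL"

    is_rpm "$RPM_PATH" || { echo "$RPM_PATH is not an RPM; copy a fresh wget URL" >&2; return 1; }
    if [ -n "$SPLUNK_SHA256" ]; then
        sha256_matches "$RPM_PATH" "$SPLUNK_SHA256" || { echo "checksum mismatch, not installing" >&2; return 1; }
    fi
    # Signature status of the package. It reports MISSING KEYS until the
    # vendor's signing key is imported with rpm --import; still worth seeing.
    rpm --checksig "$RPM_PATH" || true

    rpm -i "$RPM_PATH"
    # The RPM created the 'splunk' user; run the daemon as it, never as root.
    # Absolute path: the post's ./opt/... form only works from /.
    /opt/splunk/bin/splunk enable boot-start -user splunk --accept-license
    echo "installed; reboot, then browse to http://<vm-ip>:8000"
}

# Only act on a real install host: root, rpm available, and a URL supplied.
if [ "$(id -u)" -eq 0 ] && command -v rpm >/dev/null 2>&1 && [ -n "$SPLUNK_WGET_URL" ]; then
    install_splunk
fi
```

Run it on the VM as root with the two values pasted from the download page, e.g. SPLUNK_WGET_URL='...' SPLUNK_SHA256=... sh install-splunk.sh. The magic-byte check is cheap and catches the common failure where the time-limited wget link has expired and the "package" is actually a web page; the checksum and rpm --checksig steps are what stop you from installing a tampered or corrupted binary onto the box that will be collecting your logs.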

 

If all went well you should now be able to reach your Splunk instance from a web browser outside the virtual machine. Navigate to http://<vm-ip-address>:8000 (the address the VM got via DHCP, or the static one you set during install), log in with the default admin / changeme credentials and change the admin password when prompted. Bear in mind that Splunk Web is served over plain HTTP on port 8000 until SSL is enabled, so do this on your lab network rather than one you share with others.
