Splunk
Splunk is a log aggregator used to centralize logs and data. At the SOC we use it as a Security Information and Event Management (SIEM) system.
What you can do with Splunk:
Collect logs using the Splunk Universal Forwarders
Create detections and alerts
Use SOAR to automate tasks
Create cool dashboards
Scale out config deployments using the Splunk Deployment Server
How to set up a Splunk Server
Download the installer from Splunk
Install Splunk onto your system
Linux
Switch to the root user
su root
Download the correct file for your Linux distribution. For example, for Debian run the command below.
wget -O splunk-9.4.1-e3bdab203ac8-linux-amd64.deb "https://download.splunk.com/products/splunk/releases/9.4.1/linux/splunk-9.4.1-e3bdab203ac8-linux-amd64.deb"
Note that the name of the file may differ if you download a different version.
Run the command to extract and install the file. For .deb files it's the command below.
dpkg -i splunk-9.4.1-e3bdab203ac8-linux-amd64.deb
Accept the license and create an admin user. This user will be used to log in to the Splunk web interface.
Change directory into the default bin location for Splunk. This is where all Splunk binaries are kept.
cd /opt/splunk/bin
Run the splunk binary to start Splunk.
./splunk start
Access Splunk Web and log in using the admin user you created. The web interface is available on http://localhost:8000
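The Linux steps above, collected into one non-interactive script. This is an added example, not code from the original page or from Splunk: the version and build values are the ones on the page, while the .sha512 companion file next to each download, the "splunk" service account created by the package, and the Universal Forwarder URL layout are assumptions and are marked as such in the comments.

```shell
#!/bin/sh
# Added example, not from the original page: a non-interactive version of the
# Linux steps above (download, verify, install, first start). Version and build
# values come from the page; the .sha512 companion file, the "splunk" service
# account and the forwarder URL layout are assumptions.
set -eu

SPLUNK_VERSION="9.4.1"
SPLUNK_BUILD="e3bdab203ac8"
SPLUNK_HOME="/opt/splunk"

# File name follows the page's pattern: splunk-<version>-<build>-<platform>.
# Assumption: the Universal Forwarder uses the same pattern with the
# "splunkforwarder" prefix.
splunk_filename() {
  # $1 = product (splunk|universalforwarder), $2 = version, $3 = build,
  # $4 = platform suffix such as linux-amd64.deb or windows-x64.msi
  case "$1" in
    splunk) echo "splunk-$2-$3-$4" ;;
    universalforwarder) echo "splunkforwarder-$2-$3-$4" ;;
    *) echo "unknown product: $1" >&2; return 1 ;;
  esac
}

# Download URL, matching the host/path layout of the wget command on the page.
splunk_url() {
  # $1 = product, $2 = version, $3 = os dir (linux|windows), $4 = file name
  echo "https://download.splunk.com/products/$1/releases/$2/$3/$4"
}

# Pick the package manager from the file extension so the same script serves
# Debian/Ubuntu (.deb) and RHEL-family (.rpm) hosts.
install_cmd() {
  case "$1" in
    *.deb) echo "dpkg -i $1" ;;
    *.rpm) echo "rpm -i $1" ;;
    *) echo "unsupported package type: $1" >&2; return 1 ;;
  esac
}

# SHA-512 of a file with whichever tool the host has; prints the hex digest only.
sha512_of() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 512 "$1" | awk '{print $1}'
  else
    openssl dgst -sha512 "$1" | awk '{print $NF}'
  fi
}

# Compare the package digest with the expected one; returns non-zero on a
# mismatch so "set -e" stops the script before dpkg/rpm ever runs.
verify_sha512() {
  # $1 = package file, $2 = expected hex digest
  actual=$(sha512_of "$1")
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $1" >&2
    return 1
  fi
  echo "checksum OK: $1"
}

install_splunk() {
  # $1 = password for the seeded admin account (placeholder; supply your own)
  pkg=$(splunk_filename splunk "$SPLUNK_VERSION" "$SPLUNK_BUILD" linux-amd64.deb)
  url=$(splunk_url splunk "$SPLUNK_VERSION" linux "$pkg")
  wget -O "$pkg" "$url"
  # Assumption: Splunk publishes "<url>.sha512" containing "<digest>  <file>".
  wget -O "$pkg.sha512" "$url.sha512"
  verify_sha512 "$pkg" "$(awk '{print $1}' "$pkg.sha512")"
  sh -c "$(install_cmd "$pkg")"
  # First start: accept the license and seed the admin password without
  # prompts, the non-interactive form of the license/admin-user step above.
  "$SPLUNK_HOME/bin/splunk" start --accept-license --answer-yes --no-prompt --seed-passwd "$1"
  # Start at boot as the unprivileged "splunk" account rather than root
  # (assumption: the package created that account).
  "$SPLUNK_HOME/bin/splunk" enable boot-start -user splunk
}

# Only the guarded call below touches the host. Run as root with:
#   SPLUNK_DO_INSTALL=1 SPLUNK_ADMIN_PASSWORD='<placeholder>' ./install_splunk.sh
if [ "${SPLUNK_DO_INSTALL:-0}" = "1" ]; then
  install_splunk "${SPLUNK_ADMIN_PASSWORD:?set SPLUNK_ADMIN_PASSWORD}"
fi
```

The checksum step is the part worth keeping even if you install by hand: it makes the install fail closed when the downloaded package does not match what Splunk published, and the helper functions can be sourced on their own to build the forwarder file name and URL for the endpoint install.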
Windows
Run the command below in PowerShell (there, wget is an alias for Invoke-WebRequest).
wget -O splunk-9.4.1-e3bdab203ac8-windows-x64.msi "https://download.splunk.com/products/splunk/releases/9.4.1/windows/splunk-9.4.1-e3bdab203ac8-windows-x64.msi"
Double click on the .msi file you downloaded and follow the instructions to install.
How to set up the Splunk Universal Forwarder
The Splunk Universal Forwarder is installed on endpoint devices to gather logs and send them back to your Splunk Server. Download the correct Splunk Universal Forwarder for the endpoint device.
Go to Splunk to download the Splunk Universal Forwarder (SUF).