I have recently Installed Splunk in my home lab. Although I have access to a Splunk cyber range to practice in, I wanted to delve further and go deeper with admin functionality than I could in the cyber range. I first got introduced to Splunk back in December last year during TryhackMe’s Advent of Cyber 2024 event. Since then, I also used the Splunk cyber range as a big part of becoming a Certified Security Operations Center Analyst(CSOCA). Installing Splunk in my home lab gives me experience I couldn’t get in these other environments as they were administrated by others and I didn’t have the rights to delve into the administrative features.

What is Splunk

More specifically, what is Splunk Enterprise? Because that is what is actually being referenced.

Splunk Enterprise is a data platform designed to help businesses manage big data and analyze machine data. Key features include data visualization, performance metrics, data collection, real-time search, indexing, KPI tracking, reporting, and monitoring.You can collect data from devices and applications such as websites, servers, databases, operating systems, and more. Once the data is collected, the index segments, stores, compresses the data, and maintains the supporting metadata to accelerate searching.

The Splunk Install

I installed Splunk on an Ubuntu 24.04 LTS system and installed a Universal Forwarder on a Windows 10 machine. I intend to install more forwarders on other machines but for now this is my initial set up just to dip my toes in the water.

The process of getting Splunk and the Universal Forwarder installed consisted of:

• Installing Splunk Enterprise on Ubuntu.

• Installing the Universal Forwarder on Windows.

• Configuring the Universal Forwarder in an outputs.conf file.

• Writing a new firewall rule to allow for incomming traffic from the Splunk Enterprise instance to the Windows machine.

• Creating an Indexer in Splunk.

• Configuring the Indexer to be aware of the incoming data from the Windows machine.

• Installing Sysmon on the Windows machine to include in the output sent to Splunk.

• Writing a .bat file to keep track of the installed apps on the Windows machine.

I think this will do for now, Ill be keeping an eye on the Splunk Search app to monitor input.

What I Learned

• How to configure a Universal Forwarder on an endpoint.

• output.conf file creation.

• How to create and configure an Indexer in Splunk.

• .bat file creation to keep track of installed apps on Windows.

This isnt over, I intend to install Universal Forwarders on more VMs in my home lab leading to a SOC setup to practice with.