SOC Home Lab — Part 3

Dyavanapellisujal
4 min read · Jul 23, 2024


This is the third part of my blog series on setting up a SOC Home Lab. I will demonstrate how to set up a Splunk server on the SOC Analyst machine and ingest data into the Splunk indexer. To learn more about Splunk, check here.

Installing Splunk

Download Splunk from the Splunk website, then run the command below in the directory where the Splunk installation file was saved.

sudo tar xvzf [splunk tar file] -C /opt/

Then start the Splunk server with the command below; on the first start it will prompt you to set the admin account and password.

cd /opt/splunk/bin && sudo ./splunk start --accept-license

Once started, it prints the URI on which the Splunk web GUI can be accessed; log in with the username and password you configured above.

The installation of Splunk is successful.

Ingesting data to Splunk

Click Settings → Add Data → [Method]

There are guides for each data source and ingestion method. To learn more about data ingestion in Splunk, check this documentation.

I will demonstrate the Monitor and Forward methods. For the Monitor method, I will monitor the log file generated by Suricata on the machine running Splunk. I created a directory named suricata in my user directory, then spun up Suricata to log its alerts in that directory.

Next, spin up your Kali machine and perform a SYN scan with nmap against one of the lab machines; the resulting Suricata alerts are written to the directory specified above.

Select "Files & Directories" as the monitoring source.

Select the "Continuously Monitor" option, so that whenever new data is logged, Splunk indexes it and we can monitor it as it arrives.

Review whether the ingested logs are parsed in the correct format.

Setting up Universal Forwarders

Click Settings → Forwarding and Receiving → Configure Receiving → New Receiving Port → Add port [9997 default].

I will set up a forwarder on the Ubuntu machine in the target LAN to forward data to the Splunk server in the security LAN. A firewall rule must be added in pfSense to allow this traffic from the target LAN into the security LAN.

Download the Universal Forwarder for the target LAN machines from here. Move to the directory where the Splunk forwarder was downloaded and extract it to the /opt directory.

sudo tar xzvf [forwarder file] -C /opt/
cd /opt/splunkforwarder/bin && sudo ./splunk start --accept-license   # start the forwarder
sudo ./splunk enable boot-start   # start the forwarder service automatically on boot
sudo ./splunk add forward-server [SOC Analyst IP]:[Receiving Port]   # add the Splunk server as a forward server

Run the command below to tell the forwarder which data to send.

sudo ./splunk add monitor /var/log/auth.log
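As an added example (not part of the original post), the same settings that the add forward-server and add monitor commands produce, written directly as the forwarder's outputs.conf and inputs.conf so they can be deployed to several target-LAN machines with one script. The forwarder home, indexer IP and monitored paths are arguments supplied by the caller; the output group name soc-indexer is an assumed label.

```shell
#!/bin/sh
# Added example: write a Universal Forwarder's outputs.conf and inputs.conf
# directly (equivalent to `splunk add forward-server` and `splunk add monitor`).
# Assumes the forwarder home is /opt/splunkforwarder as in this lab; the
# indexer IP, receiving port and monitored paths are caller-supplied.

# write_forwarder_conf SPLUNK_HOME INDEXER_IP PORT MONITOR_PATH [MONITOR_PATH...]
write_forwarder_conf() {
  home="$1"; indexer="$2"; port="$3"; shift 3
  # Refuse obviously bad input rather than writing a broken config.
  [ -n "$home" ] && [ -n "$indexer" ] || { echo "usage: write_forwarder_conf HOME IP PORT PATH..." >&2; return 1; }
  case "$port" in
    ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
  esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
  [ "$#" -ge 1 ] || { echo "at least one monitor path is required" >&2; return 1; }

  local_dir="$home/etc/system/local"
  mkdir -p "$local_dir" || return 1

  # outputs.conf: where the forwarder sends data (the indexer's receiving port).
  cat > "$local_dir/outputs.conf" <<EOF
[tcpout]
defaultGroup = soc-indexer

[tcpout:soc-indexer]
server = $indexer:$port
EOF

  # inputs.conf: one monitor stanza per file or directory to forward.
  : > "$local_dir/inputs.conf"
  for p in "$@"; do
    printf '[monitor://%s]\ndisabled = false\n\n' "$p" >> "$local_dir/inputs.conf"
  done
  echo "wrote $local_dir/outputs.conf and $local_dir/inputs.conf"
}

# Apply the config when run with arguments, e.g.:
#   sudo sh forwarder_conf.sh /opt/splunkforwarder 10.10.20.5 9997 /var/log/auth.log
# then restart the forwarder so it picks up the files: sudo /opt/splunkforwarder/bin/splunk restart
if [ "$#" -ge 4 ]; then
  write_forwarder_conf "$@"
fi
```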

To verify that the data is being forwarded:

Click Search & Reporting → Data Summary.

The forwarder is working fine and the data is arriving in Splunk.

Note: To save resources and avoid excessive storage consumption, delete old logs manually or through scripts.

Add more forwarders to get all the necessary data into your Splunk server for monitoring.

I trust this blog has been valuable for setting up a simulated SOC Home Lab. Your feedback and comments are greatly appreciated.
