Installing Splunk on Ubuntu 24.04

Justin Mangaoang
May 2, 2024

Security Information and Event Management systems play a crucial role in threat hunting and incident response. They serve as a centralized platform from which analysts can view logs from various resources in their environment.

For this lab, we will be using Splunk as our SIEM. I will be using Xubuntu as my OS because I prefer the XFCE desktop environment. However, the steps listed below should work regardless of your preferred desktop environment.

After installing Ubuntu desktop, download Splunk Enterprise (the .deb package) from the Splunk website. You will be required to create an account before downloading the installer.

Open a terminal and navigate to the Downloads folder.

Install Splunk using the following command (substitute the name of the .deb file you downloaded):

sudo dpkg -i splunk_package_name.deb

I received an error, so I installed curl first and then entered the Splunk installation command.

We will now enable Splunk to start on boot. Open a terminal and type:

sudo /opt/splunk/bin/splunk enable boot-start

Scroll down and agree to the license.

Create an admin account and its corresponding password.

Reboot.

Once back on the desktop, open Firefox and go to localhost:8000. If boot-start was enabled, the Splunk login screen should appear. Enter your Splunk admin credentials.

After logging in, select Settings on the upper right-hand side and go to Forwarding and receiving.

Select Configure receiving.

Select New Receiving Port on the upper right.

We will use the default port of 9997. Enter 9997 and click Save.

We will be receiving two types of logs from our victim machine: Windows Event Logs and Sysmon logs. We will create one index for each log type.

Click Settings and under Data select Indexes.

Select New index on the upper right.

Type wineventlog in the index name field. Make sure that Events is selected as the index data type, then click Save.

Create another index and name it sysmon. Once again, make sure Events is selected as the index data type, then click Save.

Remember the virtual network we created earlier in VMware? We will now change the VM's network adapter from NAT to that network. Power down the machine and change the network adapter to the one we created.

After changing the network adapter, boot up the machine. We will now set a static IP on our Splunk VM.

First, we need to determine the network adapter name, which we will use when we edit the network configuration. Open a terminal and type ip a.

In my case, my network adapter name is ens33. Please take note of the network adapter name on your end.

Navigate to the netplan directory by typing cd /etc/netplan in the terminal. We will be editing the network manager YAML file. Type sudo nano 01-network-manager-all.yaml.

We will now edit the file. Follow the format as shown in the screenshot below. Enter your desired private IP address. Take note that you will need to change the network adapter name to the one that appears on your machine.

Once you have entered all the necessary information, press Ctrl + X, then Y, then Enter to save the changes.

To apply the netplan configuration, type sudo netplan apply in the terminal.

Verify that the IP address changed by typing ip a in the terminal.

We have successfully installed Splunk. We now need to set up our Windows machine so we can generate logs to forward to our Splunk SIEM.
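The netplan file edited in the steps above, as an added example (this is not the author's screenshot or the distribution's default file). It assumes a lab subnet of 192.168.10.0/24, a Splunk VM address of 192.168.10.10 and a gateway at 192.168.10.1; only the adapter name ens33 comes from the post.

```yaml
# /etc/netplan/01-network-manager-all.yaml (added example; addresses are assumed)
# Replace ens33 with the adapter name shown by `ip a` on your machine and
# the addresses with the private range of your VMware lab network.
network:
  version: 2
  renderer: NetworkManager
  ethernets:
    ens33:
      dhcp4: false          # disable DHCP so the address below is used
      addresses:
        - 192.168.10.10/24  # static IP of the Splunk VM (assumed)
      routes:
        - to: default       # only needed if the lab network has a gateway
          via: 192.168.10.1 # gateway address (assumed)
      nameservers:
        addresses:
          - 192.168.10.1    # DNS resolver for the lab (assumed)
```

Running sudo netplan try instead of sudo netplan apply applies the change and rolls it back after 120 seconds unless you confirm it, which avoids locking yourself out of the VM if the address is mistyped. Recent netplan versions also warn when the file is readable by other users, so sudo chmod 600 /etc/netplan/01-network-manager-all.yaml keeps the configuration private and silences that warning.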

Intro: Building a Threat Hunting/Malware Home Lab

Next: Setting Up the Victim Machine
