WTF is Splunk? It sounds dirty.

I'll be the first to say I'm not a defender at all by trade, but more and more recently I have found myself with a deeper interest in how different tooling slots together from both an offensive and defensive perspective. I come across Splunk all too often on engagements and have written queries for the dashboard before, but I have not deployed it inside my lab from scratch before. So this post is going to be a walk-through of both deploying it on the server and ingesting logs. There are lots of guides out there, but via my searching I struggled to find it all in one place, plus I wanted to document the process to make my life easier and hopefully yours too!

Quick overview of what Splunk is before diving into the super technical deployment fun. It is a lot of things, but at a core level it is a digestor and visualizer of data. It takes various inputs of logs and data and makes them readable by humans; it enables users to search, analyse and visualise data from sources such as servers, end-user devices, websites, sensors, devices and everything in-between. It has multiple usages and is not just for security. It works in a client-server model, which is split up into:

The default ‘admin’ password is ‘changeme’, so we need to change it immediately to do anything else, or we will see errors in future steps:

sudo /opt/splunkforwarder/bin/splunk edit user admin -password YOUR_NEW_PASSWORD -auth admin:changeme

Remember – the forwarder is a new ‘light’ installation of the server and as such has its own users!

Set the server:

sudo /opt/splunkforwarder/bin/splunk add forward-server YOUR_SERVER_ADDRESS:9997

NOTE: if you get prompted for a Splunk username/password you likely skipped the above step.

NOTE: this requires you to enable ‘receiving’ of data on the port specified above, usually 9997.

Enable some monitors on the box. Some common services and log locations to get you started…

Apache2 HTTPd: sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/apache2 -index main -sourcetype Apache2

Tomcat7: sudo /opt/splunkforwarder/bin/splunk add monitor /opt/tomcat7/logs -index main -sourcetype Tomcat7

MySQL: sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/mysql -index main -sourcetype MySQL

Postfix (SMTP): sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/mail.log -index main -sourcetype Postfix

Squid3 (Proxy): sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/squid/access.log -index main -sourcetype Squid3
sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/squid/cache.log -index main -sourcetype Squid3

SonarQube: sudo /opt/splunkforwarder/bin/splunk add monitor /opt/sonar/logs -index main -sourcetype Sonar

PM2: sudo /opt/splunkforwarder/bin/splunk add monitor /home//.pm2/logs -index main -sourcetype PM2

NPM: sudo /opt/splunkforwarder/bin/splunk add monitor /home/scott/.npm/_logs -index main -sourcetype NPM

(OPTIONAL) Verify the configuration by opening the file at the following location:

sudo su
vi /opt/splunkforwarder/etc/apps/search/local/nf
exit

You should now be able to log into your server and see new data flowing from the forwarder.
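As an added example (written for this walk-through, not code from the post or from Splunk), here is what the forward-server and add-monitor steps above end up writing into the forwarder's inputs.conf and outputs.conf, plus a check you can run over the file the optional verify step opens to catch a monitor that lost its sourcetype or index. The monitor list is taken from the commands above; the server address is a constructed placeholder.

```python
"""Render and verify the Splunk forwarder .conf stanzas behind the CLI steps.
Example code for this post, not Splunk's own tooling; sample values are constructed."""
import configparser

# Constructed from the 'splunk add monitor' commands above: (path, index, sourcetype)
MONITORS = [
    ("/var/log/apache2", "main", "Apache2"),
    ("/opt/tomcat7/logs", "main", "Tomcat7"),
    ("/var/log/mysql", "main", "MySQL"),
    ("/var/log/mail.log", "main", "Postfix"),
    ("/var/log/squid/access.log", "main", "Squid3"),
    ("/var/log/squid/cache.log", "main", "Squid3"),
]
FORWARD_SERVER = "10.0.0.5:9997"  # placeholder standing in for YOUR_SERVER_ADDRESS:9997


def render_inputs_conf(monitors):
    """One [monitor://<path>] stanza per 'add monitor' call (path keeps its leading slash)."""
    stanzas = []
    for path, index, sourcetype in monitors:
        stanzas.append(f"[monitor://{path}]\nindex = {index}\nsourcetype = {sourcetype}\ndisabled = false\n")
    return "\n".join(stanzas)


def render_outputs_conf(server):
    """The tcpout group that 'add forward-server HOST:9997' creates; the indexer must
    be listening on that port (the 'enable receiving' note above) or nothing arrives."""
    return (f"[tcpout]\ndefaultGroup = default-autolb-group\n\n"
            f"[tcpout:default-autolb-group]\nserver = {server}\n\n"
            f"[tcpout-server://{server}]\n")


def check_inputs_conf(text):
    """Return a list of problems found in an inputs.conf: a monitor stanza missing
    index or sourcetype (events land in the default index / a guessed sourcetype),
    or one that is disabled. Empty list means the file matches what the steps intended."""
    cp = configparser.ConfigParser(interpolation=None, strict=True)
    cp.read_string(text)
    problems = []
    for section in cp.sections():
        if not section.startswith("monitor://"):
            continue
        for key in ("index", "sourcetype"):
            if not cp.has_option(section, key):
                problems.append(f"{section}: missing {key}")
        if cp.get(section, "disabled", fallback="false").lower() not in ("false", "0"):
            problems.append(f"{section}: disabled")
    return problems


if __name__ == "__main__":
    print(render_outputs_conf(FORWARD_SERVER))
    print(render_inputs_conf(MONITORS))
    print("problems:", check_inputs_conf(render_inputs_conf(MONITORS)))
```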