Steph & Splunk Part 2: Ay Yi Yi!

May 23, 2018
InfoSteph

So, I hosted an unofficial tech-a-thon for women at the very last minute and it was amazing! More to come on that later. My project for the day was going to be deploying Splunk on my virtual machine and feeding logs from my desktop and laptop to my Splunk server. Then, I planned on purchasing a server on the cheap and creating a honeypot that would also feed into Splunk.

Guess how far I actually got? You guessed it. Just deploying Splunk and feeding logs from one host on my network to it. And even that took forever. Mostly because I totally forgot to make sure I adjusted the firewall rules, so I was chasing my tail for like 30 minutes. I also couldn’t figure out where in the app I set up forwarding. With the help of Page, who joined the tech-a-thon, I was able to figure it out. Though Splunk has documentation on how to set this up, finding the right documentation that is thorough can be a bit challenging. Here are my notes/musings from the tech-a-thon last Saturday:

Previously, I installed Splunk on a virtual machine on my server. It was painless; I simply used wget and a link from the site to download the software onto my server and installed it using yum. It automatically installed into the /opt directory. /opt is a directory for “the installation of add-on application software packages”. I visited this directory to start Splunk. Splunk directed me to a link: 127.0.0.7:8000
I am using Splunk on CentOS 7. I ran into an issue where I couldn’t access the GUI because of the firewall. I used the following commands to allow my traffic through to the VM (firewalld’s option flags are double-dashed, the source option is --add-source, and --add-port needs the protocol, so 8000/tcp):
     # allow the local subnet into the public zone
     firewall-cmd --permanent --zone=public --add-source=192.168.9.0/24
     # open the Splunk web UI port (permanent rules take effect after firewall-cmd --reload)
     firewall-cmd --permanent --zone=public --add-port=8000/tcp
To enable forwarding on a host, go to Settings -> Forwarding and Receiving.
Click "Add new" next to "Configure receiving" under "Receiving data" and pick the port the forwarders will send to.
Make sure the chosen port is open in the firewall. Badda bing, badda boom.
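When the GUI or the receiving port is not reachable, it helps to know whether the firewall is dropping the connection or whether nothing is listening yet. The script below is an added example, not something from the post or from Splunk: it probes the web port (8000, as above) and a receiving port (9997 is assumed here as Splunk's usual default; substitute whatever you chose) and maps each outcome to the likely cause. The server address in the demo is a constructed placeholder.

```python
import errno
import socket

# Assumed ports: 8000 is the web UI from the post; 9997 is assumed as the
# receiving port (Splunk's usual default). Adjust to match your setup.
SPLUNK_PORTS = {"web": 8000, "receiving": 9997}

def probe_port(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'refused', 'filtered' (silently
    dropped, the classic firewall symptom), 'unreachable' or 'error'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"        # a listener answered and the firewall let us in
    except socket.timeout:
        return "filtered"    # no SYN/ACK and no RST: a DROP rule is the usual cause
    except ConnectionRefusedError:
        return "refused"     # host sent RST: port reached, nothing listening on it
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "filtered" if e.errno == errno.ETIMEDOUT else "error"
    finally:
        s.close()

HINTS = {
    "open": "reachable; if forwarding still fails, recheck the receiver config",
    "refused": "port reached but nothing listening: is Splunk up / receiving enabled?",
    "filtered": "no reply: check firewall-cmd --list-ports on the server",
    "unreachable": "no route to host: check the VM's network/bridge settings",
    "error": "unexpected socket error; inspect errno",
}

def diagnose(host, ports=SPLUNK_PORTS):
    """Probe each named port and pair the result with a troubleshooting hint."""
    results = {}
    for name, port in ports.items():
        status = probe_port(host, port)
        results[name] = (port, status, HINTS[status])
    return results

def open_local_listener():
    """Bind a throwaway listener on 127.0.0.1 so the probe can be tried offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]

if __name__ == "__main__":
    for name, (port, status, hint) in diagnose("192.168.9.10").items():  # placeholder IP
        print(f"{name:>9} {port}: {status} - {hint}")
```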
Eureka! It is FINALLY WORKING!
This Saturday, I hope to get to the honeypot part of my project. A woman from one of the Slack channels I am a member of referred me to Kippo, so I will be exploring that.
Join us this Saturday for another unofficial tech-a-thon! Everyone is welcome! Just send an email to info@stephandsec.com and I will let you know how to join!
-InfoSteph
