So, I hosted an unofficial tech-a-thon for women at the very last minute and it was amazing! More to come on that later. My project for the day was going to be deploying Splunk on my virtual machine and feeding logs from my desktop and laptop to my Splunk server. Then, I planned on purchasing a server on the cheap and creating a honeypot that would also feed into Splunk.
Guess how far I actually got? You guessed it. Just deploying Splunk and feeding logs from one host on my network to it. And even that took forever. Mostly because I totally forgot to make sure I adjusted the firewall rules, so I was chasing my tail for like 30 minutes. I also couldn’t figure out where in the app I set up forwarding. With the help of Page who joined the tech-a-thon, I was able to figure it out. Though Splunk has documentation on how to set this up, finding the right documentation that is thorough can be a bit challenging. Here are my notes/musings from the tech-a-thon last Saturday:
Previously, I installed Splunk on a virtual machine on my server. It was painless; I simply used wget and a link from the site to download the software onto my server and installed it using yum. It automatically installed into the /opt directory. /opt is the directory for “the installation of add-on application software packages”. I visited this directory to start Splunk. Splunk directed me to a link: 127.0.0.7:8000

I am using Splunk on CentOS 7. Ran into an issue where I couldn’t access the GUI because of the firewall. I used the following commands to allow my traffic through to the VM (firewalld wants the port written as port/protocol, and permanent rules only take effect after a reload):

firewall-cmd --permanent --zone=public --add-source=192.168.9.0/24
firewall-cmd --permanent --zone=public --add-port=8000/tcp
firewall-cmd --reload

To set up receiving on the Splunk server so that other hosts can forward to it, go to Settings -> Forwarding and Receiving, then click Add new next to Configure receiving under Receiving data. Make sure the chosen port is open in the firewall. Badda bing, badda boom. Eureka! It is FINALLY WORKING!
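Here is an added example of the whole procedure as a script; it is not from the original post and not Splunk's own tooling. It opens Splunk Web and a receiving port on the CentOS 7 VM with firewalld, but ties each port to the LAN subnet with a rich rule instead of the plain --add-source plus --add-port pair, because that pair opens the port to everything the public zone covers rather than just 192.168.9.0/24. It then turns on receiving with the Splunk CLI (the same thing the Settings -> Forwarding and Receiving page does) and points a universal forwarder at the indexer. Assumptions not stated in the post: receiving port 9997, Splunk installed under /opt/splunk, the universal forwarder under /opt/splunkforwarder, and a placeholder indexer address in INDEXER.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumptions (not in the post):
# receiving port 9997, SPLUNK_HOME=/opt/splunk, forwarder home
# /opt/splunkforwarder, and the indexer address held in INDEXER.
set -eu

ZONE="${ZONE:-public}"
LAN_CIDR="${LAN_CIDR:-192.168.9.0/24}"        # home subnet, from the post
WEB_PORT="${WEB_PORT:-8000}"                  # Splunk Web, from the post
RECV_PORT="${RECV_PORT:-9997}"                # assumed receiving port
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"     # assumed indexer install path
FWD_HOME="${FWD_HOME:-/opt/splunkforwarder}"  # assumed forwarder install path
INDEXER="${INDEXER:-splunk.example.internal}" # placeholder, set to the VM's address
DRY_RUN="${DRY_RUN:-0}"                       # DRY_RUN=1 prints commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$@"; else "$@"; fi
}

# firewalld rejects a bare port number ("INVALID_PORT"); it wants port/protocol.
port_spec() {
    case "$1" in
        */tcp|*/udp) printf '%s' "$1" ;;
        *)           printf '%s/tcp' "$1" ;;
    esac
}

# The post's approach: opens the port to every address the zone covers.
open_port_everywhere() {
    run firewall-cmd --permanent --zone="$ZONE" --add-port="$(port_spec "$1")"
}

# A rich rule ties the port to the LAN subnet, so only 192.168.9.0/24 gets in.
rich_rule() {
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="tcp" accept' \
        "$LAN_CIDR" "${1%%/*}"
}

open_port_for_lan() {
    run firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="$(rich_rule "$1")"
}

# Permanent rules only take effect after a reload; then check that they stuck.
apply_firewall() {
    open_port_for_lan "$WEB_PORT"
    open_port_for_lan "$RECV_PORT"
    run firewall-cmd --reload
    for p in "$WEB_PORT" "$RECV_PORT"; do
        run firewall-cmd --zone="$ZONE" --query-rich-rule="$(rich_rule "$p")" \
            || { echo "firewall rule for port $p is missing" >&2; return 1; }
    done
}

# On the indexer: equivalent of Settings -> Forwarding and Receiving -> Configure receiving.
enable_receiving() {
    run "$SPLUNK_HOME/bin/splunk" enable listen "$RECV_PORT"
}

# On each host that should ship logs: point its universal forwarder at the indexer.
point_forwarder() {
    run "$FWD_HOME/bin/splunk" add forward-server "$INDEXER:$RECV_PORT"
    run "$FWD_HOME/bin/splunk" list forward-server
}

case "${1:-}" in
    firewall) apply_firewall ;;
    receive)  enable_receiving ;;
    forward)  point_forwarder ;;
    *)        : ;;  # no argument: only define the functions
esac
```

Run it as root on the VM with `firewall` and then `receive`; run it with `forward` on each desktop or laptop that has the universal forwarder installed, setting INDEXER to the VM's address. Setting DRY_RUN=1 first prints every firewall-cmd and splunk command without executing it, which is a quick way to eyeball the rules before touching a live firewall.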