How to install Splunk Enterprise and ingest logs using the Splunk Universal Forwarder

Zain ul Abidin
5 min read · Aug 29, 2023

In this blog post, we will explore in detail the process of deploying Splunk Enterprise and configuring it to ingest logs using the Splunk Universal Forwarder.

Here’s the overview of the blog:

  1. SPLUNK: Introduction
  2. How to install Splunk Enterprise
  3. Splunk Universal Forwarder

SPLUNK: Introduction

Splunk is one of the leading platforms used as a SIEM in the information security industry. It indexes machine-generated data (logs, events, metrics) and lets you search, analyse and visualise it in near real time. It can be used to monitor, investigate and troubleshoot IT infrastructure, applications and security issues. With Splunk, organisations can gain valuable insights into their data and make informed decisions to improve their operations and security posture.

How to install Splunk Enterprise:

  • The first step is to create an account on the official Splunk website.
  • After signing up and logging in, you will see the “Free Demo” option in the right corner of the page.
  • Splunk offers a trial version of two platforms:
  1. Splunk Cloud Platform
  2. Splunk Enterprise
Splunk Platforms
  • In this blog, we are deploying “Splunk Enterprise”, which comes with a 60-day trial period.
Splunk Enterprise Download Page
  • The installation package supports multiple operating systems. We are going to deploy it in our Windows environment.

Note: Check the system requirements for your OS before installing.

  • After downloading the package, we install it. The process is simple: just three clicks.
Splunk Installation Process
  • In the next step, we set up the username and password that will be required to access the Splunk web GUI. This is the Splunk admin account, so use a strong, unique password:
Splunk Installation Process
Splunk Installation Process
  • The installation process takes around 5–7 minutes at most.
Splunk Installation Process
  • Splunk Enterprise is now installed. After clicking “Finish”, the Splunk GUI opens in the browser.
  • Here is the Splunk login page; we need the credentials that were set up during installation:
Splunk Enterprise Login Page
Splunk Enterprise Welcome Page
  • Now we will forward our Windows logs to Splunk using the Splunk Universal Forwarder.

Splunk Universal Forwarder:

  • Splunk offers the Universal Forwarder, a lightweight agent that collects logs from different operating systems and sends them to Splunk. You can download it from the official Splunk website.
Splunk Universal Forwarder
  • Before installing the Universal Forwarder, we need to configure Splunk to receive the logs (Settings > Forwarding and receiving > Configure receiving):
Splunk Enterprise Welcome Page
  • The conventional receiving port for forwarded data is TCP 9997; Splunk Web suggests it, and we keep it here.
  • After downloading the package, we install the Universal Forwarder on the machine whose logs we want to forward.
  • As we have deployed Splunk Enterprise (rather than Splunk Cloud), we select that option:
Splunk Universal Forwarder
  • As we aren't using an SSL certificate in this lab, we skip that step. Note that without it the forwarder sends the Windows event logs to the indexer over an unencrypted TCP connection, so for anything beyond a local test you should configure TLS on the receiving port.
  • As I have deployed Splunk locally on the same machine whose logs I'm forwarding, the host name in my case is as follows. The default port on this screen is 8089, Splunk's management port: this screen configures the optional deployment server, not the port the logs are sent to.

Note: You will be using the IP of the machine on which you have installed Splunk. You can get the IP with the “ipconfig” command and use it in the installation process of the Universal Forwarder.

  • Now we specify the receiving port that we previously configured in Splunk (9997):
  • The installation takes around 2 to 3 minutes.
  • Here is the host name of my machine; it will be used in the next steps to confirm successful log ingestion:
  • Now we verify whether logs are arriving in Splunk. Go to the “Search” tab:
  • Clicking the “Data Summary” button opens a pop-up in which we can see our Windows machine's hostname under “Hosts”, as well as the source types (the event log channels we selected during installation) under “Sourcetypes”:
  • Now let's check the events from our local machine in Splunk. Click the host in the “Hosts” tab shown in the screenshot above:
  • We can see that logs are being ingested successfully.
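
The same procedure can be scripted, which is how you would roll the forwarder out to more than one host. The following PowerShell is an added example and not code from the original post: it assumes Splunk Enterprise is installed at C:\Program Files\Splunk and reachable at 192.0.2.10, that the Universal Forwarder MSI was downloaded to C:\Temp\splunkforwarder.msi, that the same admin credential is used for both instances (not recommended outside a lab) and that, as in the post, the forwarder runs on the Splunk Enterprise machine itself. Run it from an elevated PowerShell prompt.

```powershell
# Added example: scripted equivalent of the GUI steps above (not from the original post).
# Assumed values: Splunk Enterprise at 192.0.2.10, installer at C:\Temp\splunkforwarder.msi.
$SplunkHome  = 'C:\Program Files\Splunk'
$UfHome      = 'C:\Program Files\SplunkUniversalForwarder'
$IndexerHost = '192.0.2.10'   # IP of the Splunk Enterprise machine, as shown by `ipconfig`
$ReceivePort = 9997           # conventional receiving port configured under Forwarding and receiving
$UfMsi       = 'C:\Temp\splunkforwarder.msi'

# Prompt for the admin credential instead of hard-coding it in the script.
$Cred = Get-Credential -UserName admin -Message 'Splunk admin password'
$Auth = "admin:$($Cred.GetNetworkCredential().Password)"

# 1. On Splunk Enterprise: open the receiving port (Settings > Forwarding and receiving > Configure receiving).
& "$SplunkHome\bin\splunk.exe" enable listen $ReceivePort -auth $Auth

# 2. On the monitored Windows host: silent install of the Universal Forwarder.
#    RECEIVING_INDEXER points it at the indexer; the WINEVENTLOG_* flags enable the
#    Application, Security and System channels that the GUI installer lets you tick.
$msiArgs = @(
    '/i', "`"$UfMsi`"",
    'AGREETOLICENSE=Yes',
    "SPLUNKUSERNAME=$($Cred.UserName)",
    "SPLUNKPASSWORD=$($Cred.GetNetworkCredential().Password)",
    "RECEIVING_INDEXER=`"${IndexerHost}:${ReceivePort}`"",
    'WINEVENTLOG_APP_ENABLE=1',
    'WINEVENTLOG_SEC_ENABLE=1',
    'WINEVENTLOG_SYS_ENABLE=1',
    '/quiet', '/norestart'
)
Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -NoNewWindow

# 3. On the forwarder: confirm the indexer is configured and listed as an active forward-server.
& "$UfHome\bin\splunk.exe" list forward-server -auth $Auth

# 4. On Splunk Enterprise: the CLI equivalent of the Search > Data Summary check,
#    counting recent events from this host per sourcetype.
$Hostname = $env:COMPUTERNAME
& "$SplunkHome\bin\splunk.exe" search "index=* host=$Hostname earliest=-15m | stats count by sourcetype" -auth $Auth
```

Step 3 should list the indexer under "Active forwards"; if it appears under "Configured but inactive", check that TCP 9997 is reachable from the forwarder (Windows Firewall on the indexer is the usual culprit). Step 4 should return one row per enabled channel, for example WinEventLog:Security, once the first events have been indexed.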

Conclusion

Deploying Splunk Enterprise and configuring it to ingest logs with the Splunk Universal Forwarder is a straightforward process that gives organisations valuable insight into their operations and security posture. By following the steps outlined in this blog post, you can be up and running with Splunk in no time.

Zain ul Abidin

Sr. Security Engineer | Linkedin Profile: /in/zainulabidin7