Splunk Build Configuration and Setup Guide

This guide walks you through configuring a Splunk build from scratch, setting up data ingestion, integrating lookups and addons, and troubleshooting lookup errors in a SIEM environment.


🛠️ 1. Installing and Logging into Splunk Build

Installation

  1. Download the latest Splunk Enterprise package from Splunk's official site.
  2. Install Splunk:
    sudo dpkg -i splunk_package.deb  # For Ubuntu/Debian
    sudo rpm -i splunk_package.rpm    # For CentOS/RedHat
  3. Start Splunk:
    sudo /opt/splunk/bin/splunk start --accept-license

Log into Splunk Web

  • Navigate to http://localhost:8000
  • Default credentials:
    • Username: admin
    • Password: changeme
  • (Important) Change the default password immediately after logging in.

📥 2. Setting Up Data Ingestion

Add Data via Splunk Web

  1. Go to Settings > Add Data.
  2. Choose your data source (Files & Directories, HTTP Event Collector, etc.).
  3. Define Source Type and set an Index (e.g., index=firewall_logs).
  4. Finish setup, then confirm data is flowing by running this search in Search & Reporting:
    index=* | stats count by source

Forwarder Setup (Optional)

For remote data ingestion:

  1. Install Splunk Universal Forwarder on the data source.
  2. Configure the forwarder to send data to the Splunk instance:
    sudo /opt/splunkforwarder/bin/splunk add forward-server <splunk_server>:9997
  3. Define inputs on the forwarder:
    sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/syslog

🔗 3. Integrating Lookups and Add-ons

Adding Lookups

  1. Go to Settings > Lookups > Lookup table files.
  2. Upload your CSV file (e.g., malicious_ips.csv).
  3. Create a lookup definition under Lookup Definitions:
    • Name: malicious_ip_lookup
    • File: malicious_ips.csv
    • Type: file-based
  4. Validate the lookup with:
    | inputlookup malicious_ip_lookup

Install Add-ons

  1. Visit Splunkbase and download the desired add-on (e.g., TA for Windows).
  2. Install via Apps > Manage Apps > Install app from file.
  3. Configure the add-on under Configuration in the app menu.

🔍 4. Finding and Resolving Lookup Errors

Identify Lookup Errors

  1. Search for lookup errors:

    index=_internal sourcetype=splunkd log_level=ERROR lookup
  2. Common errors:

    • Lookup table not found: Check the lookup file and definition.
    • Permission denied: Ensure the lookup file has proper permissions.

Fix Common Lookup Errors

Permission Issues

  1. Verify file permissions on lookup files:
    sudo chown splunk:splunk /opt/splunk/etc/apps/<app_name>/lookups/*.csv
    sudo chmod 644 /opt/splunk/etc/apps/<app_name>/lookups/*.csv

🔄 Lookup Autoload Issues

  • Ensure the lookup is properly set to Automatic in Lookup Definitions.

🔗 Field Mismatch Issues

  1. Check the lookup definition fields.
  2. Ensure the field names match between the lookup file and search query.
  3. Rename the lookup field to match the search if needed:
    | inputlookup malicious_ip_lookup
    | rename ip_address AS src_ip
    | stats count by src_ip
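The two error classes above (field mismatch and permission denied) can be caught before the CSV is uploaded. This is an added example, not part of the guide: it assumes the search expects the fields src_ip and threat_type, and the sample CSV is constructed.

```python
import csv
import io
import stat

# Field names the enrichment search expects; assumed for this example.
EXPECTED_FIELDS = {"src_ip", "threat_type"}
# Constructed sample: header says ip_address (not src_ip) and line 3 is short.
SAMPLE_CSV = "ip_address,threat_type\n203.0.113.10,scanner\n198.51.100.7\n"


def check_lookup_fields(csv_text, expected_fields):
    """Return problems Splunk would surface as lookup or field-mismatch errors."""
    problems = []
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader, None)
    if not header:
        return ["empty file: no header row"]
    header = [h.strip() for h in header]
    if header[0].startswith("\ufeff"):  # a BOM silently corrupts the first field name
        problems.append("UTF-8 BOM in first header field")
        header[0] = header[0].lstrip("\ufeff")
    if "" in header:
        problems.append("blank column name in header")
    if len(set(header)) != len(header):
        problems.append("duplicate column names in header")
    for name in sorted(set(expected_fields) - set(header)):
        # Names are case-sensitive; show the header so `| rename <col> AS <name>` can be added.
        problems.append(f"expected field {name!r} not in header {header}")
    for lineno, row in enumerate(reader, start=2):
        if row and len(row) != len(header):
            problems.append(f"line {lineno}: {len(row)} fields, header has {len(header)}")
    return problems


def permission_problems(st_mode, st_uid, st_gid, splunk_uid, splunk_gid):
    """Check os.stat() values the way chown splunk:splunk / chmod 644 would fix them."""
    problems = []
    perms = stat.S_IMODE(st_mode)
    if st_uid == splunk_uid:
        readable = perms & stat.S_IRUSR
    elif st_gid == splunk_gid:
        readable = perms & stat.S_IRGRP
    else:
        readable = perms & stat.S_IROTH
    if not readable:
        problems.append("splunk user cannot read the file (Permission denied)")
    if perms & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group/world writable: anyone could alter the threat list")
    return problems
```

Feed permission_problems the st_mode, st_uid and st_gid from os.stat() on the CSV under the app's lookups/ directory together with the splunk account's uid and gid.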

🛡️ 5. SIEM Integration Tips

  • Use Splunk Enterprise Security for advanced threat monitoring.
  • Configure notable events and alerts.
  • Regularly check Data Models for accuracy.
  • Ensure CIM (Common Information Model) compliance for add-ons.

🎯 Conclusion

You now have a Splunk build running with data ingestion, lookups, and add-ons configured. You’re equipped to troubleshoot lookup errors and optimize the SIEM setup for effective threat monitoring.

Happy Splunking! 🚀