Setting Up Splunk: Basics & Configuration
Security and Pentest Home Lab Environment
---
title: Part 10 - Ubuntu Setup & Splunk SIEM Installation
date: 2025-06-16
categories: [Lab]
tags: [Splunk, Ubuntu, VirtualBox, SIEM, DFIR, Linux, Security]
description: Install and configure Splunk SIEM in a segmented lab environment
permalink: /posts/HomeLab-Splunk
---
In this module, we will set up Splunk (a popular SIEM tool) on a new Ubuntu VM. The VM will be assigned to the SECURITY network segment in pfSense. We'll also configure the Splunk Universal Forwarder on the Windows Server 2019 domain controller (DC) so that it forwards its logs into Splunk for monitoring.
📥 Download Ubuntu ISO
- Go to the official download page: Download Ubuntu Desktop
- Download the latest LTS version (e.g., 22.04.3 LTS)
- 💾 The ISO is around 5GB
After the download completes, you will have a .iso image file ready for use.
💻 Create the Ubuntu VM
- In VirtualBox, click Tools → New
- Give the VM a name and select the downloaded ISO file
- Enable "Skip Unattended Installation" → Click Next
- Set Base Memory to 4096MB → Click Next
- Set Hard Disk Size to 100GB → Click Next
- Review settings and click Finish
🗂️ Move VM to Group
- Right-click the new VM → Move to Group → Home Lab/Security
- Your VM group structure should reflect the network segmentation
⚙️ Configure VM Settings
- Select the VM → Click Settings
- Go to System → Motherboard
- Set Boot Order: Hard Disk, then Optical
- Uncheck Floppy
- Go to Network → Adapter 1
- Attached to: Internal Network
- Name: LAN 4
- Click OK to save
On an internal network the VM has no path to the host or to the internet except through pfSense on the LAN 4 segment, so the OS installer's third-party packages, the system updates and the Splunk download below all depend on that pfSense interface being up and routing.
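As an added example (not part of the original post), the same VM can be created from the host's shell with VBoxManage, which makes the build repeatable and leaves nothing to misclick. The VM name, CPU count, ISO path and VM directory are assumptions; the memory, disk size, boot order, the Home Lab/Security group and the LAN 4 internal network are the values from the steps above. Leaving out a floppy controller is the command-line equivalent of unticking Floppy.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): VBoxManage equivalent of the
# VirtualBox click-through for the Splunk VM. Name, CPU count, ISO path and VM
# directory are assumptions; memory, disk, boot order, group and internal
# network follow the post. Set DRY_RUN=1 to print the commands instead of
# running them.
set -eu

VM_NAME="${VM_NAME:-splunk-siem}"
VM_DIR="${VM_DIR:-${HOME:-/root}/VirtualBox VMs/$VM_NAME}"
ISO="${ISO:-${HOME:-/root}/Downloads/ubuntu-22.04.3-desktop-amd64.iso}"

# run: execute a VBoxManage command, or print it (quoting arguments that
# contain spaces) when DRY_RUN is set, so the plan can be reviewed first
run() {
  if [ -n "${DRY_RUN:-}" ]; then
    for a in "$@"; do
      case $a in
        *[!A-Za-z0-9_./:=-]*) printf "'%s' " "$a" ;;
        *) printf '%s ' "$a" ;;
      esac
    done
    printf '\n'
  else
    "$@"
  fi
}

# create_splunk_vm: register the VM in the Home Lab/Security group, give it
# 4096MB and 2 CPUs, boot from hard disk then optical, put its only NIC on the
# "LAN 4" internal network, create the 100GB disk and attach disk + ISO.
# No floppy controller is added.
create_splunk_vm() {
  run VBoxManage createvm --name "$VM_NAME" --ostype Ubuntu_64 --register \
      --groups "/Home Lab/Security"
  run VBoxManage modifyvm "$VM_NAME" --memory 4096 --cpus 2 \
      --boot1 disk --boot2 dvd --boot3 none --boot4 none \
      --nic1 intnet --intnet1 "LAN 4"
  run VBoxManage createmedium disk --filename "$VM_DIR/$VM_NAME.vdi" \
      --size 102400 --format VDI
  run VBoxManage storagectl "$VM_NAME" --name SATA --add sata --controller IntelAhci
  run VBoxManage storageattach "$VM_NAME" --storagectl SATA --port 0 --device 0 \
      --type hdd --medium "$VM_DIR/$VM_NAME.vdi"
  run VBoxManage storageattach "$VM_NAME" --storagectl SATA --port 1 --device 0 \
      --type dvddrive --medium "$ISO"
}

# show_plan: the exact commands that would run, without touching VirtualBox
show_plan() { ( DRY_RUN=1; create_splunk_vm ); }

# Usage: ./make-splunk-vm.sh plan   (review)   or   ./make-splunk-vm.sh create
case "${1:-}" in
  plan)   show_plan ;;
  create) create_splunk_vm ;;
esac
```

Run it with `plan` first and read the output; only then run `create`. Because the disk is empty, the "hard disk then optical" boot order falls through to the ISO on first boot, and once Ubuntu is installed the VM boots from disk without changing anything.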
🧰 Install Ubuntu OS
- Start the VM → Press Enter at the prompt to launch the GUI installer
Follow the installation steps:
- Select Language → Click Install Ubuntu
- Select Keyboard Layout → Click Continue
- Enable "Install third-party software..." → Click Continue
- Click Install Now → Confirm with Continue
- Select Timezone → Click Continue
- Enter user details (username, password, hostname) → Click Continue
- After installation finishes → Click Restart Now
- When prompted, press Enter to reboot into your new system
- Log in with your password
🚀 Post-Install Setup
🧾 Complete Ubuntu Welcome Wizard
- Click Skip when asked to connect online accounts
- Click Next through system info screens
- Choose “No, don’t send system info” → Click Next
- Disable features you don't need in a lab (such as location services) → Click Next
- Click Done to close the wizard
📦 Install Guest Additions
- In the VM window, go to: Devices → Insert Guest Additions CD Image
- The CD will appear in the dock → Click to open
- In the file window, right-click → Open in Terminal
Run the following command:
```bash
sudo ./VBoxLinuxAdditions.run
```
The installer builds kernel modules, so it needs a compiler and the headers for the running kernel (on Ubuntu the build-essential, dkms and linux-headers packages). If it reports missing kernel headers, install those and run it again.
Once the Guest Additions install completes:
- Close the Terminal
- Right-click the disk icon (Guest Additions) in the dock
- Select Eject to remove the virtual CD
🔃 Installing System Updates
- Open a Terminal using Ctrl + Alt + T
Run the following command:
```bash
sudo apt update && sudo apt full-upgrade
```
If updates are available, press Enter to confirm and begin the installation.
Keeping the system updated ensures compatibility and stability for Splunk, and patches the base OS before it becomes the host that stores your lab's logs.
📸 Creating a VM Snapshot
Before moving on, take a snapshot of the clean Ubuntu install:
- Shut down the Ubuntu VM
- Click the hamburger menu (☰) next to the VM name → Select Snapshots
- Click Take to create a new snapshot
- Enter a descriptive name (e.g., Ubuntu Clean Install) → Click OK
- Return to the VM overview by clicking Details in the hamburger menu
Snapshots let you revert the VM to this clean state at any time.
🧰 Splunk Installation on Ubuntu
In this module, we’ll walk through downloading and installing Splunk Enterprise on your Ubuntu VM. This tool is essential for log collection and SIEM functionality in your security lab.
🔽 Downloading Splunk
🌐 Official Download (Latest Version)
- On your Ubuntu VM, open a browser and go to the official Splunk download page: Splunk Enterprise Free Trial
- Click Download Now under the Linux (.deb) section.
- Accept the agreement and click Access Program to begin the download.
- You'll need to create an account if you haven't already:
  - Fill out the form
  - Accept the agreement
  - Click Create the Account
💡 Optional: Direct Download for v9.1.2
If you want to skip account creation and use version 9.1.2, download it directly: Splunk Enterprise 9.1.2 - Linux (.deb). Bear in mind that an older release lacks the security fixes shipped in later versions, so prefer the current release unless you specifically want 9.1.2 (the commands below use its filename).
💽 Installing Splunk
📁 Navigate to the Downloads Folder
Open a terminal (Ctrl + Alt + T) and run:
```bash
cd Downloads
```
Before installing Splunk, ensure the curl package is installed (Splunk may rely on it for various network-related tasks, and it is handy for checking the web port later):
```bash
sudo apt install curl
```
Enter your password when prompted.
🛠️ Installing Splunk
Run the following command to install Splunk from the .deb package:
```bash
sudo dpkg -i splunk-9.1.2-b6b9c8185839-linux-2.6-amd64.deb
```
⚠️ Note: If you downloaded a newer version of Splunk, the filename will differ. Replace the filename above with the actual name of the file you downloaded. Before running dpkg, compare the file's checksum with the one Splunk publishes next to the download; a mismatch means a corrupt or tampered package, and it should not be installed.
🚀 Starting Splunk for the First Time
Launch Splunk and accept the license agreement:
```bash
sudo /opt/splunk/bin/splunk start --accept-license --answer-yes
```
You'll be prompted to set up an admin username and password. These credentials will be used to access the Splunk web interface. Note that starting Splunk with sudo runs it as root; that is acceptable for a throwaway lab, but for anything longer-lived run it under a dedicated unprivileged splunk account that owns /opt/splunk, so a flaw in Splunk or one of its apps does not hand over the whole VM.
🌐 Accessing the Splunk Web Interface
Once Splunk is running, you can access it in your browser at:
```text
http://127.0.0.1:8000
```
Log in using the credentials you just created. Splunk Web serves plain HTTP by default; that is fine while you only open it locally on the VM, but if you later reach it from elsewhere on the lab network, enable SSL for Splunk Web so the admin password does not cross the wire in clear text.
🔁 Optional: Enable Splunk to Start on Boot
If you’d like Splunk to automatically start when the system boots, run:
```bash
sudo /opt/splunk/bin/splunk enable boot-start
```
💡 This step is optional. If you skip it, you’ll need to manually start Splunk each time with the start command shown earlier.
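The following script is an added example and not the post's own procedure: it checks the downloaded .deb against the SHA-512 that Splunk publishes next to the download before dpkg touches it, then performs the install, first start and boot-start steps above under a dedicated unprivileged splunk account instead of as root. The account name, its home directory and shell are assumptions; the package filename is the one from the post and changes with the version you fetched.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): verify the Splunk .deb, then
# install and run it as an unprivileged 'splunk' user rather than as root.
# Assumptions: the expected hash is the SHA-512 Splunk publishes beside the
# download; the 'splunk' account name, home and nologin shell are our choice.
set -eu

# verify_package <deb> <expected-sha512-hex>
# Succeeds only if the file's SHA-512 matches. A mismatch means a corrupt or
# tampered download and the install must not proceed.
verify_package() {
  local deb="$1" expected="$2" actual
  actual="$(sha512sum -- "$deb" | cut -d' ' -f1)"
  [ "$actual" = "$expected" ]
}

# install_as_splunk_user <deb>
# dpkg puts Splunk in /opt/splunk owned by root. Hand the tree to a system
# account, do the first start (licence acceptance and the admin username /
# password prompt) as that account, and register boot-start with -user so the
# service also comes up unprivileged after a reboot.
install_as_splunk_user() {
  local deb="$1"
  sudo dpkg -i -- "$deb"
  id splunk >/dev/null 2>&1 || \
    sudo useradd --system --home-dir /opt/splunk --shell /usr/sbin/nologin splunk
  sudo chown -R splunk:splunk /opt/splunk
  sudo -u splunk /opt/splunk/bin/splunk start --accept-license --answer-yes
  sudo /opt/splunk/bin/splunk enable boot-start -user splunk
}

# web_ui_up: Splunk Web answers on its default port (follows the redirect to
# the login page); uses the curl installed earlier in the post
web_ui_up() {
  [ "$(curl -sL -o /dev/null -w '%{http_code}' http://127.0.0.1:8000/)" = "200" ]
}

# Usage: ./install-splunk.sh install <path-to-.deb> <published-sha512>
if [ "${1:-}" = "install" ]; then
  deb="${2:?path to the Splunk .deb}"
  expected="${3:?SHA-512 published by Splunk for that file}"
  verify_package "$deb" "$expected" || {
    echo "checksum mismatch for $deb: refusing to install" >&2
    exit 1
  }
  install_as_splunk_user "$deb"
  web_ui_up && echo "Splunk Web is reachable at http://127.0.0.1:8000"
fi
```

Example invocation on the VM: `./install-splunk.sh install ~/Downloads/splunk-9.1.2-b6b9c8185839-linux-2.6-amd64.deb <sha512 from the download page>`. Because boot-start is registered with `-user splunk`, the optional boot-start step above is already covered and the service never runs as root.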
📸 Creating a Snapshot
Before proceeding, it’s a good idea to take a snapshot of the virtual machine in case you need to roll back.
- Power off the VM.
- Click the Hamburger menu next to the VM in VirtualBox.
- Navigate to Snapshots.
- Click on Take to create a new snapshot.
- Provide a clear, descriptive name for easy reference.
⚙️ Configuring Splunk to Receive Data
Open Splunk by visiting the following URL in your browser:
```text
http://127.0.0.1:8000
```
Log in using your admin credentials. Then:
- Click on Settings in the top navigation bar.
- Under Data, select Forwarding and receiving.
- In the Receive data section, click Add new.
- Enter the following port to listen on: 9997
This opens a listener for forwarder traffic on TCP 9997 on the Splunk VM. If the Windows Server sits on a different pfSense segment than the SECURITY network, pfSense also needs a rule allowing TCP 9997 from that segment to the Splunk VM's address; without it the forwarder's connection attempts are blocked at the firewall and no logs arrive.
🧲 What is the Universal Forwarder?
The Splunk Universal Forwarder is a lightweight agent that collects and forwards log data from a source system to a Splunk server. It’s commonly deployed on endpoints like servers and workstations to capture local events.
📥 Downloading the Forwarder
On your Windows Server, open a browser and navigate to the Universal Forwarder download page:
- Sign in with your Splunk account when prompted.
- Under the Windows tab, find the 64-bit installer and click Download Now.
⚡ Optional: You can directly download version 9.1.2 using the link below:
🔗 Splunk Universal Forwarder 9.1.2 (.msi) - Direct Download
🛠️ Installing the Universal Forwarder
- Once downloaded, double-click the .msi file to launch the installer.
- Accept the license agreement by checking the top box, then click Next.
- When prompted, enter a username and password for the Forwarder service.
- ✅ Reusing the admin credentials from your Splunk server is the simplest option, but this prompt creates the forwarder's own local admin account (used for its management port), not a login to the server, so the two do not have to match. A distinct password is the safer choice: if the DC is ever compromised, the attacker should not inherit your SIEM admin password along with it.
🌐 Get the Splunk Server IP Address
To forward logs, the Universal Forwarder needs the IP address of your Ubuntu VM running Splunk.
On your Ubuntu machine, run the following command:
```bash
ip a
```
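As an added example covering both the receiver setup above and the forwarder that is pointed at it (not the post's own steps), this script writes the same configuration as files instead of clicking through the UI: inputs.conf for the Splunk server's port 9997 listener, outputs.conf for the Universal Forwarder on the DC, and a helper that pulls the server's address out of the one-line form `ip -4 -o addr show` (easier to parse than `ip a`) so it can be typed into the forwarder. The 192.168.4.10 address in the sample interface output and the lab-indexer group name are constructed for the example; /opt/splunk and C:\Program Files\SplunkUniversalForwarder are the products' default install paths.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): file-based equivalent of the
# "Forwarding and receiving" setup, the matching forwarder outputs.conf, and
# a helper to find the Splunk VM's lab address. The sample 'ip' output and the
# 192.168.4.10 address are constructed; directories are parameters so the
# functions can be dry-run anywhere.
set -eu

RECEIVE_PORT=9997   # the port entered under Settings > Forwarding and receiving

# write_receiver_conf <etc/system/local dir>
# Makes the Splunk server accept forwarder (splunktcp) connections on
# $RECEIVE_PORT. Restart Splunk afterwards so the listener opens.
write_receiver_conf() {
  local dir="$1"
  mkdir -p "$dir"
  cat > "$dir/inputs.conf" <<EOF
[splunktcp://$RECEIVE_PORT]
disabled = 0
EOF
}

# write_forwarder_outputs <dir> <server-ip>
# The outputs.conf a Universal Forwarder needs to ship events to the Ubuntu
# VM. On the DC the same file belongs in
# C:\Program Files\SplunkUniversalForwarder\etc\system\local\
write_forwarder_outputs() {
  local dir="$1" server="$2"
  mkdir -p "$dir"
  cat > "$dir/outputs.conf" <<EOF
[tcpout]
defaultGroup = lab-indexer

[tcpout:lab-indexer]
server = $server:$RECEIVE_PORT
EOF
}

# lab_ip <text of 'ip -4 -o addr show'>
# Prints the first non-loopback IPv4 address, i.e. the value for outputs.conf.
lab_ip() {
  printf '%s\n' "$1" | awk '$2 != "lo" { sub(/\/.*/, "", $4); print $4; exit }'
}

# receiver_listening: true once Splunk has restarted with the new inputs.conf
receiver_listening() {
  ss -tln | awk -v p=":$RECEIVE_PORT" '$4 ~ p"$" { found = 1 } END { exit !found }'
}

# Constructed sample of 'ip -4 -o addr show' on the Ubuntu VM (not real output)
SAMPLE_IP_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: enp0s3    inet 192.168.4.10/24 brd 192.168.4.255 scope global dynamic noprefixroute enp0s3\       valid_lft 86046sec preferred_lft 86046sec'

# Usage on the Splunk VM: ./receiver.sh apply   (then restart Splunk)
if [ "${1:-}" = "apply" ]; then
  write_receiver_conf /opt/splunk/etc/system/local
  echo "forwarders should send to $(lab_ip "$(ip -4 -o addr show)"):$RECEIVE_PORT"
fi
```

After `apply`, run `sudo /opt/splunk/bin/splunk restart` and confirm with `receiver_listening` (or `ss -tln`) that something is bound to port 9997. If the DC is on a different pfSense segment than the Splunk VM, the matching pfSense rule for TCP 9997 is still required; the configuration files alone do not open the firewall.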