Open source (Open Source) SIEM tools Today, it is one of the preferred security solutions by the IT departments to ensure the security of the systems. In this article, it is one of the most used open source SIEM products. SplunkWe will be describing the installation of .
What is Splunk?
Domains, applications, sensors, devices, etc. in IT infrastructures. It is an open source SIEM (Security Information and Event Management) tool that can be used to search, analyze and visualize data generated by SIEM and Log Management It is a globally known and used product. There are two versions of Splunk, Enterprise (enterprise) and Free (free). For the Free version, up to 500 MB of data can be indexed daily. The Free distribution is a functional product recommended for small scale builds. SOC well Security Operations Center It offers a suitable solution for every structure that wants to establish.
Some important advantages of Splunk:
- It is possible to transfer the data to Splunk in the desired format. (csv, json etc.)
- Data generated in high volumes can be collected and analyzed.
- It uses API to connect to apps and devices.
- Easily understandable and actionable data reports can be generated.
- It has Artificial Intelligence and Machine Learning.
- It supports SaaS (Software as a service) structures.
- Incident Response And Threat Analysis It has a wide range of configuration options for
Installing Splunk:
The installation in this article will be done on CentOS 7 Minimal Distro because it is more efficient in terms of speed.
After the CentOS 7 installation process is completed, log in as the "root" user. After the IP address check, the connection status is checked by pinging Google's DNS server (8.8.8.8).
It connects to the installed CentOS system via SSH (Secure Shell Protocol) using PuTTY. PuTTY will connect to the CLI (Command Line Interface) of the CentOS system and will provide more convenient operation. However, this is optional. https://www.putty.org/ You can download PuTTY and install it.
The packages for ifconfig commands are installed by running the “yum install -y net-tools” command. The "-y" parameter here is to pre-approve all packages that need approval during installation.
Run the “yum install -y wget” command to upload the file from the URL extensions to our system. The “wget” command is used to install Splunk on the system as a .rpm package.
“wget -O splunk-8.0.2.1-f002026bad55-linux-2.6-x86_64.rpm 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=8.0.2.1&product=splunk&filename=splunk-8.0.2.1-f002026bad55-linux-2.6-x86_64.rpm&wget=trueSplunk is installed on the system by running the ' “ command.
The rpm packages downloaded for Splunk are installed with the command “rpm -i splunk-8.0.2.1-f002026bad55-linux-2.6-x86_64.rpm”. The “-i” parameter is used to specify the .rpm package we want to install.
Note: It should be noted that the downloaded Splunk .rpm packages are in the same directory.
The “cd /opt/splunk/bin” command is run to navigate to the directory where Splunk is installed. With the command “./splunk start –accept-license”, the installed Splunk application is started.
During the installation, the Administrator user name and password values requested for Splunk are determined at this stage.
Run the command “./splunk enable boot-start” to start splunk automatically. Although this command is completely optional, it is recommended for regular operation of Splunk.
Run the command “firewall-cmd –zone=public –add-port=8000/tcp –permanent” to allow Splunk running on port 8000 by the firewall.
With the "firewall-cmd -reload" command, the firewall command that we have adjusted on is restarted.
A connection request is sent to the address 192.168.0.23:8000 via the browser. After entering the username and password specified for Splunk, access is provided.