Splunk AWS Lab


Overview

In this blog post, we'll look at how to set up Splunk monitoring for Windows logs in AWS provisioned by Terraform. Monitoring logs is critical for ensuring your infrastructure's security and health, and Splunk offers extensive logging analysis and visualization tools.

Utilizing Terraform will allow us to quickly provision and destroy infrastructure so that we can gain necessary experience with these tools.


Infrastructure

Our setup includes deploying three EC2 instances within a VPC in us-east-1: a Kali Linux box for penetration testing, a Splunk instance running on Ubuntu Desktop for log monitoring, and a Windows Server 2022 instance that will be monitored.

Please note that some of the AMIs used may require a subscription.


Provisioning

We'll begin by creating our infrastructure in AWS using Terraform. Terraform allows us to specify our infrastructure in code, making it simple to manage and replicate our configuration. We'll be provisioning 3 EC2 instances in a single subnet.

Since I have gone over Terraform in a previous post, I will be skipping how to get started with Terraform. Please visit my previous blog post for more information:

Terraforming Infrastructure

The Terraform template can be found in my GitHub repo:

Splunk AWS Lab


Download & Configure Splunk Enterprise

Step 1: Log in with the Instance ID output by Terraform

  • Connect using the instance IP; the Netspectrum/Ubuntu image will then prompt you for the Instance ID

Step 2: Change VNC Password

  • On Desktop

Step 3: Download Google Chrome if you run into issues with Mozilla Firefox and Splunk

wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
  • Install and check the default browser
sudo dpkg -i google-chrome-stable_current_amd64.deb
google-chrome

Step 4: Download Splunk Enterprise from website

Step 5: Install

  • cd into the Downloads folder
cd ~/Downloads
sudo dpkg -i splunk.<tab to auto complete>

Step 6: cd into /opt/splunk/bin and start the service

cd /opt/splunk/bin
sudo ./splunk start

  • Page down through and accept the EULA, then enter a username and password

Step 7: Logging into Splunk Instance

  • Paste the web interface address printed by splunk start into the instance's browser

  • Login with credentials you created in the previous step

Step 8: Create Index

  • Settings > Indexes

  • Click New Index; my index name will be Windows-Security, and I'll keep all defaults

Step 9: Settings > Forwarding and Receiving > Configure receiving, and add a receiving port listening on 9997


Download & Configure Splunk Universal Forwarder

Step 1: RDP into Windows box

Step 2: Download Splunk Universal Forwarder

  • cd into the Downloads folder

Step 3: Install & Configure

  • Click Customize options > Next > Next > Next

  • We will be monitoring Application, Security and System logs

  • Create Credentials > Next

  • Set the Receiving Indexer to the private IP of the Splunk instance and the default port 9997

  • The private IP of the Splunk instance can be obtained either through the AWS console or by running the following command on the instance and reading the inet address:
ip a

  • Finish

Step 4: Configure inputs.conf

  • cd into
C:\Program Files\SplunkUniversalForwarder\etc\system\local

  • Copy and paste outputs.conf, then rename the copy to inputs.conf

  • Append the following stanza to the file and save (use windows-security or whatever name you gave your index; the note must not be left on the index line)

[WinEventLog://Security]
index = windows-security
disabled = 0

Step 5: Restart the Universal Forwarder via the CLI

cd C:\Program Files\SplunkUniversalForwarder\bin
splunk.exe restart
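Before restarting, it is worth checking the inputs.conf you just wrote, because a forwarder pointed at an index that does not exist (or one that differs only in case from the index created in Splunk Web) drops the events without any error being shown. The following Python script is an added example and not code from the original post; it parses the stanza format used above and flags a stray note left on the index line, an index name that breaks Splunk's naming rule, an index not present in the set you pass in, and a disabled stanza. The sample stanzas are constructed.

```python
"""Check a Universal Forwarder inputs.conf before restarting the forwarder.

Added example, not code from the original post. Flags the mistakes that
leave the new index empty with no error on the indexer.
"""
import configparser
import re

# Splunk's documented rule for custom index names: lowercase letters, digits,
# underscore and hyphen; the name may not start with _ or -.
INDEX_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9_-]*$")


def parse_inputs_conf(text):
    """Return {stanza: {key: value}} for a Splunk .conf file ('[x]' + 'k = v')."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return {name: dict(cp.items(name)) for name in cp.sections()}


def check_inputs(text, indexes_on_indexer):
    """Return [(stanza, problem), ...] for WinEventLog stanzas; [] means OK."""
    problems = []
    for stanza, kv in parse_inputs_conf(text).items():
        if not stanza.startswith("WinEventLog://"):
            continue
        index = kv.get("index", "").strip()
        if not index:
            problems.append((stanza, "no index set; events go to the default index"))
        elif not INDEX_NAME_RE.match(index):
            # Also catches trailing text such as "(or name of your created index)".
            problems.append((stanza, f"invalid index name {index!r}"))
        elif index not in indexes_on_indexer:
            problems.append((stanza, f"index {index!r} does not exist on the indexer"))
        if kv.get("disabled", "0").strip().lower() not in ("0", "false"):
            problems.append((stanza, "stanza is disabled"))
    return problems


# Constructed samples: the stanza with the note mistakenly left on the index
# line, and a corrected version that also forwards the System log.
BAD_INPUTS = ("[WinEventLog://Security]\n"
              "index = windows-security (or name of your created index)\ndisabled = 0\n")
GOOD_INPUTS = ("[WinEventLog://Security]\nindex = windows-security\ndisabled = 0\n\n"
               "[WinEventLog://System]\nindex = windows-security\ndisabled = 0\n")

if __name__ == "__main__":
    # The set passed in is the list of indexes created under Settings > Indexes.
    for name, conf in (("bad", BAD_INPUTS), ("good", GOOD_INPUTS)):
        print(name, check_inputs(conf, {"windows-security"}) or "OK")
```

Run it against the real file with `check_inputs(open(path).read(), {...})` and the set of index names shown in Settings > Indexes on the Splunk instance.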


Reviewing Logs in Splunk

Step 1: Head back to Splunk Instance

  • Search our newly created index to review the logs

  • Looks like we have a few logs to review

  • Let's generate additional logs by adding and deleting users, which should create system logs. On the Windows instance I added and deleted a user named Splunk_Test:

  • Back on our Splunk instance we can see the newly created logs:


Terraform Destroy

To ensure we do not incur any additional costs, we will run:

terraform destroy

By following these steps, you will be able to configure monitoring for Windows logs in AWS using Splunk and Terraform.

Monitoring user activity and system changes is critical for ensuring the security and integrity of your infrastructure, and Splunk gives you the tools you need to successfully analyze and respond to log data.

With this arrangement, you will be able to quickly provision and destroy infrastructure so that you can gain practice with these tools.

In future installments, we will perform PenTests on our monitored instances, PCAP analysis and network monitoring.

Till next time!