# Splunk AWS Lab via Terraform

### Overview

In this blog post, we'll look at how to set up Splunk monitoring for Windows logs in AWS provisioned by Terraform. Monitoring logs is critical for ensuring your infrastructure's security and health, and Splunk offers extensive logging analysis and visualization tools.

Utilizing Terraform will allow us to quickly provision and destroy infrastructure so that we can gain necessary experience with these tools.

---

### Infrastructure

Our setup includes deploying three EC2 instances within a VPC in us-east-1: a Kali Linux box for penetration testing, a Splunk instance running on Ubuntu Desktop for log monitoring, and a Windows Server 2022 instance that will be monitored.

***Please note that some of the ami's utilized may require a subscription.***

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708636270994/3767ad9e-abb9-45c6-8bc2-a4d678f29d97.png align="center")

---

### Provisioning

We'll begin by creating our infrastructure in AWS using Terraform. Terraform allows us to specify our infrastructure in code, making it simple to manage and replicate our configuration. We'll be provisioning 3 EC2 instances in a single subnet.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708550408291/ad2fce0d-8df8-4bd4-a72f-44531ff4ea2d.png align="center")

Since I have gone over Terraform in a previous post, I will be skipping how to get started with Terraform. Please visit my previous blog post for more information:

[Terraforming Infrastructure](https://blog.theawsdev.com/terraforming-infrastructure)

Terraform template can be found on my GitHub repo

[Splunk AWS Lab](https://github.com/GioAwsDev/SplunkAwsLab)

---

### Download & Configure Splunk Enterprise

Step 1: Login with Instance ID outputted in Terraform

* Use Instance IP then you will be prompted with Netspectrum/Ubuntu for InstanceID
    

Step 2: Change VNC Password

* On Desktop
    

Step 3: Download Google Chrome if having issues with Mozilla and Splunk

```bash
wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
```

* Install & Check Default Browser
    

```bash
sudo dpkg -i google-chrome-stable_current_amd64.deb
```

```bash
google-chrome
```

Step 4: Download Splunk Enterprise from website

* [Splunk Enteprise Trial](https://www.splunk.com/en_us/download/splunk-enterprise.html)
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708368869071/575fa3af-dd77-490b-b691-2c1d1c51cf9c.png align="center")

Step 5: Install

* Cd into downloads folder
    

```bash
cd ~/Downloads
sudo dpkg -i splunk.<tab to auto complete>
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708368973287/12642c60-ee5a-44c9-9f46-faefa3c613cd.png align="center")

Step 6: CD into /opt/splunk/bin and start service

```bash
cd /opt/splunk/bin
```

```bash
sudo ./splunk start
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708369313765/9f07e19d-53fb-48c9-8432-76b7b5577f7a.png align="center")

* Page Down and accept EULA - Enter a Username / Password
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708369406804/890c4650-e72b-4874-be40-61073b908991.png align="center")

Step 7: Logging into Splunk Instance

* Paste the web server into instance browser
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708369450928/68f33955-fe50-47e9-a994-359cd47df32c.png align="center")

* Login with credentials you created in the previous step
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708369558505/555f7d0d-aa8b-47c2-b6fb-b57d454720a1.png align="center")

Step 8: Create Index

* Settings &gt; Index
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708369662684/c9df5386-5a5d-432e-8c12-d695b048b9c5.png align="center")

* Click New Index, my index name will be Windows-Security and i'll keep all defaults
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708370846916/a2051d43-e0ac-43c1-aaf0-00d913f16caa.png align="center")

Step 9: Setup Forwarding and Receiving &gt; receiving port to listen on 9997

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708369662684/c9df5386-5a5d-432e-8c12-d695b048b9c5.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708369684882/b53e1ccb-930c-4779-b048-8b83a17c67ad.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708369731857/a3a42750-b962-477c-a6bf-bb3d2ab8b242.png align="center")

---

### Download & Configure Splunk Universal Forwarder

Step 1: RDP into Windows box

Step 2: Download Splunk Universal Forwarder

* [Splunk Universal Forwarder](https://www.splunk.com/en_us/download/universal-forwarder.html)
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708370145923/8fec9ac4-f99e-443a-a1f6-7073bc3488cd.png align="center")

* CD into downloads folder
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708370241765/0ea1aa69-8dcb-4cf9-b514-c4e79edb47da.png align="center")

Step 3: Install & Configure

* Click Customize options &gt; Next &gt; Next &gt; Next
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708370271798/7c5095a3-9faf-44e4-8a7f-00bebcba5c96.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708370366496/18e81258-f44b-465b-97d4-fda40a9b5d98.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708370458935/11cd3374-7a13-46b8-914c-9398dbb40a8d.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708370478354/0f6e270e-c9ff-464a-84a6-bbcbf0464d04.png align="center")

* We will be monitoring Application, Security and System logs
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708370492153/c50692cf-028f-4bbe-9ddb-705c4032d754.png align="center")

* Create Credentials &gt; Next
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708370524109/0d021206-9dbf-475c-9a88-a3770935fe97.png align="center")

* Setup Receiving Indexer to Private IP of Splunk Instance and default port 9997
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708370715399/29f852f2-fb25-4a80-a095-fc173d94489a.png align="center")

* Private IP for the Splunk Instance can be obtained either through the AWS console or utilizing the following command and viewing inet address
    

```bash
ip a
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708370686902/97fb7e9f-b288-464a-a08f-2f9829d80435.png align="center")

* Finish
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708370803258/a56e1320-6dd8-4c20-8b9d-fb2d70a3ee91.png align="center")
    

Step 4: Configure Inputs.conf

* CD into
    

```bash
C:\Program Files\SplunkUniversalForwarder\etc\system\local
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708370999653/3279c656-4a57-4783-bdc7-9ad720d6393b.png align="center")

* Copy and Paste outputs.conf &gt; Rename copied file to inputs.conf
    
* Append the following to the file and save
    

```bash
[WinEventLog://Security]
index = windows-security (or name of your created index)

disabled = 0
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708371204326/fe9ed5d9-092e-41bb-828f-bf7c90de375a.png align="center")

Step 5: Restart Universal Forwarder via CLI

```bash
cd C:\Program Files\SplunkUniversalForwarder\bin
splunk.exe restart
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708371337498/6b2c6ec9-a51e-437a-86b5-c57054da3b35.png align="center")

---

### Reviewing Logs in Splunk

Step 1: Head back to Splunk Instance

* Search our newly created index to review logs
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708371458465/c8a1b2ab-9d5f-483a-ae98-1fbfd3c17cf9.png align="center")

* Looks like we have a few logs to review
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708371490987/d4aaa23a-335e-4edf-a0a9-b924d14b11e8.png align="center")

* Lets generate additional logs by adding & deleting users, this should create system logs. On the Windows Instance I added and deleted a user Splunk\_Test:
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708548990716/5cd4869e-8f60-4ede-a1e6-af11bcefab65.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708549031264/859739f5-98e3-4a40-b31d-7e7033643214.png align="center")

* Back on our Splunk instance we can see the newly created logs:
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708549158925/bd672df5-d4e6-4ac8-baea-1cd24b52961b.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708549374914/a155ecc4-8d28-4320-9cf3-d402e730ea1c.png align="center")

---

### Terraform Destroy

To ensure we do not incur any additional costs, we will perform:

```bash
Terraform destroy
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708549913405/26f34c65-f348-4ee3-966b-efd01c8c7743.png align="center")

By following these steps, you will be able to configure monitoring for Windows logs in AWS using Splunk and Terraform.

Monitoring user activity and system changes is critical for ensuring the security and integrity of your infrastructure, and Splunk gives you the tools you need to successfully analyze and respond to log data.

With this arrangement, you will be able to quickly provision and destroy infrastructure so that you can gain practice with these tools.

In future installments, we will perform PenTests on our monitored instances, PCAP analysis and network monitoring.

Till next time!
