(Including installing a windows agent so you have data to play with)
- Install linux
- any flavor, Ubuntu might be the easiest.
- maybe I need another quick start guide for installing linux…
- download and install splunk on your linux platform
- It’s free for up to 500MB of data per day
- Start splunk (/opt/splunk/bin/splunk start)
- Login to the splunk web UI: http://<your server IP>:8000
- On Ubuntu, you don’t have to allow access to port 8000, so no need to open access
- Open port 9997 in the splunk UI
- Settings > forwarding and receiving > configure receiving > new receiving port (set to 9997)
- Open port 9997 on linux
- Ubuntu command: sudo ufw allow from any to any port 9997 proto tcp
- On a windows pc, install the Splunk universal forwarder
- Back in the UI, add a data input:
- Settings > data inputs > windows event logs > new windows remote event log > [you should see your windows pc so add it] > add ‘security’ > add it to an index
Done!
Simple-Security 