SIEM Setup- Splunk & Security Onion Install
- Published 9 Feb 2025
- If you still need to install Security Onion: • Intrusion Detection Sy...
In this video I install Splunk Enterprise on our Security Onion server to ingest and correlate logs across multiple sources. Splunk Apps provide additional investigation capabilities, which you can leverage to configure Splunk as a SIEM.
Links for this video:
Splunk Enterprise Trial
www.splunk.com...
Security Onion App
splunkbase.spl...
Sideview utils
splunkbase.spl...
Splunk for OSSEC
splunkbase.spl...
Maxmind geolocation
splunkbase.spl...
Google Maps
splunkbase.spl...
Splunk Visualization
splunkbase.spl...
Zeek IDS (Bro)
splunkbase.spl...
Commands/Notes:
Ensure the splunk user owns all apps by executing "sudo chown -R splunk:splunk *" within the /opt/splunk/etc/apps directory (Splunk cannot read or update app files it does not own).
Open Splunk Web's port 8000 to the host system. On HomeIDS:
sudo ufw allow 8000
Note that this rule opens port 8000 to every address that can reach the box; if only one analyst host needs Splunk Web, restrict the rule to that source address instead.
Change "Debug 1" to "Debug 2" in /etc/nsm/securityonion/sguild.conf so that sguild logs the alert detail the Security Onion app ingests.
Restart the NSM server processes with: sudo nsm_server_ps-restart
Didn't cover it in the video, but you should enable SSL access to Splunk Web, otherwise your admin credentials and search results cross the network in cleartext:
Under Settings - System - Server settings, click General Settings
Under Splunk Web, for Enable SSL (HTTPS) in Splunk Web, select the Yes radio button, then restart Splunk for the change to take effect
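The notes above are a manual checklist. As an added example (not the video author's script, and not part of Splunk or Security Onion), here are the same post-install steps as one idempotent bash script for the legacy /etc/nsm-based Security Onion layout. Everything not in the notes is an assumption: TRUSTED_HOST is the analyst host that should reach Splunk Web (192.168.56.1, the VirtualBox host-only default) instead of opening port 8000 to everyone; sguild.conf is assumed to use the stock Tcl directive "set DEBUG N" for the debug level; and "splunk enable web-ssl" is used as the CLI equivalent of the Settings UI step.

```bash
#!/usr/bin/env bash
# Added example, not from the video: the post-install steps from the notes as one
# idempotent script for the legacy (/etc/nsm based) Security Onion layout.
# Assumptions that are NOT in the original notes:
#   - TRUSTED_HOST is the analyst host that should reach Splunk Web (192.168.56.1
#     here, the VirtualBox host-only default); the notes open 8000 to everyone.
#   - sguild.conf uses the stock Tcl directive "set DEBUG N" for the debug level.
#   - "splunk enable web-ssl" is used as the CLI equivalent of the Settings UI step.
set -euo pipefail

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_APPS="${SPLUNK_APPS:-$SPLUNK_HOME/etc/apps}"
SGUILD_CONF="${SGUILD_CONF:-/etc/nsm/securityonion/sguild.conf}"
TRUSTED_HOST="${TRUSTED_HOST:-192.168.56.1}"

# Print every path under $1 that is not owned by user $2. Empty output means
# the "chown -R splunk:splunk" step has nothing left to fix.
list_not_owned_by() {
  find "$1" ! -user "$2" -print
}

# Set the sguild DEBUG level in file $1 to $2 and report what happened:
# "changed" (restart needed), "unchanged" (already at that level) or "missing"
# (no DEBUG directive found; returns non-zero so the caller notices).
set_sguild_debug() {
  local conf="$1" level="$2"
  if ! grep -Eq '^set[[:space:]]+DEBUG[[:space:]]+[0-9]+' "$conf"; then
    echo missing
    return 1
  fi
  if grep -Eq "^set[[:space:]]+DEBUG[[:space:]]+${level}[[:space:]]*\$" "$conf"; then
    echo unchanged
    return 0
  fi
  sed -i -E "s/^(set[[:space:]]+DEBUG)[[:space:]]+[0-9]+[[:space:]]*\$/\\1 ${level}/" "$conf"
  echo changed
}

apply() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root: sudo $0 apply" >&2; exit 1; }

  # 1. Apps must be owned by the splunk user, then verify nothing was missed.
  chown -R splunk:splunk "$SPLUNK_APPS"
  [ -z "$(list_not_owned_by "$SPLUNK_APPS" splunk)" ] || { echo "ownership fix failed" >&2; exit 1; }

  # 2. Expose Splunk Web only to the trusted host and only over TCP, instead of
  #    "ufw allow 8000", which opens the port to every address.
  ufw allow from "$TRUSTED_HOST" to any port 8000 proto tcp

  # 3. Raise sguild logging so the Security Onion app has events to ingest, and
  #    restart the NSM server processes only when the config actually changed.
  case "$(set_sguild_debug "$SGUILD_CONF" 2 || true)" in
    changed) nsm_server_ps-restart ;;
    missing) echo "no DEBUG directive in $SGUILD_CONF" >&2; exit 1 ;;
  esac

  # 4. Serve Splunk Web over HTTPS (the Settings > Server settings step). Run as
  #    the splunk user so no root-owned files land under $SPLUNK_HOME.
  sudo -u splunk "$SPLUNK_HOME/bin/splunk" enable web-ssl
  sudo -u splunk "$SPLUNK_HOME/bin/splunk" restart
}

if [ "${1:-}" = apply ]; then
  apply
fi
```

Run it as `sudo TRUSTED_HOST=<your host IP> ./post_install.sh apply`; without the `apply` argument it only defines the functions, so you can source it and run `set_sguild_debug` against a copy of sguild.conf first. After `enable web-ssl`, Splunk Web serves its bundled self-signed certificate, so expect a browser warning until you install your own certificate.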
This is awesome, hope to see more from you.
This is great stuff, thanks for posting these videos. Keep up the good work!
YES! Dude, this is great! Thanks so much.
Thanks for the video...
Great information!!!
Great work, bro.
Great video. Thank you.
Great video! Where is the next vid?
WARNING: some apps don't work anymore, due to Advanced XML being deprecated by Splunk.
Is there a new, updated Security Onion app, now that it does not work on Splunk any longer?
Thanks for the video, really awesome. I'm having issues setting this up on a distributed install, can you help?
Bro:
I was trying to enable SSL as per your above instructions but couldn't get my head around it.
I checked both the Windows 10 settings and my Oracle VM settings, but couldn't go beyond Server Settings, which brings up the proxy setting.
The splunk start command did not work for the latest version, 7.3.2.
After about 4 days my search quit working as the index reached the limit. I tried using the "clean eventdata" command and even reinstalled Splunk, but neither worked. Do you have any advice on this?
Any help from your end...?
Can I run Splunk without a license?
You can run a trial license for 30 days, then you have to convert to a free license. Something you could run internally for lab/testing, but not enterprise.
Hello sir. Why are you installing the apps on the Windows host machine instead of Security Onion?
That's his test environment and where it's supposed to work (Splunk & Security Onion).
So it's installed on Ubuntu (with the XFCE graphical environment) = Security Onion with ready-to-go tools.
Also, he's installing Splunk for log analysis (still trying to figure out what Splunk really does on top of the others (or not)...