Splunk Setup [SOC Automation with AI Implementation]

Goal:

The goal is to connect to the Ubuntu Server using SSH and to setup Splunk so it can receive logs data from the VM client.


Remote SSH Setup:

After the VM running Ubuntu Server is finished starting up, login and copy down the IP address of the machine (Note that "ip a" can also be used to find the IP address).













Using the Windows 10 Client, I can now connect to the Ubuntu Server machine using SSH via Windows PowerShell.












This returned "Connection closed by 10.0.2.8 port 22". First I check to see if SSH is active. Once I've determined that it is via the "sudo systemctl status ssh" command. It then occurred to me that the reason why the session was forcibly closed was because I was still logged in on the Ubuntu Server. Logging out fixed the issue and I have been able to successfully connect to from the Windows client using SSH.












Next I make sure to update and upgrade Ubuntu packages before I do anything else.












After completing the updates, I now would like to install Splunk. I log in to their website and get the wget link for Splunk Enterprise (10.0.1) and then proceed to download it. Once downloaded, I type "ll" to double check I have the right files downloaded and finally proceed to install it.











Next I want to start Splunk, so I go into the Splunk directory, log in to the default user, and proceed to running Splunk (./splunk start). Then I agree to the license, set an admin username, and set the password. Next I exit the program.























The next thing I did was make sure that when the system reboots, Splunk starts on startup. Next I check to make sure it is properly running and that it is accessible using the web browser.













Next I need to configure a few settings. First I go to "Forwarding and receiving", further into "Configure receiving" and I select "New Receiving Port". I add the default port of 9997. Next I go to "Indexes" under settings and I select "New Index".

















Finally, I go to "Find More Apps" under "Apps" on the Top left. I want to download "Splunk Add-on for Microsoft Windows"















Summary and Reflection:

The only issue I ran into outside of what I covered was that the VMs weren't able to establish a connection but from prior experience I knew that the solution was to change the network type of the VMs from a NAT type to a NAT-Network. I have now mostly set everything up and Splunk is ready to start receiving telemetry from the Windows client. In my next post I will be setting that up on top of setting up the n8n Server.

Comments

Post a Comment

Popular posts from this blog

About Me

A Quick Introduction: Hello, my name is Erick and I'm an aspiring SOC Analyst who's trying to turn close to two decades of tech experience and passion into a career. I've been the tech guy among my friends and family for almost two decades and have experience troubleshooting and solving hardware, software, and network related computer problems. I've built PCs, hosted game servers, and troubleshoot computer problems both in person and over the phone. Over the years, I've not only learned to solve technical problems quickly, but also how to explain them to both technical and non technical users. What was originally a hobby of mine turned into a deep and growing interest in cybersecurity and IT operations. In pursuit of becoming a SOC Analyst, I have earned my CompTIA Security+ Certificate in September of 2025, strengthening my foundational knowledge in network defense, threat detection, and incident response. Technical Background: Troubleshooting and System Setup: I h...
Read more

VM Setup [SOC Automation with AI Implementation]

Image
Project Overview: Build an automated workflow using n8n. Splunk will ingest logs, create an alert and send it to n8n where ChatGPT can process the alert and output the information on to slack. Required Files: VM Environment Software: Oracle VirtualBox (https://www.virtualbox.org/) OS ISOs: Kali Linux ISO (https://www.kali.org/get-kali/#kali-virtual-machines) Ubuntu Server ISO (https://ubuntu.com/download/server) Windows 10 ISO (https://www.microsoft.com/en-us/software-download/windows10) VM Setup: Before I can begin automating anything, I must first set up the Virtual Machine environments that will be used to run the n8n Server, the Splunk Server, the Ubuntu Client, and the Windows Client. I generally prefer to allocate enough resources so as to give the VMs more headroom to allow them to deal with more stress. Windows Client: For the installation of the Windows Client, I set the Base Memory to 4GB, the core count to 2, and the Disk Size to 50GB. The installation if fairly straight for...
Read more

Implementing Slack and Putting it all together [SOC Automation with AI Implementation]

Image
  Goal:  To fully integrate ChatGPT using n8n and piece everything together. Workflow Setup: First it's important to disable the Splunk alert for now because we are done with the current test. Then on the n8n server, going back to canvas, we can pin the output so that we don't need to keep triggering the workflow. Before continuing, I created an API Platform account on openai.com. I clicked on "start building" to set it up, naming my organization "Caser" and the API key name "Caser-SOC-Project", and then generated an API key. Once I had this copied it was time to go back and start setting up the workflow. This is where I encountered my first major issue. I went on vacation and during that time I wasn't able to work on the project. This led to my session being timed out, and when I logged back in I was no longer able to pin the webhook trigger event. I spent some time looking to see if there was a way to simply revert it or to see if there was a...
Read more