{
    "id": "a6774e10-45ed-48a1-a419-25c434fe10b7",
    "name": "Log Collection & Aggregation",
    "slug": "log-collection-aggregation",
    "status": "published",
    "lab_type": "pta",
    "is_sample": false,
    "duration_in_seconds": 1800,
    "metadata": {
        "courses": [
            "e999ee53-2459-4411-a3f3-a560fbcf4c86",
            "7f61cf50-ad65-4cb5-93a3-3e31e1f5427a"
        ],
        "pta_sdn": "769",
        "collections": [],
        "pta_namespace": "my.ine",
        "learning_paths": [],
        "has_published_parent": true
    },
    "session": null,
    "company": "a491bc32-c056-4946-9169-cc053387bada",
    "created": "2023-03-03T15:07:18.524783Z",
    "modified": "2025-06-30T21:12:03.247619Z",
    "is_beta": false,
    "lab_objectives": [],
    "main_learning_area": null,
    "learning_areas": [
        {
            "id": "3e1aa06f-2e9f-4789-b50d-aa027ad8dcfa",
            "name": "Cyber Security",
            "slug": "cyber-security"
        }
    ],
    "categories": [],
    "tags": [],
    "difficulty": "professional",
    "is_web_access": false,
    "is_lab_experience": false,
    "is_featured": false,
    "cve": null,
    "severity": null,
    "year": null,
    "classification": null,
    "is_trackable": false,
    "cpe_credits": null,
    "is_skill_check": false,
    "external_url": "",
    "solution_video": null,
    "explanation_video": null,
    "description": "# Introduction\n\nIn this lab, you'll configure two servers to send log data to a Splunk instance that resides on SERVER01.  DC01 will need specified Windows event logs, including some AD information sent, and LINUX01 will need specific auth log files sent.  All required IPs and credentials for this lab are listed below.\n\n**Lab Information**\n\n| Server | IP |\n| --- | --- |\n| DC01 | 172.31.115.100 |\n| SERVER01 | 172.31.115.110 |\n| LINUX01 | 172.31.115.111 |\n\n| Location/Purpose | Username | Password |\n| --- | --- | --- |\n| Domain Admin | ine\\labadmin | K5+peE#5q+&WJ^c# |\n| Linux Server | labadmin | TTnxyAn5=jRd3R |",
    "description_html": "<h1>Introduction</h1>\n<p>In this lab, you'll configure two servers to send log data to a Splunk instance that resides on SERVER01.  DC01 will need specified Windows event logs, including some AD information sent, and LINUX01 will need specific auth log files sent.  All required IPs and credentials for this lab are listed below.</p>\n<p><strong>Lab Information</strong></p>\n<table>\n<thead>\n<tr>\n<th>Server</th>\n<th>IP</th>\n</tr>\n</thead>\n<tbody>\n<tr>\n<td>DC01</td>\n<td>172.31.115.100</td>\n</tr>\n<tr>\n<td>SERVER01</td>\n<td>172.31.115.110</td>\n</tr>\n<tr>\n<td>LINUX01</td>\n<td>172.31.115.111</td>\n</tr>\n</tbody>\n</table>\n<table>\n<thead>\n<tr>\n<th>Location/Purpose</th>\n<th>Username</th>\n<th>Password</th>\n</tr>\n</thead>\n<tbody>\n<tr>\n<td>Domain Admin</td>\n<td>ine\\labadmin</td>\n<td>K5+peE#5q+&amp;WJ^c#</td>\n</tr>\n<tr>\n<td>Linux Server</td>\n<td>labadmin</td>\n<td>TTnxyAn5=jRd3R</td>\n</tr>\n</tbody>\n</table>",
    "tasks": "# Tasks\n\nYou have been tasked with collecting log information from two servers in the organization.  Your director has asked for security event logs and basic AD information to be collected from DC01 and sent to the Splunk server on SERVER01.  In addition, you have been asked to have authorization logs from the Linux server indexed into Splunk as well.\n\n1. Configure Splunk (and Windows Firewall) to receive logs on port 9997\n2. Install and configure the Splunk Forwarder to send *Security* event logs and Active Directory information from DC01 to SERVER01\n3. Install and configure the Splunk Forwarder on the linux server to send /var/log/auth.log to SERVER01",
    "tasks_html": "<h1>Tasks</h1>\n<p>You have been tasked with collecting log information from two servers in the organization.  Your director has asked for security event logs and basic AD information to be collected from DC01 and sent to the Splunk server on SERVER01.  In addition, you have been asked to have authorization logs from the Linux server indexed into Splunk as well.</p>\n<ol>\n<li>Configure Splunk (and Windows Firewall) to receive logs on port 9997</li>\n<li>Install and configure the Splunk Forwarder to send <em>Security</em> event logs and Active Directory information from DC01 to SERVER01</li>\n<li>Install and configure the Splunk Forwarder on the linux server to send /var/log/auth.log to SERVER01</li>\n</ol>",
    "published_date": "2023-10-04T15:56:43.457268Z",
    "solutions": "# Solutions\n\n\n**Step 1 - Configure Splunk and SERVER01 to receive logs:**  \n\nOpen Splunk from the desktop and navigate to *Settings*, then *Forwarding and receiving*\n\n![Forwarding and receiving](https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/1.png)\n\nClick on *Add new* next to **Configure receiving** to add a new receiver.  Enter port *9997* and click *Save*\n\n![New Receiver](https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/2.png)\n\n![New Receiver](https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/3.png)\n\nNext, open up Windows Firewall settings to allow traffic on port 9997 through the local firewall.\n\nGo to *inbound rules* and create a new rule\n\n![New inbound rule](https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/4.png)\n\nChoose the following options to create the rule:\n- Port\n- TCP, on port 9997 only\n- Allow the connection\n- Enable for all profiles\n- Name: **Splunk Forwarder**\n\n![Firewall rule](https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/5.png)\n\n![Firewall rule](https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/6.png)\n\n**Step 2 - Install and configure the Splunk Forwarder on DC01:**\n\nOpen up RDP to connect to DC01.  
Use the Domain Admin credentials listed in the lab summary\n\n![RDP](https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/7.png)\n\nOpen up the *Tools* folder on the desktop of DC01 and launch the Splunk Forwarder installer\n\n![Splunk installer](https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/8.png)\n\nCheck the box at the top to accept the license agreement, and ensure that **An on-premises Splunk Enterprise instance is selected**, then choose *Customize Options*\n\n![Splunk installer customize options](https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/9.png)\n\nAccept the default installation location, and accept all the defaults on the SSL certificate screen\n\n![Splunk installer SSL](https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/10.png)\n\nEnsure **Local System** is selected for the account that Splunk Forwarder will be installed as\n\n![Splunk forwarder account](https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/11.png)\n\nOn the following screen, select **Security Logs** and **Enable AD monitoring** and choose *Next*\n\n![Splunk monitoring options](https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/12.png)\n\nEnter a username for the Splunk administrator account, and then either enter a password or let the installer generate a random password\n\n![Splunk admin user](https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/13.png)\n\n**Leave the Deployment Server information empty**\n\nOn the **Receiving Indexer** screen, enter the IP address for SERVER01, and the port that you previously configured for the receiver on Splunk (should be 9997)\n\n![Splunk Receiving Indexer](https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/14.png)\n\nReturn to SERVER01 (we're done on DC01 for now) and go back to Splunk.  
Click on *Splunk>Enterprise* at the top, and then choose *Search & Reporting* from the navigation bar\n\n![Search & Reporting](https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/15.png)\n\nEnter the following search query in the search bar to verify you're receiving logs.  Ensure you change the time frame on the right of the search bar to **All time**\n\n`index=* host=DC01`\n\n![Search](https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/16.png)\n\nAfter a moment, you should see results returned.  If you do not see any events after the search completes, go back and double check your configuration to ensure all settings are correct.\n\n**Step 3 - Install Splunk Forwarder on LINUX01 and configure to send logs to SERVER01:**\n\nUse Putty to SSH to the Linux server.  Use the credentials for the Linux server listed in the lab information to connect.\n\nOnce connected via SSH, there are a few pre-requisites to complete before installing the forwarder:\n\n- Create a new user to be the owner for the installation:\n\n```bash\nsudo useradd -m splunk\n```\n\n- Create a variable to easily store the installation location:\n\n```bash\nexport SPLUNK_HOME=\"/opt/splunkforwarder\"\n```\n\n- Create the folder\n\n```bash\nsudo mkdir $SPLUNK_HOME\n```\n\n![Linux pre-reqs](https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/17.png)\n\nWith the pre-requisites completed, we can install the forwarder now\n\n```bash\nsudo dpkg -i splunkforwarder-9.0.4-de405f4a7979-linux-2.6-amd64.deb\n```\n\n![Splunk Forwarder installation](https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/18.png)\n\nNow that the forwarder is installed, change the ownership of the folder to the user we created earlier:\n\n```bash\nsudo chown splunk:splunk $SPLUNK_HOME -R\n```\n\nNow change directories into the **$SPLUNK_HOME/bin** directory.  
**The rest of the commands will not work if this step is not completed**\n\n```bash\ncd $SPLUNK_HOME/bin\n```\n\n![Change owner](https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/19.png)\n\nStart the Splunk Forwarder (accepting the license agreement):\n\n```bash\nsudo ./splunk start --accept-license\n```\n\n![Starting Splunk](https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/20.png)\n\nYou will be prompted to create a new administrator for this forwarder.  Enter a username and password when prompted.  **You will need this information again in a moment**\n\n![Creating User](https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/21.png)\n\nThe forwarder will take a moment to start and then it will show its completed startup:\n\n![Started](https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/22.png)\n\nNext, we need to tell Splunk where to send its logs.  Enter the following command to configure the forwarding.  Enter the username/password you just created when prompted.\n\n```bash\nsudo ./splunk add forward-server 172.31.115.110:9997\n```\n\n![Configure Linux forwarder](https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/23.png)\n\nNext, we need to tell Splunk what logs to monitor.  In our case, we need to monitor the file **/var/log/auth.log**.  Use the following command to configure this.  
If done within a few minutes of the last command, you should not be prompted for the username again.\n\n```bash\nsudo ./splunk add monitor /var/log/auth.log\n```\n\n![Add Splunk monitor](https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/24.png)\n\nNow, for good measure, restart the Splunk Forwarder to ensure all the new settings are applied\n\n```bash\nsudo ./splunk restart\n```\n\n![Splunk forward restart](https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/25.png)\n\nOnce the restart is complete (should only take a few seconds), return to the Splunk search console and repeat our previous search, but replacing the host with *linux01* this time.\n\n![Splunk search linux01](https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/26.png)\n\nNow that we have all of the logs being sent to the Splunk server, feel free to perform various searches to see what type of data we are capturing.\n\nWe'll perform additional analysis on these logs (and more) in the *Log Analysis* lab.",
    "solutions_html": "<h1>Solutions</h1>\n<p><strong>Step 1 - Configure Splunk and SERVER01 to receive logs:</strong>  </p>\n<p>Open Splunk from the desktop and navigate to <em>Settings</em>, then <em>Forwarding and receiving</em></p>\n<p><img alt=\"Forwarding and receiving\" src=\"https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/1.png\" /></p>\n<p>Click on <em>Add new</em> next to <strong>Configure receiving</strong> to add a new receiver.  Enter port <em>9997</em> and click <em>Save</em></p>\n<p><img alt=\"New Receiver\" src=\"https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/2.png\" /></p>\n<p><img alt=\"New Receiver\" src=\"https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/3.png\" /></p>\n<p>Next, open up Windows Firewall settings to allow traffic on port 9997 through the local firewall.</p>\n<p>Go to <em>inbound rules</em> and create a new rule</p>\n<p><img alt=\"New inbound rule\" src=\"https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/4.png\" /></p>\n<p>Choose the following options to create the rule:\n- Port\n- TCP, on port 9997 only\n- Allow the connection\n- Enable for all profiles\n- Name: <strong>Splunk Forwarder</strong></p>\n<p><img alt=\"Firewall rule\" src=\"https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/5.png\" /></p>\n<p><img alt=\"Firewall rule\" src=\"https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/6.png\" /></p>\n<p><strong>Step 2 - Install and configure the Splunk Forwarder on DC01:</strong></p>\n<p>Open up RDP to connect to DC01.  
Use the Domain Admin credentials listed in the lab summary</p>\n<p><img alt=\"RDP\" src=\"https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/7.png\" /></p>\n<p>Open up the <em>Tools</em> folder on the desktop of DC01 and launch the Splunk Forwarder installer</p>\n<p><img alt=\"Splunk installer\" src=\"https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/8.png\" /></p>\n<p>Check the box at the top to accept the license agreement, and ensure that <strong>An on-premises Splunk Enterprise instance is selected</strong>, then choose <em>Customize Options</em></p>\n<p><img alt=\"Splunk installer customize options\" src=\"https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/9.png\" /></p>\n<p>Accept the default installation location, and accept all the defaults on the SSL certificate screen</p>\n<p><img alt=\"Splunk installer SSL\" src=\"https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/10.png\" /></p>\n<p>Ensure <strong>Local System</strong> is selected for the account that Splunk Forwarder will be installed as</p>\n<p><img alt=\"Splunk forwarder account\" src=\"https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/11.png\" /></p>\n<p>On the following screen, select <strong>Security Logs</strong> and <strong>Enable AD monitoring</strong> and choose <em>Next</em></p>\n<p><img alt=\"Splunk monitoring options\" src=\"https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/12.png\" /></p>\n<p>Enter a username for the Splunk administrator account, and then either enter a password or let the installer generate a random password</p>\n<p><img alt=\"Splunk admin user\" src=\"https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/13.png\" /></p>\n<p><strong>Leave the Deployment Server information empty</strong></p>\n<p>On the <strong>Receiving Indexer</strong> screen, enter the IP address for SERVER01, and the port that you previously configured for the receiver on 
Splunk (should be 9997)</p>\n<p><img alt=\"Splunk Receiving Indexer\" src=\"https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/14.png\" /></p>\n<p>Return to SERVER01 (we're done on DC01 for now) and go back to Splunk.  Click on <em>Splunk&gt;Enterprise</em> at the top, and then choose <em>Search &amp; Reporting</em> from the navigation bar</p>\n<p><img alt=\"Search &amp; Reporting\" src=\"https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/15.png\" /></p>\n<p>Enter the following search query in the search bar to verify you're receiving logs.  Ensure you change the time frame on the right of the search bar to <strong>All time</strong></p>\n<p><code>index=* host=DC01</code></p>\n<p><img alt=\"Search\" src=\"https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/16.png\" /></p>\n<p>After a moment, you should see results returned.  If you do not see any events after the search completes, go back and double check your configuration to ensure all settings are correct.</p>\n<p><strong>Step 3 - Install Splunk Forwarder on LINUX01 and configure to send logs to SERVER01:</strong></p>\n<p>Use Putty to SSH to the Linux server.  
Use the credentials for the Linux server listed in the lab information to connect.</p>\n<p>Once connected via SSH, there are a few pre-requisites to complete before installing the forwarder:</p>\n<ul>\n<li>Create a new user to be the owner for the installation:</li>\n</ul>\n<pre class=\"codehilite\"><code class=\"language-bash\">sudo useradd -m splunk</code></pre>\n\n<ul>\n<li>Create a variable to easily store the installation location:</li>\n</ul>\n<pre class=\"codehilite\"><code class=\"language-bash\">export SPLUNK_HOME=\"/opt/splunkforwarder\"</code></pre>\n\n<ul>\n<li>Create the folder</li>\n</ul>\n<pre class=\"codehilite\"><code class=\"language-bash\">sudo mkdir $SPLUNK_HOME</code></pre>\n\n<p><img alt=\"Linux pre-reqs\" src=\"https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/17.png\" /></p>\n<p>With the pre-requisites completed, we can install the forwarder now</p>\n<pre class=\"codehilite\"><code class=\"language-bash\">sudo dpkg -i splunkforwarder-9.0.4-de405f4a7979-linux-2.6-amd64.deb</code></pre>\n\n<p><img alt=\"Splunk Forwarder installation\" src=\"https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/18.png\" /></p>\n<p>Now that the forwarder is installed, change the ownership of the folder to the user we created earlier:</p>\n<pre class=\"codehilite\"><code class=\"language-bash\">sudo chown splunk:splunk $SPLUNK_HOME -R</code></pre>\n\n<p>Now change directories into the <strong>$SPLUNK_HOME/bin</strong> directory.  
<strong>The rest of the commands will not work if this step is not completed</strong></p>\n<pre class=\"codehilite\"><code class=\"language-bash\">cd $SPLUNK_HOME/bin</code></pre>\n\n<p><img alt=\"Change owner\" src=\"https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/19.png\" /></p>\n<p>Start the Splunk Forwarder (accepting the license agreement):</p>\n<pre class=\"codehilite\"><code class=\"language-bash\">sudo ./splunk start --accept-license</code></pre>\n\n<p><img alt=\"Starting Splunk\" src=\"https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/20.png\" /></p>\n<p>You will be prompted to create a new administrator for this forwarder.  Enter a username and password when prompted.  <strong>You will need this information again in a moment</strong></p>\n<p><img alt=\"Creating User\" src=\"https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/21.png\" /></p>\n<p>The forwarder will take a moment to start and then it will show its completed startup:</p>\n<p><img alt=\"Started\" src=\"https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/22.png\" /></p>\n<p>Next, we need to tell Splunk where to send its logs.  Enter the following command to configure the forwarding.  Enter the username/password you just created when prompted.</p>\n<pre class=\"codehilite\"><code class=\"language-bash\">sudo ./splunk add forward-server 172.31.115.110:9997</code></pre>\n\n<p><img alt=\"Configure Linux forwarder\" src=\"https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/23.png\" /></p>\n<p>Next, we need to tell Splunk what logs to monitor.  In our case, we need to monitor the file <strong>/var/log/auth.log</strong>.  Use the following command to configure this.  
If done within a few minutes of the last command, you should not be prompted for the username again.</p>\n<pre class=\"codehilite\"><code class=\"language-bash\">sudo ./splunk add monitor /var/log/auth.log</code></pre>\n\n<p><img alt=\"Add Splunk monitor\" src=\"https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/24.png\" /></p>\n<p>Now, for good measure, restart the Splunk Forwarder to ensure all the new settings are applied</p>\n<pre class=\"codehilite\"><code class=\"language-bash\">sudo ./splunk restart</code></pre>\n\n<p><img alt=\"Splunk forward restart\" src=\"https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/25.png\" /></p>\n<p>Once the restart is complete (should only take a few seconds), return to the Splunk search console and repeat our previous search, but replacing the host with <em>linux01</em> this time.</p>\n<p><img alt=\"Splunk search linux01\" src=\"https://assets.ine.com/content/labs/ptp/BrianOlliff/VOD-4529/LAB-4740/26.png\" /></p>\n<p>Now that we have all of the logs being sent to the Splunk server, feel free to perform various searches to see what type of data we are capturing.</p>\n<p>We'll perform additional analysis on these logs (and more) in the <em>Log Analysis</em> lab.</p>",
    "flags": [],
    "min_points_to_pass": null,
    "access_type": "default",
    "user_status": "unstarted",
    "user_lab_status": null,
    "user_status_modified": null,
    "user_flags": [],
    "global_running_session": null
}