{"id":20827660,"url":"https://github.com/bonifield/splunk_on_security_onion","last_synced_at":"2025-06-14T05:33:11.270Z","repository":{"id":212220886,"uuid":"204807122","full_name":"bonifield/splunk_on_security_onion","owner":"bonifield","description":"Splunk configs for Security Onion","archived":false,"fork":false,"pushed_at":"2023-12-13T05:50:03.000Z","size":419,"stargazers_count":6,"open_issues_count":1,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-01-18T17:56:54.618Z","etag":null,"topics":["bro","forwarder","onion","security","splunk","sysmon","zeek"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bonifield.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-08-27T23:22:39.000Z","updated_at":"2024-07-16T02:20:14.000Z","dependencies_parsed_at":null,"dependency_job_id":"4c8e4b86-168c-4380-88c2-502b7f4cfcd2","html_url":"https://github.com/bonifield/splunk_on_security_onion","commit_stats":null,"previous_names":["bonifield/splunk_on_security_onion"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bonifield%2Fsplunk_on_security_onion","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bonifield%2Fsplunk_on_security_onion/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bonifield%2Fsplunk_on_security_onion/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bonifield%2Fsplunk_on_security_onion/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bonifield","download_url":"https://codeload.github.com/bonifield/splunk_on_security_onion/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243175218,"owners_count":20248432,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bro","forwarder","onion","security","splunk","sysmon","zeek"],"created_at":"2024-11-17T23:12:38.264Z","updated_at":"2025-03-12T07:26:50.607Z","avatar_url":"https://github.com/bonifield.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Splunk on Security Onion\n\n### Updates\n- 24 June 2020\n\t- converted Bro terminology to Zeek where appropriate (configs and query examples)\n\t- added a list of basic Sysmon table queries\n- 12 May 2020\n\t- added a lookup table for [Windows System Error Codes](https://docs.microsoft.com/en-us/windows/win32/debug/system-error-codes); these are useful for things like Sysmon's Event Code 22 field \"QueryStatus\" or other places where error codes occur\n- 11 May 2020\n\t- updated the Sysmon config\n\t- updated Sysmon install notes below (notably the removal of \"-n\")\n- 29 Feb 2020\n\t- converted many evaluated fields to search-time extractions, added new fields, added new aliases, removed Splunk binaries from Sysmon (via config) and Security (via blacklists) logs, added winnetmon (Splunk binary) sourcetype to log all accepted inbound connections on a host\n- 11 Jan 2020\n\t- added several new Sysmon extractions, added Affected_* fields for Security event logs, minor additions for PowerShell and System logs\n\n### Objectives:\n- Manage logs with Splunk, versus the ELK stack built into Security Onion\n- Ingest Windows Application, Security, System, Sysmon, and Splunk monitoring logs via forwarding from remote hosts into Splunk on Security Onion\n- Centrally monitor home or small office networks, especially for the purposes of home lab penetration testing and post-analysis\n- Provide all necessary configuration files, and all necessary commands in a streamlined set of instructions\n\n### What This IS:\n- A manual, but streamlined, method of installing and configuring Splunk on a standalone instance of Security Onion to receive Zeek, Sysmon, and Windows Event logs (Application, Security, System), and select logs from the Splunk monitoring binaries\n\t- A series of very clear configuration files, and instructions on where to put them\n\t- A series of instructions that work across Debian-based Linux builds (Debian, Ubuntu, Security Onion, etc)\n- A fully functional project (note points below as to what is not yet included)\n- A pet project\n- A work in progress\n\n### What This IS NOT:\n- A perfect solution\n- ~~A solution that uses intermediate forwarders; this is one of many lab setups, though intermediate forwarders would greatly enhance the function, and security, of this project~~ Now, with Intermediate Forwarder configs!\n- Splunk Dashboards 101 (though a basic one is included in my helpers folder)\n- An application (sure, apps are easy, but they don't show me how or why they work)\n- A finished project (Snort and OSSEC parsers aren't included, nor even finished, as of this writing)\n- A Splunk license (use the free one for your home lab)\n- A series of instructions for RHEL/CentOS/Fedora/etc.  This is for Security Onion specifically, but it works just as well (identically) on Ubuntu.\n\n### Considerations:\n- The amount of storage you have available\n\t- Do you really need full PCAP for everything, or can you shorten how long files are saved?\n- The size of the network you are collecting from\n\t- Does your Security Onion have enough resources?\n\t\t- Zeek and Splunk may need to be tuned individually\n\t- Can you transport all of those logs across the network without impacting your business operations?\n- Log data relevance\n\t- The Sysmon configuration here is very wide open, moreso than the SwiftOnSecurity alpha config.\n\t\t- Do you want to make a wide-open anything-goes config?  Do you want even more restrictions?\n\t\t- Do you *need* specific logs, i.e. Application, certain Zeek logs, WinNetMon, etc?\n\n### If using Ubuntu and not Security Onion, this requires that Zeek (Bro) produce logs in JSON format, and the monitor paths be changed as necessary in the server's inputs.conf file.  Otherwise, all configurations should work exactly the same.\n\n### TODO\n- ...make an app?\n- Field modifications:  ~~CEF~~ Elastic Common Schema compliance and field name fixes, better extractions (index-time and search-time), MORE extractions/fixes as needed (there are definitely some I missed)\n- Split winsec, winapp, winsys into their own indexes, as opposed to all being rolled into winevt\n- Create scripts and/or GPOs to install the forwarders across a network\n- Utilize Splunk's ability to create new (non-default) certificates when deploying to hosts\n- Add hardening guide (unlikely)\n- ~~Intermediate forwarders (because the whole network does NOT need direct access to Security Onion...)~~\n- Repo for Win/Sysmon on ELK, the exact reverse of this project\n- Snort and OSSEC parsers (TAs are being updated though so maybe not)\n- Custom Python scripts that enrich the indexes, provide lookups, API calls, etc \n- Visual map of how these configs interact with each other\n- Automate and/or containerize\n\n## INSTRUCTIONS\n\n### On Security Onion\n- Install Security Onion, DO NOT ENABLE ELK WHEN PROMPTED DURING THE THIRD SETUP PHASE\n  - Make sure your storage capabilities are pretty solid, or just turn off full PCAP if it's not important to you\n- Install Splunk\n- Configure Splunk to start on boot (Ubuntu/systemd, other systems read [here](https://docs.splunk.com/Documentation/Splunk/8.0.0/Admin/ConfigureSplunktostartatboottime))\n```\nsudo dpkg -i [yoursplunkfile].deb\nsudo /opt/splunk/bin/splunk start\nsudo /opt/splunk/bin/splunk stop\nsudo /opt/splunk/bin/splunk enable boot-start -systemd-managed 1\nsudo /opt/splunk/bin/splunk start\n```\n- Log into the Splunk GUI, and configure the server to use HTTPS\n```\nSettings --\u003e Server Settings --\u003e General Settings --\u003e Enable SSL (HTTPS) in Splunk Web? --\u003e YES\n```\n- Log back into Splunk and create four new indexes: zeek, sysmon, winevt, splunkmon\n\t- Change other options as desired, but it's extremely unlikely you won't need to for a home/small business setting\n```\nSettings --\u003e Indexes --\u003e New Index --\u003e Index Name:  zeek --\u003e Save\n                         New Index --\u003e Index Name:  sysmon --\u003e Save\n                         New Index --\u003e Index Name:  winevt --\u003e Save\n                         New Index --\u003e Index Name:  splunkmon --\u003e Save\n```\n- Make the new indexes viewable on the homepage Data Summary and for any user account deemed necessary\n```\nSettings --\u003e Access Controls --\u003e Roles --\u003e [role] --\u003e Indexes tab --\u003e select the checkboxes in both Included and Default for desired index\n```\n- Add a Receiving Port for Splunk to ingest logs from other hosts\n```\nSplunk --\u003e Settings --\u003e Forwarding and receiving --\u003e Configure receiving --\u003e + Add New --\u003e 9997 --\u003e Save\n```\n- Configure UFW (firewall) to allow forwarded logs (from endpoints or Intermediate Forwarder, see below) to the Receiver\n```\nsudo ufw allow 8089/tcp\nsudo ufw allow 9997/tcp\nOR\nsudo ufw allow proto tcp from [host-ip] to [indexer-ip] port 8089\nsudo ufw allow proto tcp from [host-ip] to [indexer-ip] port 9997\n```\n- Place inputs.conf (the indexer version) on the indexer (Splunk server)\n\t- /opt/splunk/etc/system/local/inputs.conf\n- Place props.conf on the indexer\n\t- /opt/splunk/etc/system/local/props.conf\n- Place transforms.conf on the indexer\n\t- /opt/splunk/etc/system/local/transforms.conf\n\n## If you are going to use an Intermediate Forwarder to relay logs, vs allowing all of your hosts to directly access Security Onion, [read the instructions here](https://github.com/bonifield/splunk_on_security_onion/tree/master/intermediateforwarder-files), and don't forget to change your endpoint outputs.conf IP addresses to the Intermediate Forwarder.\n\n### On Endpoints\n- Place [sysmon](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon) on the host, somewhere users don't have access to (NOT C:\\Users)\n- Place sysmon-config-sosalpha-JB-MODS.xml with sysmon, for sake of ease\n\t- This configuration is a derivative of the alpha config developed by [SwiftOnSecurity](https://github.com/SwiftOnSecurity/sysmon-config)\n- Install Sysmon\n\t- or better yet, use a GPO\n\t- NOTE - in April 2020, the \"-n\" flag was deprecated; network logging can only be enabled via configuration ([source](https://twitter.com/CipherMonger/status/1257367319434715138))\n```\nsysmon.exe -i sysmon-config-sosalpha-JB-MODS.xml -accepteula\nOR over the network\n\\\\SysVol\\Or\\ServerName\\sysmon -i sysmon-config-sosalpha-JB-MODS.xml -accepteula\n```\n- Place the Universal Forwarder on the host and install it silently\n\t- Substitute INDEXER_IP_ADDRESS for your Splunk's network address\n\t- remove SERVICESTARTTYPE to make the forwarder automatically start after install, which is less optimal for scripts but convenient for single, step-by-step installs\n```\nmsiexec.exe /i [yoursplunkforwarder].msi RECEIVING_INDEXER=\"INDEXER_IP_ADDRESS:9997\" SERVICESTARTTYPE=manual AGREETOLICENSE=Yes /quiet\n```\n- Place inputs.conf (the endpoint version) on the host (don't forget that spaces in filepaths are lame...)\n\t- \"C:/Program Files/SplunkUniversalForwarder/etc/system/local/inputs.conf\"\n- Place outputs.conf (the endpoint version) on the host\n\t- \"C:/Program Files/SplunkUniversalForwarder/etc/system/local/outputs.conf\"\n\t\t- substitute IPs as necessary for your indexer\n- Configure the Forwarder to start automatically on boot, then start (or restart) the Forwarder\n```\nsc config SplunkForwarder start=auto\n\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk.exe\" start\n```\n- Verify Splunk is both receiving logs from Windows endpoints, and indexing local Zeek (Bro) logs\n```\nSplunk homepage --\u003e Searching and Reporting --\u003e Data Summary --\u003e Sourcetypes\n```\n- Note: some people have reported that you may need to restart the endpoint forwarder\n```\n\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk.exe\" restart\n```\n\n### Randoms\n- start/stop/restart Splunk\n```\nsudo /opt/splunk/bin/splunk start\nsudo /opt/splunk/bin/splunk stop\nsudo /opt/splunk/bin/splunk restart\n```\n- Clean old data in an index, and re-index all local files in any monitored folders\n\t- Typically if Zeek logs need to be purged because you forgot to convert output to JSON\n```\nsudo ./splunk stop\nsudo ./splunk list index\nsudo ./splunk clean eventdata -index _thefishbucket\nsudo ./splunk clean eventdata -index [index]\nsudo ./splunk start\n```\n- Force Splunk to recognize new changes to props.conf and/or transforms.conf\n\t- Try these things IN THIS ORDER\n```\nSearch Bar --\u003e type (yes with a leading pipe)\t| extract reload=T\nsudo /opt/splunk/bin/splunk restart\n```\n\n- Image = official term for a compiled binary file\n- Subject_* = the one performing the action in question; the account requesting a logon (service, user, etc) but NOT the actual account logging on\n- Affected_* = rollup of account names and security IDs that would be otherwise affected by the subject account (targets, new logons, etc).  Examples of affected accounts would be the actual user being logged on by SYSTEM (the subject), or a user account having a password reset.\n- Target_* and User_* = the one being acted upon by the Subject\n- New_Logon_* = the account for whom the new logon was created, i.e. the account logged on\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbonifield%2Fsplunk_on_security_onion","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbonifield%2Fsplunk_on_security_onion","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbonifield%2Fsplunk_on_security_onion/lists"}