{"id":22431949,"url":"https://github.com/dncrypter/splunk-siem-lab","last_synced_at":"2026-02-01T23:02:13.612Z","repository":{"id":260082902,"uuid":"880227532","full_name":"DNcrypter/Splunk-SIEM-Lab","owner":"DNcrypter","description":"Splunk is a powerful platform for searching, monitoring, and analyzing machine-generated big logs data in real-time. The Splunk Indexer processes incoming data, transforming it into searchable events, while the Forwarder collects and forwards log data to the Indexer for analysis.","archived":false,"fork":false,"pushed_at":"2024-10-29T11:07:00.000Z","size":135,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-06-16T12:52:51.022Z","etag":null,"topics":["siem","splunk-enterprise"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DNcrypter.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-10-29T10:58:27.000Z","updated_at":"2024-10-29T14:11:05.000Z","dependencies_parsed_at":null,"dependency_job_id":"0e18e456-cb83-46dd-9c9e-034ad3dd18de","html_url":"https://github.com/DNcrypter/Splunk-SIEM-Lab","commit_stats":null,"previous_names":["dncrypter/splunk-siem-lab"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/DNcrypter/Splunk-SIEM-Lab","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DNcrypter%2FSplunk-SIEM-Lab","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DNcrypter%2FSplunk-SIEM-Lab/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DNcrypter%2FSplunk-SIEM-Lab/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DNcrypter%2FSplunk-SIEM-Lab/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/DNcrypter","download_url":"https://codeload.github.com/DNcrypter/Splunk-SIEM-Lab/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DNcrypter%2FSplunk-SIEM-Lab/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28993744,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-01T22:01:47.507Z","status":"ssl_error","status_checked_at":"2026-02-01T21:58:37.335Z","response_time":56,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["siem","splunk-enterprise"],"created_at":"2024-12-05T22:09:55.871Z","updated_at":"2026-02-01T23:02:13.596Z","avatar_url":"https://github.com/DNcrypter.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Splunk-Home-Lab\n\nSplunk is a powerful platform for searching, monitoring, and analyzing machine-generated log data in real time. The Splunk Indexer processes incoming data, transforming it into searchable events, while the Forwarder collects log data and forwards it to the Indexer for analysis. Together, they provide comprehensive insight into your systems and applications.  \n\n[![MIT License](https://img.shields.io/badge/License-MIT-green.svg)](https://choosealicense.com/licenses/mit/)\n[![LinkedIn](https://img.shields.io/badge/LinkedIn-Profile-blue)](https://www.linkedin.com/in/nikhil--chaudhari/)\n[![Medium](https://img.shields.io/badge/Medium-Writeups-black)](https://medium.com/@nikhil-c)\n\n## 🍁Introduction\nThis lab is designed to practice log analysis with a Splunk Universal Forwarder sending logs to a Splunk Indexer. We will install and configure both the Indexer and the Forwarder on a single Ubuntu Linux machine.\n\n![](https://github.com/DNcrypter/Splunk-SIEM-Lab/blob/main/splunk_2.png)\n\n## 🔗Prerequisites\n- Basic understanding of the command line\n- Internet connectivity\n- Familiarity with Linux systems\n\n## 📝Requirements:\n- VMware\n- Ubuntu 22.04 installed in a virtual machine\n\n## 👩🏻‍🔬🧪Lab set-up\n### ⚙️Splunk indexer installation:  \n\n**Step 1** : Register on the Splunk website (you can use a temp-mail service in place of your own e-mail address). Then download Splunk Enterprise with the command below in your terminal.\n```\nwget -O splunk-9.3.1-0b8d769cb912-Linux-x86_64.tgz \"https://download.splunk.com/products/splunk/releases/9.3.1/linux/splunk-9.3.1-0b8d769cb912-Linux-x86_64.tgz\"\n```\n\n**Step 2** : Go to the directory where you downloaded Splunk and extract the archive into `/opt`. The file name must match the one downloaded in Step 1.\n```\nsudo tar -xvzf splunk-9.3.1-0b8d769cb912-Linux-x86_64.tgz -C /opt\n```\n\n**Step 3** : Start Splunk, accepting the license agreement.\n```\nsudo /opt/splunk/bin/splunk start --accept-license\n```\n\n**Note** : Starting with `sudo` runs Splunk as root, and everything under `/opt/splunk` is then owned by root. That is acceptable for a throw-away lab; on anything shared, create a dedicated `splunk` user, `chown` the install tree to it and start Splunk as that user.\n\n**Step 4** : If the license text is shown, press the space bar until you reach the bottom. Create your admin username and password. Then go to http://localhost:8000/ and log in.\n```\nhttp://localhost:8000/\n```\n\n\n\n### ⚙️Configuration and error handling:  \n\n**Step 1** : To run the `splunk` command from anywhere in your terminal, create a symlink in a directory that is on your PATH.\n```\nsudo ln -s /opt/splunk/bin/splunk /usr/local/bin/splunk\n```\nThis link points at the **indexer's** binary. The Universal Forwarder installed later ships its own `bin/splunk`, so always call the forwarder's binary by its full path (`/opt/splunkforwarder/bin/splunk`), never through this link.\n\n**Step 2** : Now your Splunk indexer is ready. Start or stop Splunk with the commands below.\n```\nsudo splunk start\nsudo splunk stop\n```\n\n**Step 3** : Enter your login credentials on the Splunk login page in the browser.\n```\nhttp://localhost:8000/\n```\n\n**Step 4** : After logging in, set up a listener on the Splunk indexer. Go to **Settings \u003e Forwarding and receiving \u003e Configure receiving**, click **New Receiving Port** and enter port `9997`; we will use it later when configuring the forwarder. Traffic to this port is unencrypted by default, which is fine for a forwarder on the same machine (127.0.0.1), but for forwarders on other hosts configure TLS on both sides before sending logs across the network.\n\n### ⚙️Splunk Universal Forwarder installation:  \n\nWhile installing the forwarder on the same machine, be careful: it can conflict with the indexer. Yes, I got stuck there with a config problem for 2 hours, especially with errors such as \"$SPLUNK_HOME and $SPLUNK_ETC not defined\", etc.\n\n**Step 1** : Download the Splunk Universal Forwarder with the command below, or download it from the Splunk website.\n```\nwget -O splunkforwarder-9.3.1-0b8d769cb912-Linux-x86_64.tgz \"https://download.splunk.com/products/universalforwarder/releases/9.3.1/linux/splunkforwarder-9.3.1-0b8d769cb912-Linux-x86_64.tgz\"\n```\n**Step 2** : Extract the tar file into the `/opt` directory.\n```\nsudo tar -xvzf splunkforwarder-9.3.1-0b8d769cb912-Linux-x86_64.tgz -C /opt\n```\n**Step 3** : Go to the `/opt/splunkforwarder/bin` directory.\n```\ncd /opt/splunkforwarder/bin\n```\n\n**Step 4** : Start the Splunk Forwarder and accept the license agreement. You will be asked to create an admin username and password for the forwarder; these are separate from the indexer's credentials.\n```\nsudo /opt/splunkforwarder/bin/splunk start --accept-license\n```\n**Step 5** : Make the forwarder start on every boot. Add `-user <name>` to run it as a dedicated non-root user instead of root.\n```\nsudo ./splunk enable boot-start\n```\n**Step 6** : Now we configure the universal forwarder to send data to our receiving indexer. As I installed both on the same machine I used the loopback address; you can use the IP address of your Splunk indexer instead.\n```\nsudo ./splunk add forward-server 127.0.0.1:9997\n```\n**Step 7** : Add the directory to monitor. When prompted, enter the forwarder's admin username and password (or pass them with `-auth` as below).\n```\nsudo ./splunk add monitor /var/log -auth username:password\n```\n**Note** : As I am using Ubuntu Linux I entered `/var/log`; change it to wherever your logs are stored.\n\n### ⚙️Configuring and Error handling:\n\nWhile configuring the forwarder, especially on the same machine, you could face errors such as the `$SPLUNK_HOME` and `$SPLUNK_ETC` variables not being set, etc. Both products ship a binary named `splunk`, and each derives its home directory from the location it is run from, so run every forwarder command as `/opt/splunkforwarder/bin/splunk` (or `./splunk` from inside `/opt/splunkforwarder/bin`), not through the indexer's symlink.\n\n**Tip** : While handling errors, try to solve them by searching on the internet; if that does not solve it, use ChatGPT, which can solve the problem. If you still face the same problem again and again, shut down the machine, restart it after 5 minutes, and start again from the first step. It worked for me.\n\nGo to the Splunk indexer app and open “Search \u0026 Reporting \u003e\u003e Data Summary”.\n\nBhoom…💥🎉😎… You have set up Splunk with fully live log analysis. Whenever logs are updated on your machine you can access and analyse them from the Splunk indexer.\n\n## 🚩Conclusion\nThe intention of this lab is to learn how the Splunk Enterprise system works and how we can install and configure it. I will show you how to analyse http_logs, DNS_logs, smtp_logs, etc. in the next project.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdncrypter%2Fsplunk-siem-lab","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdncrypter%2Fsplunk-siem-lab","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdncrypter%2Fsplunk-siem-lab/lists"}
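The README's wiring steps (Configure receiving on the indexer, then `add forward-server` and `add monitor` on the forwarder) each end up as a stanza in a `.conf` file. As an added example that is not part of the README or the Splunk-SIEM-Lab repository, the script below writes the on-disk equivalent of those three steps under each instance's `etc/system/local/` and then checks that the forwarder's target port actually matches the indexer's `splunktcp` listener, the mismatch that leaves Search & Reporting empty. This is the fallback when the forwarder's CLI refuses to run with the `$SPLUNK_HOME` error: write the files, then restart each instance by its full path. Paths, address, port and monitored directory are environment variables whose defaults match the README (`/opt/splunk`, `/opt/splunkforwarder`, `127.0.0.1`, `9997`, `/var/log`); the `default-autolb-group` name follows what `add forward-server` writes, while `verify_wiring` and its plaintext warning are this example's own additions.

```shell
#!/bin/sh
# Added example (not from the Splunk-SIEM-Lab repo): write the on-disk equivalent of the
# README's wiring steps and verify the forwarder points at the indexer's receiving port.
# Defaults match the README; override the variables for another layout or a dry run.
set -eu

INDEXER_HOME="${INDEXER_HOME:-/opt/splunk}"
FORWARDER_HOME="${FORWARDER_HOME:-/opt/splunkforwarder}"
INDEXER_ADDR="${INDEXER_ADDR:-127.0.0.1}"
RECEIVE_PORT="${RECEIVE_PORT:-9997}"
MONITOR_PATH="${MONITOR_PATH:-/var/log}"

# Indexer side: Settings > Forwarding and receiving > Configure receiving, port 9997
write_receiver_conf() {
    mkdir -p "$INDEXER_HOME/etc/system/local"
    printf '[splunktcp://%s]\ndisabled = 0\n' "$RECEIVE_PORT" \
        > "$INDEXER_HOME/etc/system/local/inputs.conf"
}

# Forwarder side: splunk add forward-server 127.0.0.1:9997
write_forwarder_outputs() {
    mkdir -p "$FORWARDER_HOME/etc/system/local"
    cat > "$FORWARDER_HOME/etc/system/local/outputs.conf" <<EOF
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = $INDEXER_ADDR:$RECEIVE_PORT

[tcpout-server://$INDEXER_ADDR:$RECEIVE_PORT]
EOF
}

# Forwarder side: splunk add monitor /var/log
# An absolute path yields three slashes ([monitor:///var/log]), which is the correct form.
write_forwarder_inputs() {
    mkdir -p "$FORWARDER_HOME/etc/system/local"
    printf '[monitor://%s]\ndisabled = false\n' "$MONITOR_PATH" \
        > "$FORWARDER_HOME/etc/system/local/inputs.conf"
}

# Returns 0 when the forwarder's target port equals the indexer's listener port, 1 otherwise.
# Warns (but still succeeds) when the target is not loopback: splunktcp is plaintext unless
# TLS is configured on both ends.
verify_wiring() {
    target=$(sed -n 's/^server = //p' "$FORWARDER_HOME/etc/system/local/outputs.conf")
    listener=$(sed -n 's/^\[splunktcp:\/\/\([0-9]*\)\]$/\1/p' "$INDEXER_HOME/etc/system/local/inputs.conf")
    if [ -z "$target" ] || [ -z "$listener" ]; then
        echo "verify_wiring: missing outputs.conf server entry or splunktcp stanza" >&2
        return 1
    fi
    if [ "${target#*:}" != "$listener" ]; then
        echo "verify_wiring: forwarder sends to $target but indexer listens on $listener" >&2
        return 1
    fi
    case "${target%:*}" in
        127.0.0.1|localhost) ;;
        *) echo "verify_wiring: $target is not loopback; port $listener carries plaintext unless TLS is configured" >&2 ;;
    esac
    return 0
}

# Usage: sudo ./wire-forwarder.sh apply
# then restart both instances by full path so they read the new files:
#   sudo /opt/splunk/bin/splunk restart && sudo /opt/splunkforwarder/bin/splunk restart
case "${1:-}" in
    apply) write_receiver_conf; write_forwarder_outputs; write_forwarder_inputs; verify_wiring ;;
esac
```

Run it with `apply` as a user that can write under both install trees (root, if you followed the README's `sudo` steps). Point `INDEXER_ADDR` at a remote indexer and `verify_wiring` still passes but prints the plaintext warning, which is the cue to set up TLS before the forwarder leaves the lab VM.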