Setup SIEM @ Home with Splunk & Security Onion

Published: May 2, 2020

In this article, I’ll go over installing Splunk on top of Security Onion, which we installed in my last post: Setup HomeIDS. I don’t recommend installing your log management system on the same machine as your IDS in production, but it’s great for easy analysis, development or a POC.

First thing is to download Splunk Enterprise. At the time of writing, the Security Onion Splunk app is incompatible with the latest Splunk version (8.0.3), so we’ll be downloading Splunk Enterprise version 7.3.5.

Go to the following link (you’ll need an account) and click on “Older Releases”:
https://www.splunk.com/en_us/download/splunk-enterprise.html

Scroll down and click Linux x86_64

Then click the 7.3.5 deb package to download

The file will download automatically. You’ll need to transfer it over to your Security Onion VM, or use the wget command (highlighted) inside the VM.

I’ll use wget inside the Security Onion VM. Open a terminal and copy-paste the command. If you can’t copy-paste, check your virtual machine’s clipboard properties.

Issue a “sudo dpkg -i splunk-7.3.5-xxx” (lower-case -i installs the package; capital -I only prints package information).

Then issue “sudo /opt/splunk/bin/splunk start --accept-license” to get Splunk installed.

Enter a Splunk username and password. I recommend using “admin” for the username, as some older apps rely on this.

Now Splunk is installed!

Now we need to make sure Splunk starts at boot.

Now we can browse to Splunk from within the Security Onion VM, or from our host machine (since the VM’s network is bridged to our internal LAN).

To do this, we need to open up port 8000 in the Security Onion firewall. We’ll do this with “sudo ufw allow 8000”.
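The install steps above (package install, first start, boot-start, firewall rule) as one script. This is an added example, not from the original post. It assumes the downloaded package name matches splunk-7.3.5-*.deb and the default install path /opt/splunk; the version check encodes the compatibility note at the top of the post (the Security Onion app does not work with Splunk 8.x), so a Splunk 8 package is refused before dpkg runs.

```shell
#!/bin/bash
# Added example (not from the original post): scripted install of Splunk 7.3.5
# on the Security Onion VM. Assumes the .deb is named splunk-7.3.5-*.deb and
# Splunk installs to /opt/splunk. Run as: SPLUNK_RUN_INSTALL=1 ./install.sh splunk-7.3.5-xxx.deb
set -u

SPLUNK_HOME=/opt/splunk
MAX_MAJOR=7   # Security Onion app is incompatible with Splunk 8.x at time of writing

# Extract the major version from a Splunk package filename,
# e.g. splunk-7.3.5-xxx-linux-2.6-amd64.deb -> 7. Prints nothing if the name is unrecognised.
splunk_major_version() {
  basename "$1" | sed -n 's/^splunk-\([0-9]*\)\.[0-9]*\.[0-9]*-.*$/\1/p'
}

# Return 0 if the package's major version is usable with the Security Onion app, 1 otherwise.
check_splunk_package() {
  pkg=$1
  major=$(splunk_major_version "$pkg")
  if [ -z "$major" ]; then
    echo "unrecognised package name: $pkg" >&2
    return 1
  fi
  if [ "$major" -gt "$MAX_MAJOR" ]; then
    echo "Splunk $major.x is not supported by the Security Onion app; use 7.3.5" >&2
    return 1
  fi
  return 0
}

# The four steps from the post, in order. Refuses to start if the package check fails.
install_splunk() {
  pkg=$1
  check_splunk_package "$pkg" || return 1
  sudo dpkg -i "$pkg"                                    # lower-case -i installs; -I only prints package info
  sudo "$SPLUNK_HOME/bin/splunk" start --accept-license  # first start; prompts for the admin user/password
  sudo "$SPLUNK_HOME/bin/splunk" enable boot-start       # start Splunk at boot
  sudo ufw allow 8000                                    # Splunk Web, reachable from the host over the bridged LAN
}

# Only touch the system when explicitly asked, so the file can be sourced safely.
if [ "${SPLUNK_RUN_INSTALL:-0}" = "1" ]; then
  install_splunk "${1:?usage: SPLUNK_RUN_INSTALL=1 $0 splunk-7.3.5-xxx.deb}"
fi
```

The version guard is the part worth keeping even if you type the rest by hand: downloading the newest release is the default on the Splunk site, and the app incompatibility only shows up after the dashboards stay empty.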

From my Host computer I can now browse to Splunk.
http://<seconion-ip>:8000
Put in the admin username and password we configured during setup.

We’re in.

Now we have to download and install the Security Onion App for Splunk, and the apps it requires. You can download each app at the following URLs:

Security Onion App:
https://splunkbase.splunk.com/app/972/

Sideview Utils:
https://splunkbase.splunk.com/app/1486/

OSSEC:
https://splunkbase.splunk.com/app/2808

Geo Lookup:
https://splunkbase.splunk.com/app/291/

Google Maps:
https://splunkbase.splunk.com/app/368/

Viz App:
https://splunkbase.splunk.com/app/581/

Once you download these apps, click on the cog in the Splunk Home dashboard.

Then click “Install app from file”

Click “choose file”

Click on one of the files and repeat this process until they are all installed. Splunk will ask if you want to restart. You can wait until you install the last app to do this.

I’ll show one as an example: installing the geo-location app. I typically click “Upgrade app”, but with Splunk 8 and new compatibility issues, this might not always be wise. Then I click “Upload”.

Here’s the restart Splunk screen. Click “Restart later” until you’ve installed the last app. Then click “Restart Now”.

Once Splunk restarts, log in.

Here’s the list of visible apps after they are all installed. You can click on the cog again to confirm they are all installed.

Before the Security Onion App will display any Snort alerts, we have to make a change to a config file on the Security Onion VM.

Change debug from 1 to 2 in the file: /etc/nsm/securityonion/sguild.conf

Restart the NSM services for the change to take effect:

sudo nsm_server_ps-restart
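The sguild.conf change and restart, scripted so the edit is verified rather than assumed. This is an added example, not from the original post. It assumes the setting is written as “set DEBUG 1” in /etc/nsm/securityonion/sguild.conf (Tcl-style, which is how sguild reads its config); if your file spells it differently, adjust the pattern. The function refuses to run when no DEBUG line is found, so a typo in the path does not silently leave debug at 1.

```shell
#!/bin/bash
# Added example (not from the original post): raise sguild's DEBUG level from 1 to 2
# and restart the NSM server processes. Assumed config line form: "set DEBUG 1".
# Run as: SGUILD_APPLY=1 sudo ./sguild_debug.sh
set -u

SGUILD_CONF=/etc/nsm/securityonion/sguild.conf

# Rewrite "set DEBUG <n>" to the requested level in the given file, keeping a .bak copy.
# Returns 1 (and changes nothing) if the file has no DEBUG line.
set_sguild_debug() {
  conf=$1
  level=$2
  grep -Eq '^[[:space:]]*set[[:space:]]+DEBUG[[:space:]]+[0-9]+' "$conf" || {
    echo "no DEBUG line in $conf" >&2
    return 1
  }
  sed -i.bak -E "s/^([[:space:]]*set[[:space:]]+DEBUG[[:space:]]+)[0-9]+/\1$level/" "$conf"
}

# Read the current DEBUG level back, to confirm the edit took.
get_sguild_debug() {
  sed -nE 's/^[[:space:]]*set[[:space:]]+DEBUG[[:space:]]+([0-9]+).*/\1/p' "$1"
}

# Apply to the real file and restart sguild only when explicitly asked.
if [ "${SGUILD_APPLY:-0}" = "1" ]; then
  set_sguild_debug "$SGUILD_CONF" 2 || exit 1
  echo "sguild DEBUG is now $(get_sguild_debug "$SGUILD_CONF")"
  nsm_server_ps-restart
fi
```

After the restart, sguild logs the per-event detail the Security Onion app's Sguil panel expects; with DEBUG left at 1 the panel stays empty even though alerts are being generated.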

Now run through the same alert-generating exercise we ran in the last post. Open up an incognito browser and browse to testmyids.com.

Check the Security Onion app for the ROOT id Snort alert.

If you see anything populate the sguil panel, then you’re good!

You should also see the returned root signature in “Events of Interest”.

You can now click down into the event and see more info. You can also take actions against the field values.

Splunk is now installed on Security Onion and successfully ingesting alerts and Bro logs! Take some time to click through each of the dashboards to find events of interest. Not everything populates 100%, and some dashboards may need massaging for your additional data sets.