IR 301: Installing Splunk on a Windows Server (15 pts)

What You Need for this Project

A Windows Server, local or in the cloud

Purpose

Splunk is a security tool that aggregates log data from applications, servers, and network devices. In this project, we'll use it to examine the activity on a single Windows machine.

Installing Firefox

You need Firefox to download Splunk. On your Windows server's desktop, in Internet Explorer, go to

https://getfirefox.com

Download and install Firefox.

Intalling Splunk

Download the appropriate installer for your operating system:

Install the software as usual.

During the installation, you will be prompted to select a username and password, as shown below.

Use these values:

Username: admin
Password: P@ssw0rd

If you are running Windows 11 on ARM, three error messages will pop up during installation. Just ignore them and close them.

Starting Splunk

After Splunk installs, a Web browser opens with the Splunk "First time signing in?" page, as shown below.

A box pops up asking you to help make Splunk better. Close it to show the "Explore Splunk Enterprise" page, as shown below.

Adding Data Sources

In the Splunk page, click "Add Data".

If a box pops up offering you a tour, click Skip.

The "Add data" page opens, as shown below.

In the bottom center, click Monitor.

If a "Help us improve Splunk software" box pops up, click Skip.

On the left side, click "Local Performance Monitoring".

In the right pane of the page, make these selections, as shown below:

Collection name: CPU
Available objects: Processor information
Selected counters: % Processor Time
Selected instances: _Total
Polling interval: 10

At the top of the page, click the green Next button.

At the top of the page, click the green Review button.

At the top of the page, click the green Submit button.

A page appears saying "Local performance monitoring input has been created successfully" as shown below.

Click "Add more data".

Click Monitor.

On the left side, click "Local Event Logs".

In the right pane, select these three logs, as shown below:

Application
System
Security

At the top of the page, click the green Next button.

At the top of the page, click the green Review button.

At the top of the page, click the green Submit button.

Searching the Data for "splunk"

Click "Start searching".

A box appears, offering you a tour, as shown below. Click Skip.

Click the green magnifying-glass icon on the top right.

Splunk shows some log entries from your system, as shown below.

In the "New Search" page, enter a search string of splunk as shown below.

At the top right, click the magnifying glass to perform the search.

Events about splunk appear, as shown below.

On the left side, in the "SELECTED FIELDS" list, click sourcetype.

Flag IR 301.1: First Event (15 pts)
In the Search bar, enter:
sourcetype="Perfmon:CPU"
The flag is covered by a green rectangle in the image below.

Updated 8-19-19 for Google Cloud
Password recommendations added 8-28-19
Flag instructions improved 6-14-2020
Cloud references and Splunk sign-in removed 3-23-24
Windows 11 on ARM note added, flag instructions updated 11-14-25