IR 301: Installing Splunk on a Windows Cloud Server (15 pts)

What You Need for this Project

Purpose

Splunk is a security tool that aggregates log data from applications, servers, and network devices. In this project, we'll use it to examine the activity on a single Windows machine.

Installing Firefox

You need Firefox to download Splunk. On your Windows server's desktop, in Internet Explorer, go to

https://getfirefox.com

Download and install Firefox.

Downloading Splunk

On your Windows server's desktop, in Firefox, go to https://www.splunk.com

At the top right, click the green "Free Splunk" button, as shown below.

On the next page, as shown below, log in to your Splunk account, or create a new account.

In the "Splunk Enterprise" section, as shown below, click the green "Download Free 60-Day Trial" link.

On the next page, in the "Windows" line, click the green "Download Now" button, as shown below.

Accept the agreement. Download and install Splunk with the default options.

You will need to choose a username and password for Splunk management. Note the values you choose--you will need them later.

Starting Splunk

After Splunk installs, a Web browser opens with the Splunk "First time signing in?" page, as shown below.

Log in with the username and password you chose during installation.

A box pops up asking you to help make Splunk better. Close it to show the "Explore Splunk Enterprise" page, as shown below.

Adding Data Sources

In the Splunk page, click "Add Data".

If a box pops up offering you a tour, click Skip.

The "Add data" page opens, as shown below.

In the bottom center, click Monitor.

If a "Help us improve Splunk software" box pops up, click Skip.

On the left side, click "Local Performance Monitoring".

In the right pane of the page, make these selections, as shown below:

At the top of the page, click the green Next button.

At the top of the page, click the green Review button.

At the top of the page, click the green Submit button.

A page appears saying "Local performance monitoring input has been created successfully" as shown below.

Click "Add more data".

Click Monitor.

On the left side, click "Local Event Logs".

In the right pane, select these three logs, as shown below:

At the top of the page, click the green Next button.

At the top of the page, click the green Review button.

At the top of the page, click the green Submit button.
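For reference, the two "Add Data" wizards above write stanzas into an inputs.conf file on the server rather than doing anything the Web interface alone can show. The file below is an added example written for this page, not a file copied from the project or from Splunk's documentation. It assumes the default Windows install path and the default "search" app context, and because the screenshots naming the three logs and the performance counters are not reproduced here, only the System log (the one referenced later in the search section) is shown and the counter object is a placeholder you should replace with whatever you selected.

```ini
; Assumed location (default install, default "search" app context):
;   C:\Program Files\Splunk\etc\apps\search\local\inputs.conf
; Restart the Splunkd service after editing this file by hand.

; Created by Add Data > Monitor > Local Performance Monitoring.
; "CPU" is an assumed stanza name; object/counters are placeholders
; for the selections you made in the wizard.
[perfmon://CPU]
object = Processor
counters = % Processor Time
instances = *
interval = 10
index = main
disabled = 0

; Created by Add Data > Monitor > Local Event Logs.
; One stanza per log; the page selects three, of which System is
; the one used later. Add the other two as their own stanzas.
[WinEventLog://System]
; 0 = input is enabled
disabled = 0
; read the whole existing log once, then keep tailing it
start_from = oldest
current_only = 0
; how often (seconds) to save the read position
checkpointInterval = 5
; classic text rendering; events arrive as sourcetype WinEventLog:System
renderXml = false
index = main
```

Knowing which file holds these stanzas is useful when a log you expect is missing from search results: check that the stanza exists, that disabled is 0, and that the Splunk service account can read the log in question.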

Searching the Data for "splunk"

Click "Start searching".

A box appears, offering you a tour, as shown below. Click Skip.

Click the green magnifying-glass icon on the top right.

Splunk shows some log entries from your system, as shown below.

In the "New Search" page, enter a search string of splunk as shown below.

At the top right, click the magnifying glass to perform the search.

Events about splunk appear, as shown below.

On the left side, in the "SELECTED FIELDS" list, click sourcetype.
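The clicks above build a search. The SPL below is an added example written for this page, not the page's own; it assumes the default index name "main" and uses the sourcetype names Splunk assigns to Windows event-log inputs. The first search is the one the page has you build with the search box and the sourcetype field; the second is a quick check a practitioner runs right after adding inputs to confirm each source is actually arriving, which the page does not show.

```spl
search index=main splunk sourcetype="WinEventLog:System"
| head 1

search index=main earliest=-24h
| stats count, max(_time) AS latest BY sourcetype
| convert ctime(latest)
```

If a sourcetype you configured is absent from the second result, the input is not delivering events and the inputs.conf stanza or the service account's permissions are the first things to check.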


Flag IR 301.1: First Event (15 pts)

In the sourcetype box, click WinEventLog:System.

Scroll down to the first event, as shown below. Find the text covered by a green box in the image below. That's the flag.


Updated 8-19-19 for Google Cloud