Splunk 20230910-Wa0000

The document discusses Splunk, an open source SIEM tool. It describes what Splunk is, its components, architecture and how it collects and indexes log data from various sources to enable searching and analytics. The document also provides information on Splunk products and licensing options.

Uploaded by

suraj patil

WWW.SIEMXPERT.COM
mail us: [email protected]

SPLUNK
SIEM ADMINISTRATOR AND SECURITY

WWW.SIEMXPERT.COM BY SULABH MISHRA

What SIEM is and how it fits into a SOC:


Security Information and Event Management (SIEM) is a software or hardware solution that aggregates and analyses activity from many different resources across your entire IT infrastructure.

SIEM collects security data from network devices, security devices, servers, domain controllers, and more. SIEM stores, normalizes, aggregates, and applies analytics to that data to discover trends, detect threats, and enable organizations to investigate any alerts.

SIEM provides two primary capabilities to an Incident Response team:

1. It collects logs from various data sources, keeps them on a central log-management system, provides searching and reporting capabilities, and provides a long retention period.
2. Real-time monitoring, correlation and alerting on security threats.

At its core, SIEM is a data aggregator, search, and reporting system. SIEM gathers immense amounts
of data from your entire networked environment, consolidates and makes that data human accessible.
With the data categorized and laid out at your fingertips, you can research data security breaches
with as much detail as needed.

Various SIEM tools are available in the market, for example:

• ArcSight
• Splunk
• QRadar
• McAfee, etc.

The tool is selected depending on the pros and cons of each SIEM tool and how it fits our enterprise network.

For example, ArcSight is very good at correlation and alerting, Splunk is very good at analytics and visualization, and QRadar is good from a simplicity perspective.


Modern SOC:

Security Monitoring:


Splunk History
Splunk Inc. is an American public multinational corporation based in San Francisco, California.

Michael Baum, Rob Das and Erik Swan co-founded Splunk Inc. in 2003.

What is Splunk?
Splunk is an advanced, scalable, and effective technology that indexes and searches log files stored in a system. It analyses machine-generated data to provide operational intelligence. The main advantage of using Splunk is that it does not need any database to store its data, as it extensively makes use of its indexes to store the data.

Splunk is not only a SIEM tool; it can work more as an analytical tool and can receive data from any data source.

To use Splunk as a SIEM tool, you have to deploy the Splunk Enterprise Security app on top of Splunk.

What is the Use of Splunk?

Splunk is a software technology used for monitoring, searching, analysing and visualizing machine-generated data in real time. It can monitor and read different types of log files and stores the data as events in indexers. The tool allows you to visualize data in various forms of dashboards.

Splunk offers plenty of benefits for an organization. Some of the benefits of using Splunk are:

• Offers an enhanced GUI and real-time visibility in a dashboard.
• Reduces troubleshooting and resolution time by offering instant results.
• It is a best-suited tool for root cause analysis.
• Allows you to generate graphs, alerts, and dashboards.
• You can easily search and investigate specific results using Splunk.
• Allows you to troubleshoot any condition of failure for improved performance.
• Helps you to monitor any business metrics and make informed decisions.
• Allows you to incorporate Artificial Intelligence into your data strategy.
• Allows you to gather useful Operational Intelligence from your machine data.
• Summarizes and collects valuable information from different logs.
• Accepts any data type, such as .csv, JSON, log formats, etc.
• Offers the most powerful search, analysis, and visualization capabilities to empower users of all types.
• Allows you to create a central repository for searching Splunk data from various sources.


Splunk Products
Splunk is available in three different versions:

• Splunk Enterprise
• Splunk Light
• Splunk Cloud

Splunk Enterprise
The Splunk Enterprise edition is used by large IT businesses. It helps you to gather and analyse data from applications, websites, network devices, security devices and many more.

Splunk Cloud
Splunk Cloud is a hosted platform. It has the same features as the Enterprise version. It can be obtained from Splunk or on the AWS cloud platform.

Splunk Light
Splunk Light is a free version. It allows you to search, report and alert on your log data. It has limited functionality and features compared to the other versions.

Splunk Architecture

There are 3 main components in Splunk:

• Splunk Forwarder, used for collecting and forwarding data
• Splunk Indexer, used for parsing and indexing the data
• Search Head, a GUI used for searching, analysing and reporting


Splunk Forwarder
The Splunk Forwarder is the component you use for collecting logs. Suppose you want to collect logs from a remote machine; you can accomplish that by using Splunk's remote forwarders, which are independent of the main Splunk instance.

In fact, you can install several such forwarders on multiple machines, which will forward the log data to a Splunk Indexer for processing and storage. What if you want to do real-time analysis of the data? Splunk forwarders can be used for that purpose too. You can configure the forwarders to send data to Splunk indexers in real time. You can install them on multiple systems and collect data simultaneously from different machines in real time.

Compared to other traditional monitoring tools, the Splunk Forwarder consumes very little CPU (~1-2%). You can scale up to tens of thousands of remote systems easily and collect terabytes of data with minimal impact on performance.


Types of Splunk Forwarders

• Universal Forwarder
• Heavy Forwarder

Universal Forwarder – You can opt for a universal forwarder if you want to forward the raw data collected at the source. It is a simple component which performs minimal processing on the incoming data streams before forwarding them to an indexer.

Data transfer is a major problem with almost every tool in the market. Since there is minimal processing of the data before it is forwarded, a lot of unnecessary data is also forwarded to the indexer, resulting in performance overheads.

Why go through the trouble of transferring all the data to the Indexers and then filtering out only the relevant data? Wouldn't it be better to send only the relevant data to the Indexer and save on bandwidth, time and money? This can be solved by using Heavy forwarders, which I have explained below.

Heavy Forwarder – You can use a Heavy forwarder and eliminate half your problems, because one level of data processing happens at the source itself before data is forwarded to the indexer. A Heavy Forwarder typically does parsing and indexing at the source and also intelligently routes the data to the Indexer, saving on bandwidth and storage space. So when a heavy forwarder parses the data, the indexer only needs to handle the indexing segment.


Splunk Indexer: The Indexer is the Splunk component you use for indexing and storing the data coming from the forwarder. The Splunk instance transforms the incoming data into events and stores them in indexes so that search operations can be performed efficiently.

If you are receiving the data from a Universal forwarder, the indexer will first parse the data and then index it. Parsing of data is done to eliminate the unwanted data. But if you are receiving the data from a Heavy forwarder, the indexer will only index the data.

As the Splunk instance indexes your data, it creates a number of files. These files contain one of the below:
• Raw data in compressed form
• Indexes that point to the raw data (index files, also referred to as tsidx files), plus some metadata files

These files reside in sets of directories called buckets.

Let's understand how Indexing works.
Splunk processes the incoming data to enable fast search and analysis. It enhances the data in various ways, such as:

• Separating the data stream into individual, searchable events
• Creating or identifying timestamps
• Extracting fields such as host, source, and sourcetype
• Performing user-defined actions on the incoming data, such as identifying custom fields, masking sensitive data, writing new or modified keys, applying breaking rules for multi-line events, filtering unwanted events, and routing events to specified indexes or servers

This indexing process is also known as event processing.

Another benefit of the Splunk Indexer is data replication. You need not worry about loss of data because Splunk keeps multiple copies of indexed data. This process is called Index replication or Indexer clustering. It is achieved with the help of an Indexer cluster, which is a group of indexers configured to replicate each other's data.
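The event-processing stages listed above, together with the heavy-forwarder idea of filtering and routing data before it reaches the indexer, can be modelled in a few dozen lines. The following Python is an added example written for this page, not Splunk code: the line-breaking, timestamp, masking, filtering and routing rules, the index names, the `host`/`source`/`sourcetype` values and the syslog-style sample stream are all constructed for the illustration.

```python
"""Simplified model of Splunk's event-processing pipeline (added example,
not Splunk code): break a raw stream into events, extract timestamps,
attach host/source/sourcetype metadata, mask sensitive data, drop unwanted
events and route the rest to an index. The regexes, index names and the
constructed sample stream are assumptions made for this illustration."""
import re
from datetime import datetime

# Constructed sample input: a syslog-style stream with one multi-line event.
RAW_STREAM = """\
2023-09-10 10:00:01 sshd[1021]: Accepted password for alice from 10.0.0.5 port 51022
2023-09-10 10:00:02 sshd[1021]: Failed password for root from 203.0.113.9 port 40112
2023-09-10 10:00:03 app[77]: payment ok card=4111111111111111 user=bob
2023-09-10 10:00:04 app[77]: ERROR unhandled exception
    at checkout.process(checkout.py:42)
    at main(app.py:10)
2023-09-10 10:00:05 cron[9]: heartbeat
"""

# Breaking rule: a new event starts at a line that begins with a timestamp.
EVENT_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")
TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
# Masking rule: keep only the last four digits of a 16-digit card number.
CARD = re.compile(r"\b(\d{12})(\d{4})\b")
# Filtering rule: heartbeat noise is dropped before indexing (Splunk's nullQueue idea).
DROP = re.compile(r"heartbeat")
# Routing rules: the first matching pattern decides the destination index.
ROUTES = [(re.compile(r"sshd\["), "os_auth"), (re.compile(r"app\["), "app_logs")]
DEFAULT_INDEX = "main"


def break_events(stream: str) -> list[str]:
    """Split the stream into events using the line-breaking rule.
    Lines without a leading timestamp are appended to the previous event."""
    events: list[str] = []
    for line in stream.splitlines():
        if EVENT_START.match(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def process_stream(stream: str, host: str, source: str, sourcetype: str) -> list[dict]:
    """Run every pipeline stage and return the events that would be indexed."""
    indexed = []
    for raw in break_events(stream):
        if DROP.search(raw):
            continue  # filtered out; never reaches an index
        m = TIMESTAMP.match(raw)
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S") if m else None
        masked = CARD.sub(lambda mm: "X" * 12 + mm.group(2), raw)
        index = next((name for pat, name in ROUTES if pat.search(masked)), DEFAULT_INDEX)
        indexed.append({
            "_time": ts, "host": host, "source": source,
            "sourcetype": sourcetype, "index": index, "_raw": masked,
        })
    return indexed


if __name__ == "__main__":
    for ev in process_stream(RAW_STREAM, "web01", "/var/log/messages", "syslog"):
        print(ev["index"], ev["_time"], ev["_raw"].splitlines()[0])
```

Running the block yields four indexed events out of five in the stream: the heartbeat is filtered, the stack trace stays attached to its `ERROR` line as one multi-line event, the card number is masked before it is stored, and the `sshd` and `app` events land in different indexes. Masking at this stage matters to a defender because the raw data written to the bucket is what every later search, export and backup will see.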


Splunk Search Head:

The Search head is the component used for interacting with Splunk. It provides a graphical user interface to users for performing various operations. You can search and query the data stored in the Indexer by entering search terms, and you will get the expected result.

You can install the search head on separate servers or with other Splunk components on the same server. There is no separate installation file for the search head; you just have to enable the splunkweb service on the Splunk server to enable it.

A Splunk instance can function both as a search head and as a search peer. A search head that performs only searching, and not indexing, is referred to as a dedicated search head, whereas a search peer performs indexing and responds to search requests from other search heads.

In a Splunk deployment, a search head can send search requests to a group of indexers, or search peers, which perform the actual searches on their indexes. The search head then merges the results and sends them back to the user. This faster technique for searching data is called distributed searching.

Search head clusters are groups of search heads that coordinate their search activities. The cluster coordinates the activity of the search heads, allocates jobs based on the current loads, and ensures that all the search heads have access to the same set of knowledge objects.
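To make the distributed-search flow concrete, here is an added Python model (not Splunk code) of a search head fanning one query out to three search peers and merging what comes back. The peer names, the events they hold and the query predicate are constructed for this illustration; the point it shows is that each peer does the filtering on its own index and the head only merges, which is why counts can be pre-aggregated on the peers.

```python
"""Toy model of distributed search (added example, not Splunk code): a search
head fans a query out to search peers, each peer evaluates it against its own
index, and the head merges the partial results. All peer data is constructed."""
from collections import Counter

# Constructed: events already indexed on three search peers (indexers).
PEERS = {
    "idx01": [
        {"_time": 100, "host": "web01", "sourcetype": "access", "status": 500},
        {"_time": 103, "host": "web01", "sourcetype": "access", "status": 200},
    ],
    "idx02": [
        {"_time": 101, "host": "web02", "sourcetype": "access", "status": 500},
        {"_time": 104, "host": "db01", "sourcetype": "syslog", "status": None},
    ],
    "idx03": [
        {"_time": 102, "host": "web03", "sourcetype": "access", "status": 503},
    ],
}


def peer_search(events, predicate):
    """What a search peer does: filter its own events and pre-aggregate.
    Returns the matching events plus a partial count by host."""
    hits = [e for e in events if predicate(e)]
    return hits, Counter(e["host"] for e in hits)


def distributed_search(peers, predicate):
    """What the search head does: fan out, then merge.
    Raw events are merged newest-first; partial counts are summed, which is
    valid because a count is additive across peers."""
    merged_events, merged_counts = [], Counter()
    for name, events in peers.items():
        hits, counts = peer_search(events, predicate)
        for e in hits:
            merged_events.append(dict(e, splunk_server=name))  # tag the origin peer
        merged_counts.update(counts)
    merged_events.sort(key=lambda e: e["_time"], reverse=True)
    return merged_events, dict(merged_counts)


def server_errors(event):
    """Constructed query, roughly: sourcetype=access status>=500"""
    return event["sourcetype"] == "access" and (event["status"] or 0) >= 500


if __name__ == "__main__":
    events, by_host = distributed_search(PEERS, server_errors)
    for e in events:
        print(e["_time"], e["splunk_server"], e["host"], e["status"])
    print(by_host)
```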

How Splunk Works:


Look at the above image to understand the end-to-end working of Splunk. The image shows a few remote Forwarders that send data to the Indexers. Based on the data present in the Indexer, you can use the Search Head to perform functions like searching, analysing, visualizing and creating knowledge objects for Operational Intelligence.

The Management Console Host acts as a centralized configuration manager responsible for distributing configurations, app updates and content updates to the Deployment Clients. The Deployment Clients are Forwarders, Indexers and Search Heads.

Splunk Distributed Architecture


Types of distributed deployments

You can customize your Splunk Enterprise deployment in a wide variety of ways. There are, however, some fundamental groupings into which most deployments fall. This topic discusses some key characteristics and considerations for various types of deployments.

Key factors that determine the type of deployment

These are the main issues that determine the type and scale of your deployment:

• Indexing volume. How much data are you planning to index on a daily basis? To handle increased indexing loads, you might need multiple indexers.

• Number and type of searches. How frequently will you be running searches, either scheduled or ad hoc? What type of searches will you be running? Large numbers of searches, or frequent process-intensive searches, can tax both search head and indexer resources.

• Number of concurrent users. How many users will be viewing dashboards or running searches concurrently? To handle increased numbers of users, you might need to add search heads, usually through a search head cluster.

• Data fidelity requirements. If you must ensure that the system never loses data, an indexer cluster is a necessity.

• Availability requirements. What requirements do you have for data availability? If you must always have access to the full set of data, you might need to deploy both an indexer cluster and a search head cluster.

• Disaster recovery requirements. How important is fast disaster recovery? A multisite indexer cluster can ensure fast failover to identical sets of data across geographically dispersed data centers.

Other considerations can also enter into your overall deployment plans, such as security requirements and the location of the data.

Representative deployment types

These are some of the main types of deployments, based on size:

• Departmental. A single instance that combines indexing and search management functions.
• Small enterprise. One search head with two or three indexers.
• Medium enterprise. A small search head cluster, with several indexers.
• Large enterprise. A large search head cluster, with large numbers of indexers.

These deployment types are just points on a continuous scale, ranging from single-instance deployments to deployments that provide enterprise-wide coverage for a vast number of use cases.

In addition, you can deploy an indexer cluster in an enterprise deployment of any size. An indexer cluster offers advantages such as high availability, disaster recovery, and simplified scaling.

It is also possible to combine topologies in various ways. For example, you can deploy a search head that searches across both an indexer cluster and a set of independent indexers.

Note: The terms "small enterprise," "medium enterprise," and so on, do not specifically address the size of the enterprise using the Splunk platform. Instead, they are indicators of the breadth and depth of the functions that the Splunk platform supports in the enterprise. As awareness of the value of the Splunk platform for handling a wide range of use cases grows with continued success, the size of a deployment also typically grows. So, for example, a Fortune 500 company might start with a departmental-level, single-instance Splunk Enterprise installation for a very specific use case, and then, over time, transition through small enterprise and medium enterprise deployments, to eventually adopt a large enterprise deployment that provides key value to organizations and use cases distributed throughout the company.


Primary characteristics of deployments at representative scaling levels

The characteristics of a deployment change as it grows in size. This table gives you some idea of what to expect, with information on the Splunk components that you need to deploy to meet your needs.

| Characteristic | Departmental | Small enterprise | Medium enterprise | Large enterprise |
| Indexing volume (daily) | 0-20GB | 20-100GB | 100-300GB | 300GB-1TB+ |
| # of forwarders | Median < 10; maximum 100 | Median in the 10's; maximum in the 100's | Median in the 10's; maximum in the low 1000's | Median in the 10's; maximum in the 1000's |
| # of users | Median < 10 | Median in the 10's | Median in the 10's; maximum in the low 100's | Median in the 10's; maximum 500+ |
| # of apps (pre-packaged and customer-developed, combined) | 1-10 | 1-10 | 1-20+ | 10-50 |
| Indexing tier | 1 indexer | 2-3 indexers, possibly in a cluster | 4-9 indexers, possibly in a cluster | 10+ indexers, possibly in a cluster |
| Search management tier | Combined with indexer | 1 standalone search head | 3 search heads in a cluster | 3+ search heads in a cluster |
| Configuration management function | Manual configuration or deployment server | Manual configuration or deployment server | Deployment server or 3rd party tool for forwarders and indexers. Deployer for search head cluster. | Deployment server or 3rd party tool for forwarders and indexers. Deployer for search head cluster. |


Path to discovery
To determine your deployment topology, you must identify the components and their relationships. Discovery involves these steps:

1. Locate your Splunk Enterprise and universal forwarder instances.

Determine which machines contain instances of your deployment. Although it is possible for a single machine to host multiple instances, such a configuration is unusual except in test environments. In production environments, each Splunk Enterprise instance usually resides on its own machine.

2. Identify your components.

For each instance, identify the components that it hosts. Components define the roles that the instances play in the deployment. A single instance can host multiple components.

3. Identify the relationships between components.

Determine how the components participate in the overall deployment topology.

It can be helpful to draw a diagram of your deployment as you go about the discovery process. See Draw a diagram of your deployment.

Locate your Splunk Enterprise and universal forwarder instances

The first step is to locate the Splunk Enterprise and universal forwarder instances on your machines. Note these points:

• All components run on Splunk Enterprise instances, except for the universal forwarder. The universal forwarder is a lightweight version of Splunk Enterprise with its own executable.
• Splunk Enterprise instances usually reside on dedicated machines, as a best practice. However, you might discover an instance running on a machine that is also performing some entirely different function.
• Universal forwarder instances usually reside on machines that host other applications, such as web servers. The forwarders ingest data produced by those applications.
• A single machine can host multiple instances, although the best practice is for each instance to reside on its own machine.
• The absence of Splunk Web, the Splunk graphical user interface, is not a reliable indicator that the machine does not host a Splunk Enterprise instance. On most deployments, only a subset of Splunk Enterprise instances, such as search heads and some management components, have a running web interface.

You can identify machines hosting Splunk Enterprise and universal forwarder instances by looking for the presence of Splunk subdirectories on the machines' file systems.

Splunk documentation refers to the base directory for the Splunk file system as $SPLUNK_HOME. Instances typically reside under these locations on a file system:

Caution: This table shows default or typical locations for $SPLUNK_HOME. However, the installation process permits the user to install to any location and to change the name of the base directory.

| Operating system | Locations for Splunk Enterprise $SPLUNK_HOME | Locations for universal forwarder $SPLUNK_HOME |
| Windows | \Program Files\Splunk, C:\Splunk, C:\SPL | \Program Files\SplunkUniversalForwarder, C:\SplunkUniversalForwarder |
| Linux, Solaris, AIX, HP-UX, FreeBSD | /opt/splunk | /opt/splunkforwarder |
| Mac OS X | /Applications/splunk | /Applications/splunkforwarder |

Therefore, if you cannot immediately identify $SPLUNK_HOME, look for a directory that contains a set of Splunk subdirectories. These subdirectories include bin, etc, include, lib, openssl, share, and var.

You can also verify that the machine hosts $SPLUNK_HOME by looking for a bin subdirectory that contains the splunk, splunkd, and btool executables, among others. The parent of that bin subdirectory is $SPLUNK_HOME.

Once you identify a machine with an installed instance, confirm that the instance is currently running. Use a system tool such as ps or Task Manager to look for the splunkd process.
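The three checks just described (default locations, the Splunk subdirectory layout with the splunk/splunkd/btool executables, and a running splunkd process) are easy to script for an inventory sweep. The following Python is an added example, not Splunk code: the default paths are the ones in the table above; the rule that classifies an install by its directory name, the way the process listing is parsed, and the throwaway fake install built by demo() are assumptions made for this illustration.

```python
"""Locate Splunk instances on a host (added example, not Splunk code),
following the page's checks: a directory holding the Splunk subdirectories,
a bin/ with splunk, splunkd and btool, and a running splunkd process.
Default locations come from the page; the classification rule, the
process-list parsing and the fake install in demo() are assumptions."""
import os
import shutil
import tempfile

DEFAULT_HOMES = [
    "/opt/splunk", "/opt/splunkforwarder",
    "/Applications/splunk", "/Applications/splunkforwarder",
    r"C:\Program Files\Splunk", r"C:\Program Files\SplunkUniversalForwarder",
    r"C:\Splunk", r"C:\SplunkUniversalForwarder", r"C:\SPL",
]
SUBDIRS = {"bin", "etc", "include", "lib", "openssl", "share", "var"}
REQUIRED_SUBDIRS = {"bin", "etc", "var"}        # assumption: the minimum we insist on
EXECUTABLES = {"splunk", "splunkd", "btool"}


def looks_like_splunk_home(path: str) -> bool:
    """True if `path` has the Splunk subdirectory layout and the key binaries."""
    if not os.path.isdir(path):
        return False
    present = {d for d in SUBDIRS if os.path.isdir(os.path.join(path, d))}
    bin_dir = os.path.join(path, "bin")
    exes = {e for e in EXECUTABLES
            if os.path.exists(os.path.join(bin_dir, e))
            or os.path.exists(os.path.join(bin_dir, e + ".exe"))}
    return REQUIRED_SUBDIRS <= present and exes == EXECUTABLES


def instance_kind(path: str) -> str:
    """Classify by directory name, following the default layouts (assumption)."""
    name = os.path.basename(path.rstrip("/\\")).lower()
    return "universal_forwarder" if "forwarder" in name else "enterprise"


def find_instances(candidates=DEFAULT_HOMES) -> list[dict]:
    """Return one record per candidate directory that passes the checks."""
    return [{"home": p, "kind": instance_kind(p)}
            for p in candidates if looks_like_splunk_home(p)]


def splunkd_running(ps_output: str) -> bool:
    """Check a `ps -eo args`-style listing for splunkd, ignoring a grep of it."""
    return any("splunkd" in line and "grep" not in line
               for line in ps_output.splitlines())


def demo() -> list[dict]:
    """Build a throwaway fake universal-forwarder tree and run discovery on it."""
    root = tempfile.mkdtemp()
    home = os.path.join(root, "splunkforwarder")
    for d in ("bin", "etc", "var", "lib"):
        os.makedirs(os.path.join(home, d))
    for e in EXECUTABLES:
        open(os.path.join(home, "bin", e), "w").close()   # empty stand-ins
    try:
        return find_instances([home, os.path.join(root, "not_splunk")])
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print("fake install discovered as:", demo())
    print("real defaults on this host:", find_instances())
```

On a real host, replace the `ps` text with the output of `ps -eo args` (or the Task Manager process list on Windows) and pass any non-default install roots you know of to find_instances(); a directory that passes looks_like_splunk_home() but has no splunkd process is an installed but stopped instance, which is still worth recording in the inventory.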

Identify your components

You can identify your components with either of these methods:

• Use the monitoring console.
• Examine each instance's configuration files.

If your Splunk Enterprise deployment has a monitoring console running, use it to discover the components and their relationships. See Use the monitoring console to determine your topology.

If your Splunk Enterprise deployment does not have a monitoring console, you must examine each instance's configurations. Browse its set of configuration files, which are text files that hold all of the instance's configurations. See Examine configuration files to determine your topology.

See Splunk Enterprise components.

Identify the relationships between components

When you know the components, the relationships between them are usually apparent. For example, if you have a search head and three indexers in a non-clustered environment, each indexer is a search peer of the search head, meaning that the indexer processes search requests for the search head. Similarly, if you find that you have components of an indexer cluster, then your deployment contains an indexer cluster.

If your deployment has a monitoring console, you can use it to identify the relationships, as well as the components themselves.

Your deployment topology will usually fall into one of these broad categories:

• Basic distributed search
• Indexer cluster
• Search head cluster
• Combined indexer cluster and search head cluster

See Common deployment topologies.

Summary of component types

This summary outlines the main points to keep in mind as you perform the component discovery process.

A Splunk Enterprise deployment consists of instances that function as processing and management components. A deployment usually contains only a subset of the possible component types. In the discovery process, you identify the components that reside on each instance.

An instance ordinarily hosts at most a single processing component, although a processing component can also perform a secondary processing function. For example, some search heads forward their internal data to indexers. The forwarding function on a search head is strictly secondary to its main function, however, as the forwarding involves internal data only.

Management components are frequently co-located on an instance with a processing component or other management components.

Some of the processing component types have variants. For example, an indexer can be independent or a peer node of an indexer cluster.

These are the processing components and their variants:

• Search head, which can be any of these types:
  o Independent search head
  o A search head node of an indexer cluster
  o A member of a search head cluster
  o A search head node of an indexer cluster and a member of a search head cluster
  o A member of a search head pool
• Indexer, which can be any of these types:
  o Independent indexer
  o A peer node of an indexer cluster
• Forwarder, which can be any of these types:
  o Universal forwarders
  o Heavy forwarders
  o Light forwarders
  o Intermediate forwarders (secondary characteristic for any type of forwarder)

These are the management components:

• Monitoring console
• Deployment server
• License master
• Indexer cluster master
• Search head cluster deployer

Splunk Port Matrix



| Component | Purpose | Communicates on | Listens on |
| All components* | Management / REST API | N/A | TCP/8089 |
| Search head / Indexer | Splunk Web access | Any | TCP/8000 |
| Search head | App Key Value Store | Any | TCP/8065, TCP/8191 |
| Indexer | Receiving data from forwarders | N/A | TCP/9997 |
| Indexer cluster peer node / Search head cluster member | Cluster replication | N/A | TCP/9887 |
| Indexer/Forwarder | Network input (syslog) | N/A | UDP/514 |
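The port matrix doubles as a baseline for a listening-socket audit: a host with a given Splunk role should expose the matrix ports that role needs and nothing else. The Python below is an added example, not Splunk code. The port-to-purpose entries are taken from the table above; the mapping from role to required and optional listeners, the `ss -lntu`-style sample output and the way a listener is classified are assumptions made for this illustration.

```python
"""Audit a host's listening sockets against the Splunk port matrix (added
example, not Splunk code). PORT_MATRIX holds the values from the table on the
page; the role-to-port expectations and the sample `ss` output are assumptions."""
import re

# Port matrix from the page: (proto, port) -> purpose.
PORT_MATRIX = {
    ("tcp", 8089): "management / REST API",
    ("tcp", 8000): "Splunk Web",
    ("tcp", 8065): "app key value store",
    ("tcp", 8191): "app key value store",
    ("tcp", 9997): "receiving data from forwarders",
    ("tcp", 9887): "cluster replication",
    ("udp", 514): "network input (syslog)",
}

# Assumption: listeners each role must have, and those the matrix permits
# for the role but a given host may legitimately not use.
EXPECTED = {
    "universal_forwarder": {("tcp", 8089)},
    "indexer": {("tcp", 8089), ("tcp", 9997)},
    "cluster_peer": {("tcp", 8089), ("tcp", 9997), ("tcp", 9887)},
    "search_head": {("tcp", 8089), ("tcp", 8000), ("tcp", 8065), ("tcp", 8191)},
}
OPTIONAL = {
    "universal_forwarder": {("udp", 514)},
    "indexer": {("tcp", 8000), ("udp", 514)},
    "cluster_peer": {("tcp", 8000), ("udp", 514)},
    "search_head": set(),
}

# Constructed sample in `ss -lntu` layout: Netid State Recv-Q Send-Q Local:Port Peer:Port.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:8089       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:9997       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:8000       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:514        0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:8191     0.0.0.0:*
"""

LINE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def parse_listeners(ss_output: str) -> list[tuple[str, str, int]]:
    """Return (proto, bind_address, port) for each socket line; skips the header."""
    out = []
    for line in ss_output.splitlines():
        m = LINE.match(line)
        if m:
            out.append((m.group(1), m.group(2), int(m.group(3))))
    return out


def audit(role: str, ss_output: str) -> dict:
    """Compare the actual listeners with what the role needs.
    missing: required matrix ports not listening;
    unexpected_splunk: matrix ports open that the role has no reason to expose;
    non_splunk: everything else listening on the host."""
    actual = {(proto, port): addr for proto, addr, port in parse_listeners(ss_output)}
    required, optional = EXPECTED[role], OPTIONAL[role]
    findings = {"missing": sorted(required - set(actual)),
                "unexpected_splunk": [], "non_splunk": []}
    for key, addr in sorted(actual.items()):
        if key in required or key in optional:
            continue
        if key in PORT_MATRIX:
            findings["unexpected_splunk"].append((key, PORT_MATRIX[key], addr))
        else:
            findings["non_splunk"].append((key, addr))
    return findings


if __name__ == "__main__":
    for role in EXPECTED:
        print(role, audit(role, SAMPLE_SS))
```

Read as an indexer, the sample host is missing nothing, exposes one Splunk port its role does not need (the KV store port 8191, though only on loopback) and one non-Splunk service (22). Read as a universal forwarder, the same host has three Splunk ports open that a forwarder should never listen on, which is exactly the kind of drift this check is meant to surface; the bind address is reported alongside so the reviewer can tell a loopback-only listener from one exposed to the network.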

Splunk Supported Operating Systems


The following tables list the available computing platforms for Splunk Enterprise. The first table lists
availability for *nix operating systems and the second lists availability for Windows operating systems.
Each table shows available computing platforms (operating system and architecture) and types of Splunk
software. A bold X in a box that intersects the computing platform and Splunk software type you want
means that Splunk software is available for that platform and type.
An empty box means that Splunk software is not available for that platform and type.
If you do not see the operating system or architecture that you are looking for in the list, the software is
not available for that platform or architecture. This might mean that Splunk has ended support for that
platform. See the list of deprecated and removed computing platforms in Deprecated Features in
the Release Notes.
Some boxes contain characters other than a bold X. See the bottom of each table to learn what the
characters mean and how that could affect your installation.

Confirm support for your computing platform


1. Find the operating system on which you want to install Splunk Enterprise in the Operating
system column.
2. Find the computing architecture in the Architecture column that matches your environment.
3. Find the type of Splunk software that you want to use: Splunk Enterprise, Splunk Free, Splunk
Trial, or Splunk Universal Forwarder.
4. If Splunk software is available for the computing platform and software type that you want,
proceed to the download page to get it.

Unix operating systems


| Operating system | Architecture | Availability (Enterprise License / Free License / Trial License / Universal Forwarder package) |
| Linux, all 3.x and 4.x kernel versions | x86 (64-bit) | X X X X |
| Linux, all 2.6 kernel versions | x86 (64-bit) | D D D X |
| macOS 10.14 | Intel | X X X |
| macOS 10.13 | Intel | D D D |
| PowerLinux, Little Endian kernel version 2.6 and higher | PowerPC | X |
| FreeBSD 11 | x86 (64-bit) | X |
| Solaris 11 | x86 (64-bit) | X |
| Solaris 11 | SPARC | X |
| AIX 7.1 and 7.2 | PowerPC | X |
| ARM Linux | ARM | A |
| z/Linux, kernel version 2.6 and higher | s390x | X |

Windows operating systems

| Operating system | Architecture | Availability (Enterprise License / Free License / Trial License / Universal Forwarder package) |
| Windows Server 2016 and Server 2019 (all installation options) | x86 (64-bit) | X X X X |
| Windows 10 | x86 (64-bit) | X X X |
| Windows 10 | x86 (32-bit) | *** *** X |

X: A bold X in a box that intersects the computing platform and Splunk software type you want means that Splunk software is available for that platform and type.
A: The software for this platform is available for download from splunk.com, but there is no official support for the platform.
D: Splunk supports this platform and architecture but might remove support in a future release.


Recommended hardware capacity for Splunk Enterprise

| Platform | Recommended hardware capacity/configuration |
| Non-Windows platforms | 2x six-core, 2+ GHz CPU, 12GB RAM, Redundant Array of Independent Disks (RAID) 0 or 1+0, with a 64-bit OS installed. |
| Windows platforms | 2x six-core, 2+ GHz CPU, 12GB RAM, RAID 0 or 1+0, with a 64-bit OS installed. |

Recommended hardware capacity for Universal Forwarder

| Recommended | Dual-core 1.5GHz+ processor, 1GB+ RAM |
| Minimum | 1.0GHz processor, 512MB RAM, 5GB of free disk space |

Version History
Splunk Enterprise / Splunk Analytics for Hadoop / Splunk Light*

| Version | Release Date | End of Support Date | End of Support Criteria |
| 6 | Oct 1 2013 | Oct 22 2019 | Splunk Enterprise 8.0 Release |
| 6.1 | May 6 2014 | Oct 22 2019 | Splunk Enterprise 8.0 Release |
| 6.2 | Oct 7 2014 | Oct 22 2019 | Splunk Enterprise 8.0 Release |
| 6.3 | Sept 22 2015 | Oct 22 2019 | Splunk Enterprise 8.0 Release |
| 6.4 | Apr 5 2016 | Oct 22 2019 | Splunk Enterprise 8.0 Release |
| 6.5 | Sept 27 2016 | Oct 22 2019 | Splunk Enterprise 8.0 Release |
| 6.6** | May 2 2017 | Oct 22 2019 | Splunk Enterprise 8.0 Release |
| 7.0** | Sept 26 2017 | Sept 26 2019 | 24 Months |
| 7.1 | Apr 24 2018 | Apr 24 2020 | 24 Months |
| 7.2 | Oct 2 2018 | Oct 2 2020 | 24 Months |
| 7.3 | June 4 2019 | June 4 2021 | 24 Months |
| 8 | Oct 22 2019 | Oct 22 2021 | 24 Months |

Splunk Universal Forwarder

| Version | Release Date | End of Support Date | End of Support Criteria |
| 6 | Oct 1 2013 | Oct 22 2019 | Splunk Enterprise 8.0 Release |
| 6.1 | May 6 2014 | Oct 22 2019 | Splunk Enterprise 8.0 Release |
| 6.2 | Oct 7 2014 | Oct 22 2019 | Splunk Enterprise 8.0 Release |
| 6.3 | Sept 22 2015 | Oct 22 2019 | Splunk Enterprise 8.0 Release |
| 6.4 | Apr 5 2016 | Oct 22 2019 | Splunk Enterprise 8.0 Release |
| 6.5 | Sept 27 2016 | Oct 22 2019 | Splunk Enterprise 8.0 Release |
| 6.6 | May 2nd 2017 | Oct 22 2019 | Splunk Enterprise 8.0 Release |
| 7 | Sept 26 2017 | Oct 22 2019 | 24 Months |
| 7.1 | April 24 2018 | April 24 2020 | 24 Months |
| 7.2 | Oct 2 2018 | Oct 2 2020 | 24 Months |
| 7.3 | June 4 2019 | June 4 2021 | 24 Months |
| 8 | Oct 22 2019 | Oct 22 2021 | 24 Months |


********** Installation Of Splunk **********

When you set up and begin using your Splunk Enterprise installation or upgrade, perform some additional steps to ensure that Splunk Enterprise and your data are secure. Taking the proper steps to secure Splunk Enterprise reduces its attack surface and mitigates the risk and impact of most vulnerabilities.

This section highlights some of the ways that you can secure Splunk Enterprise before, during, and after installation.

Before you install Splunk Enterprise, make your operating system secure. Harden all Splunk Enterprise server operating systems.

• If your organization does not have internal hardening standards.
• At a minimum, limit shell and command-line access to your Splunk Enterprise servers.
• Secure physical access to all Splunk Enterprise servers.
• Ensure that Splunk Enterprise end users practice physical and endpoint security.

Splunk can be installed on the following operating systems:

• Windows
• Linux

Installing Splunk on Windows:

Choose the Windows user Splunk Enterprise should run as


When you install Splunk Enterprise on Windows, the software lets you select the Windows user that it
should run as.

The user you choose depends on what you want Splunk Enterprise to monitor
The user that Splunk Enterprise runs as determines what Splunk Enterprise can monitor. The Local System
user has access to all data on the local machine by default, but nothing else. A user other than Local
System has access to whatever data you want, but you must give the user that access before you install
Splunk Enterprise.

About the Local System user and other user choices


The Windows Splunk Enterprise installer provides two ways to install it:

 As the Local System user
 As another existing user on your Windows computer or network, which you designate


To do any of the following actions with Splunk Enterprise, you must install it as a domain user:

 Read Event Logs remotely
 Collect performance counters remotely
 Read network shares for log files
 Access the Active Directory schema using Active Directory monitoring

The user that you specify must meet the following requirements. If the user does not satisfy these
requirements, Splunk Enterprise installation might fail. Even if installation succeeds, Splunk Enterprise
might not run correctly, or at all.

 Be a member of the Active Directory domain or forest that you want to monitor (when using AD)
 Be a member of the local Administrators group on the server on which you install Splunk Enterprise
 Be assigned specific user security rights
If you are not sure which user Splunk Enterprise should run as, then see Considerations for deciding how
to monitor remote Windows data in the Getting Data In manual for information on how to configure the
Splunk Enterprise user with the access it needs.

Note: The Splunk Enterprise indexing subsystem requires high disk throughput. Any software with a
device driver that intermediates between Splunk Enterprise and the operating system can restrict
processing power available to Splunk Enterprise, causing slowness and even an unresponsive system. This
includes anti-virus software.
You must configure such software to avoid on-access scanning of Splunk Enterprise installation directories
and processes before you start a Splunk installation.
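The account requirements and the anti-virus note above can be checked before running the installer. The following PowerShell script is an added example, not Splunk's or the course's own code; it assumes it runs elevated on the future Splunk server, that the service account is given as DOMAIN\username (the CORP\svc-splunk name in the comment is a constructed placeholder), and that Windows Defender is the anti-virus product (other products need their own exclusion settings).

```powershell
# Added example: pre-installation checks for the Windows account Splunk Enterprise will run as.
# Assumes an elevated session on the server where Splunk Enterprise will be installed.
param(
    [Parameter(Mandatory)][string]$ServiceAccount,   # e.g. 'CORP\svc-splunk' (constructed placeholder)
    [string]$SplunkHome = "$env:SystemDrive\Program Files\Splunk"   # default install directory
)

# 1. The installer requires domain\username format; Local System is the only other valid choice.
if ($ServiceAccount -ne 'LocalSystem' -and $ServiceAccount -notmatch '^[^\\\s]+\\[^\\\s]+$') {
    throw "Service account must be in domain\username format (got '$ServiceAccount')."
}

if ($ServiceAccount -ne 'LocalSystem') {
    $domain, $user = $ServiceAccount -split '\\', 2

    # 2. The account must be a member of the local Administrators group on this server.
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    if (-not ($admins.Name -contains $ServiceAccount)) {
        Write-Warning "$ServiceAccount is not in the local Administrators group; installation may fail."
    }

    # 3. The account must be an active member of the Active Directory domain to be monitored.
    #    Searches the domain the server is joined to; a disabled account has the
    #    ACCOUNTDISABLE bit (0x2) set in userAccountControl.
    $searcher = [ADSISearcher]"(&(objectCategory=user)(sAMAccountName=$user))"
    $result = $searcher.FindOne()
    if (-not $result) {
        Write-Warning "$user was not found in the current AD domain ($domain expected)."
    } elseif (($result.Properties['useraccountcontrol'][0] -band 0x2) -ne 0) {
        Write-Warning "$user is disabled in AD; Splunk Enterprise will not run under it."
    }
}

# 4. Exclude the Splunk installation directory and processes from on-access scanning
#    before the installation starts, as the note above requires.
Add-MpPreference -ExclusionPath $SplunkHome
Add-MpPreference -ExclusionProcess 'splunkd.exe', 'splunk.exe'
Write-Output "Defender exclusions added for $SplunkHome and the Splunk processes."
```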

Install Splunk Enterprise via the GUI installer


The Windows installer is an MSI file.

Begin the installation


1. Download the Splunk installer from the Splunk download page.
2. To start the installer, double-click the splunk.msi file. The installer runs and displays the Splunk
Enterprise Installer panel.


3. To continue the installation, check the "Check this box to accept the License Agreement"
checkbox. This activates the "Customize Installation" and "Next" buttons.
4. (Optional) If you want to view the license agreement, click View License Agreement.

Installation Options
The Windows installer gives you two choices: Install with the default installation settings, or configure all
settings prior to installing.
When you choose to install with the default settings, the installer does the following:

 Installs Splunk Enterprise in \Program Files\Splunk on the drive that booted your Windows machine.
 Installs Splunk Enterprise with the default management and Web network ports.
 Configures Splunk Enterprise to run as the Local System user.
 Prompts you to create a Splunk administrator password. You must do this before installation can
continue.
 Creates a Start Menu shortcut for the software.
If you want to change any of these default installation settings, click Customize Options and proceed with
the instructions in "Customize Options" in this topic.
Otherwise, click Next. You will be prompted for a password for the Splunk admin user. After you supply a
password, installation begins and you can continue with the "Complete the install" instructions later in this
topic.

Customize options during the installation


You can customize several options during the installation. When you choose to customize options, the
installer displays the "Install Splunk Enterprise to" panel.


By default, the installer puts Splunk Enterprise into \Program Files\Splunk on the system drive. This
documentation set refers to the Splunk Enterprise installation directory
as $SPLUNK_HOME or %SPLUNK_HOME%.
Splunk Enterprise installs and runs two Windows services, splunkd and splunkweb. The splunkd service
handles all Splunk Enterprise operations, and the splunkweb service installs to run only in legacy mode.
These services install and run as the user you specify on the "Choose the user Splunk Enterprise should run
as" panel. You can choose to run Splunk Enterprise as the Local System user, or another user.
When the installer asks you the user that you want to install Splunk Enterprise as, you must specify the
user name in domain\username format. The user must be a valid user in your security context, and must be
an active member of an Active Directory domain. Splunk Enterprise must run under either the Local
System account or a valid user account with a valid password and local administrator privileges. Failure to
include the domain name with the user will cause the installation to fail.

1. Click Change… to specify a different location to install Splunk Enterprise, or click Next to accept
the default value. The installer displays the "Choose the user Splunk Enterprise should run as"
panel.

2. Select a user type and click Next.


3. If you selected the Local System user, proceed to Step 5. Otherwise, the installer displays
the Logon Information: specify a username and password panel.


4. Enter the Windows credentials that Splunk Enterprise uses to run on the machine and
click Next.

These credentials are different from the Splunk administrator credentials that you create in the
next step.

5. Create credentials for the Splunk administrator user by entering a username and password that
meets the minimum eligibility requirements as shown in the panel and click Next.

You must perform this action as the installation cannot proceed without your completing it. If
you do not enter a username, the installer creates the admin user during the installation
process.

6. The installer displays the installation summary panel.


7. Click "Install" to proceed with the installation.

Complete the installation


The installer runs, installs the software, and displays the Installation Complete panel.

If you specified the wrong user during the installation procedure, you will see two pop-up error windows
explaining this. If this occurs, Splunk Enterprise installs itself as the Local System user by default. Splunk
Enterprise does not start automatically in this situation. You can proceed through the final panel of the
installation, but uncheck the "Launch browser with Splunk" checkbox to prevent your browser from
launching. Then, use these instructions to switch to the correct user before starting Splunk.

1. (Optional) Check the boxes to Launch browser with Splunk and Create Start Menu Shortcut.
2. Click Finish. The installation completes, and Splunk Enterprise starts and launches in a supported
browser if you checked the appropriate box.
To access Splunk from a browser on the Splunk server itself, type https://localhost:8000. If you are accessing
Splunk from another system, enter the IP address and port number of the Splunk server in the browser; for
example, if the Splunk IP is 192.168.0.24, you can access Splunk by typing https://192.168.0.24:8000.
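After clicking Finish, the state described in "Complete the installation" can be verified from PowerShell on the Splunk server. This script is an added example, not Splunk's or the course's own code; it assumes the default installation directory and the default Splunk Web port 8000, and that it runs on the server where Splunk Enterprise was just installed.

```powershell
# Added example: post-installation verification of a Splunk Enterprise Windows install.
# Assumes the default $SPLUNK_HOME and the default Splunk Web port.
$SplunkHome = "$env:SystemDrive\Program Files\Splunk"
$WebPort    = 8000

# 1. Both services should exist. splunkd handles all operations and should be running;
#    splunkweb is installed but only runs in legacy mode, so Stopped is expected for it.
foreach ($name in 'splunkd', 'splunkweb') {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
    if (-not $svc) { Write-Warning "Service $name was not found"; continue }
    '{0,-10} state={1,-8} logon account={2}' -f $svc.Name, $svc.State, $svc.StartName
}

# 2. If the wrong user was given during installation, the installer falls back to
#    Local System and does not start Splunk Enterprise. Detect that combination.
$splunkd = Get-CimInstance Win32_Service -Filter "Name='splunkd'"
if ($splunkd -and $splunkd.StartName -eq 'LocalSystem' -and $splunkd.State -ne 'Running') {
    Write-Warning 'splunkd is configured as Local System and is not running: switch to the intended user before starting Splunk.'
}

# 3. The service account should match the intended choice: Local System or a domain\username account.
if ($splunkd -and $splunkd.StartName -ne 'LocalSystem' -and $splunkd.StartName -notmatch '^[^\\\s]+\\[^\\\s]+$') {
    Write-Warning "splunkd logon account '$($splunkd.StartName)' is not in domain\username format."
}

# 4. The installation directory should contain the Splunk binaries.
if (-not (Test-Path (Join-Path $SplunkHome 'bin\splunk.exe'))) {
    Write-Warning "splunk.exe was not found under $SplunkHome"
}

# 5. Splunk Web should be reachable on the default port once splunkd is running.
if (Test-NetConnection -ComputerName localhost -Port $WebPort -InformationLevel Quiet) {
    Write-Output "Splunk Web is listening on port $WebPort"
} else {
    Write-Warning "Nothing is listening on port $WebPort; Splunk Web is not reachable yet."
}
```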
