Installation

Which Vulnerable target should I install to Splunk Forwarder?

Mc_Guard
Explorer

Hello everyone. I installed Splunk Enterprise free edition on the Ubuntu machine. I want to install splunk forwarder on a vulnerable machine and deploy it to the Ubuntu machine. I want to attack the vulnerable machine over Kali linux and examine the logs falling to Splunk. Can you help me which vulnerable machine I can install Splunk Forwarder. 

Labels (2)
0 Karma
1 Solution

Gr0und_Z3r0
Contributor

Hi @Mc_Guard ,

In addition to what @richgalloway mentioned. Splunk will just be a tool to collect logs from any source that generates machine data. In terms of identifying machines for attacks and identifying and doing your pentest, I would recommend getting the images of vulnerable images from https://www.vulnhub.com/.

Please be sure on how and what you'll be doing it on and ensure you run these images in a sandboxed environment. You'll need to bake these images with Splunk Universal Forwarder depending on the OS type and configure the route to successfully send the event logs into your Splunk instance. 

Another thing to note, you'll need to know what kind of attack you'll be performing and where you'll be expecting those events/logs to be generated. As these are the paths you'll need to configure for the Splunk UF setup to forward the logs.

Note: Do not run these vulnerable images in cloud instances, there's a high chance it will be identified and reported and your account may be blocked. Better to run them on virtual boxes in a controlled sandbox environment.

~ If the reply helps, a Karma upvote would be appreciated.

View solution in original post

Gr0und_Z3r0
Contributor

Hi @Mc_Guard ,

In addition to what @richgalloway mentioned. Splunk will just be a tool to collect logs from any source that generates machine data. In terms of identifying machines for attacks and identifying and doing your pentest, I would recommend getting the images of vulnerable images from https://www.vulnhub.com/.

Please be sure on how and what you'll be doing it on and ensure you run these images in a sandboxed environment. You'll need to bake these images with Splunk Universal Forwarder depending on the OS type and configure the route to successfully send the event logs into your Splunk instance. 

Another thing to note, you'll need to know what kind of attack you'll be performing and where you'll be expecting those events/logs to be generated. As these are the paths you'll need to configure for the Splunk UF setup to forward the logs.

Note: Do not run these vulnerable images in cloud instances, there's a high chance it will be identified and reported and your account may be blocked. Better to run them on virtual boxes in a controlled sandbox environment.

~ If the reply helps, a Karma upvote would be appreciated.

Mc_Guard
Explorer

Thank you for sharing your experience and knowledge.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

All machines are vulnerable in some way so just install Splunk Forwarder on whatever you have available.  Whatever machine to select, be aware that Splunk and Splunk Forwarder do not detect vulnerabilities.  You can create reports in Splunk that report vulnerability information, but the vulnerabilities themselves must be detected by another program and reported to Splunk.

---
If this reply helps you, Karma would be appreciated.

Mc_Guard
Explorer

Thank you for sharing your experience and knowledge

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...