I'm currently adding Splunk to my lab, so as I go through the configuration I'm going to write up what I do here as a series of blog posts. Splunk is a pretty powerful SIEM that aggregates and correlates data across your network and security tools. If you ever wanted to try it out, go to splunk.com and you should be able to download it for free for use up to a certain point. The nice thing about Splunk is that there are tons of free pre-built apps and dashboards for multiple vendors, which you can download here.
In my case, I want to be able to use Splunk later for pxGrid integration with ISE, so I can't install it on top of Windows to make that work. In my lab, I am going to install an Ubuntu 16.04.2 Desktop image on a VM. Ubuntu can be downloaded here.
After Ubuntu is installed, navigate to Splunk.com and download the Splunk .deb file for Linux. Once it has been saved to the Downloads directory, you will want to install it. Open Terminal on the Ubuntu desktop and issue the following command:
sudo dpkg -i ./Downloads/splunk-6.6.2-4b804538c686-linux-2.6-amd64.deb
This will install Splunk but the service won't start until you manually start it. After it's installed, issue the following command:
sudo /opt/splunk/bin/splunk start
After a couple of seconds, the web server should be up and running. You should be able to navigate to Splunk in your browser at http://<VM-IP>:8000
Splunk will ask you to log in with the username admin and the password "changeme" initially. You'll be immediately prompted to change your password. One other thing I would recommend is navigating to Settings > System > Server Settings on the top bar after initially signing in.
From there, go to General Settings, and I recommend enabling SSL to make Splunk just a little more secure:
After saving this configuration, you will be prompted by Splunk to restart the services to make the changes take effect. Go ahead and do this.
At this point, Splunk should be up and ready to be configured with some data sources!
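The same install-start-harden sequence as one script, added here as an example and not taken from the original post or from Splunk's own documentation. It assumes the .deb is in ~/Downloads, that EXPECTED_SHA256 is a placeholder you replace with the hash published next to the download, and that the new admin password is supplied in the SPLUNK_ADMIN_PASSWORD environment variable; the splunk CLI subcommands used (start with --accept-license, enable boot-start, enable web-ssl, edit user) are Splunk's own.

```shell
#!/usr/bin/env bash
# Added example: verify the installer, install it, start Splunk, then turn on
# boot-start and HTTPS for Splunk Web from the CLI instead of the UI.
set -euo pipefail

SPLUNK_HOME=/opt/splunk
DEB="$HOME/Downloads/splunk-6.6.2-4b804538c686-linux-2.6-amd64.deb"
EXPECTED_SHA256="REPLACE_WITH_PUBLISHED_SHA256"   # placeholder, not a real hash

# Compare the .deb's SHA-256 with the published one before dpkg touches it.
# Returns 0 on match, 1 on mismatch.
verify_deb() {
  local deb="$1" expected="$2" actual
  actual=$(sha256sum "$deb" | awk '{print $1}')
  [ "$actual" = "$expected" ]
}

# URL Splunk Web answers on; scheme depends on whether web-ssl is enabled.
splunk_web_url() {
  local host="$1" ssl="${2:-no}"
  if [ "$ssl" = "yes" ]; then echo "https://${host}:8000"; else echo "http://${host}:8000"; fi
}

install_and_harden() {
  local deb="$1" expected="$2" new_pass="$3"
  verify_deb "$deb" "$expected" || { echo "checksum mismatch, refusing to install" >&2; return 1; }
  sudo dpkg -i "$deb"
  # First start is non-interactive; then register Splunk as a boot-time service
  # so it no longer has to be started by hand after a reboot.
  sudo "$SPLUNK_HOME/bin/splunk" start --accept-license --answer-yes --no-prompt
  sudo "$SPLUNK_HOME/bin/splunk" enable boot-start
  # Replace the default admin/changeme credential right away.
  sudo "$SPLUNK_HOME/bin/splunk" edit user admin -password "$new_pass" -auth admin:changeme
  # Same effect as the Enable SSL toggle under Settings > Server Settings.
  sudo "$SPLUNK_HOME/bin/splunk" enable web-ssl
  sudo "$SPLUNK_HOME/bin/splunk" restart
  # Confirm the UI answers over HTTPS. The default certificate is self-signed,
  # hence -k; replace it with one your browsers trust before relying on it.
  curl -sk -o /dev/null -w '%{http_code}\n' "$(splunk_web_url localhost yes)/en-US/account/login"
}

# Only runs the real install when explicitly asked, so the file is safe to source.
if [ "${RUN_SPLUNK_INSTALL:-0}" = "1" ]; then
  install_and_harden "$DEB" "$EXPECTED_SHA256" "${SPLUNK_ADMIN_PASSWORD:?set SPLUNK_ADMIN_PASSWORD}"
fi
```

Run it with `RUN_SPLUNK_INSTALL=1 SPLUNK_ADMIN_PASSWORD='...' bash install-splunk.sh` once the placeholder hash has been filled in.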