A step-by-step guide for building your very own Cybersecurity Home Lab using VirtualBox
In this module, we will set up Splunk (SIEM) in a Ubuntu VM. The VM will be added to the SECURITY subnet. Then we will configure Splunk Universal Forwarder on our Windows Server 2019 (DC) VM which will allow Splunk to ingest logs from the DC.
Go to the following URL: Download Ubuntu Desktop | Download | Ubuntu.
Download the latest LTS version of Ubuntu. As of writing the latest version is
The ISO is ~5GB.
After the download is complete you will have a
In VirtualBox from the sidebar select
Tools and then click on
New from the toolbar.
Give the VM a name. Select the downloaded ISO image. Select the “Skip Unattended Installation” option and click on
Increase the Base Memory to
4096MB (4GB) and click on
Increase the Hard Disk size to
100GB and click on
Confirm that all the settings look correct and click on
Right-click the VM and select “Move to Group” then choose
The final result should look as follows:
Select the VM and click on
Settings from the toolbar.
System -> Motherboard. In Boot Order ensure that
Hard Disk is on the top followed by
Network -> Adapter 1. For the Attached to field select
Internal Network. For name select
LAN 4. Click on
OK to save changes.
Select the VM and click on
Enter to start the Graphical Installer.
Select your language and click on “Install Ubuntu”.
Select Keyboard Layout and click on
Enable “Install third-party software for graphics and Wi-Fi hardware and additional media formats” and click on
Select your location and click on
Enter the username, password and hostname and click on
Restart Now to boot into the system.
VirtualBox will automatically remove the ISO file from the disk drive. Press
Enter to boot into the newly installed system.
Login using your password.
Complete the post-install setup as shown. Click on
Select “No, don't send system info” and click on
Ensure this setting is disabled and click on
Done to close the wizard.
From the VM toolbar select
Devices -> Install Guest Additions CD image.
The disk will show up on the dock. Click on it to view the content of the disk.
Right-click anywhere in the empty area in the File Explorer and select “Open in Terminal”.
Run the following command to install Guest Additions:
Once the installation is complete close the terminal, right-click on the disk icon in the dock and select
Ctrl+Alt+T to open a new terminal then enter the following command to update the system:
sudo apt update && sudo apt full-upgrade
Enter your password when prompted. If there are updates press
Enter to start the install.
Shut down the VM. Click on the Hamburger menu beside the VM name and select
Take to create a Snapshot.
Provide a descriptive name and click on
Click on the Hamburger menu and click on “Details” to return to the main page.
On the Ubuntu VM go to the following URL: Splunk Enterprise Free Trial | Splunk
As of writing the latest version of Splunk Enterprise is
To download Splunk you have to create a account.
Link to get v9.1.2 without an account has been provided at the end of this section.
If you want to use the latest version follow the steps below to create a account.
Fill in the details in the form, accept the agreement and click on “Create the Account”.
After login go to the Linux section and click on the “Download Now” button for the
Scroll down and accept the agreement and then click on “Access program” to start the download.
Alternatively, use the following link to directly download Splunk v9.1.2:
Splunk Enterprise 9.1.2 - Linux (.deb) - Direct Download Link
Once the download is complete we will have a
.deb file. Open the Terminal (
Ctrl+Alt+t) and navigate to the Downloads folder.
Run the following following command to install
curl (dependency for Splunk):
sudo apt install curl
Enter password when prompted.
Run the following command to install Splunk:
sudo dpkg -i splunk-9.1.2-b6b9c8185839-linux-2.6-amd64.deb
If you downloaded the latest version of Splunk the name of the downloaded file could be different from the one shown here. Use the filename that is shown on your system with the above command.
After the installation is completed use the following command to launch Splunk:
sudo /opt/splunk/bin/splunk start --accept-license --answer-yes
Provide a name and password when prompted. These credentials need to be used to log into Splunk.
Once the setup is complete we see the Splunk is running on
Run the following to allow Splunk to start automatically when the system is booted.
sudo /opt/splunk/bin/splunk enable boot-start
You can choose to ignore the last command to enable auto boot.
If you do not enable run at boot the command that was shown above to start Splunk will need to run to start Splunk.
Shut down the VM. Using the Hamburger menu access the Snapshot page. Click on
Take to create a Snapshot. Give the Snapshot a descriptive name.
Before we can install Splunk Universal Forwarder there are a few settings we need to change in Splunk. Open Splunk by going to
From the toolbar select
Settings -> Forwarding and receiving.
Click on “Add new” in the Receive data section.
9997 as the port to listen for incoming data. Click on
The next steps need to be performed on the Domain Controller (Windows Server 2019). We are going to ingest the log data that is generated by this device into Splunk.
Go to the following link to download Universal Forwarder: Download Universal Forwarder for Remote Data Collection | Splunk
You need to log in to be able to download the setup. Select the Windows tab and then click on the Download Now button beside the 64-bit option.
Alternatively, Splunk Universal Forwarder v9.1.2 can be downloaded directly using the following link: Splunk Universal Forwarder 9.1.2 - Windows (.msi) - Direct Download Link
Double-click on the
.msi file to begin installation.
Check the box on the top to accept the agreement and then click on
Provide a username and password for the Forwarder. I would recommend using the same credentials that were configured on Splunk.
For the new step need the IP address of the Ubuntu (Splunk) VM. Use the following command to get the IP address.
Use the IP address that is shown under
If in your case instead of
eth0use the IP address that is shown under that section.
Enter the IP address of the Splunk VM (in my case
10.10.10.13) and enter
8089 as the value for the port field then click on
Again enter the Splunk VM IP address and for port enter
9997. This is the port we configured in Splunk. Click on
Next to continue.
Finish to close the installer.
Now that we have Splunk and Universal Forwarder configured we need to link both the pieces together so that Splunk can collect data.
In Splunk select
Settings -> Add Data.
Our DC VM should automatically show up in the left box. Click on “add all” to move it to the right side. In the “New Source Class Name” field provide a name for the source. Click on
Next to continue.
Select “Local Event Logs” then click on the “add all” button above the dropdown field to ingest all the logs generated by the DC. Click on
Next once done.
Click on “Create a new index“.Indexes are the Splunk equivalent of SQL Tables. It is used to store similar data.
Provide the Index a name. Keep all the other fields on their default value and click on
Save then click on
Confirm all the options look correct and click on
From the Splunk toolbar select
Apps -> Search & Reporting.
In the search box enter the following to view the ingested data:
In the above command “windows” is the name I gave my index.
If the search does not return any value, wait for 2-3 minutes and then try again. If there is still no data go to the Windows VM and perform some simple actions (open applications, change settings, etc.) then after sometime you should see data flowing into Splunk.
In the next module, we will see how we can download files/malware onto the DFIR VM and then move them over to the Malware Analysis lab using SCP.