SureshXavier/SOC-Lab

GitHub: SureshXavier/SOC-Lab

A Splunk-based SOC lab implementing centralized log management and analysis.

Stars: 0 | Forks: 0

# 🛡️ Building a Splunk SOC Lab

### Windows Universal Forwarder · Deployment Server · Syslog · Firewall Monitoring

[![Splunk](https://img.shields.io/badge/Splunk-Enterprise-FF6600?style=for-the-badge&logo=splunk&logoColor=white)](https://www.splunk.com)
[![Platform](https://img.shields.io/badge/Platform-Kali_Linux_+_Windows-557C94?style=for-the-badge&logo=linux&logoColor=white)](https://www.kali.org)
[![SIEM](https://img.shields.io/badge/Category-SIEM_|_SOC_|_Log_Management-00b4d8?style=for-the-badge)](#)
[![Status](https://img.shields.io/badge/Status-Operational-00f5c4?style=for-the-badge)](#)

> A fully operational enterprise-grade SIEM lab — collecting, forwarding, and analyzing security logs across Windows and Linux using core Splunk components.

**Author:** Suresh Xavier — Security Operations Engineer
**Contact:** [xavierreivax15@gmail.com](mailto:xavierreivax15@gmail.com)
---

## 📌 Overview

To strengthen real-world SIEM and SOC skills, I designed and deployed a complete Splunk-based log aggregation environment using a **Windows endpoint** and a **Kali Linux virtual machine**. The goal was to replicate the log collection and forwarding pipeline found in enterprise security operations centers — manually configuring every component from forwarder deployment to centralized search and analysis.

---

## 🏗️ Lab Architecture

```
┌──────────────────────────────────────┐        ┌─────────────────────────────────────────┐
│              MACHINE 01              │        │               MACHINE 02                │
│           Windows Endpoint           │        │              Kali Linux VM              │
│                                      │        │                                         │
│  ┌───────────────────────────────┐   │        │  ┌───────────────────────────────────┐  │
│  │  Splunk Universal Forwarder   │───┼──9997──┼─▶│  Heavy Forwarder (:9997)          │  │
│  │  inputs.conf / outputs.conf   │◀──┼──8089──┼──│  Deployment Server (:8089)        │  │
│  └───────────────────────────────┘   │        │  │  Search Head (:8000)              │  │
│                                      │        │  │  rsyslog (:514)                   │  │
│  Log Sources:                        │        │  └───────────────────────────────────┘  │
│   ├── WinEventLog:Application        │        │                                         │
│   ├── WinEventLog:Security           │        │  Custom Indexes:                        │
│   ├── WinEventLog:System             │        │   ├── windows_logs (961 events)         │
│   └── pfirewall.log (Firewall)       │        │   └── linux_logs (9,759 events)         │
└──────────────────────────────────────┘        └─────────────────────────────────────────┘

Kali Linux rsyslog (UDP/TCP :514) — ready for syslog sources
```

---

## 🧰 Technologies Used

| Component | Role |
|---|---|
| Splunk Enterprise | Search Head, Heavy Forwarder, Deployment Server |
| Splunk Universal Forwarder | Log collection agent on Windows |
| Deployment Server | Centralized forwarder configuration management |
| Heavy Forwarder | Log receiving and routing (port 9997) |
| rsyslog | Syslog listener configured on Kali Linux (UDP/TCP 514) |
| Windows Defender Firewall | Firewall log source (pfirewall.log) |
| Windows Event Viewer | Windows log source (Application, Security, System) |
| VMware Workstation | Virtualization platform |
| Kali Linux | Splunk server host OS |
---

## ⚙️ Configuration

### Universal Forwarder — Forwarding Target

```ini
# outputs.conf
[tcpout]
defaultGroup = splunk-server

[tcpout:splunk-server]
server = 192.168.252.128:9997
```

### Universal Forwarder — Deployment Client

```ini
# deploymentclient.conf
[target-broker:deploymentServer]
targetUri = 192.168.252.128:8089
```

### Windows Event Log Collection

```ini
# inputs.conf
[WinEventLog://Application]
disabled = 0

[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0
```

### Windows Firewall Log Monitoring

```ini
# inputs.conf
[monitor://C:\Windows\System32\LogFiles\Firewall\pfirewall.log]
disabled = 0
sourcetype = windows_firewall
```

> **Firewall logging enabled for:**
> - ✅ Log Dropped Packets = Yes
> - ✅ Log Successful Connections = Yes

### rsyslog — Syslog Listeners (Kali Linux)

```conf
# rsyslog.conf
module(load="imudp")
input(type="imudp" port="514")

module(load="imtcp")
input(type="imtcp" port="514")
```

---

## 🗂️ Custom Indexes Created

Two dedicated indexes were created to separate and organise ingested data — mirroring enterprise index design for faster searching and better access control.
| Index | Source | Events Captured |
|---|---|---|
| `windows_logs` | Windows endpoint via Universal Forwarder | 961 events |
| `linux_logs` | Kali Linux VM — Splunk internals + syslog | 9,759 events |

---

## 🔄 Data Flow

```
Windows Event Logs
        │
        ▼
Splunk Universal Forwarder ──────────────────────────────────────┐
        │                                                        │
        │ TCP :9997                                TCP :8089 mgmt│
        ▼                                                        │
Heavy Forwarder ──▶ index=windows_logs   Deployment Server ◀─────┘
        │
        ▼
Splunk Search Head ◀──── rsyslog (:514) ◀──── Kali Linux syslog
                                               index=linux_logs
```

| Source | Destination Index | Port |
|---|---|---|
| Windows Event Logs | windows_logs | 9997 |
| Windows Firewall (pfirewall.log) | windows_logs | 9997 |
| Kali Linux syslog | linux_logs | 514 |
| Deployment Management | — | 8089 |

---

## 📊 SOC Monitoring Dashboard

Built a real-time SOC Monitoring Dashboard in Splunk to visualize the entire lab environment at a glance — covering event volume, sourcetype distribution, Splunk health, forwarder connectivity, failed login attempts, and top log sources.

### Panel 01 — Events by Host & Events by Sourcetype

| Host | Event Count |
|---|---|
| `kali` (Kali Linux VM) | ~95,000 events |
| `Suresh` (Windows Endpoint) | ~4,000 events |

Sourcetype breakdown confirms active ingestion of `WinEventLog:Security`, `WinEventLog:Application`, and `WinEventLog:System`.
### Panel 02 — Splunk Health & Forwarder Status

- Health pie chart shows log severity split across `INFO`, `WARN`, and `ERROR`
- Forwarder Status chart confirms the Windows Universal Forwarder (`Suresh`) is actively connected and reporting to the Splunk server

### Panel 03 — Failed Login Attempts & Top Log Sources

- **Failed Login Attempts:** No results found — confirms a clean environment with no brute-force or failed authentication activity during this period
- **Top Log Sources:** `mongod.log` leads at ~52,500 events, followed by `metrics.log` (~17,500) and `splunkd.log` (~11,000), with `WinEventLogSecurity` also present in the top sources

---

## 🚨 Automated Alerts Configured

Three scheduled security alerts were configured to proactively detect infrastructure and ingestion issues — simulating real SOC alerting workflows.

| Alert | Trigger Condition | Schedule | Status |
|---|---|---|---|
| 🔴 Splunk Enterprise Shutdown Detected | Splunk HF goes down | 2026-06-02 12:00 IST | ✅ Enabled |
| 🟠 Windows Log Ingestion Low | UF sending low log volume | 2026-06-03 02:00 IST | ✅ Enabled |
| 🟡 Windows Universal Forwarder Offline | UF's Splunk service stops | 2026-06-02 12:00 IST | ✅ Enabled |

---

## 🎯 Skills Demonstrated
**🔧 Splunk Administration**
- Universal Forwarder deployment
- Deployment Server configuration
- Heavy Forwarder setup
- Custom index creation
- Data onboarding & input management

**📋 Log Management**
- Windows Event Log collection
- Firewall log monitoring
- Syslog collection (UDP + TCP)
- Centralized log aggregation
- Index-based data separation

**🔍 Security Monitoring**
- Authentication event monitoring
- Network traffic analysis
- Firewall event review
- Automated alerting (3 active alerts)
- SOC dashboard creation
- Failed login detection

**🐧 Linux Administration**
- Splunk installation on Kali Linux
- Service & port management
- rsyslog configuration
- Remote log directory structuring
---

## ✅ Outcome

Successfully built a functional Splunk SOC lab collecting and centralizing logs from **5 distinct sources**:

- [x] Windows Application Logs
- [x] Windows Security Logs
- [x] Windows System Logs
- [x] Windows Firewall Logs (pfirewall.log)
- [x] Syslog Events (UDP + TCP :514)
- [x] Custom Indexes — `windows_logs` & `linux_logs`
- [x] 3 Automated Security Alerts — Active & Scheduled
- [x] Real-time SOC Monitoring Dashboard — 5 panels

The lab simulates a **real-world enterprise logging architecture** and provides hands-on experience with SIEM administration, log ingestion, security monitoring, dashboard building, and centralized log management using Splunk.

---

## 📁 Repository Structure

```
splunk-soc-lab/
├── README.md
└── configs/
    ├── inputs.conf             # Windows Event Log + Firewall inputs
    ├── outputs.conf            # UF forwarding target
    ├── deploymentclient.conf   # Deployment Server registration
    └── rsyslog.conf            # Syslog UDP/TCP listener
```

---
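The `monitor://` input in the Windows Firewall Log Monitoring section ships raw `pfirewall.log` lines under the custom sourcetype `windows_firewall`, whose column layout comes from the file's own W3C-style `#Fields:` header rather than from any built-in extraction. As an added example that is not part of this repository, the following Python parser reads that header, maps each line to named fields, skips a truncated line instead of misaligning columns, and summarises DROP events per source IP and destination port, which is the view a dashboard panel on the firewall feed would start from. The log lines and the non-server IP addresses are constructed samples.

```python
from collections import Counter

# Constructed sample of the W3C-style pfirewall.log that Windows writes to the path in
# inputs.conf. IPs are invented except 192.168.252.128, the lab's Splunk server.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-05-01 10:00:01 DROP TCP 192.168.252.130 192.168.252.129 51515 445 52 S 1 0 8192 - - - RECEIVE
2024-05-01 10:00:02 DROP TCP 192.168.252.130 192.168.252.129 51516 3389 52 S 1 0 8192 - - - RECEIVE
2024-05-01 10:00:03 ALLOW TCP 192.168.252.129 192.168.252.128 49700 9997 0 - 0 0 0 - - - SEND
2024-05-01 10:00:04 DROP UDP 192.168.252.131 192.168.252.129 5353 5353 120 - - - - - - - RECEIVE
2024-05-01 10:00:05 DROP TCP 192.168.252.130 192.168.252.129 51517 445 52 S 1 0 8192 - - - RECEIVE
2024-05-01 10:00:06 DROP TCP 192.168.252.130
"""


def parse_pfirewall(text):
    """Yield one dict per data line, keyed by the column names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other header lines (#Version, #Software, #Time Format)
        if fields is None:
            raise ValueError("data line appeared before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated line (e.g. read mid-write): skip rather than misalign columns
        yield dict(zip(fields, values))


def drop_summary(text):
    """Count DROP events per source IP and per (src-ip, protocol, dst-port)."""
    by_src, by_target = Counter(), Counter()
    for row in parse_pfirewall(text):
        if row["action"] != "DROP":
            continue
        by_src[row["src-ip"]] += 1
        by_target[(row["src-ip"], row["protocol"], row["dst-port"])] += 1
    return by_src, by_target


if __name__ == "__main__":
    by_src, by_target = drop_summary(SAMPLE_LOG)
    for (src, proto, port), n in by_target.most_common():
        print(f"{src} -> {proto}/{port}: {n} dropped")
```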
**Suresh Xavier** · Security Operations Engineer
📧 [xavierreivax15@gmail.com](mailto:xavierreivax15@gmail.com)

*Every component manually configured — no shortcuts.*