Building a Virtualized Cybersecurity Lab: Splunk SIEM Setup and Log Forwarding

Published: December 12, 2025 at 10:20 PM EST
3 min read
Source: Dev.to

A Need For Robust Logs

With my Active Directory environment fully deployed and all client systems joined to the domain, the next logical step in my homelab journey is establishing visibility. Identity services create the foundation of authentication and access, but without centralized logging it’s impossible to understand how the environment behaves, detect unusual activity, or analyze the impact of simulated attacks. That’s where a SIEM comes in.

In this post I focus on installing and configuring Splunk as my primary SIEM platform, then enabling log forwarding from my Ubuntu Desktop, Windows 11, and Windows Server 2025 VM. My goal is to build a realistic monitoring stack that mirrors what security teams rely on in production environments—capturing authentication logs, system activity, and security‑relevant events in one place.

Splunk gives me an excellent starting point for understanding enterprise log ingestion, parsing, and detection logic. In future iterations I may migrate this VM to Wazuh or run a separate Wazuh deployment alongside Splunk to compare SIEM platforms and expand my defensive skill set.

This post represents the beginning of the “visibility” phase of the project—turning raw system activity into actionable insights.

Lab Architecture Reminder

Before diving into configuration, here’s the high‑level lab design at this stage.

[Image: homelab topology]

Current environment includes:

  • pfSense (router/firewall)
  • lab‑LAN internal network
  • Windows Server 2022 (Domain Controller + DNS)
  • Windows 11 endpoint
  • Ubuntu Desktop endpoint

With networking complete, the identity layer sits on top of this controlled environment.

Process Overview

Below is a summary of the major configuration steps performed. Screenshots are included to document the process.

Step 1 – Installing Splunk on Ubuntu

sudo dpkg -i splunk-9.0.x-linux-x64.deb
sudo /opt/splunk/bin/splunk start --accept-license
sudo /opt/splunk/bin/splunk enable boot-start

[Screenshot: Splunk server start and boot-start enable]

Access the Splunk Web GUI
Open https://:8000 in a browser and log in as admin with the password you set during installation.

[Screenshot: Splunk Web GUI dashboard]

Step 2 – Configure Inputs / Listeners in Splunk

  1. Navigate to Settings → Data Inputs → Forwarded Data / UDP / TCP.
  2. Set up:
    • UDP 514 (Syslog) for Linux and pfSense
    • TCP 9997 (default for Splunk forwarders)

Enable the listener:

sudo /opt/splunk/bin/splunk enable listen 9997

[Screenshot: Splunk listening ports]
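The same two listeners can be declared in a configuration file instead of clicked through the GUI, which makes the lab reproducible. The fragment below is an added example, not from the original post; it assumes Splunk is installed under /opt/splunk, that events go to the default main index, and that Splunk runs as root (a port below 1024 such as UDP 514 cannot be bound by an unprivileged service account; if Splunk runs as a non-root user, pick a high port like 1514 and point rsyslog and pfSense at that instead).

```ini
# /opt/splunk/etc/system/local/inputs.conf on the Splunk server
# Added example (not the original post's configuration). Assumes the default
# "main" index and that Splunk runs as root so it can bind UDP 514.

# Syslog from the Ubuntu endpoint and pfSense (Steps 4 and 5).
[udp://514]
sourcetype = syslog
# Record the sender's IP as the host field; rsyslog and pfSense both send
# RFC 3164 lines, and the syslog sourcetype also extracts the hostname inside them.
connection_host = ip
# Syslog lines already carry a timestamp; do not prepend another one.
no_appending_timestamp = true
index = main

# Splunk Universal Forwarders on the Windows 11 and Windows Server VMs (Step 3).
[splunktcp://9997]
disabled = 0
```

After saving the file, restart Splunk with sudo /opt/splunk/bin/splunk restart, then confirm both ports are open with sudo ss -lunp | grep 514 and sudo ss -ltnp | grep 9997 before touching any of the clients.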

Logs planned for collection

  • Security logs
  • Sysmon operational logs
  • Authentication events
  • DNS logs (from DC)
  • Linux auth logs
  • pfSense firewall logs

Step 3 – Forward Windows Logs

  1. Download and install the Splunk Universal Forwarder on Windows 11 and Windows Server 2025.
  2. Configure the forwarder to send logs to the Splunk server. Run these from an elevated Command Prompt, since the forwarder runs as a Windows service; the installation path contains a space, so it must be quoted:
"C:\Program Files\SplunkUniversalForwarder\bin\splunk" add forward-server :9997
"C:\Program Files\SplunkUniversalForwarder\bin\splunk" add monitor "C:\Windows\System32\winevt\Logs\Security.evtx"
"C:\Program Files\SplunkUniversalForwarder\bin\splunk" add monitor "C:\Windows\System32\winevt\Logs\System.evtx"
"C:\Program Files\SplunkUniversalForwarder\bin\splunk" start

[Screenshot: Windows forwarder configuration and connection test]

For richer telemetry, Sysmon was installed using the SwiftOnSecurity configuration.
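Tailing the .evtx files with add monitor only ships the raw binary channel files; the Universal Forwarder's WinEventLog input reads the same channels through the Windows Event Log API and produces searchable events, including the Sysmon operational channel mentioned above. The configuration below is an added example rather than the post's own setup. SPLUNK_IP is a placeholder for the Splunk server address, the output group name splunk_indexers is arbitrary, and the commented event ID whitelist is an optional narrowing of the Security channel.

```ini
# C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf
# Added example (not the original post's configuration). Declares the Windows
# event channels to collect; this replaces the "add monitor ...\Security.evtx"
# approach with the Event Log API input the forwarder provides for this purpose.

[WinEventLog://Security]
disabled = 0
# Optional: restrict to the logon, privilege and account-management events that
# most authentication detections key on. Leave commented to collect everything.
# whitelist = 4624,4625,4648,4672,4720,4740

[WinEventLog://System]
disabled = 0

# Sysmon writes to its own channel; renderXml keeps the full structured event
# so process, hash and network fields survive parsing on the Splunk side.
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
renderXml = true

# C:\Program Files\SplunkUniversalForwarder\etc\system\local\outputs.conf
# Where the forwarder sends everything; SPLUNK_IP is a placeholder.
[tcpout]
defaultGroup = splunk_indexers

[tcpout:splunk_indexers]
server = SPLUNK_IP:9997
```

Restart the forwarder after editing ("C:\Program Files\SplunkUniversalForwarder\bin\splunk" restart), then search index=main source="WinEventLog:Security" on the Splunk server; an empty result after a few minutes usually means the forwarder service is not running as an account allowed to read the Security channel, which Local System is by default.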

Step 4 – Forward Linux Logs

On Ubuntu VMs:

sudo apt install rsyslog

Create a forwarding rule:

sudo vim /etc/rsyslog.d/60-splunk.conf

Add the line (a single @ forwards over UDP, which is what the UDP 514 input from Step 2 expects; @@ would forward over TCP and Splunk would never receive it):

*.* @:514

Restart rsyslog:

sudo systemctl restart rsyslog

[Screenshot: rsyslog 60-splunk.conf content]
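A fuller version of the rsyslog drop-in, added here as an example and not taken from the original post. It shows the legacy selector line alongside the equivalent RainerScript action, and the UDP/TCP distinction that decides whether the Step 2 listener ever sees a packet. SPLUNK_IP is a placeholder for the Splunk server address, and the queue name splunk_fwd is arbitrary.

```conf
# /etc/rsyslog.d/60-splunk.conf
# Added example (not the original post's file). SPLUNK_IP is a placeholder.
#
# Legacy selector syntax. '@' = UDP, which matches the [udp://514] input on the
# Splunk server; '@@' = TCP, which only works if Splunk also has a tcp://514 input.
*.* @SPLUNK_IP:514

# Equivalent RainerScript form, restricted to the authentication facilities that
# the lab actually wants (sshd, sudo, PAM) and given a disk-assisted queue so
# events buffered while the Splunk VM is down are kept across an rsyslog restart.
# Enable this *instead of* the line above, otherwise auth events are sent twice.
# Change protocol to "tcp" and add a [tcp://514] input on Splunk if loss-free
# delivery matters more than the simplicity of UDP.
#auth,authpriv.* action(type="omfwd" target="SPLUNK_IP" port="514" protocol="udp" queue.type="LinkedList" queue.filename="splunk_fwd" queue.saveOnShutdown="on" action.resumeRetryCount="-1")
```

Validate the syntax with sudo rsyslogd -N1 before restarting, then generate a test event with logger -p auth.info "splunk forwarding test" and search index=main sourcetype=syslog "splunk forwarding test" on the Splunk server; if nothing arrives, check whether pfSense or the Ubuntu host firewall is blocking UDP 514 toward the Splunk VM.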

Step 5 – Forward pfSense Logs

  1. Log into the pfSense WebGUI.
  2. Navigate to Status → System Logs → Settings.
  3. Under Remote Syslog Servers, add the Splunk IP with UDP 514.
  4. Select all log types you want forwarded.

[Screenshot: pfSense remote syslog configuration]
