Yup! Im happy you can tell haha thanks for watching ❤️

true story. I'm binging

I appreciate that! Thank you ❤️

@@MyDFIR Btw will this project deem valid for someone trying to land an entry level Security Administrator role?

Absolutely. Once you have this AD up, you can start to learn how to harden it as well.

WOW!! Thank you so much ❤️❤️❤️ I am so grateful. More to come!

Did u done with ur blog

Awesome, thank you!

same problem with me ,, i will reinstall it again

unfortunately not fixed , my splunk read only target-pc ,, ADDC not

worked, thank you!

nvmmmmm I switched to my AD server and followed the same steps, and when I went back to splunk to login, both hosts are there with logs :)

Niceee!! Great job

Thats fine, likely you are using a different provider than I am. Sounds like you are using the cloud vs on-prem.

@@MyDFIR I am using 4 vm's with Virtual box. no cloud.

Is your inputs.conf updated and have you restarted your splunk service on the windows endpoint?

@astrid5461 Here is fine. Ill do my best to help. What issues are you having with vmware?

@@MyDFIR sorry for the late reply, but yes, I've put the updated inputs.conf file in the local directory and have restarted the service in windows, still no telemetry for the endpoint index, though the logs from Syston appear in the event viewer, so I know they're there, just not being forwarded

Have fun!

Take a look at the comments as I believe someone had the same error as you did

You are so welcome!

Thanks! No reason, i just wanted to show another way of doing things. Download it how you want 👍

Always on the VM

What are you experiencing?

If you’re not getting events, check your inputs.conf file on your windows machine and make sure you have your index created. Check out the troubleshooting video if you haven’t already

Make sure there are no typos - I would google how to setup a static IP to some written instructions/alternative guides as something weird could be happening

Strange, following the same step on the server should work.

@@MyDFIR this is ofc taking into consideration the fact like IPv4. But apart from that I had followed it thoughout

Glad you liked it!

If I misunderstood your question please correct me! Using another server wouldn’t solve the problem of being unable to connect to the internet. What happens if you ping google.com?

@@MyDFIR and this keeps happening after sudo netplan apply : response warning root: cannot call open vSwitch: ovsdb-server.service is not running.

You could try using wget to download splunk onto your virtual machine. Since I am unable to see your configuration, it is quite tough to troubleshoot. Worst case, restart from scratch.

@@MyDFIR When did we create the group vboxsf? I put the splunk debian on my F drive rather than C:/.....do you think that makes a difference?

Thanks! Either or works, I would do it via ethernet if possible just cause its more “reliable”

Awesome, thank you and great work!

Thanks for watching!

Thank you ❤️

Check your spelling and file path. Also its fine it you have a different IP address, as long as you can access it 👍

@@MyDFIR My spelling is ok. When I press Tab it pops (50-cloud-init.yaml) it brings me to the same scene shown on your video, but I have different blue writing stating something. Should I be concerned moving forward? Example: # This file is generated from information provided by the datasource. Changes # to it will not persist across an instance reboot. To disable cloud-init's # network configuration capabilities, write a file # /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following: # network: {config: disabled} 5:00 Also, after I pressed enter on "sudo netplan apply" I got hit with /ect/netplan/50-cloud-init.yaml Invalid YAML: inconsistent indentation, then of course its shows the addresse 192.168.10.10/24

@@MyDFIR Thank you! How could I write a file "/etc/cloud/cloud.cfg.d/99-disable-network-config.cfg"? I can't apply update until I am able to write this file with the following "network: {config: disabled}"

Yeah ipconfig /release and renew would provide another IP if DHCP was used. Ideally you would reserve some IPs for static purposes and put…say .50-254 on a /24 as dhcp

Check out the troubleshooting video, hopefully that could help fix the problem!

Thanks for the kind words!

Great job on fixing that 👏👏

That is fine 👍 you’ll likely need to put them into a bridged network (network adapter setting in VM)

Yeah installing Splunk is the same. For VMware, you’ll need to research how to install guest add ons

“Not generating events” is this in Splunk or Windows event logs?

Do make sure that the service account is set to local and not the Splunk account.

I have you set it up this way as this is how it is typically installed in real world environments. Of course not all environments are the same but so far this is how ive seen it.

Thats fine, any directory will suffice

@@MyDFIR Appreciate it, I figured it was fine. After all, I bought a new HP Envy Tower Desktop with an i7 and 16gb of ram to practice all your labs on!

Beautiful! Love the specs 💪

Thank you for watching! I hope you learned a lot 😃

Confirmed your hosts are on the same network? Check out the troubleshooting video for this series for some assistance!

Yeah YAML can get kinda weird sometimes, try using this jsonformatter.org/yaml-formatter and see if that helps!

Not sure if I understood the question but this could be due to permissions? Have you tried editing/writing using sudo?

@@MyDFIR i have not I'm new to all this. I was just following your step but got stopped here. I've been researching on how i can write or create this file that is telling me too do but no clue where or how to do that. I cant move forward with the process util this file is disabled.

I had the same issue as you when trying to configure static IP. Instead of 00-installer-config-.yaml, i had 50-cloud-init.yaml. It allowed me to modify 50-cloud-init.yaml, and the static IP takes place temporarily, but the problem is when I reboot the splunk server the IP reverts back to DHCP. I created "/etc/cloud/cloud.cfg.d/99-disable-network-config.cfg" and wrote "network: {config: disabled}", but this didn't help much. What did help is I created my own 00-installer-config-.yaml inside /etc/netplan/ and wrote what MyDFIR had in his. Now when I reboot the splunk server it has the static IP of 192.168.10.10 and I'm able to connect to it on my Win10 VM browser by searching 192.168.10.10:8000. Hope this helps.

@@MochiLearning808 buddy thank you. God bless you till this day I’m struggling 🤣. Do you have an email that I can connect with you that you can show how?

You're very welcome! It does take quite a bit of time and I appreciate you noticing that ❤️

Take a look at the GitHub video I have on my channel to get started. As for Resume, put in the skills you've learned but be sure you can speak to it.

It is up to you honestly, its just a shared folder.

What troubleshooting have you done so far? Did you take a look at the troubleshooting video by any chance?

Awesome! More repetition, the easier it gets ❤️

Make sure the index is created and you restarted your splunk UF service

@@MyDFIR thank you that worked

@@MyDFIR index_internal showed me events but the index=endpoint is still zero is there a reason for that ?

I just restarted the whole process again and it worked thank you so much

Yh I have the same thing did you figure it out yet ?

Btw I just found the version he has but now I can't ping Google

@@dxwid9567 it ends up being the same essentially. just follow his instructions as if they are the same file. worked for me

Sorry could you clarify why you would need another port on your windows server?

Struggling is good! Level up those troubleshooting skills. Take a look at linuxconfig.org/setting-a-static-ip-address-in-ubuntu-24-04-via-the-command-line#:~:text=Setting%20a%20static%20IP%20address%20on%20Ubuntu%2024.04%20involves%20identifying,and%20securely%20on%20your%20network.

@@MyDFIR Thank you so much! I was able to figure out what I was doing wrong!!

Nope, did you get redirected to a downloads page?

I created a video about projects on GitHub and you can follow that, as for resumes you can either provide a high level summary or put down the skills you learned from this project

What troubleshooting have you done so far?

@@MyDFIR I have been able to establish that active forwards is configured but it's inactive. I can ping from the forwarder to the indexer and there is no firewall in between.

@@MyDFIR I managed to fix it and the logs are being ingested successfully. You are the real MVP man thank you!

Awesome work!

nvm I fixed it, downloading Kali linux and unzipping with winRAR does Not work, you do have to use 7 ZIP

Great job figuring it out 🙌

I would recommend you modify it to make it more tailored to you.

Awesome! Happy to hear that, thanks for participating ❤

Hey, couple things - 1) Make sure your IP is actually that, and not something else. 2) Did you start Splunk?

@@MyDFIR Yes my ip is 100 percent that and I also started and configured the splunk in the same way , did not got any errors while configuring it. All my machines are connected with net it is just that it shows site is not able to reach when I type in to get the splunk page , like after configuring it such that it starts everytime splunk opens when machine reboots , I have not done anything manually .

@@maybeitsme3554 Can your machines ping splunk?

@@MyDFIR so I ca ping my machine 192.168.10.10 from other machines but when I checked status of splunk , it said SPLUNK SERVICE FAILED TO EXECUTE /etc/init.d/splunk: Exec format error

@@MyDFIR Hey maan ! Just solved the issue I had to repeat the process of configuring splunk user in the share folder , but was able to solve it quickly. There was something called as splunk helpers which was running instead of splunk , when I re configured IT actually stopped splunk helpers and instead started splunk. Thank you so much for you support man 😄😄

It shouldn’t matter which hypervisor you are using, unless I am misunderstanding the question - you can still run the command

Anytime! Have fun 😁

Interesting, if failing to fetch makes me believe there might be some internet connectivity.

I was thinking the same, but it did download other files and errored out on some.@@MyDFIR

Haha thats the spirit! Take it slow

Make sure you add in the port number as well and ensure splunk service is enabled on the splunk server

Make sure the VM for your server is actually on.

You can assign whatever address in the private IP space aka RFC1918 as long as they are in the same network, they should talk to each other.

How do you solve a problem?

Check the comments, someone had the same error and was able to solve it after installing it.

Use these commands. # run this first $ sudo apt-get install linux-modules-extra-raspi # run this then $ sudo apt-get install openvswitch-switch-dpdk

If that doesn’t work you can use the wget command to install splunk

If you add the user first, then add the user to vboxsf, it should work. for example: "adduser guest" After this command it'll ask for a new password and other info. When you fill that out then use the command, "adduser guest vboxsf" and it should work

More to come! Thanks for watching ❤️

More to come!

You can try and install Splunk via wget if you cannot get the shared drive up and running

@MyDFIR appreciate the quick response i was having issues with my download folder but i figured it out. Thank you for the assist.

This specific demo Splunk was downloaded from my host machine and transferred to the VM. However, you can use the command ‘wget’ to download Splunk directly from your VM.

Some of the VM stuff, installs, settings etc is the most difficult part for me. I appreciate all that you are doing here!

Thank you! Please consider sharing this to others if you believe someone in your network can benefit from it ♥

Same settings as in same IP? If so, that is the problem as there is a conflict. Change the IP, make sure the DC is in the same network and restart your Splunk service.

I used different IP addresses but the same default gateway

Found the problem lol I must have messed up something when installing splunk forwarder so I uninstalled and reinstalled it, redid the inputs.conf file and restarted service and now I see the host name

Thanks for the kind words ❤️

Please refer to your network diagram that you've built in Part 1. Not sure what you mean by changing the IP as well using sudo nano - As long as these machines are in the same network you should be fine.

Great Thank you!@@MyDFIR

Oh yeah also should mention, I didn’t get the screen pop up after the guest additions install, although it seem to have installed when I checked through cli and is updated

Strange, if you’ve followed step by step and it still doesn’t work you can use wget from your splunk VM to download Splunk

@@MyDFIR thank you! will try later today

Make sure you are including the port number and the service is running

I have, but it's timing out. I pinged to make sure I have connection, and it shows I'm connected. @@MyDFIR

@@MyDFIR I felt so dumb after I saw this, clearly it needs to be running lol

Glad to hear it!

Just to make sure, did you install the Splunk enterprise? You should be able to access it, can also try restarting the service.

Solved. I was trying to access Splunk web interface on a different network. Thanks for the good work @@MyDFIR

@ADewest Hi, were you able to fix this? I am running on Intel base MacbookPro as well and having a same issue as you. I wonder if Splunk needs to be run in the background. Thanks.

@@jacoblee3427 yes. Are you running your labs on one hypervisor? In my case I wasn’t so I had to put everything on one hypervisor and made sure they all in the same NAT network and I didn’t encounter any error after trying to access splunk web interface on my target windows machine and AD

Glad you liked it!

Great catch 👍 always check your directories unless you added the binary as an environment variable!

This solved the issue I was having thank you

figured it out rebooted then ran agin it solved

Stuck at the same point. how did you solve it?

there is bin in the home and there is a bin in /opt (/opt/splunk/bin) enter this directory and execute ./splunk start

Glad you like them!

Glad to hear that!

What have you done to troubleshoot so far?

@@MyDFIR I tried tweaking the IPv4 settings. That did not work. I spent time reading online as well and haven't come across anything helpful.

is Splunk running? Check the services and are you on the same network? @@daveittt

It's working now! Thanks so much!

I am having the same issue, what did you do to solve it?@@daveittt

As I have yet to encounter that error, I am not sure but try enabling the service and if that doesn’t work, Google should help!

run this and try again: $ sudo apt-get install openvswitch-switch-dpdk

@@mcgam3r_tv809 I tried this but I only get hit with: E: Unable to locate package openvswitch-switch-dpkg" ?

@@mcgam3r_tv809 Was able to install it with the command you provided -dpdk at the end... cheers

@@RandomFaxx happy to help!

Thank you so much 😀

Also, when installing both splunk and splunkfwd it didn't create any inputs.conf or outputs.conf file, if that helps

You dont need to install a universal forwarder on your Splunk server. By doing so, you likely had overwritten some of the files. I would recommend you start your Splunk server from scratch and install only Splunk Enterprise.

@@MyDFIR I thought for sure you said at the end of the splunk section to leave the universal forwarder to us, I guess I misunderstood 😅 so only install the forwarder on the windows target machine, and only splunk enterprise on the splunk server? I’ll give it a rewatch and start over. I appreciate the project though for real, awesome work

Bingo! You got it 🙌

@@MyDFIR thanks man! I appreciate ya

No problem