```text
├── test.md
├── Security Monitoring with Wazuh.md
├── README.md
├── Security Monitoring using ELK.md
├── Security Monitoring using AlienVault OSSIM.md
├── Security Monitoring using SecurityOnion.md
├── Security Monitoring using Graylog.md
├── Log Monitoring using Datadog.md
├── Security Monitoring using ManageEngine Log360.md
├── Security Monitoring using Grafana and Prometheus.md
└── Security Monitoring using Splunk.md
```

--------------------------------------------------------------------------------
/test.md:
--------------------------------------------------------------------------------

# **Project: Setting Up Splunk Enterprise for Security Monitoring**

---

## **Objective**
Set up a Splunk Enterprise instance on an Ubuntu server, ingest sample data, and create a basic dashboard for monitoring.

---

## **Steps to Complete the Project**

### **Step 1: Prepare Your Environment**
1. **Update the server packages**:
   ```bash
   sudo apt update && sudo apt upgrade -y
   ```

### **Step 2: Download and Install Splunk**
1. Create a Splunk user (optional but recommended) and grant it sudo rights:
   ```bash
   sudo useradd -m splunk
   sudo passwd splunk
   sudo usermod -aG sudo splunk
   ```
2. Switch to the Splunk user:
   ```bash
   su - splunk
   ```
3. Download the Splunk Enterprise installer:
   ```bash
   wget -O splunk.tgz "https://download.splunk.com/products/splunk/releases/9.0.3/linux/splunk-9.0.3-linux-64bit.tgz"
   ```
4. Extract the installer:
   ```bash
   tar -xvf splunk.tgz
   ```
5. Move Splunk to the appropriate directory:
   ```bash
   sudo mv splunk /opt/
   ```

### **Step 3: Start and Configure Splunk**
1. Navigate to the Splunk directory:
   ```bash
   cd /opt/splunk/bin
   ```
2. Start Splunk and accept the license:
   ```bash
   sudo ./splunk start --accept-license
   ```
3. Set an admin username and password: follow the prompts to set the credentials.
### **Step 4: Configure Splunk to Start at Boot**
1. Enable Splunk as a service:
   ```bash
   sudo ./splunk enable boot-start
   ```

### **Step 5: Access the Splunk Web Interface**
1. Open a web browser and navigate to:
   ```
   http://<server-ip>:8000
   ```
2. Log in using the admin credentials you set up.

### **Step 6: Ingest Sample Data**
1. Download a sample dataset:
   ```bash
   wget -O sample_logs.tar.gz "https://github.com/datasets/logs/raw/main/sample_logs.tar.gz"
   ```
2. Extract the logs:
   ```bash
   tar -xvf sample_logs.tar.gz
   ```
3. Upload the logs to Splunk:
   - Go to **Settings > Add Data > Upload**.
   - Select your log files from the extracted folder.
   - Follow the prompts to complete the ingestion.

### **Step 7: Search and Analyze Logs**
1. Navigate to **Search & Reporting**.
2. Run a basic query:
   ```spl
   index=_internal | stats count by sourcetype
   ```
3. Explore different queries to analyze your data.

### **Step 8: Create a Basic Dashboard**
1. Navigate to **Dashboard** in Splunk.
2. Click **Create New Dashboard**.
3. Add a panel with the query:
   ```spl
   index=_internal | timechart count by sourcetype
   ```
4. Save and view your dashboard.
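The same two searches can be run outside the web UI through Splunk's REST API on the management port (8089). The script below is an added example, not part of the original project: it uses the `/services/search/jobs` endpoint in oneshot mode, which returns results in the HTTP response instead of creating a job to poll. The hostname, credentials and CA bundle path are assumptions for your own instance, and the sample response is constructed so the parsing can be exercised offline.

```python
"""Run the lab's SPL queries through Splunk's REST API (management port 8089).

Added example, not part of the original lab. The host name, credentials and
CA bundle path are assumptions for your own instance; SAMPLE_RESPONSE is a
constructed reply so the parsing logic can be exercised offline.
"""
import base64
import json
import ssl
import urllib.parse
import urllib.request
from typing import Optional

SPLUNK_MGMT_URL = "https://splunk.lab.local:8089"  # assumed hostname of the lab server

# The two searches used in the lab's Step 7 and Step 8.
STATS_BY_SOURCETYPE = "index=_internal | stats count by sourcetype"
TIMECHART_BY_SOURCETYPE = "index=_internal | timechart count by sourcetype"

# Constructed reply in the shape Splunk returns for output_mode=json
# (numeric fields arrive as strings).
SAMPLE_RESPONSE = json.dumps({
    "results": [
        {"sourcetype": "splunkd", "count": "1482"},
        {"sourcetype": "splunkd_access", "count": "96"},
        {"sourcetype": "splunk_web_access", "count": "311"},
    ]
})


def build_search_body(spl: str, earliest: str = "-24h", latest: str = "now") -> str:
    """Form-encode a oneshot search request for POST /services/search/jobs.

    The REST API expects a search that begins with a command, so a bare
    'index=... | ...' query (valid in the search bar) is prefixed with 'search '.
    """
    query = spl.strip()
    if not (query.startswith("search ") or query.startswith("|")):
        query = "search " + query
    return urllib.parse.urlencode({
        "search": query,
        "exec_mode": "oneshot",   # results come back in this response, no job to poll
        "output_mode": "json",
        "earliest_time": earliest,
        "latest_time": latest,
    })


def parse_results(body: str) -> list:
    """Turn a oneshot JSON reply into rows, converting 'count' to int."""
    rows = []
    for row in json.loads(body).get("results", []):
        fixed = dict(row)
        if isinstance(fixed.get("count"), str) and fixed["count"].isdigit():
            fixed["count"] = int(fixed["count"])
        rows.append(fixed)
    return rows


def top_sourcetypes(rows: list, n: int = 3) -> list:
    """Rank sourcetypes by event count, the same view the Step 7 query gives."""
    ranked = sorted(rows, key=lambda r: r.get("count", 0), reverse=True)
    return [(r["sourcetype"], r["count"]) for r in ranked[:n]]


def run_oneshot(spl: str, user: str, password: str,
                base_url: str = SPLUNK_MGMT_URL, ca_bundle: Optional[str] = None) -> list:
    """Execute a search over HTTPS with basic auth.

    Splunk ships with a self-signed management certificate; pass the path to
    the CA that signed it (or the cert itself) rather than disabling verification.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url + "/services/search/jobs",
        data=build_search_body(spl).encode(),
        method="POST",
        headers={"Authorization": "Basic " + token,
                 "Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return parse_results(resp.read().decode())


if __name__ == "__main__":
    # Offline demonstration on the constructed reply; call run_oneshot(...)
    # with real credentials to query your lab instance instead.
    print(build_search_body(STATS_BY_SOURCETYPE))
    for sourcetype, count in top_sourcetypes(parse_results(SAMPLE_RESPONSE)):
        print(f"{sourcetype:20} {count}")
```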
## **Commands Summary**
- Server update:
  ```bash
  sudo apt update && sudo apt upgrade -y
  ```
- Download and extract Splunk:
  ```bash
  wget -O splunk.tgz "https://download.splunk.com/products/splunk/releases/9.0.3/linux/splunk-9.0.3-linux-64bit.tgz"
  tar -xvf splunk.tgz
  sudo mv splunk /opt/
  ```
- Start Splunk:
  ```bash
  sudo ./splunk start --accept-license
  ```
- Enable boot start:
  ```bash
  sudo ./splunk enable boot-start
  ```

## **Outcome**
By completing this project, you will have a functional Splunk instance capable of ingesting and

--------------------------------------------------------------------------------
/Security Monitoring with Wazuh.md:
--------------------------------------------------------------------------------

# Home-Lab: Wazuh Security Monitoring

## Objective
To set up a Wazuh home lab on an Ubuntu server for security monitoring and extend its functionality by adding a Wazuh agent on another Ubuntu server to monitor its logs and activities.

---

## Lab Setup
![Lab setup diagram](https://github.com/user-attachments/assets/ecfe331d-e276-4ee7-8012-e627e8a5677d)

## Requirements
1. **Virtualization Tools:**
   - [VirtualBox](https://www.virtualbox.org/)
   - [VMware Workstation Pro](https://www.vmware.com/products/workstation-pro.html)
   - [Proxmox VE](https://www.proxmox.com/)
2. **Ubuntu Servers:**
   - One server as the **Wazuh Manager** (20.04 or later).
   - One server as the **Wazuh Agent** (20.04 or later).
3. **Stable Internet Connection**
4. **Sudo Privileges** on both Ubuntu servers.

---

## Step-by-Step Guide

### 1. **Set Up Wazuh Manager**
- Install and update the Ubuntu server for the manager role:
  ```bash
  sudo apt update && sudo apt upgrade -y
  ```
- Install Wazuh using the one-line command:
  ```bash
  curl -sO https://packages.wazuh.com/4.9/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
  ```
- Access the Wazuh Dashboard via a web browser:
  ```
  https://<wazuh-manager-ip>:5601
  ```
- Log in using the credentials displayed during the installation process.

### 2. **Set Up Wazuh Agent on Another Ubuntu Server**
- On the **second Ubuntu server**, update the packages:
  ```bash
  sudo apt update && sudo apt upgrade -y
  ```
- Install the Wazuh Agent using the following command:
  ```bash
  curl -sO https://packages.wazuh.com/4.9/wazuh-agent.sh && sudo bash ./wazuh-agent.sh -a -s <wazuh-manager-ip>
  ```
- Replace `<wazuh-manager-ip>` with the IP address of the Wazuh Manager server.

### 3. **Configure Wazuh Agent**
- Open the agent configuration file:
  ```bash
  sudo nano /var/ossec/etc/ossec.conf
  ```
- Ensure the `<address>` tag inside the `<client><server>` block contains the correct Wazuh Manager IP:
  ```xml
  <client>
    <server>
      <address>WAZUH_MANAGER_IP</address>
    </server>
  </client>
  ```
- Restart the agent to apply the changes:
  ```bash
  sudo systemctl restart wazuh-agent
  ```

### 4. **Verify Agent Connection on Wazuh Manager**
- Log in to the Wazuh Dashboard.
- Navigate to **Agents** under the **Management** tab.
- Confirm the agent appears in the list and is marked as **Active**.

---

## Conclusion
This guide sets up a Wazuh Manager and extends its monitoring by adding a Wazuh agent on another Ubuntu server. This configuration allows centralized security monitoring, log analysis, and incident detection for multiple devices within your home lab. Experiment further by adding more agents or customizing monitoring rules to enhance your security capabilities.

# 🌟 Ultimate Security Analyst Course 🌟

Get unstuck and complete all the tasks with detailed step-by-step videos, plus:

- **Video Tutorials**: 145+ videos with step-by-step guidance.
- **13 Hands-on Courses** (beginner to medium level): including courses on Cybersecurity 101, IT Networking, Server and Cloud, Splunk for Beginners, Endpoint Investigation, Network Investigation, Security Compliance, and Offensive Security.
- **90 Days Challenge** (medium to advanced level): you are expected to finish 9 hands-on projects in 90 days covering tools such as Splunk, ELK, Wireshark, Velociraptor, Osquery, AWS, etc.
- **Lifetime Access**: once you finish the 90-Days Challenge, you keep access to all the modules for life.
- **Join the Community**: access our exclusive community platform to share insights, seek advice, and learn from fellow challengers.
- **Earn Recognition**: complete the challenge within 90 days to earn a shoutout during our Hall of Fame celebration on LinkedIn and YouTube! 🏆📣

Want to get started?
Enroll Now

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------

# Home-Lab: Security Monitoring and SIEM

This repository contains hands-on guides for setting up various **Security Monitoring Home Labs**. Each lab provides a detailed setup process, configuration, and usage instructions for a specific monitoring tool, enabling users to simulate real-world security monitoring scenarios in a controlled environment.

---

## 📂 Hands-on Labs

| **Lab No.** | **Lab Title** | **Description** |
|-------------|---------------|-----------------|
| 1 | [Security Monitoring using AlienVault OSSIM](Security%20Monitoring%20using%20AlienVault%20OSSIM.md) | Set up **AlienVault OSSIM** for unified security management, including SIEM, vulnerability scanning, and threat intelligence integration. |
| 2 | [Security Monitoring using ELK](Security%20Monitoring%20using%20ELK.md) | Utilize the **ELK Stack** (Elasticsearch, Logstash, Kibana) for centralized log collection, indexing, and visualization. Build dashboards and queries for threat detection. |
| 3 | [Security Monitoring using Grafana and Prometheus](Security%20Monitoring%20using%20Grafana%20and%20Prometheus.md) | Configure **Grafana** and **Prometheus** to monitor system metrics and alerts in real time. Learn to create insightful dashboards for performance and security. |
| 4 | [Security Monitoring using Graylog](Security%20Monitoring%20using%20Graylog.md) | Implement **Graylog** for log management and analysis. Understand how to collect and analyze logs for identifying anomalies and potential threats. |
| 5 | [Security Monitoring using ManageEngine Log360](Security%20Monitoring%20using%20ManageEngine%20Log360.md) | Deploy **ManageEngine Log360** for comprehensive log management, user behavior analytics, and compliance reporting. |
| 6 | [Security Monitoring using Security Onion](Security%20Monitoring%20using%20SecurityOnion.md) | Leverage **Security Onion** for network security monitoring, intrusion detection, and threat hunting in your lab environment. |
| 7 | [Security Monitoring using Splunk](Security%20Monitoring%20using%20Splunk.md) | Explore **Splunk** for advanced log monitoring, search, and analysis. Build use cases for incident detection and response using Splunk queries. |
| 8 | [Security Monitoring with Wazuh](Security%20Monitoring%20with%20Wazuh.md) | Implement **Wazuh** as an open-source security monitoring and compliance platform. Learn how to deploy agents and monitor events. |

---

## 🎯 Objectives

- Understand the installation and configuration process for each tool.
- Simulate real-world security monitoring use cases.
- Gain hands-on experience with log collection, parsing, and visualization.
- Develop skills in setting up dashboards, alerts, and queries for threat detection.

---

## 🛠️ Prerequisites

1. A computer or virtual machine with the required operating system and resources.
2. Basic knowledge of system administration and networking.
3. Familiarity with Linux commands and security concepts.

---

## 🤝 Project Help

If you need assistance deploying these solutions, we offer the following support services:

- 🏗️ **SOC Setup**: Assistance in designing and setting up your Security Operations Center, including tools and workflows.
- 📄 **Log Management**: Guidance on configuring log collection, storage, and analysis for effective monitoring.
- 🔗 **Use Case Integration**: Help in implementing specific security use cases tailored to your organization's needs.
- 🔒 **Security Assessment**: Support in assessing and improving the security posture of your lab environment.
- 🛠️ **Troubleshooting**: Assistance in diagnosing and resolving setup or operational issues during deployment.

## About Me

Hi, I'm Rajneesh Gupta, security consultant, coach and two-time best-selling author. I share security projects to help people excel in the security domain.

Connect with me:

[![LinkedIn](https://img.shields.io/badge/LinkedIn-blue?style=for-the-badge&logo=linkedin)](https://www.linkedin.com/in/rajneeshcyber)
[![X](https://img.shields.io/badge/X-black?style=for-the-badge&logo=x)](https://twitter.com/rajneeshcyber)
[![YouTube](https://img.shields.io/badge/YouTube-red?style=for-the-badge&logo=youtube)](https://www.youtube.com/@rajneeshcyber)

Feel free to connect with me on any of these platforms!

--------------------------------------------------------------------------------
/Security Monitoring using ELK.md:
--------------------------------------------------------------------------------

## Objective
To set up a Security Monitoring Home Lab using the ELK Stack (Elasticsearch, Logstash, Kibana) for centralized log analysis and monitoring, and extend its functionality by integrating Fleet to manage agents on other servers.

---

## Requirements
1. **Virtualization Tools:**
   - [VirtualBox](https://www.virtualbox.org/)
   - [VMware Workstation Pro](https://www.vmware.com/products/workstation-pro.html)
   - [Proxmox VE](https://www.proxmox.com/)
2. **Ubuntu Servers:**
   - One server as the **ELK Stack Manager** (20.04 or later).
   - One server as the **Fleet Agent Node** (20.04 or later).
3. **Stable Internet Connection**
4. **Sudo Privileges** on both Ubuntu servers.
---

## Step-by-Step Guide

### 1. **Set Up ELK Stack on Ubuntu Server**
- Update the server packages:
  ```bash
  sudo apt update && sudo apt upgrade -y
  ```
- Install Elasticsearch:
  ```bash
  wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
  sudo apt install apt-transport-https
  echo "deb https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-8.x.list
  sudo apt update && sudo apt install elasticsearch
  ```
- Start and enable Elasticsearch:
  ```bash
  sudo systemctl enable --now elasticsearch
  ```
- Install and configure Kibana:
  ```bash
  sudo apt install kibana
  sudo systemctl enable --now kibana
  ```
- Access Kibana via a web browser at:
  ```
  http://<elk-manager-ip>:5601
  ```

### 2. **Install Fleet Server**
- On the same ELK server, set up Fleet Server for agent management:
  ```bash
  sudo apt install elastic-agent
  sudo elastic-agent enroll --url=http://<elk-manager-ip>:8220 --fleet-server-es=http://<elk-manager-ip>:9200
  sudo systemctl enable --now elastic-agent
  ```
- Replace `<elk-manager-ip>` with the IP address of the ELK Manager.

### 3. **Set Up Fleet Agent on Another Ubuntu Server**
- On the **second Ubuntu server**, update packages:
  ```bash
  sudo apt update && sudo apt upgrade -y
  ```
- Install Elastic Agent:
  ```bash
  sudo apt install elastic-agent
  ```
- Enroll the agent into Fleet using the enrollment token and Fleet Server URL from Kibana:
  ```bash
  sudo elastic-agent enroll --url=http://<fleet-server-ip>:8220 --enrollment-token=<enrollment-token>
  ```
- Replace `<fleet-server-ip>` and `<enrollment-token>` with the appropriate values from the Fleet setup.

### 4. **Verify Agent Integration**
- Log in to Kibana.
- Navigate to **Fleet > Agents**.
- Confirm that the new agent is listed and its status is **Healthy**.

### 5. **Test Log Collection**
- Generate sample logs on the agent server (e.g., system logs, application logs).
- Verify that the logs are visible in Kibana under **Discover**.

## Conclusion
This guide sets up the ELK Stack for centralized log monitoring and adds Fleet to manage agents on other servers. With this setup, you can monitor and analyze logs from multiple servers in real time, providing a robust platform for security monitoring and incident detection.
--------------------------------------------------------------------------------
/Security Monitoring using AlienVault OSSIM.md:
--------------------------------------------------------------------------------

# Home-Lab Setup: Security Monitoring with AlienVault OSSIM

## Objective
To create a home lab using **AlienVault OSSIM** for monitoring security events from an **Ubuntu Server** and a **Windows machine**. The lab will simulate real-world security monitoring scenarios by collecting and analyzing logs and events from the connected systems.

## Home-Lab Setup

## Requirements
- **Virtualization Platform**:
  - [VirtualBox](https://www.virtualbox.org/)
  - [VMware Workstation Pro](https://www.vmware.com/products/workstation-pro.html)
  - [Proxmox VE](https://www.proxmox.com/en/proxmox-ve)
- **AlienVault OSSIM ISO**: [Download here](https://cybersecurity.att.com/products/ossim/download)
- **Ubuntu Server 22.04 ISO**: [Download here](https://releases.ubuntu.com/22.04/)
- **Windows ISO**: [Download here](https://www.microsoft.com/en-us/software-download/windows10)
- **NXLog**: [Official website](https://nxlog.co/products/nxlog-community-edition)
- **Stable Internet Connection**

## Step-by-Step Guide

### Part 1: Setting Up AlienVault OSSIM
**Objective**: Install and configure AlienVault OSSIM as the central monitoring tool in the lab.

#### Step 1: Set Up the Virtual Machine
1. Download the AlienVault OSSIM ISO.
2. Choose a virtualization platform (VirtualBox, VMware, or Proxmox).
3. Create a new virtual machine:
   - Assign at least **4 CPU cores** and **8 GB RAM**.
   - Allocate **100 GB disk space**.
   - Mount the AlienVault ISO and boot the VM.
4. Follow the on-screen installation steps:
   - Configure a hostname and network settings.
   - Set up a root password.
5. After installation, access the OSSIM web interface:
   - Open a browser and navigate to `https://<ossim-ip>/ossim`.

#### Step 2: Post-Installation Configuration
1. Log in with the default admin credentials and change the password.
2. Update AlienVault OSSIM to the latest version:
   ```bash
   apt update && apt upgrade -y
   ```
3. Configure basic settings:
   - Network interfaces.
   - Timezone and NTP settings.

---

### Part 2: Setting Up Ubuntu Server
**Objective**: Configure an Ubuntu Server to send security logs to AlienVault OSSIM.

#### Step 1: Install the Ubuntu Server
1. Download the Ubuntu Server 22.04 ISO.
2. Create a new virtual machine:
   - Assign 2 CPU cores, 4 GB RAM, and 20 GB disk space.
   - Mount the Ubuntu ISO and install the OS.
3. Set a static IP address for the server.

#### Step 2: Install and Configure Syslog for OSSIM
1. Install the required packages:
   ```bash
   sudo apt update && sudo apt install rsyslog -y
   ```
2. Configure rsyslog to forward logs to OSSIM:
   - Edit the rsyslog configuration file:
     ```bash
     sudo nano /etc/rsyslog.conf
     ```
   - Add the following line at the end of the file (a single `@` forwards over UDP):
     ```
     *.* @<ossim-ip>:514
     ```
   - Restart the rsyslog service:
     ```bash
     sudo systemctl restart rsyslog
     ```

---

### Part 3: Setting Up Windows Machine
**Objective**: Configure a Windows machine to forward event logs to AlienVault OSSIM.

#### Step 1: Install the Windows Machine
1. Create a new virtual machine using the Windows ISO.
2. Assign 2 CPU cores, 4 GB RAM, and 40 GB disk space.
3. Install Windows and configure a static IP.

#### Step 2: Install NXLog for Log Forwarding
1. Download the NXLog Community Edition.
2. Install NXLog on the Windows machine:
   - Follow the installation wizard steps.
3. Configure NXLog:
   - Open the configuration file (`C:\Program Files (x86)\nxlog\conf\nxlog.conf`).
   - Modify the file to include the following blocks (the block names `in` and `out` must match the `Path` in the `Route`):
     ```
     <Extension syslog>
         Module xm_syslog
     </Extension>

     <Input in>
         Module im_msvistalog
     </Input>

     <Output out>
         Module om_udp
         Host <ossim-ip>
         Port 514
         Exec to_syslog_snare();
     </Output>

     <Route 1>
         Path in => out
     </Route>
     ```
   - Save the file and restart the NXLog service.

---

### Part 4: Verify Event Collection in AlienVault OSSIM
**Objective**: Ensure logs and events from Ubuntu and Windows are being collected by OSSIM.

#### Step 1: Check Log Sources in OSSIM
1. Log in to the OSSIM web interface.
2. Navigate to **Environment > Assets**.
3. Add the Ubuntu and Windows machines as assets by their IPs.

#### Step 2: Analyze Logs
1. Go to **Analysis > Security Events**.
2. Confirm that logs from both machines are appearing in the dashboard.

## Conclusion
This home lab demonstrates how to set up AlienVault OSSIM for centralized security monitoring of an Ubuntu server and a Windows machine. With AlienVault OSSIM, you can monitor logs, analyze security events, and gain valuable insights to improve your system's security posture.

--------------------------------------------------------------------------------
/Security Monitoring using SecurityOnion.md:
--------------------------------------------------------------------------------

# Home-Lab Setup: Security Monitoring using SecurityOnion

## Objective
To create a home lab using Security Onion for monitoring security events from an Ubuntu server and a Windows machine. This step-by-step guide covers installing Security Onion, setting up syslog collection on Ubuntu, and configuring event collection on Windows.
---

## Requirements
- **Virtualization Platform**:
  - [VirtualBox](https://www.virtualbox.org/)
  - [VMware Workstation Pro](https://www.vmware.com/products/workstation-pro.html)
  - [Proxmox VE](https://www.proxmox.com/en/proxmox-ve)
- **Security Onion ISO**: [Download here](https://securityonion.net/)
- **Ubuntu Server 22.04 ISO**: [Download here](https://releases.ubuntu.com/22.04/)
- **Windows ISO**: [Download here](https://www.microsoft.com/en-us/software-download/windows10)
- Stable internet connection.
- At least 16 GB RAM and 100 GB disk space for the Security Onion VM.

---

## Step-by-Step Guide

---

### Part 1: Setting Up Security Onion
**Objective**: Install and configure Security Onion to act as the central log and event monitoring platform.

#### Step 1: Install Security Onion
1. Download the Security Onion ISO.
2. Create a new virtual machine in your virtualization platform:
   - Assign at least 8 CPU cores, 16 GB RAM, and 100 GB disk space.
   - Mount the Security Onion ISO and boot from it.
3. Follow the installation steps:
   - Choose **Evaluation Mode** for simplicity.
   - Configure the hostname and assign a static IP.
   - Complete the installation and restart the VM.
4. After reboot, the system will display a URL for the Security Onion web interface.

#### Step 2: Access the Security Onion Web Interface
1. Open a browser and navigate to the URL provided during the installation.
2. Log in using the admin credentials created during setup.

---

### Part 2: Setting Up Ubuntu Server to Collect Syslog
**Objective**: Configure the Ubuntu server to forward syslog to Security Onion.

#### Step 1: Install and Configure Rsyslog
1. Log in to the Ubuntu server.
2. Update the system:
   ```bash
   sudo apt update && sudo apt upgrade -y
   ```
3. Install rsyslog:
   ```bash
   sudo apt install rsyslog -y
   ```
4. Configure rsyslog to forward logs to Security Onion by creating a drop-in file:
   ```bash
   sudo nano /etc/rsyslog.d/50-securityonion.conf
   ```
   - Add the following (a single `@` forwards over UDP):
     ```
     *.* @<security-onion-ip>:514
     ```
5. Restart the rsyslog service:
   ```bash
   sudo systemctl restart rsyslog
   ```

#### Step 2: Verify Logs in Security Onion
1. In the Security Onion web interface, navigate to Kibana.
2. Search for logs from the Ubuntu server using its hostname or IP address.

---

### Part 3: Setting Up Windows to Collect Events
**Objective**: Configure a Windows machine to forward event logs to Security Onion.

#### Step 1: Download and Install Winlogbeat
1. Download Winlogbeat on the Windows machine.
2. Extract the Winlogbeat package and navigate to the extracted folder.

#### Step 2: Configure Winlogbeat
1. Open `winlogbeat.yml` in a text editor.
2. Configure the output to forward logs to Security Onion:
   ```yaml
   output:
     logstash:
       hosts: ["<security-onion-ip>:5044"]
   ```
3. Define the event logs to collect:
   ```yaml
   winlogbeat.event_logs:
     - name: Application
     - name: Security
     - name: System
   ```

#### Step 3: Install and Start Winlogbeat
1. Install Winlogbeat as a service (from an elevated PowerShell prompt in the extracted folder):
   ```powershell
   .\install-service-winlogbeat.ps1
   ```
2. Start the service:
   ```powershell
   Start-Service winlogbeat
   ```

#### Step 4: Verify Logs in Security Onion
1. In the Security Onion web interface, navigate to Kibana.
2. Search for logs from the Windows machine using its hostname or IP address.

---

## Conclusion
This guide demonstrates how to set up Security Onion as a centralized platform for monitoring security events from an Ubuntu server and a Windows machine. With this home lab, you can explore real-world log analysis, event correlation, and threat detection to enhance your cybersecurity skills.

--------------------------------------------------------------------------------
/Security Monitoring using Graylog.md:
--------------------------------------------------------------------------------

# Setting Up a Home-Lab Using Graylog

## Objective
To create a home-lab using Graylog on Ubuntu Server 22.04 for security monitoring. This lab will enable you to monitor logs and security events from another Ubuntu Server, simulating a real-world Security Information and Event Management (SIEM) setup.
---

## Requirements
- **Virtualization Tool**: Choose one of the following:
  - [VirtualBox](https://www.virtualbox.org/) (free and open-source)
  - [VMware Workstation Pro](https://www.vmware.com/products/workstation-pro.html) (paid, with a free trial available)
  - [Proxmox VE](https://www.proxmox.com/en/proxmox-ve) (open-source virtualization platform)
- **Ubuntu Server 22.04 ISO**: [Download here](https://ubuntu.com/download/server)
  - Minimum hardware requirements for each VM:
    - 4 GB RAM
    - 20 GB disk space
    - 2 vCPUs
- **Graylog**: Open-source SIEM tool. [Download here](https://www.graylog.org/products/open-source)

---

## Step-by-Step Guide

### **Part 1. Set Up the Virtual Environment**
1. Install your chosen virtualization tool.
2. Create two VMs using the Ubuntu Server 22.04 ISO:
   - **Graylog Server**: This will host Graylog, MongoDB, and Elasticsearch.
   - **Client Server**: This will send logs to Graylog for monitoring.

---

### **Part 2. Configure the Graylog Server**
#### **Step 1: Update the System**
Run the following commands to ensure the system is updated:
```bash
sudo apt update && sudo apt upgrade -y
```

#### **Step 2: Install Java**
Java is required for Elasticsearch:
```bash
sudo apt install openjdk-11-jre -y
```

#### **Step 3: Install MongoDB**
Install MongoDB as the database for Graylog:
```bash
wget -qO - https://www.mongodb.org/static/pgp/server-4.4.asc | sudo apt-key add -
echo "deb [ arch=amd64 ] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/4.4 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.4.list
sudo apt update
sudo apt install -y mongodb-org
sudo systemctl start mongod
sudo systemctl enable mongod
```

#### **Step 4: Install Elasticsearch**
Install Elasticsearch to index and search logs:
```bash
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
sudo apt update
sudo apt install elasticsearch -y
sudo systemctl start elasticsearch
sudo systemctl enable elasticsearch
```

#### **Step 5: Install Graylog**
Install Graylog as the log management platform:
```bash
wget https://packages.graylog2.org/repo/packages/graylog-4.3-repository_latest.deb
sudo dpkg -i graylog-4.3-repository_latest.deb
sudo apt update
sudo apt install graylog-server -y
```

#### **Step 6: Configure Graylog**
- Edit the Graylog configuration file:
  ```bash
  sudo nano /etc/graylog/server/server.conf
  ```
- Set `password_secret` and `root_password_sha2`. Generate the values with the commands below (install `pwgen` with `sudo apt install pwgen` if it is missing):
  ```bash
  pwgen -N 1 -s 96
  echo -n yourpassword | sha256sum
  ```
- Add the values to the configuration file.
- Restart Graylog:
  ```bash
  sudo systemctl restart graylog-server
  ```

### **Part 3. Configure the Client Server**
#### **Step 1: Update the System**
Run the following commands:
```bash
sudo apt update && sudo apt upgrade -y
```

#### **Step 2: Install Rsyslog**
Install Rsyslog for log forwarding:
```bash
sudo apt install rsyslog -y
```

#### **Step 3: Configure Log Forwarding to Graylog**
- Edit the Rsyslog configuration file:
  ```bash
  sudo nano /etc/rsyslog.conf
  ```
- Add the following line to forward logs to the Graylog server over UDP:
  ```
  *.* @<graylog-server-ip>:514
  ```
- Restart Rsyslog:
  ```bash
  sudo systemctl restart rsyslog
  ```

### **Part 4. Access the Graylog Web Interface**
1. Open a browser and navigate to `http://<graylog-server-ip>:9000`.
2. Log in with the credentials configured earlier.
3. Add an input source (e.g., Syslog UDP) in the Graylog interface to start receiving logs. Graylog runs as an unprivileged user and cannot bind ports below 1024 by default, so if the input fails to start on 514, use a higher port (such as 1514) both here and in the rsyslog line above.

## Conclusion
This Graylog-based home-lab provides a practical environment to monitor and analyze security logs from an Ubuntu client server. By following this guide, you can enhance your skills in security monitoring and log management, laying a foundation for advanced SIEM and SOC tasks.
- **13 Hands-on courses** (beginner to medium level): including courses on Cybersecurity 101, IT Networking, Server and Cloud, Splunk for Beginners, Endpoint Investigation, Network Investigation, Security Compliance, Offensive Security
- **90 Days Challenge** (medium to advanced level): you are expected to finish 9 hands-on projects in 90 days covering tools such as Splunk, ELK, Wireshark, Velociraptor, Osquery, AWS etc.
- **Lifetime Access**: once you finish the 90-Days Challenge, you will still have lifetime access to all the modules
- **Join the Community**: access our exclusive community platform to share insights, seek advice, and learn from fellow challengers.
- **Earn Recognition**: complete the challenge within 90 days to earn a shoutout during our Hall of Fame celebration on LinkedIn and YouTube! 🏆📣

Want to get started?

Enroll Now

--------------------------------------------------------------------------------
/Log Monitoring using Datadog.md:
--------------------------------------------------------------------------------
# Home-Lab Setup: Log Monitoring using Datadog

## Objective
To set up a home lab for centralized log monitoring using **Datadog**, configured to collect logs from an **Ubuntu Server** and a **Windows machine**. This setup will allow for real-time log aggregation, analysis, and visualization.

---

## Home-Lab Setup

---

## Requirements
- **Virtualization Platform**:
  - [VirtualBox](https://www.virtualbox.org/)
  - [VMware Workstation Pro](https://www.vmware.com/products/workstation-pro.html)
  - [Proxmox VE](https://www.proxmox.com/en/proxmox-ve)
- **Ubuntu Server 22.04 ISO**: [Download here](https://releases.ubuntu.com/22.04/)
- **Windows ISO**: [Download here](https://www.microsoft.com/en-us/software-download/windows10)
- **Datadog Agent**: [Official website](https://www.datadoghq.com/)
- **Datadog Account**: [Sign up here](https://app.datadoghq.com/signup)
- Stable internet connection.

---

## Step-by-Step Guide
---
### Part 1: Setting Up Datadog
**Objective**: Create a Datadog account and configure a Datadog Agent to collect logs.

#### Step 1: Create a Datadog Account
1. Go to the [Datadog website](https://app.datadoghq.com/signup).
2. Sign up with an email address or log in using an existing account.
3. Obtain your **API Key** from the Datadog dashboard:
   - Navigate to **Integrations > APIs**.
   - Copy the generated API key for use in agent configuration.

---

### Part 2: Setting Up Ubuntu Server
**Objective**: Install the Datadog Agent on an Ubuntu machine to forward system logs to Datadog.

#### Step 1: Set Up the Ubuntu Virtual Machine
1. Download the Ubuntu Server 22.04 ISO.
2. Create a new virtual machine using your preferred virtualization platform:
   - Assign 2 CPU cores, 4 GB RAM, and 20 GB disk space.
   - Mount the Ubuntu ISO and install Ubuntu.
3. Configure a static IP address for network stability.

#### Step 2: Install the Datadog Agent on Ubuntu
1. Update system packages:
   ```bash
   sudo apt update && sudo apt upgrade -y
   ```
2. Install the Datadog Agent:
   ```bash
   DD_API_KEY= bash -c "$(curl -L https://s3.amazonaws.com/dd-agent/scripts/install_script.sh)"
   ```
   Fill in the empty `DD_API_KEY=` value with the API key copied earlier.
3. Enable log collection:
   - Edit the agent configuration file:
     ```bash
     sudo nano /etc/datadog-agent/datadog.yaml
     ```
   - Add or update the following line:
     ```yaml
     logs_enabled: true
     ```
   - Save and close the file.
4. Configure log sources:
   - Create a configuration file for log sources:
     ```bash
     sudo nano /etc/datadog-agent/conf.d/system_logs.d/conf.yaml
     ```
   - Add the following configuration:
     ```yaml
     logs:
       - type: file
         path: /var/log/syslog
         service: ubuntu
         source: syslog
     ```
   - Save and close the file.
5. Restart the Datadog Agent:
   ```bash
   sudo systemctl restart datadog-agent
   ```
---
### Part 3: Setting Up Windows Machine
**Objective**: Install the Datadog Agent on a Windows machine to forward logs to Datadog.

#### Step 1: Set Up the Windows Virtual Machine
1. Install Windows in a virtual machine using your preferred platform.
2. Configure networking and install updates.
#### Step 2: Install the Datadog Agent on Windows
1. Download the Datadog Agent installer for Windows from the Datadog website.
2. Run the installer and follow the prompts:
   - Enter the API Key during installation.
   - Enable log collection when prompted.
3. Configure log sources:
   - Open the Datadog Agent Manager from the system tray.
   - Navigate to the Log Collection tab.
   - Add event log sources:
     - Enable logs for `Application`, `Security`, and `System`.
   - Apply and save the configuration.

---
### Part 4: Viewing Logs in Datadog
**Objective**: Verify and visualize logs from Ubuntu and Windows systems in Datadog.

#### Step 1: Access Logs in Datadog
1. Log in to your Datadog dashboard.
2. Navigate to Logs > Live Tail.
3. Filter logs by source or service (e.g., `ubuntu` or `syslog`).
#### Step 2: Create Dashboards
1. Navigate to Dashboards and create a new dashboard.
2. Add widgets for:
   - Log streams filtered by source or severity.
   - Log analytics showing trends over time.
3. Save the dashboard for continuous monitoring.
---
## Conclusion
This guide demonstrates how to set up a home lab using Datadog for centralized log monitoring. By aggregating logs from both Ubuntu and Windows machines, you gain real-time insights into system performance and security, enabling better decision-making and proactive responses to potential issues.
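Part 2, Step 2 above installs the agent by piping a script fetched with `curl` straight into `bash`. The added example below (not Datadog's own installer logic, and not part of this guide) separates the fetch from the execution: download to a file, compare its SHA-256 with a value pinned in advance, and only then run it. The same `fetch_verified` function covers the `.deb`, `.tgz` and `.zip` downloads in the other guides in this repository. The URL and the expected hash in the usage comment are placeholders; the script file used by the demo is constructed.

```shell
#!/bin/sh
# Added example (not Datadog's tooling): fetch, verify, then run.

# Compare the file's SHA-256 with the pinned value. On mismatch the file is
# removed so a later step cannot pick up the unverified artifact by accident.
verify_sha256() {
    local file="$1" expected="$2" actual
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file: expected $expected, got $actual" >&2
        rm -f "$file"
        return 1
    fi
}

# Download URL to DEST and verify it. -f makes curl fail on HTTP errors
# instead of saving an error page that would then be executed.
fetch_verified() {
    local url="$1" dest="$2" expected="$3"
    curl -fsSL -o "$dest" "$url" || return 1
    verify_sha256 "$dest" "$expected"
}

# The guide's one-liner, rewritten as download -> verify -> run. The API key
# is expected in the environment; exporting it in a separate step keeps it
# off this command line and out of shell history.
# Usage (placeholders):
#   export DD_API_KEY=...
#   install_agent_verified https://s3.amazonaws.com/dd-agent/scripts/install_script.sh PINNED_SHA256
install_agent_verified() {
    local url="$1" expected="$2" script
    [ -n "$DD_API_KEY" ] || { echo "DD_API_KEY is not set" >&2; return 1; }
    script=$(mktemp) || return 1
    if fetch_verified "$url" "$script" "$expected"; then
        DD_API_KEY="$DD_API_KEY" bash "$script"
    else
        return 1
    fi
}

# Offline demo with a constructed script and a hash computed on the spot;
# in real use the hash is pinned from a trusted source beforehand.
demo_verify() {
    local tmp good
    tmp=$(mktemp) || return 1
    printf '#!/bin/sh\necho agent-install-placeholder\n' > "$tmp"
    good=$(sha256sum "$tmp" | cut -d' ' -f1)
    verify_sha256 "$tmp" "$good" || return 1                           # accepted
    ! verify_sha256 "$tmp" "0000000000000000000000000000000000000000000000000000000000000000" 2>/dev/null
    [ ! -e "$tmp" ]                                                     # rejected file was removed
}

demo_verify && echo "verify_sha256 behaves as expected"
```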

--------------------------------------------------------------------------------
/Security Monitoring using ManageEngine Log360.md:
--------------------------------------------------------------------------------
# Home-Lab Setup: Security Monitoring Using ManageEngine Log360

## Objective
To build a home lab for security monitoring using **ManageEngine Log360**, a comprehensive log management and security monitoring tool. This setup includes configuring an Ubuntu server and a Windows machine to send security-related logs to Log360 for centralized analysis and monitoring.

---

## Home-Lab Setup

---

## Requirements
- **Virtualization Platform**:
  - [VirtualBox](https://www.virtualbox.org/)
  - [VMware Workstation Pro](https://www.vmware.com/products/workstation-pro.html)
  - [Proxmox VE](https://www.proxmox.com/en/proxmox-ve)
- **Ubuntu Server 22.04 ISO**: [Download here](https://releases.ubuntu.com/22.04/)
- **Windows ISO**: [Download here](https://www.microsoft.com/en-us/software-download/windows10)
- **ManageEngine Log360**: [Download here](https://www.manageengine.com/log-management/download.html)
- Stable internet connection.

---

## Step-by-Step Guide

### Part 1: Setting Up ManageEngine Log360
**Objective**: Install and configure ManageEngine Log360 as the central security monitoring platform.

#### Step 1: Set Up a Windows VM for Log360
1. Download the Windows ISO and create a new VM using your virtualization platform:
   - Assign 2 CPUs, 4 GB RAM, and 40 GB of disk space.
   - Install Windows and configure the VM with a static IP address.
2. Install necessary Windows updates and ensure network connectivity.

#### Step 2: Install ManageEngine Log360
1. Download the Log360 installer from the [official website](https://www.manageengine.com/log-management/download.html).
2. Install Log360 on the Windows VM:
   - Run the installer and follow the setup wizard.
   - Choose default settings or customize the installation directory if needed.
3. Start the ManageEngine Log360 service:
   - Open **Services** and ensure the **ManageEngine Log360** service is running.

#### Step 3: Configure Log360
1. Access the Log360 web interface:
   - Open a browser and navigate to `http://:8080`.
   - Log in with the default admin credentials and change the password.
2. Configure the security monitoring workspace:
   - Navigate to **Settings > Add Log Sources**.
   - Add sources for Linux (Syslog) and Windows Event Logs.

---

### Part 2: Setting Up Ubuntu Server for Security Monitoring
**Objective**: Configure Ubuntu to send security-related logs to Log360 using the Syslog protocol.

#### Step 1: Set Up the Ubuntu VM
1. Download the Ubuntu Server 22.04 ISO.
2. Create a new VM and allocate:
   - 1 CPU, 2 GB RAM, and 20 GB of disk space.
   - Install Ubuntu Server with a static IP address.
3. Complete the initial setup (user creation, updates, etc.).

#### Step 2: Enable Security Log Forwarding
1. Install and configure `rsyslog` for log forwarding:
   ```bash
   sudo apt update && sudo apt install rsyslog -y
   ```
2. Edit the rsyslog configuration file:
   ```bash
   sudo nano /etc/rsyslog.conf
   ```
   - Add the following line to forward logs:
     ```
     *.* @:514
     ```
   - Save and close the file.
3. Restart the rsyslog service:
   ```bash
   sudo systemctl restart rsyslog
   ```
4. Verify that security logs are forwarded:
   - Check the Log360 interface for incoming logs from the Ubuntu server.
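The forwarding rule used in Step 2 above, and in Part 3, Step 3 of the Graylog guide, is `*.* @:514` with the collector address left blank. The following added example (not from either guide) builds that rule from a host parameter and refuses an empty host, uses `@@` when TCP is wanted, writes the result as an `/etc/rsyslog.d` drop-in (which Ubuntu's `/etc/rsyslog.conf` already includes), and decodes the `<PRI>` prefix of a received message to show what a `facility.severity` selector such as `*.*` matches. The host `10.0.0.5` and the sample message are constructed.

```shell
#!/bin/sh
# Added example for the rsyslog forwarding steps (not from either guide).

# rsyslog action for "every facility, every severity":
#   @host:port  -> UDP, what the guides use; fire-and-forget and plaintext
#   @@host:port -> TCP, still plaintext, but a broken connection is retried
forward_rule() {
    local proto="$1" host="$2" port="${3:-514}"
    if [ -z "$host" ]; then
        # Copying the guide's line verbatim yields '@:514' with no host.
        echo "forward_rule: collector host must not be empty" >&2
        return 1
    fi
    case "$proto" in
        udp) printf '*.* @%s:%s\n' "$host" "$port" ;;
        tcp) printf '*.* @@%s:%s\n' "$host" "$port" ;;
        *)   echo "forward_rule: protocol must be udp or tcp" >&2; return 1 ;;
    esac
}

# Write the rule as a drop-in. The directory is a parameter so the function
# can be tried against a scratch directory; on the client it is /etc/rsyslog.d.
write_forward_conf() {
    local dir="$1" proto="$2" host="$3" port="${4:-514}" rule
    rule=$(forward_rule "$proto" "$host" "$port") || return 1
    mkdir -p "$dir" || return 1
    printf '# forward all local messages to the central collector\n%s\n' \
        "$rule" > "$dir/50-forward.conf"
}

# Selectors are facility.severity. On the wire every message starts with
# <PRI>, where PRI = facility * 8 + severity, so decoding PRI tells you which
# selector a received line matched.
facility_name() {
    case "$1" in
        0) echo kern ;;  1) echo user ;;   2) echo mail ;;      3) echo daemon ;;
        4) echo auth ;;  5) echo syslog ;; 6) echo lpr ;;       7) echo news ;;
        8) echo uucp ;;  9) echo cron ;;   10) echo authpriv ;; 11) echo ftp ;;
        1[6-9]|2[0-3]) echo "local$(($1 - 16))" ;;
        *) echo "facility$1" ;;
    esac
}

severity_name() {
    case "$1" in
        0) echo emerg ;;   1) echo alert ;;  2) echo crit ;; 3) echo err ;;
        4) echo warning ;; 5) echo notice ;; 6) echo info ;; 7) echo debug ;;
        *) echo "severity$1" ;;
    esac
}

# decode_pri '<34>1 2024-01-01T00:00:00Z host su - - - ...'  ->  auth.crit
decode_pri() {
    local pri="$1"
    pri=${pri#<}
    pri=${pri%%>*}
    printf '%s.%s\n' "$(facility_name $((pri / 8)))" "$(severity_name $((pri % 8)))"
}
```

After `write_forward_conf /etc/rsyslog.d tcp 10.0.0.5` on the client, `sudo systemctl restart rsyslog` as in the guide applies the rule; with `rsyslog` installed, `rsyslogd -N1` parses the full configuration without starting the daemon, which catches typos before the restart.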

---
### Part 3: Setting Up Windows Machine for Security Monitoring
**Objective**: Configure a Windows client machine to forward event logs to Log360.

#### Step 1: Set Up the Windows VM
1. Download the Windows ISO and create a new VM:
   - Assign 2 CPUs, 4 GB RAM, and 40 GB of disk space.
   - Install Windows and configure it with a static IP address.
#### Step 2: Enable Windows Security Event Log Forwarding
1. Download and install the Event Log Forwarder tool (available with Log360).
2. Configure the Event Log Forwarder:
   - Set the Log360 server's IP address and port (default: 514).
   - Specify which event logs to monitor:
     - Security for login attempts and access control.
     - System for kernel-level alerts.
     - Application for application-specific security logs.
3. Start the forwarding service to send event logs to Log360.
#### Step 3: Verify Logs
1. Open the Log360 dashboard and confirm that logs from the Windows machine are being received.
2. Navigate to Security Logs > Windows Event Logs to analyze incoming security events.

---
### Part 4: Analyzing and Monitoring Logs in Log360
**Objective**: Leverage Log360's tools to monitor security events, generate alerts, and create reports.

#### Step 1: Configure Security Dashboards
1. Navigate to Dashboard > Add New Widget.
2. Add widgets for:
   - Real-time log monitoring.
   - Event severity analysis (e.g., Critical, Warning, Informational).
   - Authentication success/failure trends.
#### Step 2: Set Up Security Alerts
1. Go to Alerts > Create Alert.
2. Define alert triggers:
   - Unauthorized login attempts.
   - Sudden spike in error logs.
   - System-level warnings.
3. Enable email or SMS notifications for critical alerts.
#### Step 3: Generate Compliance and Security Reports
1. Navigate to Reports > Security Reports.
2. Generate reports such as:
   - User login activity.
   - Privilege escalation attempts.
   - Failed authentication attempts.
#### Step 4: Enable Threat Detection
1. Use the Threat Intelligence Module in Log360.
2. Correlate logs to identify potential security threats (e.g., brute-force attacks).
3. Customize rules for specific use cases or compliance requirements.

### Conclusion
This home lab demonstrates the setup of ManageEngine Log360 for centralized security monitoring. By integrating Ubuntu and Windows machines, you can monitor security events, generate actionable insights, and respond to potential threats effectively.

With ManageEngine Log360, your home lab becomes a powerful tool for learning security monitoring and improving your cybersecurity skills!

--------------------------------------------------------------------------------
/Security Monitoring using Grafana and Prometheus.md:
--------------------------------------------------------------------------------
# Home-Lab Setup: Grafana and Prometheus for Security Monitoring

## Objective
To create a home lab using Grafana and Prometheus for monitoring the security of an Ubuntu Server 22.04 and a Windows machine. Additionally, configure both systems to send logs for centralized monitoring.

---

## Home-Lab Setup
This lab can be built on top of VMware Workstation, VirtualBox or Proxmox.
![Blue and Gold Elegant Minimalist Jewelry Promotions Business Floor Decal (150 x 120 mm) (2)](https://github.com/user-attachments/assets/f93c0cda-6551-44ce-b474-03bb955e5855)

---

## Requirements
- **Virtualization Platform**:
  - [VirtualBox](https://www.virtualbox.org/)
  - [VMware Workstation Pro](https://www.vmware.com/products/workstation-pro.html)
  - [Proxmox VE](https://www.proxmox.com/en/proxmox-ve)
- **Ubuntu Server 22.04 ISO**: [Download here](https://releases.ubuntu.com/22.04/)
- **Windows ISO**: [Download here](https://www.microsoft.com/en-us/software-download/windows10)
- **Grafana**: [Official website](https://grafana.com/)
- **Prometheus**: [Official website](https://prometheus.io/)
- **Promtail (for syslog forwarding)**: [Loki Documentation](https://grafana.com/docs/loki/latest/clients/promtail/)
- **Loki**: [Official website](https://grafana.com/oss/loki/)
- **Winlogbeat**: [Official website](https://www.elastic.co/beats/winlogbeat)
- Stable internet connection.

---

## Step-by-Step Guide

### Part 1: Grafana and Prometheus Setup
**Objective**: Set up Grafana and Prometheus on an Ubuntu server to monitor system metrics and provide a centralized visualization platform.

#### Step 1: Set Up the Virtual Machine
1. Download the Ubuntu Server 22.04 ISO.
2. Choose a virtualization platform (VirtualBox, VMware, or Proxmox).
3. Create a new virtual machine:
   - Assign at least 2 CPU cores and 4 GB RAM.
   - Allocate 20 GB disk space.
   - Mount the Ubuntu ISO and install Ubuntu Server 22.04.
4. During the installation, set up a hostname, user account, and static IP.

#### Step 2: Install Prometheus
1. Update the system packages:
   ```bash
   sudo apt update && sudo apt upgrade -y
   ```
2. Download and install Prometheus:
   ```bash
   wget https://github.com/prometheus/prometheus/releases/download/v2.44.0/prometheus-2.44.0.linux-amd64.tar.gz
   tar -xvf prometheus-2.44.0.linux-amd64.tar.gz
   sudo mv prometheus-2.44.0.linux-amd64 /usr/local/prometheus
   ```
3. Configure Prometheus:
   ```bash
   sudo nano /usr/local/prometheus/prometheus.yml
   ```
   - Add the following:
     ```yaml
     global:
       scrape_interval: 15s
     scrape_configs:
       - job_name: 'ubuntu'
         static_configs:
           - targets: ['localhost:9090']
     ```
4. Start Prometheus:
   ```bash
   cd /usr/local/prometheus
   ./prometheus --config.file=prometheus.yml &
   ```
#### Step 3: Install Grafana
1. Download and install Grafana:
   ```bash
   wget https://dl.grafana.com/oss/release/grafana-9.6.4_amd64.deb
   sudo dpkg -i grafana-9.6.4_amd64.deb
   ```
2. Start Grafana:
   ```bash
   sudo systemctl enable grafana-server
   sudo systemctl start grafana-server
   ```
3. Access Grafana:
   - Go to http://:3000.
   - Log in with the default credentials (admin/admin) and set a new password.

### Part 2: Setting Up Ubuntu Server
**Objective**: Configure Ubuntu Server to forward system logs to Grafana using Loki and Promtail.

#### Step 1: Install Loki and Promtail
1. Install Loki:
   ```bash
   wget https://github.com/grafana/loki/releases/download/v2.10.0/loki-linux-amd64.zip
   unzip loki-linux-amd64.zip
   sudo mv loki-linux-amd64 /usr/local/bin/loki
   ```
2. Configure Loki:
   ```bash
   sudo nano /etc/loki-config.yml
   ```
   - Add the following:
     ```yaml
     auth_enabled: false
     server:
       http_listen_port: 3100
     ingester:
       lifecycler:
         ring:
           kvstore:
             store: inmemory
     schema_config:
       configs:
         - from: 2023-01-01
           store: boltdb-shipper
           object_store: filesystem
           schema: v11
           index:
             prefix: index_
             period: 24h
     storage_config:
       boltdb_shipper:
         active_index_directory: /tmp/loki/boltdb-shipper-active
         shared_store: filesystem
         cache_location: /tmp/loki/boltdb-shipper-cache
       filesystem:
         directory: /tmp/loki/chunks
     ```
3. Start Loki:
   ```bash
   loki -config.file=/etc/loki-config.yml &
   ```
4. Install Promtail:
   ```bash
   wget https://github.com/grafana/loki/releases/download/v2.10.0/promtail-linux-amd64.zip
   unzip promtail-linux-amd64.zip
   sudo mv promtail-linux-amd64 /usr/local/bin/promtail
   ```
5. Configure Promtail:
   ```bash
   sudo nano /etc/promtail-config.yml
   ```
   - Add the following:
     ```yaml
     server:
       http_listen_port: 9080
     clients:
       - url: http://localhost:3100/loki/api/v1/push
     positions:
       filename: /tmp/positions.yaml
     scrape_configs:
       - job_name: 'syslog'
         static_configs:
           - targets:
               - localhost
             labels:
               job: 'syslog'
               __path__: /var/log/syslog
     ```
6. Start Promtail:
   ```bash
   promtail -config.file=/etc/promtail-config.yml &
   ```
### Part 3: Setting Up Windows Machine
**Objective**: Configure a Windows machine to send event logs to Grafana using Loki and Winlogbeat.

#### Step 1: Install Winlogbeat
1. Download Winlogbeat.
2. Extract the files and navigate to the directory.
#### Step 2: Configure Winlogbeat
1. Open winlogbeat.yml in a text editor.
2. Configure the output to Loki:
   ```yaml
   output:
     loki:
       hosts: ["http://:3100"]
   ```
3. Add log paths for monitoring:
   ```yaml
   winlogbeat.event_logs:
     - name: Application
     - name: Security
     - name: System
   ```
#### Step 3: Run Winlogbeat
1. Install Winlogbeat as a service:
   ```powershell
   .\install-service-winlogbeat.ps1
   ```
2. Start the service:
   ```powershell
   Start-Service winlogbeat
   ```
#### Step 4: Verify Logs in Grafana
1. Add Loki as a data source in Grafana.
2. Create dashboards to visualize logs from Ubuntu and Windows systems.

## Conclusion
This guide demonstrates setting up a home lab with Grafana, Prometheus, Loki, Promtail, and Winlogbeat to monitor Ubuntu and Windows machines. By centralizing logs and metrics, you can effectively analyze and enhance your system's security.

--------------------------------------------------------------------------------
/Security Monitoring using Splunk.md:
--------------------------------------------------------------------------------
# **Security Monitoring using Splunk**

---

## **Objective**

Set up a Splunk Home Lab on Ubuntu Server to centralize log collection and analysis. Configure the Splunk Universal Forwarder on an Ubuntu machine to forward syslogs and application logs. Enable Windows Event Log monitoring on a Windows machine and forward logs to the Splunk server for comprehensive monitoring.

---

## **Home-Lab Set up**
The home-lab set up is designed with VMware Workstation.
![Blue and Gold Elegant Minimalist Jewelry Promotions Business Floor Decal (150 x 120 mm)](https://github.com/user-attachments/assets/b1cc0dbb-be1f-46d2-a2c7-c4d83d5aa9c9)

---

## **Requirements**
1. **Virtualization Platform:**
   - [VirtualBox](https://www.virtualbox.org/) (Free)
   - [VMware Workstation Pro](https://www.vmware.com/products/workstation-pro.html) (Free)
   - [Proxmox VE](https://www.proxmox.com/en/) (Free and Open Source)

2. **Resources:**
   - **Ubuntu Server ISO**: [Ubuntu 22.04](https://ubuntu.com/download/server)
   - **Windows ISO**: [Windows Server Evaluation](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server)
   - **Splunk Software**:
     - [Splunk Enterprise](https://www.splunk.com/en_us/download/splunk-enterprise.html)
     - [Splunk Universal Forwarder](https://www.splunk.com/en_us/download/universal-forwarder.html)
   - **Minimum Hardware Requirements for VMs**:
     - Splunk Server:
       - 2 CPU cores
       - 4 GB RAM (8 GB recommended)
       - 40 GB disk space
     - Linux Server:
       - 1 CPU core
       - 2 GB RAM
       - 20 GB disk space
     - Windows Machine:
       - 2 CPU cores
       - 4 GB RAM
       - 40 GB disk space

---

## **Step-by-Step Guide**

### **Part 1: Install Splunk on Ubuntu Server (Main Splunk Server)**

#### **Step 1: Install Virtualization Platform**
1. Download and install your preferred virtualization platform:
   - [VirtualBox Installation Guide](https://www.virtualbox.org/manual/ch02.html)
   - [VMware Workstation Pro Guide](https://www.vmware.com/products/workstation-pro/resources.html)
   - [Proxmox VE Installation Guide](https://pve.proxmox.com/wiki/Install_Proxmox_VE)

#### **Step 3: Update Ubuntu on Both VMs**
1. After installation, log in to both servers and update the packages:
   ```bash
   sudo apt update && sudo apt upgrade -y
   ```
#### **Step 4: Install Splunk on Main Server**
1. Download and install Splunk Enterprise:
   ```bash
   wget -O splunk-9.4.0-6b4ebe426ca6-linux-amd64.deb "https://download.splunk.com/products/splunk/releases/9.4.0/linux/splunk-9.4.0-6b4ebe426ca6-linux-amd64.deb"
   sudo dpkg -i splunk-9.4.0-6b4ebe426ca6-linux-amd64.deb
   cd /opt/splunk/bin
   sudo ./splunk start
   ```
2. Make Splunk accessible from other machines (optional):
   ```bash
   sudo nano /opt/splunk/etc/splunk-launch.conf
   # add this line:
   SPLUNK_BINDIP=0.0.0.0
   ```
3. Allow port 8000 in the firewall:
   ```bash
   sudo ufw allow 8000/tcp
   ```
4. Access Splunk via the web interface:
   ```
   http://:8000
   ```
### Part 2: Configure Syslog Collection from the Second Ubuntu Server
#### Step 6: Install Splunk Universal Forwarder on Syslog Server
1. Download the Splunk Universal Forwarder:
   ```bash
   wget -O splunkforwarder-9.4.0-6b4ebe426ca6-linux-amd64.deb "https://download.splunk.com/products/universalforwarder/releases/9.4.0/linux/splunkforwarder-9.4.0-6b4ebe426ca6-linux-amd64.deb"
   ```
2. Install the Universal Forwarder:
   ```bash
   sudo dpkg -i splunkforwarder-9.4.0-6b4ebe426ca6-linux-amd64.deb
   ```
3. Start the Splunk Universal Forwarder and accept the license:
   ```bash
   sudo /opt/splunkforwarder/bin/splunk start --accept-license
   sudo /opt/splunkforwarder/bin/splunk enable boot-start
   ```
4. Configure the Splunk Forwarder to send logs to the Splunk server:
   ```bash
   sudo /opt/splunkforwarder/bin/splunk add forward-server :9997 -auth admin:
   ```
#### Step 7: Configure Syslog Monitoring on Syslog Server
1. Create a directory to store syslog files:
   ```bash
   sudo mkdir -p /var/log/syslog
   ```
2. Configure rsyslog to output logs to /var/log/syslog.
   Edit the rsyslog configuration file:
   ```bash
   sudo nano /etc/rsyslog.conf
   ```
   - Uncomment or add:
     ```
     *.* /var/log/syslog
     ```
   - Restart rsyslog:
     ```bash
     sudo systemctl restart rsyslog
     ```
#### Step 8: Add Syslog Directory to Splunk Universal Forwarder Inputs
1. Add the syslog directory as a monitored input:
   ```bash
   sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/syslog
   ```
#### Step 9: Configure Splunk Server to Receive Logs
1. On the Splunk server, enable receiving:
   ```bash
   sudo /opt/splunk/bin/splunk enable listen 9997
   ```
2. Verify the forwarder connection:
   ```bash
   sudo /opt/splunk/bin/splunk list forward-server
   ```
#### Step 10: Search for Syslogs in Splunk
1. Access Splunk via the web interface:
   ```
   http://:8000
   ```
2. Navigate to Search & Reporting and search for incoming logs using:
   ```
   index=_internal OR index=main
   ```

### Part 3: Install Splunk Universal Forwarder on a Windows Machine
#### Step 1: Download and Install Splunk Universal Forwarder
1. Download the Splunk Universal Forwarder for Windows (Splunk UF for Windows).
2. Run the installer and follow the setup wizard:
   - Accept the license agreement.
   - Choose the installation directory.
   - Provide the Splunk server IP and receiving port (e.g., 9997).
#### Step 2: Add Monitored Inputs on Windows
1. Launch the Splunk Universal Forwarder Configuration utility.
2. Add directories or files to monitor (e.g., Event Logs, system logs).
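The `splunk list forward-server` check from Part 2, Step 9 (and the Windows check that follows) turned into a pass/fail test. This is an added example, not Splunk's own tooling. `list forward-server` reports the outputs of the instance it is run on, so it runs on the forwarder host (`/opt/splunkforwarder/bin/splunk`); the example parses the command's two sections and says whether the indexer is actually connected or only configured, with a pointer to the step to revisit. The two sample outputs are constructed in the shape the command prints, and the address `10.0.0.20:9997` is a placeholder.

```shell
#!/bin/sh
# Added example (not Splunk's tooling): turn `splunk list forward-server`
# output into a definite connected / not-connected result.

# Constructed samples in the shape the command prints on the forwarder.
SAMPLE_CONNECTED='Active forwards:
    10.0.0.20:9997
Configured but inactive forwards:
    None'

SAMPLE_NOT_CONNECTED='Active forwards:
    None
Configured but inactive forwards:
    10.0.0.20:9997'

# Print active, inactive or missing for the given host:port.
forward_state() {
    local output="$1" target="$2"
    printf '%s\n' "$output" | awk -v target="$target" '
        /^Active forwards:/                  { section = "active";   next }
        /^Configured but inactive forwards:/ { section = "inactive"; next }
        $1 == target                         { print section; found = 1; exit }
        END                                  { if (!found) print "missing" }'
}

# Map the state to an exit code plus a hint about which step to revisit.
explain_state() {
    case "$1" in
        active)
            echo "$2: connected, events are being forwarded" ;;
        inactive)
            echo "$2: configured but not connected; check that the indexer ran" \
                 "'splunk enable listen 9997' and that TCP 9997 is reachable" >&2
            return 1 ;;
        *)
            echo "$2: not configured; run 'splunk add forward-server $2' first" >&2
            return 1 ;;
    esac
}

# Run the real command on the forwarder host and evaluate its output.
# Usage: check_forwarder 10.0.0.20:9997
check_forwarder() {
    local target="$1" output state
    output=$(sudo /opt/splunkforwarder/bin/splunk list forward-server) || return 1
    state=$(forward_state "$output" "$target")
    explain_state "$state" "$target"
}

# Offline demonstration against the constructed samples.
explain_state "$(forward_state "$SAMPLE_CONNECTED" 10.0.0.20:9997)" 10.0.0.20:9997
explain_state "$(forward_state "$SAMPLE_NOT_CONNECTED" 10.0.0.20:9997)" 10.0.0.20:9997 || true
```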

#### Step 3: Verify Forwarding to Splunk
- On the Splunk server, verify that the Windows machine is forwarding logs:
  ```bash
  sudo /opt/splunk/bin/splunk list forward-server
  ```
- Search for Windows logs in Splunk's Search & Reporting app:
  ```
  index=windows_logs
  ```

## Conclusion
This setup allows you to analyze syslogs from a second Ubuntu server using Splunk's powerful interface. By following this guide, you now have a functional home lab for practicing security investigations, monitoring, and analysis. Experiment with different log sources and enrich your skills further!

--------------------------------------------------------------------------------