Friday, May 22, 2020

Splunk, 30 Bird Media, and the CompTIA CySA+ CS0-001 (Cyber Security Analyst or SOC Prep): Part 002

Good day, everyone! I was going to write a blog talking about the Splunk Fundamentals One course that I finished. Instead, I have decided to talk about how to set up your environment, with the intent of helping people be as prepared as possible to implement the training programs that I mentioned in the first posting.

From the perspective of hardware, which I will only briefly touch on here, having the right equipment is essential to your future progress. The first thing you really need, the one non-negotiable piece, is a CPU that supports virtualization in hardware. If you go to the Gibson Research Corporation website (here), you will find a program called SecurAble. It is free and, when you run it, it will show you if your CPU supports virtualization and if it is turned on in your UEFI (think modern BIOS). If virtualization is present but not on, you will have to follow your system or motherboard instructions on how to access your UEFI and change the appropriate settings.

The second most necessary component is plenty of RAM (random access memory). The RAM will be shared between your host operating system, such as Windows 10, and the virtual machines that you will download from the 30 Bird website or build yourself (which you will have to do for the Splunk server, assuming you follow the suggestions in this blog). The absolute minimum I would recommend is 8GB. Understand that this amount will not give you the most optimal configuration, but, if you are patient, it will work. It is better to buy as much RAM as your system and wallet can take. One word of warning: the host operating system will use up some of the RAM (approximately 4GB for Windows 10). You must subtract that amount when figuring out how much RAM to allocate to each VM. So, if you have 8GB of RAM and use Windows 10, you will only have 4GB of RAM for the VMs to use.

The third, and last, component you will need is an adequate amount of hard drive space, preferably a drive (or drives) with the best balance of cost, capacity, and speed. When you build your virtual machines, select the dynamic allocation option, as this will only use the minimum amount of space on the drive while still letting the virtual machine's guest operating system think that it has more space available than it is actually using. For instance, if you build an Ubuntu VM, the minimum amount of space used is likely less than 8GB on disk. If you set it up to use a maximum of 20GB, the VM will still only take up 8GB of space on disk, but the guest OS will "see" 20GB. As an example, I have a 2TB Seagate Solid State Hybrid Drive (SSHD) with 12 VMs, plus backups, and I still have approximately 1.5TB of free space available.

Assuming you have adequate hardware to meet at least the minimum requirements, you will also need the software in order to set up your virtual lab. I recommend using Oracle's VirtualBox software. While not as full featured as VMware's offering, it is always free and it is more than good enough for our needs. In addition to the virtualization software, you will also want to purchase the 30 Bird book and download the VMs they provide for the labs. You will need to import the VMs once you have downloaded them. Since they are compressed using the zip format, you can use either the built-in compression/decompression software that typically comes with modern OSes, or you can use 7zip. Once they are unzipped, open VirtualBox, choose the Import button, and choose the folder where the OVA file you need to import is located. Once it is done importing, you need to configure the network settings according to the directions in the book. After that, you will be able to start the VMs, log into them, and follow the lab instructions in the book.

To set up Splunk, you will need to do a few things in addition to what is mentioned in the previous paragraph. First, download your favorite distribution of Linux (I used Ubuntu). You can decide to download and install from an ISO file or use a prebuilt VM. It is your choice, but I prefer to install from the ISO file. Once installed, launch the VM and go to the Splunk website to download the software. Follow the installation instructions.
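The RAM budgeting, the OVA import with its network settings, and the from-scratch Splunk server VM with a dynamically allocated disk described in the last three paragraphs can all be scripted with VirtualBox's VBoxManage command-line tool instead of clicking through the GUI. The following POSIX shell helper is an added example, not code from the original post or from 30 Bird or Splunk. It assumes VBoxManage is on your PATH when you run it for real; the VM names, the OVA and ISO paths, the 20GB disk size and the internal-network name "labnet" are constructed placeholders, and the internal network is my choice for keeping lab VMs isolated from your home LAN (follow the book's network directions where they differ). With DRY_RUN=1, or when VBoxManage is not installed, it only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the original post): scripting the VirtualBox lab
# set-up with VBoxManage. Names, paths and sizes below are placeholders.

# Run a VBoxManage command, or print it when dry-running / VBoxManage is absent.
run() {
    if [ "${DRY_RUN:-0}" = "1" ] || ! command -v VBoxManage >/dev/null 2>&1; then
        echo "DRY-RUN: $*"
    else
        "$@"
    fi
}

# RAM left for guests: host RAM minus what the host OS keeps for itself
# (the post's rule of thumb: about 4 GB for Windows 10). Prints megabytes.
ram_budget_mb() {
    host_gb=$1
    reserve_gb=${2:-4}
    if [ "$host_gb" -le "$reserve_gb" ]; then
        echo "host has ${host_gb}GB but the host OS needs ~${reserve_gb}GB; nothing left for VMs" >&2
        return 1
    fi
    echo $(( (host_gb - reserve_gb) * 1024 ))
}

# Split a RAM budget evenly across N guests that will run at the same time.
ram_per_vm_mb() {
    budget_mb=$1
    vm_count=$2
    echo $(( budget_mb / vm_count ))
}

# Import a vendor OVA (what the post does through the Import button), override
# its memory so it fits the budget, and put its first NIC on an isolated
# internal network so lab VMs only see each other, not your home LAN.
import_lab_vm() {
    ova=$1
    name=$2
    mem_mb=$3
    net=${4:-labnet}
    run VBoxManage import "$ova" --vsys 0 --vmname "$name" --memory "$mem_mb"
    run VBoxManage modifyvm "$name" --nic1 intnet --intnet1 "$net"
}

# Build the Splunk server VM from scratch. "--variant Standard" is VirtualBox's
# dynamically allocated disk: the file grows as the guest writes to it, but the
# guest "sees" the full size (20GB here).
create_ubuntu_vm() {
    name=$1
    mem_mb=$2
    disk_mb=${3:-20480}
    iso=$4
    net=${5:-labnet}
    run VBoxManage createvm --name "$name" --ostype Ubuntu_64 --register
    run VBoxManage modifyvm "$name" --memory "$mem_mb" --cpus 2 --nic1 intnet --intnet1 "$net"
    run VBoxManage createmedium disk --filename "$name.vdi" --size "$disk_mb" --variant Standard
    run VBoxManage storagectl "$name" --name SATA --add sata --controller IntelAhci
    run VBoxManage storageattach "$name" --storagectl SATA --port 0 --device 0 --type hdd --medium "$name.vdi"
    run VBoxManage storageattach "$name" --storagectl SATA --port 1 --device 0 --type dvddrive --medium "$iso"
}

# Usage: ./lab-setup.sh <host RAM in GB>   (e.g. ./lab-setup.sh 8)
main() {
    host_gb=${1:-8}
    budget=$(ram_budget_mb "$host_gb" 4) || exit 1
    per_vm=$(ram_per_vm_mb "$budget" 2)   # one lab VM plus the Splunk server running together
    import_lab_vm ./lab-vm.ova lab-client "$per_vm"
    create_ubuntu_vm splunk-server "$per_vm" 20480 ./ubuntu.iso
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it once with DRY_RUN=1 to review the exact commands before letting it touch VirtualBox; on an 8GB Windows 10 host it budgets 4096MB for guests and gives each of the two VMs 2048MB, which matches the post's arithmetic and keeps the host from swapping.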

That ends the instructions for now. In a future post I will show how to implement Splunk monitoring on the 30 Bird provided VMs and how to use the lab environment to build practical experience with Splunk and any other technology that can be virtualized.

Until then, please be safe and thank you for reading this far.

