SOC Home Lab 1 - Setting up the environment

Setting up the environment for the lab!

By Hoàng Nguyên Đạt

SOC-Home-Lab-1

Objective

This lab project sets up a controlled environment for simulating and detecting cyber attacks. The primary focus is ingesting and analyzing logs in a Security Information and Event Management (SIEM) system and generating test telemetry that mimics real-world attack scenarios. Concretely, it is a small virtual lab for realistic logging and monitoring: logs are collected from an Apache web server and a Fortigate firewall and sent to Splunk for storage, analysis, visualization and alerting.

Skills Learned

  • Good knowledge of how SIEM systems work and how to use them effectively.
  • Skilled in reviewing and understanding network and web server activity logs.
  • Capable of identifying attack patterns and indicators in logs and turning them into searches and alerts.
  • Well-developed critical thinking and problem-solving abilities for cybersecurity challenges.

Tools Used

  • Security Information and Event Management (SIEM) system for log ingestion and analysis; this lab uses Splunk Enterprise, with the Splunk Universal Forwarder on the web server.
  • Apache web server as a log source (access.log).
  • Fortigate firewall to monitor and control incoming and outgoing traffic, with its logs sent to Splunk for analysis.

Steps

  1. SETUP

I created 2 Ubuntu VMs on VMware and named them Splunk_Server and Apache_Server.

Then I assigned a static IP to each of the 2 VMs, as shown below.

image: Assign static IP for the 2 VMs

I also installed a Fortigate VM as the firewall, so the lab produces more (and more varied) events to work with.

image: Setting up the Fortigate VM

After that, on both Splunk_Server and Apache_Server I created a user named splunk so that the Splunk processes run as an unprivileged account (least privilege) instead of root. The user gets a login shell, its home directory is the install directory, and -m creates it:

useradd -s /bin/bash -d /opt/splunk -m splunk

On Apache_Server the Universal Forwarder extracts to /opt/splunkforwarder by default, so use that as the home directory there (or extract it into /opt/splunk); either way the splunk user must own the install directory.

On the Splunk_Server VM I downloaded Splunk Enterprise from the Splunk website.

On the Apache_Server VM I downloaded the Universal Forwarder.

I extracted the archives as the splunk user, started each instance, and created the admin account that Splunk asks for on first start.

To receive logs, I then added a data input in Splunk and configured it.

image: adding and configuring the data input in Splunk

Because Splunk runs as the unprivileged splunk user, it cannot bind to a privileged port (anything below 1024), such as UDP 514, the default port a Fortigate sends syslog to. Rather than run Splunk as root, I redirect that port to a high port (with an iptables REDIRECT rule in the nat table): the firewall keeps sending to 514 and Splunk listens on the high port.

The Apache server also has to be configured to send its logs to Splunk.

First I installed and enabled apache2. After that the default page is reachable, as shown below.

image: Apache2 default page

I generated some traffic to that page to produce log entries.

image: generating traffic to the default page

The requests appear in real time in access.log in the apache2 log folder (/var/log/apache2/access.log on Ubuntu).

image: live view of access.log

To send those logs to Splunk for analysis, I configured 2 files on the Apache server, the Universal Forwarder's inputs.conf (which files to monitor) and outputs.conf (where to send them), as shown below.

image: the two forwarder configuration files on Apache_Server

Then I restarted the forwarder so the new configuration takes effect.

image: restarting the forwarder
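The two configuration steps above (the data input plus the port redirect on Splunk_Server, and the two forwarder files on Apache_Server) written out as one script. This is an added example, not the lab's own files: the Splunk_Server address 192.168.150.10 (override it with SPLUNK_SERVER_IP), the 514 to 5514 redirect, the index main and the default install paths /opt/splunk and /opt/splunkforwarder are assumptions, and the sourcetype name fortigate is just a label chosen here (if you install the Fortinet add-on, use the sourcetype it expects). access_combined is Splunk's pretrained sourcetype for Apache access logs.

```shell
#!/bin/sh
# Added example (not from the lab write-up). Writes the Splunk config for
# both VMs and the syslog port redirect. Paths, IP, ports and index below
# are assumptions for this example; adjust them to your lab.
set -eu

SPLUNK_SERVER_IP="${SPLUNK_SERVER_IP:-192.168.150.10}"   # assumed indexer address
RECEIVE_PORT=9997        # forwarder -> indexer (splunktcp)
SYSLOG_PORT=514          # where the Fortigate sends syslog (privileged, < 1024)
SYSLOG_HIGH_PORT=5514    # what the unprivileged splunk user actually listens on

# Indexer side (Splunk_Server): inputs.conf in $1 (default system/local).
# Prints the path of the file it wrote.
write_indexer_inputs() {
  dir="${1:-/opt/splunk/etc/system/local}"
  mkdir -p "$dir"
  cat > "$dir/inputs.conf" <<EOF
# Receive from Universal Forwarders
[splunktcp://$RECEIVE_PORT]
disabled = 0

# Fortigate syslog, arriving on the high port after the iptables REDIRECT
[udp://$SYSLOG_HIGH_PORT]
sourcetype = fortigate
index = main
no_appending_timestamp = true
EOF
  echo "$dir/inputs.conf"
}

# The nat-table rule that moves inbound UDP 514 to 5514, so the splunk
# user never needs to bind a port below 1024. Returned as a string so it
# can be reviewed (or logged) before it is applied.
syslog_redirect_rule() {
  echo "iptables -t nat -A PREROUTING -p udp --dport $SYSLOG_PORT -j REDIRECT --to-port $SYSLOG_HIGH_PORT"
}

# Applies the rule only when running as root; otherwise tells you what to run.
apply_syslog_redirect() {
  rule="$(syslog_redirect_rule)"
  if [ "$(id -u)" -eq 0 ]; then
    sh -c "$rule"
  else
    echo "not root; run as root: $rule" >&2
    return 1
  fi
}

# Forwarder side (Apache_Server): outputs.conf + inputs.conf in $1.
# Prints the paths of both files.
write_forwarder_config() {
  dir="${1:-/opt/splunkforwarder/etc/system/local}"
  mkdir -p "$dir"
  cat > "$dir/outputs.conf" <<EOF
[tcpout]
defaultGroup = splunk_server

[tcpout:splunk_server]
server = $SPLUNK_SERVER_IP:$RECEIVE_PORT
EOF
  cat > "$dir/inputs.conf" <<EOF
[monitor:///var/log/apache2/access.log]
sourcetype = access_combined
index = main
EOF
  echo "$dir/outputs.conf $dir/inputs.conf"
}

# Usage: ./splunk_lab.sh indexer    (as root on Splunk_Server)
#        ./splunk_lab.sh forwarder  (as the splunk user on Apache_Server)
case "${1:-}" in
  indexer)   write_indexer_inputs; apply_syslog_redirect ;;
  forwarder) write_forwarder_config ;;
esac
```

After running it, restart each instance (/opt/splunk/bin/splunk restart and /opt/splunkforwarder/bin/splunk restart). Two checks worth doing: Ubuntu creates /var/log/apache2/access.log as root:adm with mode 640, so the splunk user can only read it after being added to the adm group (usermod -aG adm splunk, then log in again); and the iptables rule is not persistent, so reapply it at boot (for example with the iptables-persistent package) or the Fortigate logs silently stop after the first reboot.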

  2. ANALYZE LOGS

Once logged in to Splunk, I can do many things with those logs, such as:

  • Create Reports

image: report

  • Create Dashboards

image: dashboard

  • Create Alerts

image: alert configuration
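An alert is only as good as the search behind it. As an added example (not one of the lab's own reports, dashboards or alerts), here is the kind of detection the Create Alerts step is for, run locally over a constructed access.log so it can be checked without Splunk: a burst of 404s from one client (directory brute forcing) and path-traversal patterns in the request line. In Splunk the first check is the search index=main sourcetype=access_combined status=404 | stats count by clientip | where count >= 10, saved as an alert. The log lines, IPs, timestamps and threshold below are made up for the example.

```shell
#!/bin/sh
# Added example (not from the lab write-up): two detections over Apache
# combined-format access.log lines. The sample log is constructed here.
set -eu

# Writes a constructed access.log to $1: a few normal requests from one
# client, 12 quick misses from a second client, and one traversal attempt.
make_sample_log() {
  out="$1"
  : > "$out"
  printf '%s\n' '192.168.150.20 - - [23/Dec/2024:21:11:21 +0700] "GET / HTTP/1.1" 200 10918 "-" "Mozilla/5.0"' >> "$out"
  printf '%s\n' '192.168.150.20 - - [23/Dec/2024:21:11:22 +0700] "GET /icons/ubuntu-logo.png HTTP/1.1" 200 3623 "http://192.168.150.11/" "Mozilla/5.0"' >> "$out"
  printf '%s\n' '192.168.150.20 - - [23/Dec/2024:21:11:30 +0700] "GET /favicon.ico HTTP/1.1" 404 488 "-" "Mozilla/5.0"' >> "$out"
  i=1
  while [ "$i" -le 12 ]; do
    printf '192.168.150.77 - - [23/Dec/2024:21:11:40 +0700] "GET /admin%s HTTP/1.1" 404 488 "-" "gobuster/3.6"\n' "$i" >> "$out"
    i=$((i + 1))
  done
  printf '%s\n' '192.168.150.77 - - [23/Dec/2024:21:11:55 +0700] "GET /cgi-bin/../../../../etc/passwd HTTP/1.1" 400 226 "-" "curl/8.5.0"' >> "$out"
}

# Detection 1: clients with at least $2 (default 10) 404 responses in $1.
# In combined format, whitespace-split field 1 is the client IP and field 9
# the status code; the quoted referrer and user agent come later, so their
# embedded spaces do not shift these fields. Output: "ip count", one per line.
flag_404_scanners() {
  file="$1"
  threshold="${2:-10}"
  awk -v t="$threshold" '
    $9 == 404 { n[$1]++ }
    END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }
  ' "$file" | sort
}

# Detection 2: requests whose path (field 7) contains a traversal sequence,
# literal or URL-encoded. Output: "ip path", one per line.
flag_traversal() {
  awk 'tolower($7) ~ /\.\.\/|%2e%2e/ { print $1, $7 }' "$1"
}

# Usage: ./detect.sh /var/log/apache2/access.log [threshold]
if [ "${1:-}" != "" ]; then
  echo "== 404 bursts =="
  flag_404_scanners "$1" "${2:-10}"
  echo "== traversal attempts =="
  flag_traversal "$1"
fi
```

The threshold is the tuning knob: too low and a browser fetching a missing favicon.ico trips it (the first client here has exactly one 404), too high and a slow scan hides under it. The same trade-off applies when you set the trigger condition on the Splunk alert, so test it against a few hours of your own normal traffic before enabling it.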
