How I Set Up Splunk Enterprise on a Linux VM

A Beginner's Lab Walkthrough — From Zero to Endpoint Monitoring

Installing Splunk Enterprise, setting up indexes, deploying the Universal Forwarder on Windows, and streaming real endpoint logs into your SIEM — all from scratch.

If you're getting into cybersecurity or blue team operations, Splunk is a name you'll hear constantly. It's used by SOC analysts worldwide to collect, index, and search machine-generated data. In this lab I built a complete Splunk environment from scratch — installing the server on a Linux VM, creating a custom index, deploying the Universal Forwarder (UF) agent on a Windows 11 endpoint, and watching real Windows Event Logs stream in. Here's every step, with screenshots.


Part 1 — Installing Splunk Enterprise on Linux

Step 1: Install Prerequisites

Before downloading Splunk, make sure curl and wget are installed on your Linux machine:

sudo apt install curl wget

Figure 1 — apt installs curl and wget on Debian 13. Three packages are upgraded including libcurl4t64 — the tools are ready to go.


Step 2: Download Splunk Enterprise

Head to splunk.com and grab the .deb installer for your Linux architecture using wget:

wget -O splunk-10.0.2-e2d18b4767e9-linux-amd64.deb \
"https://download.splunk.com/products/splunk/releases/10.0.2/linux/splunk-10.0.2-e2d18b4767e9-linux-amd64.deb"

wget downloading Splunk

Figure 2 — wget attempts to download the Splunk .deb package. Notice the 404 error on the first attempt — the URL had a typo. After correcting it and running sudo dpkg -i, the install proceeds. Always double-check download links from the official Splunk site.


Step 3: Install the Package with dpkg

Once the .deb file is downloaded, install it with dpkg:

sudo dpkg -i splunk-10.2.2-80b90d638de6-linux-amd64.deb

dpkg installing Splunk

Figure 3 — dpkg unpacks and installs Splunk 10.2.2 to /opt/splunk/. The message about Python 3.7 site-packages is harmless in a lab environment.


Step 4: Start Splunk and Accept the License

Fire up Splunk for the first time and accept the license:

sudo /opt/splunk/bin/splunk start --accept-license

Splunk start accept-license

Figure 4 — Splunk warns that running as root is deprecated and suggests using --run-as-root. We'll handle this in the next step.

The first run displays the full Splunk General Terms agreement — thousands of words of legal text scrolling through your terminal:

Splunk license terms

Figure 5 — The Splunk General Terms fill the terminal on first run. Sections like "Your Use Rights", "Third Party Providers", and "Trial Offering" scroll by. You need to agree before Splunk proceeds.

After scrolling through the license, Splunk prompts you to create an admin account — the username and password you'll use to log into the web UI:

Splunk admin account creation

Figure 6 — Splunk asks "Do you agree with this license? [y/n]" — type y. It then prompts for an administrator username ("Sahil" here) and a password. Characters are hidden as you type. Splunk then copies OpenLDAP config files and writes RSA keys.


Step 5: Start Splunk as Root and Verify

In a lab environment, use the --run-as-root flag to bypass the root deprecation warning (outside a lab, run splunkd as a dedicated non-root user so that a compromise of the service does not hand out root on the host):

sudo /opt/splunk/bin/splunk start --run-as-root

Splunk status and run-as-root

Figure 7 — Running splunk status first shows "splunkd is not running". Then splunk start without the flag fails with the root deprecation message. Finally, splunk start --run-as-root kicks off the full startup sequence — ports are checked, directories are created.

Splunk startup checks

Figure 8 — Splunk runs all preliminary checks: HTTP port 8000, management port 8089, appserver port, kvstore port — all open. It creates critical directories and generates new SSL certificates. All checks pass.

Splunk web server ready

Figure 9 — Splunk generates self-signed certificates, starts splunkd, and waits for the web server at http://127.0.0.1:8000. The final message confirms: "The Splunk web interface is at http://Somdev:8000" — we're live.


Step 6: Log Into the Splunk Web UI

Open a browser in the VM and navigate to http://Somdev:8000 (or your machine's IP). Log in with your admin credentials:

Splunk home dashboard

Figure 10 — The Splunk Enterprise home dashboard greets you with "Hello, Administrator". The left panel shows installed apps: Search & Reporting, Audit Trail, Data Management, Splunk Secure Gateway, and more.


Part 2 — Configuring the Server to Receive Forwarded Data

Before deploying the Universal Forwarder on any endpoint, the Splunk server needs to listen for incoming log data. This means enabling a receiving port and creating a dedicated index to store the endpoint logs.

Step 7: Enable the Forwarding and Receiving Port

Go to Settings → Forwarding and Receiving to see the data pipeline options:

Splunk settings menu

Figure 11 — The Splunk Settings dropdown is open showing the full menu. Under DATA on the right, "Forwarding and receiving" is visible. The Distributed Environment section also shows "Agent management" — this is where connected forwarders will appear once deployed.

Forwarding and receiving page

Figure 12 — The Forwarding and Receiving page has two sections: "Forward data" and "Receive data". Click "Configure receiving" under Receive data to add a listening port.

Receive data port 9997

Figure 13 — The Receive Data page confirms port 9997 is already Enabled. This is the default port the Universal Forwarder uses to send logs. If this page is empty for you, click "New Receiving Port" and enter 9997.

💡 Port 9997 is the Splunk standard receiving port. Make sure your firewall allows TCP traffic on this port from your endpoint machines.

Step 8: Create a Dedicated Index for Endpoint Logs

Rather than dumping everything into the default "main" index, create a dedicated one for the Windows endpoint. Go to Settings → Indexes:

Settings indexes menu

Figure 14 — The Settings menu is open alongside the Receive Data page, highlighting the Indexes link under the DATA column. The Distributed Environment section prominently shows "Agent management" — this link becomes important once forwarders connect.

Indexes list

Figure 15 — The Indexes page lists all 16 default Splunk indexes. All are Active. Several SplunkDeploymentServerConfig indexes are visible. Click "New Index" in the top-right to add our custom one.

Add new index dialog

Figure 16 — The "Add new index" dialog opens. You can set the Name, choose Events or Metrics type, and configure storage paths. Leave paths blank to use defaults — fine for a lab.

Index named Windows-11

Figure 17 — The index is named "Windows-11" — a clear, descriptive name for logs coming from our Windows 11 endpoint. Events type is selected. Click Save.


Part 3 — Deploying the Universal Forwarder on Windows 11

The Splunk Universal Forwarder (UF) is a lightweight agent installed on endpoints to collect and ship logs to the Splunk server. It has a tiny footprint, runs as a Windows service, and can forward Windows Event Logs, file-based logs, and performance counters.

Step 9: Download the Universal Forwarder

On the Windows 11 machine, head to splunk.com → Trials & Downloads → Universal Forwarder and select the Windows 64-bit MSI package:

Downloading Universal Forwarder

Figure 18 — The Splunk website confirms: "You're Downloading Splunk Universal Forwarder 10.2.2 for Windows". Useful tools on the right include a wget command-line option and a SHA512 hash to verify the installer.

Saving the MSI file

Figure 19 — Windows Save dialog showing the file being saved as "splunkforwarder-10.2.2-80b90d638de6-windows-x64" (a Windows Installer Package / .msi) to the Downloads folder. Ready to run.


Step 10: Run the Universal Forwarder Installer

Double-click the downloaded .msi to launch the setup wizard. Accept the license, choose on-premises mode, and configure your Splunk server details:

UF Setup wizard

Figure 20 — The UniversalForwarder Setup wizard on Windows 11. Default options: install to C:\Program Files\SplunkUniversalForwarder, run as Local System account. "An on-premises Splunk Enterprise instance" is selected. Click Next.

The wizard asks for the Deployment Server address — the IP of our Splunk server. We run ifconfig on the Linux VM to confirm it:

Deployment server IP configuration

Figure 21 — Side-by-side: on the Linux VM, ifconfig shows the Splunk server IP is 192.168.85.129. The UF wizard asks for the Deployment Server hostname/IP and port. We enter 192.168.85.129 and port 8089 (the Splunk management port used for deployment server communication).

Receiving indexer configuration

Figure 22 — The next wizard screen asks for the Receiving Indexer — where the forwarder will actually send log data. We enter the same Splunk server IP (192.168.85.129) with port 9997 — the receiving port we enabled in Step 7.

Ready to install

Figure 23 — The final wizard screen before installation: "Click Install to begin the installation." Everything is configured — click Install.

Installing UF

Figure 24 — Installation in progress. The Setup Wizard shows a status bar: "Please wait while the Setup Wizard installs UniversalForwarder." The forwarder is being deployed as a Windows service in the background.

UF successfully installed

Figure 25 — Success! "UniversalForwarder was successfully installed." The completion screen offers links to forwarding docs and distributed security info. Click Finish — the UF is now running as a Windows service and shipping logs immediately.


Part 4 — Verifying the Connection and Ingesting Windows Event Logs

With the Universal Forwarder installed and pointed at our Splunk server, we verify the connection from the web UI and configure it to forward Windows Event Logs into our custom index.

Step 11: Confirm the Forwarder in Agent Management

Back on the Splunk server, go to Settings → Agent Management to see connected forwarders:

Agent management menu

Figure 26 — The Settings menu with "Agent management" highlighted under Distributed Environment. Notice the green dot next to Administrator — Splunk is running healthily. This is April 25, the day after the server was set up, confirming the UF was deployed the following morning.

Forwarder connected

Figure 27 — The moment of truth. Agent management shows one forwarder: hostname "Slytherin" (our Windows 11 machine), Agent Type "Universal Forwarder", Version 10.2.2, Status "Ok", checked in "A minute ago". Agents Offline: 0, Agents In Error: 0. The endpoint is connected and healthy.

💡 The hostname "Slytherin" is the Windows 11 machine name. The UF registers automatically with this name — use host=Slytherin in SPL searches to filter to just this endpoint.

Step 12: Add Data — Select the Forwarding Method

Go to Settings → Add Data and select "Forward — data from a Splunk forwarder":

Add Data page

Figure 28 — The Add Data page asks "What data do you want to send to the Splunk platform?" Categories include Cloud computing, Networking, and Operating System. At the bottom, three ingestion methods: Upload, Monitor, and Forward. We select Forward to pull data from our Universal Forwarder.

Forward data selected

Figure 29 — Full Add Data page with all four source categories visible. The "Forward — data from a Splunk forwarder" tile is selected (blue border) — our path for endpoint log collection.


Step 13: Select the Forwarder and Configure the Source

The Add Data wizard walks through: Select Forwarders → Select Source → Input Settings → Review → Done.

Select forwarders - new

Figure 30 — Step 1: "Select Forwarders". New server class tab is active. Available hosts shows "WINDOWS Slytherin" in the left panel. We need to move it to Selected hosts on the right and assign a Server Class Name.

Select forwarders - existing

Figure 31 — Using the "Existing" server class tab. The Server Class "Windows11" is selected and List of Forwarders shows "WINDOWS | Slytherin" — our endpoint is already in this class. Click Next.

Select source - event logs

Figure 32 — Step 2: "Select Source". Left panel lists all input types: Local Event Logs, Files & Directories, TCP/UDP, Local Performance Monitoring, Scripts, and more. "Local Event Logs" is selected — right panel shows available Windows Event Log channels: Application, ForwardedEvents, Security, Setup, System.

All event logs selected

Figure 33 — All five Windows Event Log channels (Application, ForwardedEvents, Security, Setup, System) have been moved to the "Selected Items" column. Splunk will now monitor every channel on the Slytherin endpoint and forward each new event to the server.


Step 14: Assign the Custom Index

Step 3 is Input Settings — we route the forwarded logs into our custom "windows-11" index:

Index selection

Figure 34 — The Index selector dropdown is open showing available indexes: history, main, summary, win-11, and windows-11. We select "windows-11" — the dedicated index created in Step 8. All endpoint logs will land here, separate from other Splunk data.


Step 15: Review and Submit

Step 4 is the Review screen — a final summary before committing:

Review configuration

Figure 35 — Review shows the complete configuration: Server Class = Windows11, Forwarder = WINDOWS | Slytherin, Input Type = Windows Event Logs, Event Logs = Application / ForwardedEvents / Security / Setup / System, Index = windows-11. Everything correct — click Submit.

Data input created successfully

Figure 36 — Done! "Local event logs input has been created successfully." All five steps are green. Splunk immediately begins collecting Windows Event Logs from the Slytherin endpoint. Options to Start Searching, Add More Data, Download Apps, or Build Dashboards are presented.
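As an added illustration (not from the original post), these are the .conf stanzas that the Step 7 and 8 web dialogs and the Step 10 and 13 to 15 wizards produce behind the scenes. The values are the ones from the screenshots; the file locations are Splunk's usual defaults and are assumed rather than verified on this lab.

```ini
# Server (Debian VM): what Steps 7 and 8 write, under /opt/splunk/etc/
# (the app's local/ directory, or system/local/ if edited by hand).
# inputs.conf: "Configure receiving" on port 9997
[splunktcp://9997]
disabled = 0

# indexes.conf: "New Index". Index names must be lowercase, hence windows-11;
# paths left blank in the dialog default to $SPLUNK_DB/<name>.
[windows-11]
homePath   = $SPLUNK_DB/windows-11/db
coldPath   = $SPLUNK_DB/windows-11/colddb
thawedPath = $SPLUNK_DB/windows-11/thaweddb

# Forwarder (Windows 11 "Slytherin"): what the MSI wizard in Step 10 writes,
# under C:\Program Files\SplunkUniversalForwarder\etc\system\local\
# deploymentclient.conf: "Deployment Server" screen (management port 8089)
[target-broker:deploymentServer]
targetUri = 192.168.85.129:8089

# outputs.conf: "Receiving Indexer" screen (data port 9997)
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 192.168.85.129:9997

# inputs.conf: what Steps 13-15 push to the Windows11 server class as a
# deployment app (it lands under etc\apps\ on the forwarder). Each event is
# tagged with this index, so it must exist on the server or events are dropped.
[WinEventLog://Application]
disabled = 0
index = windows-11

[WinEventLog://ForwardedEvents]
disabled = 0
index = windows-11

[WinEventLog://Security]
disabled = 0
index = windows-11

[WinEventLog://Setup]
disabled = 0
index = windows-11

[WinEventLog://System]
disabled = 0
index = windows-11
```

Checking these files is the quickest way to debug a forwarder that shows "Ok" in Agent management but sends nothing: a typo in the index name here silently drops every event on the server side.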


Part 5 — Searching Live Endpoint Logs in Splunk

Step 16: Run Your First Search

Click "Start Searching" or go to the Search & Reporting app. Run a simple SPL query to pull all events:

index=*

Search results with endpoint data

Figure 37 — Search & Reporting returns 4,219 events. The timeline shows activity spikes across the past month. First events visible are from the Slytherin endpoint: LogName=Setup, EventCode=2, EventType=0, ComputerName=Slytherin — sourcetype WinEventLog:Setup. Interesting fields auto-discovered on the left include ComputerName, EventCode (100+ unique values), EventType, LogName, and Message. This is live Windows telemetry flowing into your SIEM.

💡 Try index=windows-11 LogName=Security to see security events like logon attempts, privilege use, and account changes from the endpoint.

🎉 Lab Complete — What We Built

In this single lab session we went from a blank Linux VM to a fully functional SIEM setup:

✅ Installed Splunk Enterprise 10.2.2 on Debian 13
✅ Created a custom "windows-11" index for endpoint data
✅ Configured port 9997 to receive forwarded logs
✅ Downloaded and installed the Splunk Universal Forwarder on Windows 11
✅ Pointed the forwarder at the Splunk server (IP + ports 8089 and 9997)
✅ Configured collection of all 5 Windows Event Log channels
✅ Confirmed 4,219+ events flowing from the endpoint into Splunk


🚀 What's Next?

Now that logs are flowing, here's what to explore next:

🔍 Write SPL queries to detect failed logon attempts (EventCode=4625)
📊 Build a dashboard showing top EventCodes from the endpoint
🔔 Create an alert that fires when a new admin account is created
📥 Add more endpoints — repeat the Universal Forwarder install on other machines
🔗 Forward Sysmon logs for deeper process and network visibility
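The three searches from this list, written out as an added example (not from the original post) and separated by blank lines: failed logons per account and source address, top EventCodes per channel for a dashboard panel, and the account-creation / local-Administrators-add events to schedule as the alert. They assume the field names the classic WinEventLog sourcetype extracts (EventCode, Account_Name, Logon_Type, Source_Network_Address, Group_Name, Security_ID) plus the index and host names from this lab.

```spl
index=windows-11 host=Slytherin LogName=Security EventCode=4625 earliest=-24h
| eval target_user=mvindex(Account_Name, -1)
| stats count AS failures min(_time) AS first_seen max(_time) AS last_seen values(Logon_Type) AS logon_types BY target_user Source_Network_Address
| where failures >= 5
| convert ctime(first_seen) ctime(last_seen)
| sort - failures

index=windows-11 host=Slytherin earliest=-7d
| top limit=10 showperc=true EventCode BY LogName

index=windows-11 host=Slytherin LogName=Security earliest=-15m (EventCode=4720 OR (EventCode=4732 Group_Name=Administrators))
| eval action=case(EventCode==4720, "account created", EventCode==4732, "added to local Administrators")
| table _time ComputerName EventCode action Account_Name Security_ID Group_Name
```

Save the last search with a 15-minute schedule and a trigger of "number of results > 0" to turn it into the alert. Account_Name and Security_ID are multivalue on these events (the subject account first, then the account that failed, was created or was added), which is why the first search picks the last value with mvindex.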

Happy hunting. 🔍

Tags: Splunk · Universal Forwarder · SIEM · SOC · Blue Team · Cybersecurity · Windows Event Logs · Linux · Homelab · Infosec