In this project, I built a functional SIEM environment using Splunk Enterprise and a Windows endpoint. I configured log forwarding from a Windows system to a Linux-based Splunk server and validated ingestion using internal logs and TCP connection data. This project demonstrates how security teams collect, monitor, and analyze logs to detect suspicious activity.
- Splunk Enterprise Server on Linux VM
- Windows 10 Endpoint with Splunk Universal Forwarder
- TCP-based log forwarding
- Centralized log ingestion and analysis
- Installed Splunk Enterprise on a Linux virtual machine
- Installed Splunk Universal Forwarder on a Windows 10 endpoint
- Configured the forwarder to send logs to the Splunk server over TCP
- Verified that the SplunkForwarder service was running on the Windows system
- Confirmed network connectivity between forwarder and server
- Validated log ingestion using internal Splunk indexes
A security analyst monitors incoming logs to ensure systems are properly reporting activity and to detect suspicious behavior across endpoints.
Use Splunk searches to validate log ingestion and identify anomalies:
- index=_internal → confirms system activity
- index=_internal TcpInputProc → shows events from the component that handles the receiving (splunktcp) input, verifying that the data input pipeline is active
- index=_internal "Connection from" → shows the entries written when a forwarder connects to the receiving port, confirming forwarder connectivity
I performed searches within Splunk to confirm:
- Logs were successfully received from the Windows endpoint
- TCP connections were established between systems
- The forwarder was actively sending data
This process simulates how analysts verify data pipelines before relying on SIEM alerts for threat detection.
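The same connectivity check can be scripted so it does not depend on eyeballing search results. The following is an added example, not code from the original project: it parses log lines in the shape of splunkd.log (the lines the index=_internal TcpInputProc "Connection from" search returns), counts connections per forwarder address, and flags forwarders that have not connected within a staleness window. The sample lines, the addresses, the NOW timestamp and the 15-minute window are constructed for the example; real splunkd.log message wording may differ slightly from the lines used here.

```python
"""Validate forwarder connectivity from Splunk _internal-style log lines (offline).

Added example, not part of the original project. The SAMPLE_LOG lines below are
constructed to resemble splunkd.log entries (MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL
Component - message); they are not captured from a real system.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: two forwarders, one Metrics line, one malformed line.
SAMPLE_LOG = """\
03-10-2025 14:02:11.104 +0000 INFO  TcpInputProc - Connection from 192.168.56.20:49812
03-10-2025 14:02:11.220 +0000 INFO  TcpInputProc - Connection from 192.168.56.20:49812
03-10-2025 14:03:40.017 +0000 INFO  Metrics - group=tcpin_connections, ...
03-10-2025 13:10:05.551 +0000 INFO  TcpInputProc - Connection from 192.168.56.31:51009
03-10-2025 14:05:00.000 +0000 WARN  TcpInputProc - Connection from 192.168.56.20:49900 closed
this line is garbage and must be ignored
"""

# Constructed "current time" so the staleness check is deterministic.
NOW = datetime(2025, 3, 10, 14, 10, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>[A-Z]+)\s+(?P<component>\S+) - (?P<msg>.*)$"
)
CONN_RE = re.compile(r"Connection from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")


def parse_line(line):
    """Split one splunkd-style line into fields; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%m-%d-%Y %H:%M:%S.%f %z")
    return {"ts": ts, "level": m["level"], "component": m["component"], "msg": m["msg"]}


def connection_events(log_text):
    """Yield (timestamp, forwarder_ip, source_port) for TcpInputProc connection lines."""
    events = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["component"] != "TcpInputProc":
            continue
        c = CONN_RE.search(rec["msg"])
        if c:
            events.append((rec["ts"], c["ip"], int(c["port"])))
    return events


def forwarder_status(log_text, now, max_age=timedelta(minutes=15)):
    """Return {ip: {"connections": n, "last_seen": ts, "stale": bool}} per forwarder."""
    status = {}
    for ts, ip, _port in connection_events(log_text):
        entry = status.setdefault(ip, {"connections": 0, "last_seen": ts})
        entry["connections"] += 1
        if ts > entry["last_seen"]:
            entry["last_seen"] = ts
    for entry in status.values():
        # A forwarder that has not connected within max_age is a data-flow gap,
        # which would silently blind any alert that depends on its logs.
        entry["stale"] = now - entry["last_seen"] > max_age
    return status


def check_expected_forwarders(status, expected_ips):
    """Return the expected forwarder addresses that never connected or have gone stale."""
    return sorted(ip for ip in expected_ips if ip not in status or status[ip]["stale"])


if __name__ == "__main__":
    # Constructed inventory of endpoints that are supposed to be reporting.
    expected = ["192.168.56.20", "192.168.56.31", "192.168.56.40"]
    status = forwarder_status(SAMPLE_LOG, NOW)
    for ip, entry in sorted(status.items()):
        state = "STALE" if entry["stale"] else "ok"
        print(f"{ip:16} connections={entry['connections']} last_seen={entry['last_seen']:%H:%M:%S} {state}")
    print("missing or stale:", check_expected_forwarders(status, expected))
```

The inventory of expected forwarders is the part the searches alone cannot give you: index=_internal only shows endpoints that did connect, so a forwarder that was never installed or whose service stopped produces no "Connection from" line at all and is only caught by comparing against the list of hosts that should be reporting.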
- Splunk successfully ingested logs from a remote Windows endpoint
- TCP connections confirmed reliable log forwarding
- Internal indexes provided visibility into system health and ingestion
- Forwarder service ensured continuous data flow
This project demonstrates the importance of validating log ingestion in a SIEM environment. Without reliable data collection, security teams cannot detect or respond to threats. Ensuring proper log flow is a critical first step in building an effective monitoring system.
This project showed how to deploy and configure a SIEM system from scratch. I learned how to forward logs, validate ingestion, and confirm system connectivity using Splunk searches. This experience reflects how SOC teams ensure visibility across systems before performing threat detection and analysis.
- SIEM deployment and configuration
- Log forwarding and ingestion validation
- Splunk search and query analysis
- Windows service management
- Linux system configuration
- TCP connection verification
- Virtual machine setup and administration