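#!/usr/bin/env bash
#
# Bootstrap a Debian/Ubuntu (amd64) host for log collection:
#   1. install the Splunk Universal Forwarder and point it at a deployment
#      server,
#   2. install the BindPlane agent (used here for Chronicle),
#   3. install auditd and Sysmon for Linux with a catch-all configuration.
#
# Requirements: sudo rights, outbound HTTPS, wget and curl on the PATH.
#
# Versions, URLs and enrolment values can be overridden from the environment;
# the defaults are the values this script originally shipped with. The
# optional *_SHA256 variables turn on integrity checks for the downloaded
# packages (the original script performed none).

set -euo pipefail

# --- Splunk Universal Forwarder ---------------------------------------------
# The UF .deb installs under /opt/splunkforwarder; this is intentionally not
# taken from the environment so a host-level SPLUNK_HOME (e.g. a full Splunk
# install) cannot redirect the commands below.
readonly SPLUNK_HOME=/opt/splunkforwarder
readonly SPLUNK_DEB="${SPLUNK_DEB:-splunkforwarder-9.3.1-0b8d769cb912-linux-2.6-amd64.deb}"
readonly SPLUNK_DEB_URL="${SPLUNK_DEB_URL:-https://download.splunk.com/products/universalforwarder/releases/9.3.1/linux/${SPLUNK_DEB}}"
# Deployment server (host:port) the forwarder polls for its apps and config.
readonly SPLUNK_DEPLOYMENT_SERVER="${SPLUNK_DEPLOYMENT_SERVER:-44.254.210.60:8089}"
readonly SPLUNK_DEB_SHA256="${SPLUNK_DEB_SHA256:-}"

# --- BindPlane agent ----------------------------------------------------------
readonly BINDPLANE_VERSION="${BINDPLANE_VERSION:-1.87.8}"
readonly BINDPLANE_INSTALLER_URL="${BINDPLANE_INSTALLER_URL:-https://bdot.bindplane.com/v${BINDPLANE_VERSION}/install_unix.sh}"
readonly BINDPLANE_OPAMP_ENDPOINT="${BINDPLANE_OPAMP_ENDPOINT:-wss://app.bindplane.com/v1/opamp}"
# Enrolment secret. This is a credential: supply it through the environment
# (or a secrets manager) rather than keeping the default in a checked-in copy
# of this script. The vendor installer only accepts it on argv, so it is
# visible in process listings for the duration of the install.
readonly BINDPLANE_SECRET_KEY="${BINDPLANE_SECRET_KEY:-01K8FZV97JZH311YR7Z89G5S01}"
readonly BINDPLANE_LABELS="${BINDPLANE_LABELS:-configuration=linux-instance-2,install_id=30b1ae63-14c3-4d7a-90a4-2f669825663f}"

# --- Sysmon for Linux ---------------------------------------------------------
readonly SYSINTERNALS_EBPF_DEB=sysinternalsebpf_1.5.0_amd64.deb
readonly SYSINTERNALS_EBPF_URL="https://github.com/microsoft/SysinternalsEBPF/releases/download/1.5.0.0/${SYSINTERNALS_EBPF_DEB}"
readonly SYSINTERNALS_EBPF_SHA256="${SYSINTERNALS_EBPF_SHA256:-}"
readonly SYSMON_DEB=sysmonforlinux_1.4.0_amd64.deb
readonly SYSMON_URL="https://github.com/microsoft/SysmonForLinux/releases/download/1.4.0.0/${SYSMON_DEB}"
readonly SYSMON_SHA256="${SYSMON_SHA256:-}"
# Catch-all Sysmon configuration from the Splunk attack_range project (the
# original comment called it the SwiftOnSecurity config; the URL is attack_range).
readonly SYSMON_CONFIG_URL="https://raw.githubusercontent.com/splunk/attack_range/refs/heads/develop/configs/SysMonLinux-CatchAll.xml"
readonly SYSMON_CONFIG=sysmonconfig-export-new.xml

# Scratch directory for the BindPlane installer; created in main, removed on exit.
WORKDIR=""

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

cleanup() {
  if [[ -n "$WORKDIR" ]]; then
    rm -rf -- "$WORKDIR"
  fi
}

#######################################
# Download a URL to a local file, aborting the script on any failure.
# Arguments: $1 - URL, $2 - destination path
#######################################
fetch() {
  local url=$1 dest=$2
  wget -O "$dest" -- "$url" || die "download failed: ${url}"
}

#######################################
# Verify a file's SHA-256 when an expected digest is given. An empty digest
# is a no-op so that, by default, behaviour matches the original script
# (which downloaded packages without any integrity check).
# Arguments: $1 - file path, $2 - expected hex digest (may be empty)
# Returns:   0 when verified or skipped; exits via die on mismatch
#######################################
verify_sha256() {
  local file=$1 expected=$2
  [[ -n "$expected" ]] || return 0
  printf '%s  %s\n' "$expected" "$file" | sha256sum -c --quiet - \
    || die "SHA-256 mismatch for ${file}"
}

#######################################
# Install the Splunk Universal Forwarder, enrol it with the deployment server
# and enable it at boot.
# Globals:   SPLUNK_* (read)
#######################################
install_splunk_forwarder() {
  fetch "$SPLUNK_DEB_URL" "$SPLUNK_DEB"
  verify_sha256 "$SPLUNK_DEB" "$SPLUNK_DEB_SHA256"
  sudo dpkg -i "$SPLUNK_DEB"

  # First start accepts the licence non-interactively; the deployment-client
  # stanza is written afterwards, under etc/system/local.
  sudo "${SPLUNK_HOME}/bin/splunk" start --accept-license --answer-yes --no-prompt

  # Point the forwarder at the deployment server; it pulls the rest of its
  # configuration from there.
  sudo tee "${SPLUNK_HOME}/etc/system/local/deploymentclient.conf" >/dev/null <<EOF
[deployment-client]
[target-broker:deploymentServer]
targetUri = ${SPLUNK_DEPLOYMENT_SERVER}
EOF

  # Stop, enable boot-start, then start again so the new config is applied.
  sudo "${SPLUNK_HOME}/bin/splunk" stop
  sudo "${SPLUNK_HOME}/bin/splunk" enable boot-start
  sudo "${SPLUNK_HOME}/bin/splunk" start
  printf '%s\n' "Splunk Universal Forwarder installation and configuration completed."
}

#######################################
# Install the BindPlane agent using the vendor installer script.
# Globals:   BINDPLANE_* (read), WORKDIR (read)
#######################################
install_bindplane_agent() {
  # Keep the vendor's file name so the basename of $0 inside the installer
  # matches the documented `sh -c "$(curl …)" install_unix.sh …` invocation.
  local installer="${WORKDIR}/install_unix.sh"

  # Download first, then execute. With the one-liner `sudo sh -c "$(curl …)"`
  # a failed download expands to an empty string, which sh runs successfully,
  # so the step "passes" without installing anything. Saving the script also
  # leaves a copy to inspect or archive before it runs as root.
  curl -fsSL -o "$installer" -- "$BINDPLANE_INSTALLER_URL" \
    || die "could not download BindPlane installer from ${BINDPLANE_INSTALLER_URL}"
  [[ -s "$installer" ]] || die "BindPlane installer is empty"

  sudo sh "$installer" \
    -e "$BINDPLANE_OPAMP_ENDPOINT" \
    -s "$BINDPLANE_SECRET_KEY" \
    -v "$BINDPLANE_VERSION" \
    -k "$BINDPLANE_LABELS"
}

#######################################
# Install auditd, the Sysinternals EBPF runtime and Sysmon for Linux, then
# load the catch-all Sysmon configuration.
# Globals:   SYSINTERNALS_EBPF_*, SYSMON_* (read)
#######################################
install_auditd_and_sysmon() {
  sudo apt update
  # libssl-dev was listed by the original script as a Sysmon prerequisite.
  sudo apt install -y wget apt-transport-https auditd libssl-dev

  fetch "$SYSINTERNALS_EBPF_URL" "$SYSINTERNALS_EBPF_DEB"
  verify_sha256 "$SYSINTERNALS_EBPF_DEB" "$SYSINTERNALS_EBPF_SHA256"
  # -y: without it apt may ask for confirmation and abort when there is no tty.
  sudo DEBIAN_FRONTEND=noninteractive apt install -y "./${SYSINTERNALS_EBPF_DEB}"

  fetch "$SYSMON_URL" "$SYSMON_DEB"
  verify_sha256 "$SYSMON_DEB" "$SYSMON_SHA256"
  sudo DEBIAN_FRONTEND=noninteractive apt install -y "./${SYSMON_DEB}"

  fetch "$SYSMON_CONFIG_URL" "$SYSMON_CONFIG"
  sudo sysmon -accepteula -i "$SYSMON_CONFIG"
}

main() {
  WORKDIR=$(mktemp -d) || die "mktemp failed"
  trap cleanup EXIT

  install_splunk_forwarder
  install_bindplane_agent
  install_auditd_and_sysmon
}

main "$@"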