A personal Security Operations Center (SOC) lab environment, designed to showcase skills relevant to cybersecurity and SOC analyst roles. This lab integrates a Windows-based Splunk SIEM server with an Ubuntu Linux virtual machine acting as a log source, demonstrating log forwarding, ingestion, and analysis.
- About
- Why This Lab Matters
- What I Learned
- Features
- Architecture Diagram
- Installation
- Usage
- Screenshots
- Troubleshooting
- License
This project documents the step-by-step deployment of a SOC lab in a home environment, including key lessons learned, troubleshooting techniques, and configuration notes. It is intended as both a portfolio piece and a replicable guide for others entering cybersecurity.
This lab simulates the core responsibilities of a Tier 1 SOC Analyst by creating an environment where logs are ingested, parsed, and analyzed using Splunk. It demonstrates practical familiarity with SIEM workflows, including event correlation, dashboard creation, and alert configuration. These tasks mirror real-world SOC operations, where analysts must quickly identify suspicious activity, triage alerts, and communicate findings clearly. Completing this lab shows readiness for entry-level cybersecurity roles by replicating the investigative mindset, tooling, and documentation practices used in professional security operations centers.
I gained hands-on experience working with Splunk as a SIEM platform, including configuring data inputs, building dashboards, and analyzing logs to identify patterns and anomalies. I learned how to approach security investigations methodically, document findings in an analyst-style format, and interpret common log sources such as Windows event logs. This project strengthened my understanding of incident triage, log analysis, and the day-to-day workflow of a SOC analyst, giving me confidence in navigating SIEM tools and recognizing indicators of suspicious activity.
- Windows Splunk Enterprise SIEM
- Ubuntu Linux log source
- rsyslog configuration and forwarding
- Splunk Data Inputs for TCP/UDP syslog
- Troubleshooting logs with documented lessons learned
- Written as a reproducible, real-world home lab for SOC analyst practice
The diagram below illustrates the architecture of the SOC Analyst Home Lab environment. It shows the Windows host running Splunk Enterprise, the Ubuntu VM acting as a log source, and the flow of syslog data from the VM to Splunk.
Diagram source file included as soc-lab.drawio for editing in diagrams.net (draw.io).
The full build and configuration guide is available in SOC_Analyst_HomeLab_Documentation.md.
After following the documented steps, you can:
- Ingest Linux syslog into Splunk
- Search, filter, and create dashboards within Splunk
- Practice detection engineering and alert building
- Expand to additional data sources in the future (Windows logs, Zeek, Suricata, etc.)
| Screenshot | Description |
|---|---|
| 01_ubuntu_vm_overview.png | VirtualBox view of the configured Ubuntu log source |
| 02_ubuntu_syslog_conf_location.png | Example rsyslog.conf showing where to insert the Windows IP |
| 03_ubuntu_omfwd_enabled.png | Confirmation of omfwd module loading in rsyslog |
| 04_splunk_empty_dashboard.png | Blank Splunk dashboard, ready for future visualizations |
| 05_splunk_syslog_search.png | Splunk search showing successful syslog ingestion |
| 06_splunk_data_inputs.png | Splunk Data Inputs page verifying the syslog input settings |
The lab documentation includes a full troubleshooting section. Key highlights:
- Confirming Splunk inputs are listening (`netstat`)
- Validating rsyslog syntax and status (`systemctl status rsyslog`)
- Ensuring Windows Defender firewall rules allow required ports
- Checking VM network reachability (`ping`, `nc`)
- Manually testing with `logger`
If syslog messages are still not reaching Splunk, also verify that the omfwd module is loaded in your rsyslog.conf or included config:

```
module(load="omfwd")
```
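The checks above can be scripted so they run in one pass from the Ubuntu VM. The script below is an added example, not part of the lab documentation: it parses the forwarding rule out of an rsyslog config, compares it with the host, port and protocol configured on the Splunk Data Inputs page, and only then runs the live checks (`systemctl`, `ping`, `nc`, `logger`). It assumes the rule is written either as a RainerScript `action(type="omfwd" ...)` or as a legacy `*.* @host:port` selector; the IPs, ports and file name are constructed placeholders.

```shell
#!/bin/sh
# Added pre-flight check, not from the lab docs: parse the forwarding rule out of an
# rsyslog config and compare it with the host/port/protocol set on Splunk's Data
# Inputs page, catching omfwd not being loaded or the rule pointing at the wrong
# Windows IP/port. Assumed rule syntax, either of:
#   action(type="omfwd" target="192.168.56.1" port="514" protocol="udp")
#   *.* @192.168.56.1:514     (legacy selector: @ = udp, @@ = tcp)
# IPs, ports and file names are constructed placeholders.
# Succeeds if the config loads the omfwd module.
omfwd_loaded() {
  grep -Eq '^[[:space:]]*module\(load="omfwd"\)' "$1"
}

# Prints "host port protocol" for the first forwarding rule found, else fails.
forward_rule() {
  line=$(grep -E '^[[:space:]]*action\(type="omfwd"' "$1" | head -n 1)
  if [ -n "$line" ]; then
    host=$(printf '%s\n' "$line" | sed -nE 's/.*target="([^"]+)".*/\1/p')
    port=$(printf '%s\n' "$line" | sed -nE 's/.*port="([^"]+)".*/\1/p')
    proto=$(printf '%s\n' "$line" | sed -nE 's/.*protocol="([^"]+)".*/\1/p')
  else
    line=$(grep -E '^[[:space:]]*[^#[:space:]]+[[:space:]]+@' "$1" | head -n 1)
    [ -n "$line" ] || return 1
    case "$line" in *@@*) proto=tcp ;; *) proto=udp ;; esac
    host=$(printf '%s\n' "$line" | sed -nE 's/.*@@?([^:[:space:]]+).*/\1/p')
    port=$(printf '%s\n' "$line" | sed -nE 's/.*@@?[^:[:space:]]+:([0-9]+).*/\1/p')
  fi
  [ -n "$host" ] || return 1
  printf '%s %s %s\n' "$host" "${port:-514}" "${proto:-udp}"   # rsyslog defaults
}

# Succeeds only if omfwd is loaded and the rule equals the Splunk input.
forwarding_ok() {   # args: conf splunk_host splunk_port protocol
  omfwd_loaded "$1" || { echo "omfwd module not loaded in $1"; return 1; }
  rule=$(forward_rule "$1") || { echo "no forwarding rule in $1"; return 1; }
  [ "$rule" = "$2 $3 $4" ] || { echo "rule '$rule' != Splunk input '$2 $3 $4'"; return 1; }
}

# Live checks (need the lab network): rsyslog active, host reachable, TCP port open, test event.
live_check() {   # args: splunk_host splunk_port protocol
  systemctl is-active --quiet rsyslog || { echo "rsyslog is not running"; return 1; }
  ping -c 1 -W 2 "$1" >/dev/null || { echo "$1 unreachable from the VM"; return 1; }
  if [ "$3" = tcp ]; then
    nc -z -w 3 "$1" "$2" || { echo "$2/tcp closed: check Splunk input and Defender rule"; return 1; }
  fi
  logger -t soclab-test "forwarding test $(date +%s)"   # then search Splunk for soclab-test
}
# Usage: sh check_forwarding.sh /etc/rsyslog.d/50-splunk.conf 192.168.56.1 514 udp
if [ "$#" -eq 4 ]; then forwarding_ok "$@" && live_check "$2" "$3" "$4"; fi
```

A mismatch is reported before any packet is sent, so a wrong IP left in the rsyslog.conf shown in the screenshots is caught without touching Splunk.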